browser – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Sun, 23 May 2021 00:09:38 +0000

Linux Action News 190
https://original.jupiterbroadcasting.net/145112/linux-action-news-190/
Sat, 22 May 2021 16:00:00 +0000

Show Notes: linuxactionnews.com/190

The post Linux Action News 190 first appeared on Jupiter Broadcasting.

OK Then | User Error 82
https://original.jupiterbroadcasting.net/138252/ok-then-user-error-82/
Fri, 03 Jan 2020 00:15:00 +0000

Show Notes: error.show/82

The post OK Then | User Error 82 first appeared on Jupiter Broadcasting.

SSL Strippers | TechSNAP 344
https://original.jupiterbroadcasting.net/119711/ssl-strippers-techsnap-344/
Tue, 07 Nov 2017 23:55:54 +0000

Show Notes:

  • How not to avoid browser security warning
  • Verbal passwords
  • Obscurity is a Valid Security Layer

Feedback

  • Kaspersky’s 7zip file
  • Containers/Jails/Zones: Containers vs Zones vs Jails vs VMs, Container descriptions and security, Docker […]

The post SSL Strippers | TechSNAP 344 first appeared on Jupiter Broadcasting.

OMG the Internet! | WTR 20
https://original.jupiterbroadcasting.net/79712/omg-the-internet-wtr-20/
Wed, 01 Apr 2015 01:42:04 +0000


Liz Abinante began her journey at the age of 12 and is now a software engineer at New Relic! She also funded her way through school by selling knitting patterns!


Show Notes:

Full transcription of previous episodes can be found at heywtr.tumblr.com

The post OMG the Internet! | WTR 20 first appeared on Jupiter Broadcasting.

Google Kills Your Battery | Tech Talk Today 150
https://original.jupiterbroadcasting.net/79662/google-kills-your-battery-tech-talk-today-150/
Tue, 31 Mar 2015 10:34:21 +0000


We discuss the details of the current crop of smart phones, then look at Microsoft’s new Surface 3, get skeptical about Project Spartan & celebrate the Supreme Court’s GPS Tracker decision.


Show Notes:

Microsoft’s Surface 3 is a $499 tablet that could be a full Windows laptop | The Verge

Surface 3 will start at just $499, and it’s available to pre-order today with devices shipping on May 5th in the US / Canada and May 7th internationally.

Introducing Project Spartan: The New Browser Built for Windows 10

As we started building Project Spartan, we took a hard look at everything we were doing with the browser — from the way we engineered it, to the way we designed the user experience, to the way we approached compatibility and interoperability, to the way we interacted with our customers and Web developers, to the way we released it.

License Details Hint MS Undecided On Suing Users of Its Open Source Net Runtime – Slashdot

With Microsoft proudly declaring its .NET runtime open source, a colleague and I decided to look at the licensing aspects. One part, the MIT licence, is straightforward, but there’s also a patent promise. The first two-thirds of the first sentence seems to announce good news about Microsoft not suing people. Then the conditions begin. It seems Microsoft can’t yet bring itself to release something as free software without retaining a patent threat to limit how those freedoms can be exercised. Overall, we found 4 Shifty Details About Microsoft’s “Open Source” .NET.

U.S. Supreme Court: GPS Trackers Are a Form of Search and Seizure — The Atlantic

The Supreme Court clarified and affirmed that law on Monday, when it ruled on Torrey Dale Grady v. North Carolina, before sending the case back to that state’s high court. The Court’s short but unanimous opinion helps make sense of how the Fourth Amendment, which protects against unreasonable search and seizure, interacts with the expanding technological powers of the U.S. government.

“It doesn’t matter what the context is, and it doesn’t matter whether it’s a car or a person. Putting that tracking device on a car or a person is a search,” said Jennifer Lynch, a senior staff attorney at the Electronic Freedom Foundation (EFF).

In this case, that context was punishment. Grady was twice convicted as a sex offender. In 2013, North Carolina ordered that, as a recidivist, he had to wear a GPS monitor at all times so that his location could be monitored. He challenged the court, saying that the tracking device qualified as an unreasonable search.

North Carolina’s highest court at first ruled that the tracker was no search at all. It’s that decision that the Supreme Court took aim at today, quoting the state’s rationale and snarking:

The post Google Kills Your Battery | Tech Talk Today 150 first appeared on Jupiter Broadcasting.

Just Add QEMU | BSD Now 79
https://original.jupiterbroadcasting.net/78347/just-add-qemu-bsd-now-79/
Thu, 05 Mar 2015 12:04:35 +0000


Coming up this time on the show, we’ll be talking to Sean Bruno. He’s been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We’ve also got answers to viewer-submitted questions and all this week’s news, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap

– Show Notes: –

Headlines

AsiaBSDCon 2015 schedule

  • Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
  • This year’s conference will be between 12-15 March at the Tokyo University of Science in Japan
  • The first and second days are for tutorials, as well as the developer summit and vendor summit
  • Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
  • Not counting the ones that have yet to be revealed (as of the day we’re recording this), there will be thirty-six different talks in all – four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
  • Summaries of all the presentations are on the timetable page if you scroll down a bit

FreeBSD foundation updates and more

  • The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
  • It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
  • There’s a FOSDEM recap and another update of their fundraising goal for 2015
  • They also have two new blog posts: a trip report from SCALE13x and a featured “FreeBSD in the trenches” article about how a small typo caused a lot of ZFS chaos in the cluster
  • “Then panic ensued. The machine didn’t panic — I did.”

OpenBSD improves browser security

  • No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
  • Ted Unangst writes in to the OpenBSD misc list to introduce a new project he’s working on, simply titled “improving browser security”
  • He gives some background on the W^X memory protection in the base system, but also mentions that some applications in ports don’t adhere to it
  • For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine) needs to be fixed to use it
  • “A system that is ‘all W^X except where it’s not’ is the same as a system that’s not W^X. We’ve worked hard to provide a secure foundation for programs; we’d like to see them take advantage of it.”
  • The work is being supported by the OpenBSD foundation, and we’ll keep you updated on this undertaking as more news about it is released
  • There’s also some discussion on Hacker News and Undeadly about it

NetBSD at Open Source Conference 2015 Tokyo

  • The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
  • There’s even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
  • If you just can’t get enough strange devices running BSD, check the mailing list post for lots of pictures

  • Their next target is, as you might guess, AsiaBSDCon 2015 – maybe we’ll run into them


Interview – Sean Bruno – sbruno@freebsd.org / @franknbeans

Cross-compiling packages with poudriere and QEMU


News Roundup

The Crypto Bone

  • The Crypto Bone is a new device that’s aimed at making encryption and secure communications easier and more accessible
  • Under the hood, it’s actually just a Beaglebone board, running stock OpenBSD with a few extra packages
  • It includes a web interface for configuring keys and secure tunnels
  • The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there’s a technical overview of how everything works on their site
  • If you don’t want to teach your mom how to use PGP, buy her one of these(?)

BSD in the 2015 Google Summer of Code

  • For those who don’t know, GSoC is a way for students to get paid to work on a coding project for an open source organization
  • Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
  • FreeBSD has a wiki page of ideas for people to work on
  • OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
  • If you’re a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
  • Who knows, you may even end up on the show if you work on a cool project
  • GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you’d like to hack on

pfSense 2.3 roadmap

  • The pfSense team has posted a new blog entry, detailing some of their plans for future versions
  • PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
  • PBIs are scheduled to be replaced with native pkgng packages
  • Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
  • 3.0 will focus on having a REST API, and separating the GUI from the actual implementation of the configuration
  • The ultimate goal is to have pfSense be a package you can just install on top of a regular FreeBSD install

PCBSD 10.1.2 security features

  • PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
  • A new “personacrypt” utility is introduced, which allows for easy encryption and management of external drives for your home directory
  • Going along with this, it also has a “stealth mode” that allows for one-time temporary home directories (but it doesn’t self-destruct, don’t worry)
  • The LibreSSL integration also continues, and now packages will be built with it by default
  • If you’re using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
  • They’ve also been working on introducing some new options to enable tunneling your traffic through Tor
  • There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
  • A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
  • Look forward to Kris wearing a Tor shirt in future episodes

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Next week’s episode will be prerecorded since we’ll be at AsiaBSDCon in Tokyo
  • Be sure to say hello if you’re at the event – we’ve got at least two interviews confirmed already

The post Just Add QEMU | BSD Now 79 first appeared on Jupiter Broadcasting.

Microsoft goes Spartan | Tech Talk Today 110
https://original.jupiterbroadcasting.net/74562/microsoft-goes-spartan-tech-talk-today-110/
Tue, 30 Dec 2014 10:35:59 +0000


Microsoft is building a new browser in-house that is rumored to work and look a lot more like Chrome & Firefox. The FBI has a lead on the Lizard Squad & who won big in the gadget sales over the holidays.


Show Notes:

Microsoft is building a new browser as part of its Windows 10 push | ZDNet

There’s been talk for a while that Microsoft was going to make some big changes to Internet Explorer in the Windows 10 time frame, making IE “Spartan” look and feel more like Chrome and Firefox.

It turns out that what’s actually happening is Microsoft is building a new browser, codenamed Spartan, which is not IE 12 — at least according to a couple of sources of mine.

Spartan is still going to use Microsoft’s Chakra JavaScript engine and Microsoft’s Trident rendering engine (not WebKit), sources say. As Neowin’s Brad Sams reported back in September, the coming browser will look and feel more like Chrome and Firefox and will support extensions. Sams also reported on December 29 that Microsoft has two different versions of Trident in the works, which also seemingly supports the claim that the company has two different Trident-based browsers.

However, if my sources are right, Spartan is not IE 12. Instead, Spartan is a new, light-weight browser Microsoft is building.

FBI Allegedly Investigating Lizard Squad Member Over Xbox Live, PSN Attacks

The FBI is actively investigating a member of the hacker collective that claimed responsibility for recent high-profile cyberattacks on Microsoft and Sony properties, according to multiple sources with knowledge of the investigation and the attacks. A member of the Lizard Squad hacking group, who goes by the alias “ryanc” or Ryan, allegedly garnered the attention of a special agent with the Federal Bureau of Investigation after speaking with the media about Lizard Squad’s Christmas-day attacks on Xbox Live and the PlayStation Network.

The Interview Online Sales – Business Insider

Sony announced Sunday night that “The Interview” was downloaded or rented online more than 2 million times, generating over $15 million in sales.

After initially pulling the movie from theaters, Sony decided to release it online instead. “The Interview” premiered December 24 on YouTube, Google Play, Xbox Video, and Sony’s own site, SeeTheInterview.com.


On Sunday, Apple made the movie available for rent or purchase on iTunes.

“The Interview” costs $14.99 to own or $5.99 to rent.

A source familiar with the movie’s online sales told Business Insider the “vast majority” of rentals and downloads came from Google Play and YouTube.


Meanwhile, “The Interview” was pirated an estimated 1.5 million times in its first two days, according to Torrent Freak.

Apple and Apps Dominated Christmas 2014 | Flurry

Flurry examined these new device activations to understand what types of devices consumers are exchanging for the holidays, and with which types of apps they are filling them. Since the beginning of the mobile revolution, Christmas Day has seen the highest number of new device activations and app installs each year, and 2014 was no exception. Flurry examined data from the more than 600,000 apps.


Apple accounted for 51% of the new device activations worldwide Flurry recognized in the week leading up to and including Christmas Day (December 19th – 25th). Samsung held the #2 position with 18% of new device activations, and Microsoft (Nokia) rounded out the top three with 5.8% share for mostly Lumia devices. After the top three manufacturers, the device market becomes increasingly fragmented with only Sony and LG commanding more than one percent share of new activations on Christmas Day. Up-and-comers Xiaomi, Huawei, and HTC all had less than one percent share on Christmas Day. One reason is surely their popularity in Asian markets where December 25th is not the biggest gift-giving day of the year.

6 Terabyte Hard Drive Round-Up: WD Red, WD Green and Seagate Enterprise 6TB

For a while, 4TB drives were the top end of what was available in the market but recently Seagate, HGST, and Western Digital announced breakthroughs in areal density and other technologies, that enabled the advent of the 6 Terabyte hard drive. This round-up looks at three offerings in the market currently, with a WD Red 6TB drive, WD Green and a Seagate 6TB Enterprise class model. Though the WD drives only sport a 5400RPM spindle speed, due to their increased areal density of 1TB platters, they’re still able to put up respectable performance. Though the Seagate Enterprise Capacity 6TB (also known as the Constellation ES series) drive offers the best performance at 7200 RPM, it comes at nearly a $200 price premium. Still, at anywhere from .04 to .07 per GiB, you can’t beat the bulk storage value of these new high capacity 6TB HDDs.

The post Microsoft goes Spartan | Tech Talk Today 110 first appeared on Jupiter Broadcasting.

Faux Talk | Tech Talk Today 88
https://original.jupiterbroadcasting.net/71007/faux-talk-tech-talk-today-88/
Mon, 10 Nov 2014 10:05:53 +0000


Angela and Chris cover some Faux tech news that will bend your mind, then discuss the new Firefox developer browser, Obama’s plans for Net Neutrality & more!


Show Notes:

Pepsi Is Testing Doritos-Flavored Mountain Dew, Which Means the End Is Near | E! Online

Reddit user pcmasterrace posted the above photo of a booth setup at his school with Pepsi employees handing out little cups filled with Doritos-flavored Mountain Dew.

We repeat: Doritos-flavored Mountain Dew. They’re calling it Dewitos.

Tagline suggestion: “Because stoners shouldn’t have to buy Mountain Dew and Doritos separately.”

Sharing Night-Time Photos Of The Eiffel Tower Is Illegal

Taking and sharing photos of the Eiffel tower at night is a copyright violation that could land you with a hefty fine (not that it’s stopped the selfie-snapping masses, of course).

Torrent Freak explains that although the building itself is in the public domain, the light show that illuminates it at night is an artistic work, and as such ‘reproducing’ it (i.e. snapping a photo) would require the permission of the artist. It’s the same law that stops you from filming a theatre show, just taken to a slightly absurd extreme.

It’s not just a theory, either: the website for the commercial use of the tower confirms that “the usage of these images is subject to prior request from the Société d’Exploitation de la Tour Eiffel.”

Selfies With Homeless People: The Latest Craze For Bored, Rich Kids

Net Neutrality: President Obama’s Plan for a Free and Open Internet

Mozilla launches Firefox Developer Edition with built-in tools for debugging apps and mobile browsers

The post Faux Talk | Tech Talk Today 88 first appeared on Jupiter Broadcasting.

Bait and Phish | TechSNAP 181
https://original.jupiterbroadcasting.net/67657/bait-and-phish-techsnap-181/
Thu, 25 Sep 2014 11:21:20 +0000


We’ll tell you about a major German hack that lasted 12 years, and struck over 300 businesses. Plus researchers discover a nasty Android bug that impacts over 70% of users.

Then it’s a great big batch of your networking questions, our answers & much much more!

Thanks to: DigitalOcean, Ting, iXsystems

— Show Notes: —

Operation Harkonnen, a 12 year long intrusion into over 300 businesses

  • “From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrating them to the organizations who ordered the attack”
  • “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
  • “The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
  • Specifically, it is quite easy to establish a new company in England
  • It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
  • “The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.“
  • Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

  • Android versions before 4.4 (75% of all current Android phones) are vulnerable
  • The flaw is tracked as CVE-2014-6041 and was disclosed on September 1, 2014 by Rafay Baloch on his blog.
  • By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
  • What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
  • The attacker could scrape your e-mail data and see what your browser sees.
  • Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
  • As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
  • Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome.
  • The core parts of Android Browser were still used to power embedded Web view controls within applications; this changed in Android 4.4, which switched to a Chromium-based browser engine.
  • Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
  • Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.


The post Bait and Phish | TechSNAP 181 first appeared on Jupiter Broadcasting.

Botnet Billionaires | TechSNAP 170
https://original.jupiterbroadcasting.net/62037/botnet-billionaires-techsnap-170/
Thu, 10 Jul 2014 11:25:39 +0000


Want to make billions in days? Quit your job and become a botnet master. We’ll share the story about a Brazilian botnet that you’ve just got to hear.

Plus a major flaw in Android, encryption done right, your questions, our answers & much much more!

Thanks to: DigitalOcean, Ting, iXsystems

— Show Notes: —

Botnet stealing from Brazilian banks rampant, maybe into the billions of dollars

  • In Brazil, the most common form of payment, for everything from taxes, utility bills or large purchases and almost all business-to-business payments is “Boleto Bancario” (or just boleto for short)
  • It is basically a bank transfer, somewhere between a cheque and a wire transfer
  • Most Brazilians do not have credit cards, and credit card processing is expensive (usually 3-5% or more) and the merchant usually has to wait 30 days to receive the funds
  • A boleto usually only takes 24 to 48 hours and has a low fixed fee (approximately $1)
  • Unlike credit card payments, which can be disputed and reversed, boleto cannot be reversed. Refunds are handled by bank transfer
  • The information is filled out on a form, and then the recipient enters the details online to receive the payment
  • Brian Krebs was shown a botnet that was lying in wait on infected computers, and as the user entered the details of a boleto, it would quickly change the recipient as the transfer was submitted, allowing the botnet controllers to receive the money, instead of the intended recipient
  • “Thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time”
  • Researchers at RSA Security (part of EMC) found an even larger botnet
  • “RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.”
  • “Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.”
  • “RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds.”
  • The botnet Krebs discovered was much less sophisticated, using only 3 destination bank accounts
  • RSA PDF

Dealing with encrypted streams

  • Adam Langley (of Google Security, and one of the authors behind BoringSSL) posts on his blog about how many file encryption systems, including gnupg, get it “wrong”
  • Specifically, when encrypting large messages they often use a single MAC (Message Authentication Code) at the end of the message
  • A MAC is used to ensure that the ciphertext has not been modified or corrupted before attempting to decrypt it
  • The problem is, if you do something like this: gpg -d your_archive.tgz.gpg | tar -xz
  • It will decrypt the contents of the gpg encrypted file and spit them out to the pipe, and not until it reaches the MAC at the end of the message, will it realize that the file was corrupted, and should not have been used. At this point it is too late, tar has already processed the invalid stream
  • An attacker may be able to use this to cause tar to overwrite a file the user did not intend, or otherwise create corrupted files or exploit a vulnerability in tar
  • The correct way to handle this situation is to not return the data until it has been authenticated, however this may require an impossibly large buffer
  • The author discusses the reasonably low overhead (0.1%) of breaking the message into 16 KiB chunks, each with a 16 byte MAC. This would allow gpg to authenticate each small chunk before writing it to the pipe.
  • However, that approach has its own pitfalls: “Although safer in general, when chunking one has to worry that an attacker hasn’t reordered chunks, hasn’t dropped chunks from the start and hasn’t dropped chunks from the end”
  • Ted Unangst (of OpenBSD/LibreSSL) posts his thoughts
  • Ted clarifies that with OpenBSD’s ‘signify’ system, newer OpenBSD installers download the archive and verify the downloaded temporary copy before passing it to tar to be extracted, as opposed to the old design before signify, where the file was piped to tar directly from the ftp client and required no temporary storage space
  • Ted also mentions his ‘reop’ (Reasonable Expectation Of Privacy) tool, a lightweight (incompatible) replacement for GnuPG: “However, the entire message must decrypt and authenticate successfully before any output is produced, so it’s actually safer than a small packet streaming program which may produce partial output. (reop cheats a bit by imposing a message size limit; it simply can’t encrypt large files, for large values of large.)”
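
The chunked approach described above, as an added sketch that is not code from the blog posts, gpg or reop: each 16 KiB chunk carries its own 16-byte MAC, and the MAC also covers the chunk index and a last-chunk flag so that reordered or dropped chunks are rejected. It authenticates only (no encryption); the frame layout, the truncated HMAC-SHA256 tag and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

CHUNK = 16 * 1024  # 16 KiB of data per chunk, as in the post
TAG = 16           # 16-byte MAC per chunk (HMAC-SHA256 truncated; assumption)

def _tag(key, index, final, data):
    # The MAC covers the chunk's position and a last-chunk flag, so a chunk
    # that is moved, or a stream cut short, no longer verifies.
    header = struct.pack(">QB", index, final)
    return hmac.new(key, header + data, hashlib.sha256).digest()[:TAG]

def seal(key, message):
    """Return frames laid out as: final(1) | length(4) | data | tag(16)."""
    parts = [message[i:i + CHUNK] for i in range(0, len(message), CHUNK)] or [b""]
    frames = []
    for i, data in enumerate(parts):
        final = int(i == len(parts) - 1)
        frames.append(struct.pack(">BI", final, len(data)) + data
                      + _tag(key, i, final, data))
    return frames

def open_stream(key, frames):
    """Yield each chunk only after its MAC verifies; raise ValueError otherwise."""
    done = False
    for i, frame in enumerate(frames):
        if done:
            raise ValueError("data after the final chunk")
        if len(frame) < 5 + TAG:
            raise ValueError(f"chunk {i} is too short")
        final, length = struct.unpack(">BI", frame[:5])
        data, tag = frame[5:5 + length], frame[5 + length:]
        if not hmac.compare_digest(tag, _tag(key, i, final, data)):
            raise ValueError(f"chunk {i} failed authentication")
        done = bool(final)
        yield data
    if not done:
        raise ValueError("stream truncated: final chunk never arrived")

def verifies(key, frames):
    """True only if every frame authenticates and the stream is complete."""
    try:
        for _ in open_stream(key, frames):
            pass
        return True
    except ValueError:
        return False
```

A consumer still sees the earlier, verified chunks before a later one fails, so it has to treat a ValueError as "discard everything extracted so far"; the guarantee is only that no unauthenticated bytes are ever released.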

Android keystore stack overflow flaw could allow key-theft

  • The vulnerability could allow attackers to steal cryptographic keys from the device, including those for some banking services, virtual private networks, and PINs or patterns used to unlock vulnerable devices
  • The flaw is fixed in Android 4.4
  • Originally incorrectly reported as affecting 86% of devices, the flaw affects only ~10.3%, as it is present only in Android 4.3
  • The vulnerability requires a malicious app be installed on the targeted handset, but we have seen legitimate apps be bought or hijacked before, and it is often fairly easy to trick people into installing apps
  • “Generally speaking this is how apps are going to store their authentication credentials, so if you can compromise the KeyStore, you can log in as the phone’s user to any service where they’ve got a corresponding app, or, at least, an app that remembers who you are and lets you log back in without typing a password. This means that most banking apps, which force you to type your password every time, are probably safe against this particular attack.”
  • Researcher Post

The post Botnet Billionaires | TechSNAP 170 first appeared on Jupiter Broadcasting.

iGoogle Alternatives | FauxShow 148 https://original.jupiterbroadcasting.net/44532/igoogle-alternatives-fauxshow-148/ Fri, 11 Oct 2013 16:15:35 +0000 https://original.jupiterbroadcasting.net/?p=44532 Angela recruits live viewer Nathan to assist in discussing iGoogle’s demise and alternatives for it. Direct Download: HD Download | Mobile Download | MP3 Download | YouTube RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Torrent Feed | iTunes Feeds     Fill out my Wufoo form! What is happening […]

The post iGoogle Alternatives | FauxShow 148 first appeared on Jupiter Broadcasting.


Angela recruits live viewer Nathan to assist in discussing iGoogle’s demise and alternatives for it.

  • What is happening to iGoogle? https://support.google.com/websearch/answer/2664197?hl=en

  • iGoogle Themes: https://www.google.com/ig/directory?type=themes

  • iGoogle https://lifehacker.com/5881052/lifehacker-faceoff-the-best-start-pages-for-your-browser

  • Google Home https://www.techsupportalert.com/content/6-great-alternatives-igoogle.htm

  • More alternatives: https://alternativeto.net/software/igoogle/

  • Startpage html: https://bpaste.net/show/139778/

What’s in Your Cache | TechSNAP 115 https://original.jupiterbroadcasting.net/39177/whats-in-your-cache-techsnap-115/ Thu, 20 Jun 2013 16:31:02 +0000 https://original.jupiterbroadcasting.net/?p=39177 New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for...

The post What’s in Your Cache | TechSNAP 115 first appeared on Jupiter Broadcasting.


New research reveals your browser cache contains a lot more than you might expect, and we’ve got the details on some security issues WordPress doesn’t have a fix for…

Plus: We’ll answer your questions, chat about rolling your own email server, and much much more!

On this week’s TechSNAP


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: