MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• Sandbagger News
• The It Guys – Home
• Let There Be Light
• Backup over SSH RSync Script

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Starting a Business with Linux | Ask Noah 26 first appeared on Jupiter Broadcasting.

Why boring technology might be the better choice, Google revokes & China chokes, why you want to create an account at irs.gov before crooks do it for you.

Plus your great IT questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Why you should choose boring technology

• The basic premise is that in building technology, specifically web sites and web services, there is often a bias towards using the latest and greatest technology, rather than the same old boring stuff
• This often turns out to bite you in the end. Look at people who based their site or product on FoundationDB, which was recently bought and shutdown by Apple
• Look at one of the most popular sites on the internet, Facebook, originally written in PHP and MySQL, and still largely remains based on those same old technologies
• “The nice thing about boringness (so constrained) is that the capabilities of these things are well understood. But more importantly, their failure modes are well understood.”
• “Anyone who knows me well will understand that it’s only with a overwhelming sense of malaise that I now invoke the spectre of Don Rumsfeld, but I must.“
• “When choosing technology, you have both known unknowns and unknown unknowns”
• The Socratic paradox
• A known unknown is something like: we don’t know what happens when this database hits 100% CPU.
• An unknown unknown is something like: geez it didn’t even occur to us that writing stats would cause GC pauses.
• “Both sets are typically non-empty, even for tech that’s existed for decades. But for shiny new technology the magnitude of unknown unknowns is significantly larger, and this is important.”
• The advantage to using boring technology is that more people understand how it works, more people understand how it fails, more people have come before you, tried to do something similar to what you are doing
• You won’t find the answer on Stack Overflow if you are the first person to try it
• “One of the most worthwhile exercises I recommend here is to consider how you would solve your immediate problem without adding anything new. First, posing this question should detect the situation where the “problem” is that someone really wants to use the technology. If that is the case, you should immediately abort.”
• People like new toys and new challenges
• Businesses should try to avoid new costs, and new risks
• Adding a new technology is not a bad thing, but first consider if the goal can be accomplished with what you already have

Google revokes CNNIC root certificate trust

• On March 20th Google security engineers noticed a number of unauthorized certificates being used for gmail and other google domains
• The certificates were issued by a subordinate CA, MCS Holdings
• “Established in 2005, MCS (Mideast Communication Systems) offers Value Added Distribution focusing on Networking and Automation businesses.”
• MCS Holdings makes Firewalls and other network appliances
• MCS got its subordinate CA certificate from CNNIC (Chinese Internet Network Information Center)
• “CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.”
• Google added the MCS certificate to its revocation list so it would no longer be trusted
• “CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system”
• Google accepted the explanation as the truth, but is unsatisfied with the situation
• “This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it.”
• CNNIC has specific obligations it must fulfill in order to be a trusted CA
• The CA/Browser Forum sets the policies agreed upon for signing new trusted certificates
• Mozilla has an existing policy that enumerates the possible problems and their immediate and potential consequences
• “Update – April 1: As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products. This will take effect in a future Chrome update. To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist. While neither we nor CNNIC believe any further unauthorized digital certificates have been issued, nor do we believe the misissued certificates were used outside the limited scope of MCS Holdings’ test network, CNNIC will be working to prevent any future incidents. CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place.”
• CNNIC has released an official statement calling Google’s actions “unacceptable”
• Mozilla is considering similar actions:
• Reject certificates chaining to CNNIC with a notBefore date after a threshold date
• Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
• Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
• If CNNIC’s re-application is unsuccessful, then their root certificates will be removed
• The Mozilla community feels that CNNIC needs more than a slap on the wrist, to ensure other CAs (and Governments) get the message that this type of behaviour is unacceptable
• Google reiterates the need for the Certificate Transparency project
• “Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.”
• Additional Coverage – Ars Technica

Signup for an account at irs.gov before crooks do it for you

• “If you’re an American and haven’t yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process.”
• “Recently, KrebsOnSecurity heard from Michael Kasper, a 35-year-old reader who tried to obtain a copy of his most recent tax transcript with the Internal Revenue Service (IRS). Kasper said he sought the transcript after trying to file his taxes through the desktop version of TurboTax, and being informed by TurboTax that the IRS had rejected the request because his return had already been filed.”
• “Kasper said he phoned the IRS’s identity theft hotline (800-908-4490) and was told a direct deposit was being made that very same day for his tax refund — a request made with his Social Security number and address but to be deposited into a bank account that he didn’t recognize.”
• The fraudster filed the new return using nearly identical data to the correct information that the victim had filed the previous year
• The victim suspects that the fraudster was able to use the irs.gov portal to view his previous returns and extract information from them to file the fraudulent return
• The fraudster files a corrected W-2 to adjust the withholding amount, to get a bigger refund
• The story goes on into details about the case, including the college student that was used as a money mule
• “The IRS’s process for verifying people requesting transcripts is vulnerable to exploitation by fraudsters because it relies on static identifiers and so-called “knowledge-based authentication” (KBA) — i.e., challenge questions that can be easily defeated with information widely available for sale in the cybercrime underground and/or with a small amount of searching online.”
• In addition, Americans who have not already created an account at the Social Security Administration under their Social Security number are vulnerable to crooks hijacking SSA benefits now or in the future. For more on how crooks are siphoning Social Security benefits via government sites, check out this story.
• In Canada, to get access to your CRA Account, a passcode is mailed to you, at the current address the government already has on file for you
• In order to gain access to your account, you also must answer more specific questions than just KBAs, usually including things like “the number from line 350 of your 2013 tax return”

Feedback:

• I heard Allan likes ZFS

• ultimate travel router?

• Linux Server Management

• freenas backup sanity check

Round Up:

• Facebook successfully tests laser internet drones
• “Not Invented Here” is bad, but “Never Invent Here” is worse
• A Few Thoughts on Cryptographic Engineering: Truecrypt report
• Personal details of a number of world leaders were accidently emailed to Asian Cup organizers by Australian immigration department, the leaders were not notified of the disclosure
• New Firefox version says “might as well” to encrypting all Web traffic
• Firefox contains mp3 playback vulnerability, could lead to code execution
• N.J. school district’s ‘bitcoin hostage” problem caused by weak passwords, firewall holes | NJ.com
• Vulnerable hotel Wifi puts guests at risk
• What every stackoverflow question looks like
• Vulnerability in python scripts shipped as part of SELinux allow attackers to execute commands as root

The post Any Cert Will Do | TechSNAP 208 first appeared on Jupiter Broadcasting.