Show Notes: error.show/85

The post Name Your Shoes | User Error 85 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | Video Feed | iTunes Feed

Become a supporter on Patreon:

Links

• We’re Updating Patreon’s Fee Structure. Here’s Why. – The Patreon Blog
• We messed up. We’re sorry, and we’re not rolling out the fees change. – The Patreon Blog
• Amazon.com: Sonos Play:1 Compact Wireless Speaker for Streaming Music. Works with Alexa. (Black): Home Audio & Theater
• Amazon.com: Bose SoundLink Revolve Portable Bluetooth 360 Speaker, Triple Black: Electronics
• Goodbye, net neutrality—Ajit Pai’s FCC votes to allow blocking and throttling | Ars Technica
• Bomb threat temporarily disrupts FCC vote to kill net neutrality rules | Ars Technica

The post Old Dog, New Tricks | User Error 39 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | Video Feed | iTunes Feed

Become a supporter on Patreon:

Links

• A phone app that listens to your car and could warn of impending trouble | Ars Technica
• Rover Log Playlist
• Buy Now – Nintendo 2DS – Console Bundles

The post All Natural Drugs | User Error 33 first appeared on Jupiter Broadcasting.

In this special episode of LAS, we go off the rails as we buckle down & prep for our visit to SCaLE live on the air! Plus picks, your feedback & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

— PICKS —

Runs Linux

• This Viewers Car Runs Linux

Desktop App Pick

reep.io | peer-to-peer filesharing made easy

With reep.io you can transfer files directly to another browser.
Just point to a file you want to share. Your peer will then be able to download this file
directly from you. No data is stored on a server in-between.

Weekly Spotlight

GalliumOS – A fast and lightweight Linux distro for ChromeOS devices

A fast and lightweight Linux distro for ChromeOS devices.

Brought to you by: System76

Feedback:

• EasyTag Forks
• Gnome Boxes

SCaLE Planning

• SCaLE 14x

SCaLE 14x: The Southern California Linux Expo is upon us again! I’m looking forward to seeing & sharing with everyone in the free software community in Southern California this year; last year was a blast.

SCaLE 14x is January 21-24, 2016 at the Pasadena Convention Center

Equipment Chris is bringing:

• GoPro Hero 4
• Zoom SGH-6 Shotgun Mic
• Zoom H4n

Thanks to Ryan (@techhelper1)

• Offered the use of his 99 Cadillac Seville while at SCALE

Thanks to Brian

• Offered his long driveway, which might or might not work.

Post-Show

• SyncThing

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

The post Pre SCaLE LAS | LAS 401 first appeared on Jupiter Broadcasting.

TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

TalkTalk compromise and ransom

• “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
• “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
• That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
• Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
• “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
• So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
• “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
• “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
• With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
• Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
• “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
• “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
• Additional Coverage — The Independant
• Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
• Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
• Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
• Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
• Video from TalkTalk CEO
• If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will wait the termination fee if you decide you no longer want to be a TalkTalk customer
• New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
• “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

• “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
• “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
• Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
• “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
• “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
• “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
• US Regulators grant DMCA exemption to legalize vehicle software tinkering
• Additional Coverage: NPR
• The ruling uses the terms “good faith security research” and “lawful modification.”
• “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
• “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
• Under the ruling, both exemptions don’t become law for at least a year

Google plays hardball with Symantec over TLS certificates

• “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
• Google’s Blog Post
• Symantec Report
• “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
• It seems like Symantec was trying to downplay the incident, and gloss over its failings
• “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
• “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
• This brings up serious questions about the management and oversight of the Symantec certificate authority
• “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
• “More immediately, we are requesting of Symantec that they further update their public incident report with:”
• A post-mortem analysis that details why they did not detect the additional certificates that we found.
• Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
• “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
• “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
• It is good to see Google using its muscle to make the CA industry smarten up and fly right

Feedback:

• Running a file server on Debian

• ZFS repairing capabilities

• Episode 237 comments and suggestions

Round up:

• 13 million plaintext passwords belonging to webhost users leaked online
• New banking trojan steals 20 million British Pounds from online bank accounts
• DOJ: Apple owns your iPhone’s software, so it should have a backdoor
• IBM tops the list of worst offenders for hosting spam, as it acquires Softlayer, which had previously acquired ThePlanet, which was known for being especially bad
• Joomla bug puts millions of websites at risk of remote takeover
• EFF Finds over 100 license plate readers that are accessible on the public internet
• Wall Street Journal subscriber base information may have been compromised
• WWII CIA (OSS) Simple Sabotage Field Manual (Field Manual #3)
• NSA issues warning about quantum cryptography, sparks concerns of secret advance in technology
• Debate over the depreciation of the leap second at the World Radiocommunication Conference Full ACM Article by Poul-Henning Kamp
  

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.

Behind the scenes on Ubuntu MATE’s new features pushing the Ubuntu platform forward for traditional desktops, why Apple’s latest court case proves Richard Stallman was right about owning your own software & there is real debate about Xiaomi’s new Linux laptop.

Plus the big EFF win that’s great for Linux users, the big problems facing x86 that are a wake up call to distro makers & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• World Without Linux Episode 2: Are We There Yet? – YouTube

Feedback:

• Ubuntu MATE 15.10 Press Kit

• I was not satisfied with podcatchers for the command line, so i build my own – podfox

• EFF Wins Petition to Inspect and Modify Car Software

Linux Academy

• Linux Academy | Linux and AWS Online Training

Intel x86 considered harmful (new paper)

So, today I’m releasing this first paper, finally. You can get the PDF
_here, and also the EPUB version
here._

_As mentioned, the paper is mostly a (hopefully systematic) survey of the various
problems and attacks presented against the x86 platform over the last 10 year_s.

• Qubes 3.0

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

DOJ dismisses Apple’s arguments against decrypting iOS communications

Federal courts should require Apple to unlock encrypted data because the operating system is “licensed, not sold,” to customers, the Justice Department argued in a reply brief in the U.S. District Court for the Eastern District of New York.

• Richard Stallman is the hero the internet needs

But suddenly he doesn’t seem crazy anymore. After the Snowden revelations, and all the other major and minor privacy breaches of the past few years, his paranoia now seems justified — even rational:

• He warned of the growing danger of DRM in his great short story The Right to Read (1997).
• He refuses to own a cellphone, on the grounds that it might be used as a tracking or covert listening device. This still sounds slightly paranoid, but looks increasingly possible.
• Stallman considers cloud computing dangerous. In 2008 I thought this was alarmist; now nobody trusts the cloud.
• He’s always held that proprietary software cannot be trusted. Windows 10’s shady behaviour proves that he has a point.

TING

• Ting – mobile that makes sense

Xiaomi’s Linux Laptop To Enter Production ‘Early Next Year’

The model with a 12.5-inch screen will be manufactured by Inventec (who make laptops for Acer, Toshiba and HP), with an initial order of 250,000 units.

The slightly larger device is to be made by Compal Electronics (known for manufacturing Apple devices, and various PlayStation, Xbox and Nintendo games consoles), with Xiaomi placing an order for 300,000 units.

Support Jupiter Broadcasting on Patreon

The post What's New MATE | LINUX Unplugged 116 first appeared on Jupiter Broadcasting.

Samsung is actively disabling Windows Update on at least some computers, Car Hacking is ‘Distressingly Easy’, new iOS feature auto-deletes apps & Chromium follow up!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Samsung is actively disabling Windows Update on at least some computers | VentureBeat | Security | by Emil Protalinski
• Car Hacking is ‘Distressingly Easy’ – Slashdot
• From Russia with Love | Unfilter 56 | Jupiter Broadcasting
• Here’s the first official net neutrality complaint to the FCC – The Washington Post
• Google Play Music gets ad-supported radio stations in the US | Ars Technica
• Apple Music Signs Beggars Group, Merlin: Sources | Billboard
• iOS 9 Includes New Auto App Delete/Reinstall Feature for OS Updates on Devices With Insufficient Space – Mac Rumors
• Chromium Bugging Bug | Tech Talk Today 187 : techtalktoday

The post Agonizing over Adoption | Tech Talk Today 188 first appeared on Jupiter Broadcasting.

A list of the most hackable cars has been released on the eve of a highly anticipated Black Hat presentation, Mozilla developers get hacked, getting started with Linux and why a little video games can be good for kids.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Least Secure Cars Revealed At Black Hat

Research by two security experts presenting at Black Hat this week has labeled the 2014 Jeep Cherokee, the 2015 Cadillac Escalade and the 2014 Toyota Prius as among the vehicles most vulnerable to hacking because of security holes that can be accessed through a car’s Bluetooth, telematics, or on-board phone applications. The most secure cars include the Dodge Viper, the Audi A8, and the Honda Accord, according to Researchers Charlie Miller and Chris Valasek. Millar and Valasek will reveal the full report on Wednesday, but spoke to Dark Reading today with some preliminary data.

The two security experts didn’t physically test the vehicles in question, but instead used information about the vehicles’ automated capabilities and internal network. “We can’t say for sure we can hack the Jeep and not the Audi,” Valasek told Dark Reading. “But… the radio can always talk to the brakes” because both are on the same network. According to the “Connected Car Cybersecurity” report from ABI Research, there have been “quite a few proof of concepts” demonstrating interception of wireless signals of tire pressure monitoring systems, impairing anti-theft systems, and taking control of self-driving and remote control features through a vehicle’s internal bus, known as controller area network (CAN).

• Researchers to name the most hackable cars at Black Hat – Computerworld

Thousands of Mozilla developers’ e-mail addresses, password hashes exposed | Ars Technica

About 76,000 e-mail addresses and 4,000 password hashes were left on a publicly accessible server for about 30 days beginning June 23, according to a blog post. There is no indication the data was accessed, but Mozilla officials investigating the disclosure can’t rule out the possibility.

The code Mozilla uses for their developer login site is open source and posted on GitHub. It looks like from the code they didn’t key stretch the hash. While the salt keeps things ‘safer’ (no rainbow tables, etc), against a GPU brute-forcing attempt, the fact these are straight hashes means they are a little weak against brute-forcing.

Introduction to Linux | edX

Beginning August 1st, The Linux Foundation, in conjunction with online education giant edX, is offering a free Introduction to Linux course.

This class, first announced in early March, is available for free. That’s not bad for a class that usually runs $2,400!

This massively open online course (MOOC) is being taught by Jerry Cooperstein. Cooperstein is a nuclear astrophysicist who’s been using Linux since 1994 and teaching it for almost that long.

According to Dice, the leading career site for technology and engineering professionals, nine out of ten IT hiring managers are looking for Linux pros.

This class looks at Linux from a very high level. You’ll be able to use Linux distributions from any of the three major Linux families, including Red Hat, with Fedora or CentOS; Debian, including Ubunt or Mint; and SUSE, including openSUSE.

This course will cover the various tools and techniques commonly used by Linux programmers, system administrators and end users to do day-to-day work in Linux.

• Linux Foundation’s free online intro to Linux class opens its doors | ZDNet

Could a Little Video Game Play Be Good for Kids?

Researchers found that kids who played video games for less than one hour a day were more likely to be happy, helpful and emotionally stable than kids who never grab a controller, according to findings published online Aug. 4 in the journal Pediatrics.

More than three hours daily of gaming had the opposite effect, however. Video game junkies were more likely to be moody, unhappy with their life and apt to act out in negative ways.

To examine both the positive and negative effects of gaming, researchers assessed the video game habits and emotional growth of nearly 5,000 British boys and girls aged 10 to 15.

The post BlackHat Carmageddon | Tech Talk Today 38 first appeared on Jupiter Broadcasting.