Show Notes: linuxactionnews.com/137

The post Linux Action News 137 first appeared on Jupiter Broadcasting.

What’s taking the states so long to catch up to the rest of the civilized world and dip the chip? Turns out it’s really complicated, we explain. Plus keeping a Hospital secure is much more than following HIPAA, and an analysis of Keybase malware.

Plus great questions, our answers, and much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

The great American EMV fake-out

• “Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe).”
• But how many people have been to a retailer and ended up swiping their chip card?
• “Comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers”
• “Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV. Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”
• This leaves the question of why more retailers are not using the chip. In Canada, and the EU, almost all transactions use chip-and-pin
• “New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.”
• “Some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.” “They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store”
• It seems that even with the liability shift, which Visa and Mastercard hopes would push merchants to be ready on time, many merchants have not completed upgrades to their payment systems and cash registers. Apparently many of the acquiring banks have long queues to ‘certify’ the upgraded software, further causing delays
• “Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.”
• In Canada, the transition was fairly quick, although this might be due to the fact that many people use debit cards that already required a pin, so the change for the customer was just inserting the card rather than swiping it
• “The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.”
• “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”
• Now the software is more complicated, as it involves correctly implementing cryptography, and the terminal vendors seem to be struggling to keep up
• “There are very few EMV software developers who understand the U.S. market”
• “There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me – there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”
• Note that this is still fraud, and you could go to jail
• “If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.””
• Does typing your pin really take much longer than signing the receipt?

Securing Hospitals

• Researchers working for a hospital were able to compromise both Patient Monitors and the Drug Dispensary
• “The research results from our assessment of 12 healthcare facilities, 2 health care data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report.”
• “One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective. The background, motivating factors, nuances, and misunderstandings that perforate the healthcare industry with regard to security are discussed at length in this report. In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.”
• “The two major flaws in the healthcare industry with regard to threat model are that 1) the focus is almost entirely on protecting patient records, and 2) the measures taken address only unsophisticated adversaries: essentially, only one of the adversaries listed above — the Individual or Small Group adversary highlighted above in yellow. The industry is aware and speaks to Organized Crime and Nation State adversaries, but underestimates their sophistication and motivation. The strategies aim to curtail blanket, untargeted (i.e., indiscriminate) attacks to obtain patient healthcare records, and ignores the motivations and strategies that would be employed if targeting patient health or specific victims’ health records. These motivations and scenarios are highlighted in red in the above table”
• The protection of health records has been the focus for quite some time, even before records were computerized, but it seems the industry has not “noticed” that medical devices have been connected to the network, and are insufficiently protected from attack
• Devices compromised during the testing were: an insulin infusion pump, a patient monitor station, and a barcode reader
• The following attack surfaces / areas of vulnerability were identified:
  • Patient Health
  • Patient Records
  • Service Availability
  • Community Confidence and Trust
  • R&D, Intellectual Property
  • Business Advantage
  • Hospital Finances
  • Hospital Reputation
  • Physician Reputation
• PDF Report, 71 pages

KeyBase malware analysis

• “The usage of a rather simple keylogger malware has gone through the roof after its builder got leaked online last summer”
• “KeyBase is a spyware family that can capture keystrokes, steal data from the user’s clipboard, and take screenshots of the victim’s desktop at regular intervals”
• “Caught red-handed, its author promised to stop working on the malware, closed down the website from where he was selling KeyBase for $50 / €45, and abandoned the project.”
• “Researchers also discovered that while KeyBase’s control panel was secured with authentication, the folder in which images were sent for storage was not, meaning that after all this time, they could easily put together a simple script and find all the KeyBase panels available online.”
• “Using this simple method, Palo Alto staff discovered 62 Web domains where the KeyBase control panel was installed, 82 different control panels, and 125,083 screenshots from 933 Windows computers.”
• “Of all infected computers, 216 were workstations in corporate environments, 75 were personal computers, and 134 were used for both. 43 of the 933 computers also included details from more than one user, meaning they were shared assets, used by multiple family members or work colleagues.”
• “Taking a look at the screenshots, researchers discovered images depicting banking portals, invoices, blueprints, video camera feeds, email inboxes, social media accounts, financial documents, booking software, and many more.”
• Both personal and corporate banking details were seen, as well as a Hotel reservation system
• “The set for educational institutions wasn’t notably attributable to any one panel, but equally distributed. What made it stand out though is that the same tactic for delivering the KeyBase phish was applied here and “Admissions” people were targeted. These individuals are constantly sent Word or PDF documents, allegedly from parents, so it’s no surprise they would open the malicious files”
• “In the original KeyBase report, Palo Alto revealed that the malware’s creator managed to infect himself during the keylogger’s tests, and had his activities recorded through screenshots and then sent to the Web control panel. This apparently happened again, and 16 of the actors behind this new wave of KeyBase infections also managed to infect their computers. The screenshots saved from their PCs shows that while a few were just curious script kiddies, some of the other hackers were actually professionals involved in highly-targeted campaigns.”
• These screenshots provide interesting insight into the attackers
• “This next actor’s resolution was such that the screenshots only captured the top left portion of his or her screen; however, it was enough to make some interesting observations on tactics. The actor appears to be trying to engage in romance scams with multiple women, along with preying on seniors through dating sites”
• “Our analysis provides a unique opportunity to see the entire life cycle of a malware infection. Commonly, we’d see the first image in a set to be the KeyBase executable or malicious document all the way through until the Anti-Virus alerts of an infection. Sometimes that happened all within one screenshot.”

Feedback:

• Read Only File Server?

• How much Power Does a Server use at Home ?

• pfSense on TP-LINK?

• Software Freedom Conservancy condemns Ubuntu including ZFS

Round Up:

• MouseJack Technical Details
• How To Kill A Supercomputer: Dirty Power, Cosmic Rays, and Bad Solder — In the IBM Blue Gene, After weeks of searching, the culprit was uncovered: the solder used to make the boards carrying the processors. Radioactive lead in the solder was found to be causing bad data in the L1 cache
• FBI Insists It’s Not Trying To Set A Precedent, But Law Enforcement Is Drooling Over Exactly That Possibility
• OpenSSL to release new versions on March 1st to fix “high” severity issues
• Google Is Lighting Up Dark Fiber All Over the Country
• Asus Settles FTC Charges re: security vulnerabilities and negligent practices related to Asus routers and accompanying services, Agrees To 20 Years Of Supervision
• Judge confirms what many suspected: Feds hired CMU to break Tor
• Linux Mint site hacked, ISOs injected with malware. This is why posting an MD5 checksum on the site is not good enough
• Researchers manage to disarm SimpliSafe Wireless Home Security System
• glibc vulnerability worse than thought, “a skeleton key of unknown strength”
• Rumor: IBM gobbles Bruce Schneier, Resilient for $100m

The post Dip the Chip | TechSNAP 255 first appeared on Jupiter Broadcasting.

Who doesn’t like a good party? Some folks will tell you that Linux is boring, or for geeks. This week we’ll show you how you can have a very loud and bright time with Linux.

Plus Valve officially pins down a Steam Machine launch date. More encryption for Linux, and did the CHIP guys underestimate the cost of their $9 computer?

Plus some great feedback, some helpful app picks & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Party With Linux

+Linux Compatible DMX Interface

Brought to you by: System76

— PICKS —

Runs Linux

• Train Ad Sensor Runs Linux

Video of ad system that uses a raspberry pi to sense when a train is coming so that it can start playing a specific part of an ad.

Sent in by Dumitru V.

Desktop App Pick

• Q Light Controller Plus

QLC+ is a fork of the great QLC project written by Heikki Junnila. This project aims to continue the development of QLC and to introduce new features.
The primary goal is to bring QLC+ at the level of other lighting control commercial softwares

• Controls an arbitrary number of universes, 512 DMX channels each
• Fixture editor to create and customize fixtures
• 440+ ready made fixtures
• Web access for remote control
• Input/Output plugins to support a wide variety of hardware and software
• MIDI Input / Output and Feedbacks (for devices with motorized faders)
• MIDI support of Notes, Control Change, Program Change and Beat clock
• Virtual Console to get the best while performing live shows
• Quick access to 750+ gobos, color presets, RGB values, thanks to the Click And Go technology
• Simple Desk for manual DMX channels control
• Multitrack Show editor for offline desk programming
• Audio input/output support
• Import/export fixtures list
• Channels groups
• Fixture remapping
• ArtNet and E1.31 native input/output plugin
• OSC input/output/feedback plugin
• DMX4ALL StageProfi and FX5 DMX USB support
• Dump DMX values into scenes/chasers
• Look & feel based on the Humanity icon theme

Weekly Spotlight

+SSHFS

T his is a filesystem client based on the SSH File Transfer Protocol. Since most SSH servers already support this protocol it is very easy to set up: i.e. on the server side there’s nothing to do. On the client side mounting the filesystem is as easy as logging into the server with ssh.

• Based on FUSE (the best userspace filesystem framework for linux
• Multithreading: more than one request can be on it’s way to the server
• Allowing large reads (max 64k)
• Caching directory contents

Jupiter Broadcasting Meetup

Our Past Picks

These are the weekly picks provided by the Jupiter Broadcasting podcast, the Linux Action Show.

This site includes a separate picks lists for the “Runs Linux”, Desktop Apps, Spotlight Picks, Android Picks, and Distro Picks.

— NEWS —

Steam Machine Launch Date

November 10, 2015: May it forever be known as “Steam Day”—the day Valve will officially unleash its suite of Steam Machines, Steam Link, SteamOS, and the Steam Controller. Sure, it’s almost exactly a year later than anticipated, but…well, if you want one, this is when you can get one. Officially.

“Unofficially,” you can get a Steam Machine and Steam Controller as early as October 16, provided you’re in the market for Alienware’s model. Preordering through GameStop ensures you’ll receive Alienware’s Steam Machine (which Valve previously referred to as “a console that encapsulates the full potential of what a Steam Machine should be”) almost a month early.

HP Enterprise will be all-in

What’s the latest enterprise IT company to proclaim its love of open source? HP, that’s who – or, more specifically, Hewlett Packard Enterprise, one of two companies that will emerge once HP splits this November.

Speaking at the HP Discover conference in Las Vegas this week, CTO Martin Fink said open source will be central to how HP’s enterprise incarnation conducts its business.

“We have taken this very, very seriously and we are all-in on the notion of open source,” Fink said, adding that even game-changing big bets like the Machine will be backed by open source software.

“I want to stress something here: It is not called HP Grommet. It is called Grommet,” Fink said. “It is HP’s contribution to the IT industry to bring consumer-grade capabilities with an enterprise user experience framework so that all of you can take advantage of it.”

Dell Inspiron 14 Ubuntu Review

I ‘ve been using this new Ubuntu notebook from Dell for a couple days, and overall, I’m pretty happy. For a $299 computer (that’s list price, I got mine for $249), it has reasonably good specs, looks nice, and performs about like you would expect considering the hardware and price.

Easy Risk Free Encrypted Colab released for LINUX

Tresorit protects the files you never want leaked or lost.
Work with your most sensitive documents without second thoughts. Use Tresorit to keep control – even when you share with coworkers, clients or vendors

• End-to-end encryption
• Proven Security
• Swiss Privacy
• Encrypted Backup
• Certified secure datacenters
• Up to 1TB encrypted storage

Chip to be $20 not $9

Allwinner confirmed R8 just SOC cost $4.80 but this makes not much sense either this is the price of A33 quad core SOC why they price so expensive obsolete A13 Cortex-A8 SOC???

On my question how then Next Thing Co. sell this computer for $9 Allwinner response is:

“CHIP 9$ computer launched a big advertising campaign to promote their new development board, their actual cost is higher than 9$. After the Kickstarter their computer will sell for 39$.”

So, sorry guys to break your dreams for 1Ghz SOCs costing $1, maybe in future this would be possible, but not now.

— FEEDBACK —

• https://slexy.org/view/s21KDjHKHH
• https://slexy.org/view/s2ASJK9erM

• https://slexy.org/view/s21wgTEAdk

• Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Party with Linux | LAS 368 first appeared on Jupiter Broadcasting.

We get the opportunity to talk to the Krita project. Can professional graphic design be done on Linux? What it will take to get the project to the next level? We find out!

Plus a crazy member of our audience takes CentOS desktop challenge & we check in. CryEngine to support Linux, Firefox OS in Africa, Snappy packages, Python 3 in Ubuntu by Default & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Krita Lead Developer Interview

Brought to you by: System76

Krita | Digital Painting. Creative Freedom.

Krita is a FREE digital painting and illustration application.

Krita offers CMYK support, HDR painting, perspective grids, dockers, filters, painting assistants, and many other features you would expect. Check out the gallery to see what other artists have done with Krita

Krita: free paint app – let’s make it faster than Photoshop! — Kickstarter

Krita is the free and open source digital painting program used by artists all over the world. Help make Krita even faster and better!

— PICKS —

Runs Linux

Ubuntu Powered Drone

It seems world is slowly and steadily moving towards Linux powered devices. After Linux was used to power destroyers for US Navy, now Erle Robotics has used Ubuntu to power a drone.
Erle Robotics, a Spanish company, has been at the forefront of using Linux in devices and had introduced the Erle-Copter drone powered by Ubuntu Snappy Core back in February 2015, has launched the world’s first Ubuntu powered Drone on 3rd May.

Desktop App Pick

Fort Password Manager

Fort allows you to store passwords and other sensitive information. Today it’s important not to use the same password on multiple places. Passwords should also be more than 8 characters long and contain mixed case letters, numbers and special characters. Of course it’s impossible to remember such passwords. That’s where Fort comes in. All you have to do is to remember one password, the Fort master key. Fort will remember rest of your passwords.

• QtPass by IJHack

Weekly Spotlight

Centos 7 on the Desktop

https://slexy.org/view/s21VYbhCQh

Last night I started a challenge. A good friend of mine said to me “I doubt you could use CentOS 7 on your desktop for a month.” After thinking about it, I realised I probably could. So I accepted his challenge. Mind you this was at 10:30 at night. Maybe tiredness played a role in my decision, but I am going to document my experience with CentOS 7 on my desktop for the next month.

Jupiter Broadcasting Meetup

Our Past Picks

These are the weekly picks provided by the Jupiter Broadcasting podcast, the Linux Action Show.

This site includes a separate picks lists for the “Runs Linux”, Desktop Apps, Spotlight Picks, Android Picks, and Distro Picks.

— NEWS —

CryEngine to Support Linux

Let’s talk about the pengui… elephant in the room If you read the above paragraph, it might not come as a major surprise to you, but we are proud to announce that we will add an Open GL implementation and support for running your EaaS games on Linux with one of our next updates. For now, Linux support will be limited to the game launcher, and the Sandbox editor will still require Microsoft Windows. And of course, Linux support will be subject to the same developer-friendly terms as on Windows: Your monthly subscription fee will allow you to sell your games for Linux in addition to Windows, with no additional fees or royalties required.

A massive change for Ubuntu package management is on the horizon

Snappy Personal is slotted to take the place of Desktop Next. If you’ve been following Ubuntu, you know that Next is the iteration of Ubuntu that will feature Unity 8 and Mir, which will power desktops, phones, and tablets. Snappy Personal will be the desktop image that will install Ubuntu 15.10 (if it arrives in time for that release) that’s built with said Unity 8 and Mir.

• An important notice for Desktop Next users Edit: This is referring to the…

Ubuntu Plans for Python 3 by Default

Within the Ubuntu world, by Ubuntu 16.04 LTS next April they want Python 3 by default and potentially to only have Python 3.5. In upstream Debian for their 9.0 Stretch release they are also hoping for no Python2 by default, albeit the Stretch release is much further out.

Orange Launches First Firefox OS Smartphones in Africa

We are happy to share that the first Firefox OS smartphones went on sale in Senegal and Madagascar this week. This follows an announcement from Mozilla and Orange at Mobile World Congress 2015 that Firefox OS smartphones would be available in markets across Africa and the Middle East later this year.

CHIP – The World’s First Nine Dollar Computer by Next Thing Co. — Kickstarter

C.H.I.P. is a computer. It’s tiny and easy to use.

C.H.I.P. does computer things. Work in LibreOffice and save your documents to C.H.I.P.’s onboard storage. Surf the web and check your email over wifi. Play games with a bluetooth controller. With dozens of applications and tools preinstalled, C.H.I.P. is ready to do computer things the moment you power it on.

C.H.I.P. is a computer for students, teachers, grandparents, children, artists, makers, hackers, and inventors. Everyone really. C.H.I.P. is a great way to add a computer to your life and the perfect way to power your computer based projects.

• The CHIP Is A $9 Computer That Can Almost Do It All | TechCrunch

Star Trek Comes To Linux, Star Trek 25th Anniversary & Star Trek Judgement Rites On GOG

GOG have now added two classic Star Trek games to their collection with Star Trek 25th Anniversary and Star Trek Judgement Rites.

— FEEDBACK —

https://slexy.org/view/s21arPPLb8

https://slexy.org/view/s2chw0Y94r

https://slexy.org/view/s21HnD5eRw

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Krita Developer Interview | LAS 364 first appeared on Jupiter Broadcasting.

We’ve got the details on a critical flaw in the chip and pin credit card system. The future of secure hashing, doing proper backups with rsync, and how squirrels and sharks take down the Internet.

Plus a big batch of your questions, and our answers.

All that and more, on this week’s TechSNAP

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: