Chromecast – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 24 Nov 2021 12:17:31 +0000

The Lessons of Jellyfin | LINUX Unplugged 433 https://original.jupiterbroadcasting.net/146797/the-lessons-of-jellyfin-linux-unplugged-433/ Tue, 23 Nov 2021 19:30:00 +0000 https://original.jupiterbroadcasting.net/?p=146797 Show Notes: linuxunplugged.com/433

The post The Lessons of Jellyfin | LINUX Unplugged 433 first appeared on Jupiter Broadcasting.

Favorite Linux Tweaks | LINUX Unplugged 379 https://original.jupiterbroadcasting.net/143352/favorite-linux-tweaks-linux-unplugged-379/ Tue, 10 Nov 2020 12:00:00 +0000 https://original.jupiterbroadcasting.net/?p=143352 Show Notes: linuxunplugged.com/379

The post Favorite Linux Tweaks | LINUX Unplugged 379 first appeared on Jupiter Broadcasting.

Return of the Terminal Server | LINUX Unplugged 363 https://original.jupiterbroadcasting.net/142227/return-of-the-terminal-server-linux-unplugged-363/ Tue, 21 Jul 2020 22:00:00 +0000 https://original.jupiterbroadcasting.net/?p=142227 Show Notes: linuxunplugged.com/363

The post Return of the Terminal Server | LINUX Unplugged 363 first appeared on Jupiter Broadcasting.

Linux Action News 109 https://original.jupiterbroadcasting.net/131876/linux-action-news-109/ Sun, 09 Jun 2019 19:05:08 +0000 https://original.jupiterbroadcasting.net/?p=131876 Show Notes: linuxactionnews.com/109

The post Linux Action News 109 first appeared on Jupiter Broadcasting.

Ell is for Linux | LINUX Unplugged 286 https://original.jupiterbroadcasting.net/129101/ell-is-for-linux-linux-unplugged-286/ Wed, 30 Jan 2019 06:20:05 +0000 https://original.jupiterbroadcasting.net/?p=129101 Show Notes/Links: linuxunplugged.com/286

The post Ell is for Linux | LINUX Unplugged 286 first appeared on Jupiter Broadcasting.

Collateral User Damage | CR 286 https://original.jupiterbroadcasting.net/120522/collateral-user-damage-cr-286/ Fri, 08 Dec 2017 17:04:29 +0000 https://original.jupiterbroadcasting.net/?p=120522 RSS Feeds: MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video Become a supporter on Patreon: — Show Notes: — Feedback Last Week hit Close to Home for afixia-web I’ve had so many so close to great workflows in windows and linux. But at the end of the day, a […]

The post Collateral User Damage | CR 286 first appeared on Jupiter Broadcasting.

— Show Notes: —

Feedback

Last Week hit Close to Home for afixia-web

I’ve had so many so close to great workflows in Windows and Linux. But at the end of the day, a maxed out MacBook Pro can run 4 monitors, sign iOS apps, compile Android and Mac apps, and run some of the most intuitive workflow processes I’ve ever seen (Alfred workflows and Homebrew alone????).

Love the struggle though, but too close to home.

IndyTechTrekkie is all in on Win10

Also, if you’re a Qt fan, there are some awesome PowerShell scripts that make the static build far less painful to set up. I haven’t booted up my MacBook in a couple of months.

Help with the Roku App · Slexy.org Pastebin

I heard you mention this on Coder Radio. I’m sorry Chris I didn’t realise that you needed help with your Roku channel.

Hoopla

Here’s How Unicorns Trick You Into Thinking They’re Real – Bloomberg

The study looked at 116 unicorns founded after 1994, with average valuations of $2.7 billion. Researchers found that 11 percent of companies, including HomeAway and SolarCity, used preferential stock to boost their valuations to more than twice what they would be worth using the study’s fair value estimates.

Google pulls YouTube from Amazon TV boxes amid bitter feud

Google has taken a swipe at Amazon by pulling its hugely popular YouTube service from Amazon’s Echo and Fire streaming devices.

But as a software developer, I am deeply ambivalent about an Apple dominated future. Apple isn’t shy about cultivating the experience around their new iOS products and the App Store.

Pick of the Week

Submitted by Khaotic_Kernel in the subreddit

Theia is a cloud & desktop IDE framework implemented in TypeScript.

Theia is an extensible platform to develop full-fledged multi-language Cloud & Desktop IDE-like products with state-of-the-art web technologies.

Unix Security Trifecta | TechSNAP 292 https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/ Thu, 10 Nov 2016 08:48:15 +0000 https://original.jupiterbroadcasting.net/?p=104601 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Unix Trifecta — Patch Your Shit This week saw the trifecta, critical vulnerabilities in 3 of the most important and widely used server applications CVE-2016-8610 […]

The post Unix Security Trifecta | TechSNAP 292 first appeared on Jupiter Broadcasting.

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in 3 of the most important and widely used server applications
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within an SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – Bind: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition to its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake procedure, the client and server exchange the supported encryption, MAC and compression algorithms along with other information to negotiate algorithms for initial key exchange, with a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now; make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But, there are some shortcomings to that type of password manager
    • How do I synchronize this file on all my devices?
    • How do I access a password on my parents’ computer without installing my password manager?
    • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
  • There are some issues though.
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
    • Some sites obviously do not hash passwords correctly, and do not allow some characters
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these: you specify a “password profile” that records the complexity settings needed to generate a valid password for each site
  • To handle password changes, there is also a counter that starts at 1; you increment it to get a different password.
  • Of course now, you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
  • So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy concerns, and security concerns here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as, or different from, your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that when you stick sudo in front of it it works), does raise some other concerns
  • This leaves a few problems:
    • You can never change your master password, as it will effectively change all of your passwords
    • It is still technically possible for someone to brute force your master password. Each attempt requires a full PBKDF2 run, but 8192 rounds take only a small fraction of a second, and the work parallelizes quite well. If someone does compromise your master password (via brute force, a keylogger, or whatever), they have access to all of your passwords. Worse, they also have access to your ‘new’ passwords: changing a password just changes the ‘count’ parameter, so I could generate your next 10 Gmail passwords and keep them for later.
    • The key-derivation seems weak, 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key-derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, so you can change the default for new sites in the future, and increase the strength of the password for one site by changing the password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or ActiveDirectory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self host, but, I don’t think I’ll be switching to it.
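
The trade-offs listed above can be reproduced with a simplified model of a stateless generator. This is an added example, not LessPass's code or its actual algorithm: the salt layout, the character set and every function name are assumptions, and only the use of PBKDF2, the 8192 round count and the counter come from the notes.

```python
import hashlib
import string
import time

ROUNDS = 8192  # round count quoted in the notes above
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"  # assumed profile


def derive(master, site, login, counter=1, rounds=ROUNDS, length=16):
    """Stateless password: the same inputs always give the same output.

    Assumed construction: PBKDF2-HMAC-SHA256 keyed by the master password,
    salted with site, login and counter. Not LessPass's real layout.
    """
    salt = "\x00".join([site, login, str(counter)]).encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, rounds,
                              dklen=length * 2)
    # Two bytes per output character keeps modulo bias small
    # (a simplification; rejection sampling would remove it entirely).
    return "".join(
        ALPHABET[int.from_bytes(raw[i:i + 2], "big") % len(ALPHABET)]
        for i in range(0, length * 2, 2)
    )


def future_passwords(master, site, login, start, n):
    """Rotation only bumps the counter, so every later password is
    computable by anyone who holds the master password."""
    return [derive(master, site, login, counter=c)
            for c in range(start, start + n)]


def seconds_per_guess(rounds, samples=5):
    """Cost of one offline guess at the master password on this machine."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive(f"guess-{i}", "example.com", "alice", rounds=rounds)
    return (time.perf_counter() - t0) / samples


def rounds_for_target(target_seconds, probe_rounds=20_000):
    """Calibrate rounds to a time budget, as the notes describe for GELI."""
    per_round = seconds_per_guess(probe_rounds, samples=3) / probe_rounds
    return max(1, int(target_seconds / per_round))


if __name__ == "__main__":
    # Constructed sample inputs.
    master, site, login = "correct horse battery staple", "example.com", "alice"
    print("counter=1:", derive(master, site, login))
    print("counter=2:", derive(master, site, login, counter=2))
    print("next 10 after a rotation:",
          future_passwords(master, site, login, 2, 10))
    # Raising the round count silently changes every derived password.
    print("100000 rounds:", derive(master, site, login, rounds=100_000))
    print(f"{ROUNDS} rounds: {seconds_per_guess(ROUNDS) * 1000:.2f} ms per guess")
    print("rounds for ~0.1 s here:", rounds_for_target(0.1))
```

Storing the round count per site, as the notes suggest, would let the default rise for new sites without invalidating existing passwords.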

A very valuable vulnerability

  • It all started with a Facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • “The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:”
    1. Pay for something using bitcoin.
    2. Wait until the price of bitcoin drops.
    3. Send more bitcoins to the address used for the initial payment.
    4. Ask for a refund of the excess bitcoin.
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, that was only found because someone accidentally did the wrong thing
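
The rate-handling flaw described above, as a toy model with the flawed crediting logic beside a corrected one. This is an added example and not Stripe's code: the `Receiver` structure, the function names and the two exchange rates are constructed for illustration, and only the 10-minute window and the refund-by-value rule come from the quoted post.

```python
from dataclasses import dataclass
from decimal import Decimal

WINDOW_SECONDS = 600  # the 10-minute rate guarantee described above


@dataclass
class Receiver:
    """Hypothetical 'bitcoin receiver' priced in USD."""
    usd_requested: Decimal
    locked_rate: Decimal              # USD per BTC quoted at creation
    created_at: int                   # seconds
    credited_usd: Decimal = Decimal("0")
    rate_locked: bool = False

    @property
    def btc_quoted(self):
        return self.usd_requested / self.locked_rate


def credit_buggy(r, btc, now, market_rate):
    """Flawed behaviour as described: once the receiver is filled in
    time, the quoted rate sticks to the address permanently."""
    in_window = now - r.created_at <= WINDOW_SECONDS
    if in_window and btc >= r.btc_quoted:
        r.rate_locked = True          # never cleared: this is the defect
    rate = r.locked_rate if r.rate_locked else market_rate
    usd = btc * rate
    r.credited_usd += usd
    return usd


def credit_fixed(r, btc, now, market_rate):
    """Corrected rule: the quoted rate covers only the outstanding quoted
    amount, and only inside the window; everything else is converted at
    the market rate at the time the coins arrive."""
    in_window = now - r.created_at <= WINDOW_SECONDS
    outstanding = max(Decimal("0"),
                      (r.usd_requested - r.credited_usd) / r.locked_rate)
    at_quote = min(btc, outstanding) if in_window else Decimal("0")
    usd = at_quote * r.locked_rate + (btc - at_quote) * market_rate
    r.credited_usd += usd
    return usd


def refund_btc(usd, market_rate):
    """Refunds return the same USD value at the current rate."""
    return usd / market_rate


def refund_after_late_deposit(credit, rate_then, rate_now, extra_btc):
    """Pay in time, deposit more after the rate has moved, refund the excess.
    Returns the BTC refunded for the late deposit."""
    r = Receiver(Decimal("100"), rate_then, created_at=0)
    credit(r, r.btc_quoted, now=60, market_rate=rate_then)
    excess_usd = credit(r, extra_btc, now=30 * 86400, market_rate=rate_now)
    return refund_btc(excess_usd, rate_now)


if __name__ == "__main__":
    then, now = Decimal("650"), Decimal("500")   # constructed rates
    for fn in (credit_buggy, credit_fixed):
        out = refund_after_late_deposit(fn, then, now, Decimal("1"))
        print(f"{fn.__name__}: 1 BTC in, {out} BTC refunded")
```

A regression test for rate-handling code can assert the invariant the corrected version satisfies: coins that arrive outside the window and are refunded at the same market rate come back in the same quantity.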

Your Media Just Got Served | LINUX Unplugged 156 https://original.jupiterbroadcasting.net/101616/your-media-just-got-served-lup-156/ Tue, 02 Aug 2016 20:26:40 +0000 https://original.jupiterbroadcasting.net/?p=101616 Take advantage of the Chromecast without Google, extend Kodi with awesome new backends & cast media around your network with free Linux tools. Our panel covers great tips to fully trick out your Linux media setup. Plus our thoughts on the FCC forcing TP-Link to support open source firmwares, reverse tethering for Android, a quick […]

The post Your Media Just Got Served | LINUX Unplugged 156 first appeared on Jupiter Broadcasting.


Take advantage of the Chromecast without Google, extend Kodi with awesome new backends & cast media around your network with free Linux tools. Our panel covers great tips to fully trick out your Linux media setup.

Plus our thoughts on the FCC forcing TP-Link to support open source firmwares, reverse tethering for Android, a quick look at Mint 18 XFCE edition & a lot more!

Show Notes:

Pre-Show

Follow Up / Catch Up

Bring Linux apps to the Mac Desktop with Docker

Here are a few reasons why you may want to use Docker to run Linux applications on macOS:

FCC forces TP-Link to support open source firmware on routers

TP-Link agreed to pay a $200,000 fine, comply with the rules going forward, and to let customers install open source firmware on routers.

SimpleRT: Simple Reverse Tethering for Android

Reverse Tethering utility for Android.

Allows you to share your computer’s internet connection with your Android device via a USB cable.

Development is still in progress, bugs and errors can occur.

No root, no adb required!

Linux & OSX are supported! Windows is not, and unlikely to be in the future (ok, maybe in some day).


Win an Ubuntu Linux laptop in the System76 ‘Pop Quiz’ giveaway

System76 is giving away one of its most popular Linux-based laptops — the Lemur.

Linux Mint 18 “Sarah” Xfce released!

Linux Mint 18 is a long term support release which will be supported until 2021. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.

GNOME Maps Is Back On Track Thanks to Mapbox

“With this [3.20.4] release we switch from using the MapQuest open API for fetching tiles. And instead we start using Mapbox API. Using an community API key from Mapbox,” writes Maps dev Jonas Danielsson in the change-log to accompany the release.

Chromecast Without Google

Pichai revealed that the company has shipped 30 million Chromecast units since the release of the device back in 2013.

Videostream for Google Chromecast™ – Chrome Web Store

Play your own local videos on your Chromecast or Android TV directly from your computer (PC, Mac, Linux) – Subtitles supported!

castnow: commandline chromecast player

castnow is a command-line utility that can be used to play back media files on your Chromecast device. It supports playback of local video files, videos on the web and torrents.

You can also re-attach a running playback session (this sentence should belong somewhere else).

Stream Videos To Chromecast From The Command Line Using Stream2Chromecast ~ Web Upd8: Ubuntu / Linux blog

Stream2Chromecast is a command line Chromecast media streamer for Linux. The tool can transcode unsupported formats in real time and play them on the Chromecast.

Stream2Chromecast features:

  • cast audio and video to a Chromecast device;
  • can transcode any formats not supported by the Chromecast in real time (using FFmpeg or Libav), so you don’t have to convert any video manually;
  • provides basic control commands: pause / unpause / stop playback (currently this only works when not transcoding), set or mute volume;
  • allows specifying a device when multiple Chromecasts are connected on the same network;
  • supports passing custom transcoder parameters to ffmpeg or avconv (thanks to this, you can set the quality, add subtitles even though Stream2Chromecast doesn’t directly support it, etc.);
  • supports specifying the port to use for streaming media.

  • GitHub – Pat-Carter/stream2chromecast: Chromecast media streamer for Linux

dlnacast: Cast local media to your TV through UPnP/DLNA

Cast local media to your TV through UPnP/DLNA.
Based on thibauts node-upnp-mediarenderer-client.

Kast for Kodi

A bash script tool for casting media to the Kodi entertainment center using a Linux desktop/laptop.

  • https://github.com/MichaelTunnell/Kast

Making Kodi Great Again

Naming video files/TV shows

Kodi requires each TV show to be in its own folder, and for each file to contain a pattern from which Kodi can determine the season and episode number (e.g. “S01E01”).

tinyMediaManager is a full featured media manager to organize and clean up your media library.

Flirc: Use any remote with your media center

Backend Options

PlexKodiConnect: let Kodi talk to your Plex — Plex Forums

PKC synchronizes your media from your Plex server to the native Kodi database. Because PKC uses the native Kodi database, the above limitations are gone!

  • You can browse your media full speed, images are cached
  • All other Kodi addons will be able to “see” your media, thinking it’s normal Kodi stuff
  • Use any Kodi skin you want!

  • PlexKodiConnect: Plex add-on for Kodi

PKC combines the best of Kodi – ultra smooth navigation, beautiful and highly customizable user interfaces and playback of any file under the sun, and the Plex Media Server to manage all your media without lifting a finger.

Have a look at some screenshots to see what’s possible.

What is currently supported?

PKC currently provides the following features:

  • All Plex library types
    • Movies and Home Videos
    • TV Shows
    • Music
    • Pictures and Photos
  • Different PKC interface languages:
    • English
    • German
    • More coming up
  • Plex Watch Later / Plex It!
  • Plex Companion: fling Plex media (or anything else) from other Plex devices to PlexKodiConnect
  • Plex Transcoding
  • Automatically download more artwork from Fanart.tv, just like the Kodi addon Artwork Downloader
    • Banners
    • Disc art
    • Clear logos
    • Landscapes
    • Clear art
    • Extra fanart backgrounds
  • Automatically group movies into movie sets
  • Direct play from network paths (e.g. “\\server\Plex\movie.mkv”) instead of streaming from slow HTTP (e.g. “192.168.1.1:32400”). You have to set up all your Plex libraries to point to such network paths. Do have a look at the wiki here

Add-on:Emby for Kodi – Official Kodi Wiki

Emby is a media management server that allows you to synchronize media libraries, watched status, and watch progress between compatible devices. Emby for Kodi allows Kodi to use an Emby as a media management backend. This add-on effectively replaces the Kodi built-in media database with Emby. Currently supported media includes Movies, TV Episodes, & Music.

A quick intro video from one of the devs: https://youtu.be/IaecDPcXI3I?t=119

Post-Show: What if Apple is intentionally slowing down the Mac platform, to spur iPad adoption?

You think you know what a computer is, but then you see this one. Meet iPad Pro.

Google Gets Pushy | TTT 254 https://original.jupiterbroadcasting.net/101591/google-gets-pushy-ttt-254/ Mon, 01 Aug 2016 16:32:54 +0000 https://original.jupiterbroadcasting.net/?p=101591 A lot is happening in the world of Google this week & some of the new changes are big improvements for its users. Plus the new MacBook killer by Xiaomi that might really be killer & Washington State is suing Comcast. Plus a really neat Kickstarter of the week, local streaming to a Chromecast & […]

The post Google Gets Pushy | TTT 254 first appeared on Jupiter Broadcasting.


A lot is happening in the world of Google this week & some of the new changes are big improvements for its users. Plus the new MacBook killer by Xiaomi that might really be killer & Washington State is suing Comcast.

Plus a really neat Kickstarter of the week, local streaming to a Chromecast & more!

Dislike the Like Button | TTT 213 https://original.jupiterbroadcasting.net/87891/dislike-the-like-button-ttt-213/ Fri, 18 Sep 2015 11:28:07 +0000 https://original.jupiterbroadcasting.net/?p=87891 A Google leak suggests a new Chromecast & two new Nexus devices are just around the corner. Facebook is turning up the tracking & the big statement Microsoft is making with their $75 million donation. Plus an illuminating Kickstarter of the week! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]

The post Dislike the Like Button | TTT 213 first appeared on Jupiter Broadcasting.


A Google leak suggests a new Chromecast & two new Nexus devices are just around the corner. Facebook is turning up the tracking & the big statement Microsoft is making with their $75 million donation.

Plus an illuminating Kickstarter of the week!

Project Zero Goes To War | TechSNAP 177 https://original.jupiterbroadcasting.net/65572/project-zero-goes-to-war-techsnap-177/ Thu, 28 Aug 2014 19:01:59 +0000 https://original.jupiterbroadcasting.net/?p=65572 Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, we get real about virtualization. And then it’s a great batch of your questions, our answers & much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio […]

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.


Pre-crime is here, with technology that lets you predict a hack before it happens. We’ll tell you how. Google’s Project Zero goes to war, we get real about virtualization.

And then it’s a great batch of your questions, our answers & much more!

— Show Notes: —

Predicting which sites will get hacked, before it happens

  • Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
  • Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
  • “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
  • “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
  • The tool looks at the server software; outdated versions of Apache and PHP can be good indicators of future vulnerabilities
  • It also looks at how the website is laid out, how often it is updated, and what applications it runs (outdated WordPress is a good hacking target)
  • It also compares the sites to sites that have been compromised. If a site is very like another, and that other was compromised, there is an increased probability that the first site will also be compromised
  • The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
  • The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
  • Research PDF from USENIX
  • There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

  • Well over a month ago Google’s Project Zero reported a bug in glibc; however, there was much skepticism about the exploitability of the bug, so it was not fixed
  • However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32-bit OSs
  • The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
  • The blog post also details an interesting (accidental) mitigation found in Ubuntu, which caused the researchers to target Fedora to more easily develop the exploit
  • The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running system("/bin/bash") started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had set up to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
  • The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
  • “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
  • “The exploit would have been complicated significantly if the malloc main linked listed hardening was also applied to the secondary linked list for large chunks”
  • The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

  • The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
  • Advisory
  • “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
  • “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected“
  • “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
  • “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
  • “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor.”
  • “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
  • US-CERT Advisory
  • Krebs reports that Dairy Queen may also be a victim of this attack
  • “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”


The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.

]]>
Nintendo is back at #E32014! | Tech Talk Today 7 https://original.jupiterbroadcasting.net/59662/nintendo-is-back-at-e32014-tech-talk-today-7/ Wed, 11 Jun 2014 09:24:21 +0000 https://original.jupiterbroadcasting.net/?p=59662 Google buys a satellite company and we round up the latest from this week’s 2014 E3 conference. Then we cover Comcast’s plans to turn your wifi on for the public, the first Google watch is near and more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post Nintendo is back at #E32014! | Tech Talk Today 7 first appeared on Jupiter Broadcasting.

]]>


Google buys a satellite company and we round up the latest from this week’s 2014 E3 conference.

Then we cover Comcast’s plans to turn your wifi on for the public, the first Google watch is near and more!


Show Notes:

Headlines

Google Pays $500M for Satellite Maker Skybox, for Photos and Eventually Internet

Google said on Tuesday it had bought Skybox Imaging, a company that provides high-resolution photos using satellites, for $500 million in cash.

Google explained the deal as such: “Their satellites will help keep our maps accurate with up-to-date imagery. Over time, we also hope that Skybox’s team and technology will be able to help improve Internet access and disaster relief — areas Google has long been interested in.”

Sonic the Hedgehog speeding onto movie screens

The film, produced in collaboration between Sony, 22 Jump Street Producer Neal Moritz, and Japanese company Marza Animation Planet, will combine live action and computer animation to tell Sonic’s story.

— Games —

The new Doom from id Software and Bethesda Softworks is coming to QuakeCon 2014, but here’s the first teaser trailer.

During our hands-on time with the title, we played with a friend in a level set among the clouds. These two Yoshis had to find ways to climb blocks, bridge gaps between floating platforms and take out angry Piranha Plants together. Towards the beginning of the level, we encountered a Paratroopa that we had to knock out of the sky with one of many baby chick-creatures in order to steal its shell.

During its E3 presentation Nintendo just announced one of the most compelling reasons yet to pick up a Wii U. Mario Maker is essentially a Mario Bros. game construction set for the Wii U, letting users build their own levels — either in the classic Super Mario Bros. style, or using the visual elements from New Super Mario Bros. U — and then play them.

Comcast is turning your Xfinity router into a public Wi-Fi hotspot

Some time on Tuesday afternoon, about 50,000 Comcast Internet customers in Houston will become part of a massive public Wi-Fi hotspot network, a number that will swell to 150,000 by the end of June.

Exclusive: LG G Watch will be given away at Google I/O 2014

Although we don’t have all the details, sources directly familiar with the situation tell us that the Moto 360 will be shown off at the event. As for the LG G Watch? As expected, the device is essentially a reference device for Android Wear and will not only be shown off at Google I/O, it will be given away to all those that attend Google I/O 2014 this year!
Reportedly there will also be at least one other manufacturer that will

VLC Adding Chromecast Support to Android, iOS and Desktop Apps

Expedia Starts Accepting Bitcoin for Hotel Bookings

Expedia, the big online travel site, announced on Wednesday it will begin accepting bitcoin for hotel bookings through its website, becoming the first major travel-agency to take the digital currency. If the reception is good, the company said it expects to bring bitcoin to its other service lines as well.


The post Nintendo is back at #E32014! | Tech Talk Today 7 first appeared on Jupiter Broadcasting.

]]>