CISA – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Linux Action News 220
https://original.jupiterbroadcasting.net/147027/linux-action-news-220/
Sun, 19 Dec 2021 19:00:00 +0000

Show Notes: linuxactionnews.com/220

Instahacked & Jailbroken | TTT 227
https://original.jupiterbroadcasting.net/91706/instahacked-jailbroken-ttt-227/
Fri, 18 Dec 2015 12:05:01 +0000


Facebook pushes back that it’s been hacked, the PS4 has been jailbroken & Congress snuck a surveillance bill into the federal budget last night.

Plus the FCC wants to talk to T-Mobile and AT&T about their sponsored data plans & our Kickstarter of the week!


Show Notes:

— Episode Links —

Kickstarter of the Week:

Fleye is a whole new kind of drone. Safe, fun and autonomous. Invent the future of flying robots thanks to its open API and SDK.

PLAID Falls Out of Fashion | TechSNAP 239
https://original.jupiterbroadcasting.net/90076/plaid-falls-out-of-fashion-techsnap-239/
Thu, 05 Nov 2015 07:53:43 +0000


CISA provides no solutions, just new excuses. The new Australian smartcard system is a total disaster & why Google’s URLs are so crazy.

Plus some great questions, our answers, a rockin’ round up & much, much more!


— Show Notes: —

CISA: “Cybersecurity Information (Over)Sharing Act”

  • On Tuesday afternoon, the Senate voted 74 to 21 to pass a version of CISA that roughly mirrors legislation passed in the House earlier this year, paving the way for some combined version of the security bill to become law.
  • CISA is designed to stem the rising tide of corporate data breaches by allowing companies to share cybersecurity threat data with the Department of Homeland Security, who could then pass it on to other agencies like the FBI and NSA.
  • But privacy advocates and civil liberties groups see CISA as a free pass that allows companies to monitor users and share their information with the government without a warrant, while offering a backdoor that circumvents any laws that might protect users’ privacy.
  • The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.”
  • Critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.
  • CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”
  • On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer.
  • If only there were an easier way, we are told, for companies to share so-called “indicators of compromise”
  • In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data.
  • How Krebs sees it: the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation.
  • The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.
  • Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”
  • CISA Security Bill Passes Senate With Privacy Flaws Unfixed
  • Additional Coverage: ThreatPost

Australian PLAID Crypto, ISO Conspiracies, and German Tanks

  • PLAID (Protocol for Lightweight Authentication of ID), the Australian ‘unbreakable’ smart card identification protocol has been recently analyzed in this scientific paper
  • Technically, the protocol is a disaster. In addition to many questionable design choices, we found ways for tracing user identities and recovering card access capabilities. The attacks are efficient (few seconds on ‘home’ hardware in some cases), and involve funny techniques such as RSA moduli fingerprinting and… German tanks. See this entry on Matt Green’s crypto blog for a pleasant-to-read explanation.
  • PDF: Unpicking PLAID: A Cryptographic Analysis of an ISO-standards-track Authentication Protocol
  • “when a reader queries the card, the reader initially transmits a set of capabilities that it will support (e.g., ‘hospital’, ‘bank’, ‘social security center’). If the PLAID card has been provisioned with a matching public key, it goes ahead and uses it. If no matching key is found, however, the card does not send an error — since this would reveal user-specific information. Instead, it fakes a response by encrypting junk under a special ‘dummy’ RSA public key (called a ‘shill key’) that’s stored within the card. And herein lies the problem.”
  • “You see, the ‘shill key’ is unique to each card, which presents a completely new avenue for tracking individual cards. If an attacker can induce an error and subsequently fingerprint the resulting RSA ciphertext — that is, figure out which shill key was used to encipher it — they can potentially identify your card the next time they encounter you.”
  • “To distinguish the RSA moduli of two different cards, the researchers employed an old solution to a problem called the German Tank Problem. As the name implies, this is a real statistical problem that the allies ran up against during WWII. The problem can be described as follows: Imagine that a factory is producing tanks, where each tank is printed with a sequential serial number in the ordered sequence 1, 2, …, N. Through battlefield captures you then obtain a small and (presumably) random subset of k tanks. From the recovered serial numbers, your job is to estimate N, the total number of tanks produced by the factory.”
  • But the story behind PLAID’s standardization is possibly even more disturbing. PLAID was pushed into ISO with a so-called “fast track” procedure. Technical loopholes made it possible to cut off from any discussion the ISO groups responsible for crypto and security analysis. Concerns from tech-savvy experts in the other national panels were dismissed or ignored.
  • The author of the post contacted ISO and CERT Australia before going public with our paper, but all we got was a questionable and somewhat irate response (PDF) by PLAID’s project editor (our reply here). Despite every possible evidence of bad design, PLAID is now approved as ISO standard, and is coming to you very soon inside security products which will advertise non-existing privacy capabilities.
  • The detailed story of PLAID in the paper is worth a read, and casts many doubts on the efficacy of the most important standardizing body in the world. It is interesting to see how a “cryptography” product can be approved at ISO without undergoing any real security scrutiny.
  • A Few Thoughts on Cryptographic Engineering: Attack of the Week: Unpicking PLAID
  • Bruce Schneier: Amateurs Produce Amateur Cryptography
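
The fingerprinting idea quoted above, as an added simulation that is not code from the paper, the blog post or the show: ciphertexts produced under a card's shill key are always smaller than that key's modulus, so the largest value observed plays the role of the highest captured serial number. The two moduli are constructed stand-ins (not real RSA keys), and the function names and the uniform-ciphertext model are assumptions of this example.

```python
import random

# Constructed stand-ins for two cards' 1024-bit shill-key moduli.
# They are not real RSA moduli; only their size relative to 2**1024 matters.
CARD_MODULI = {
    "card_A": (1 << 1023) + (1 << 1021),  # 0.625 * 2**1024
    "card_B": (1 << 1023) + (3 << 1021),  # 0.875 * 2**1024
}


def german_tank_estimate(samples):
    """Estimate N from k values drawn from 1..N as m + m/k - 1 (m = largest).

    Integer division keeps the arithmetic exact for 1024-bit values, which
    would overflow a float.
    """
    k = len(samples)
    if k == 0:
        raise ValueError("need at least one sample")
    m = max(samples)
    return m + m // k - 1


def simulate_error_responses(modulus, count, rng):
    """Model one card's junk ciphertexts as uniform integers in [1, modulus).

    Assumption of this example: RSA ciphertexts of random junk are spread
    evenly below the modulus, which is what makes the estimator applicable.
    """
    return [rng.randrange(1, modulus) for _ in range(count)]


def relative_error_percent(estimate, truth):
    """Absolute error of the estimate as a percentage of the true value."""
    return abs(estimate - truth) * 100 / truth


def closest_profile(estimate, profiles):
    """Return the label whose stored modulus estimate is nearest to `estimate`."""
    return min(profiles, key=lambda label: abs(profiles[label] - estimate))


def run_simulation(samples_per_card=500, seed=2015):
    """Profile both simulated cards, then attribute a fresh batch from card_B."""
    rng = random.Random(seed)
    profiles = {
        label: german_tank_estimate(
            simulate_error_responses(modulus, samples_per_card, rng)
        )
        for label, modulus in CARD_MODULI.items()
    }
    # A later, independent batch of error responses from card_B.
    fresh = simulate_error_responses(CARD_MODULI["card_B"], samples_per_card, rng)
    match = closest_profile(german_tank_estimate(fresh), profiles)
    return profiles, match


if __name__ == "__main__":
    profiles, match = run_simulation()
    for label, estimate in profiles.items():
        err = relative_error_percent(estimate, CARD_MODULI[label])
        print(f"{label}: estimate differs from the true modulus by {err:.3f}%")
    print("fresh error responses attributed to:", match)
```

The simulation makes the design flaw concrete: a failure response that depends on a per-card value is a stable identifier, so the error path has to be statistically indistinguishable across cards for the privacy claim to hold.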

Unguessable URLs for security and privacy

  • This post on Bruce Schneier’s blog talks about how Google uses unguessable URLs to protect the photos you post
  • Additional Coverage — The Verge: Google secures photos using public but unguessable URLs
  • If you look at some of your private photos in “Google Photos”, you can right click on a photo, and copy the source URL
  • That is a public URL that anyone can access if you share it
  • The photos are available to anyone who types in the right string of characters
  • The key is that the string of characters is very long
  • “So why is that public URL more secure than it looks? The short answer is that the URL is working as a password. Photos URLs are typically around 40 characters long, so if you wanted to scan all the possible combinations, you’d have to work through 10^70 different combinations to get the right one, a problem on an astronomical scale.”
  • “There are enough combinations that it’s considered unguessable. It’s much harder to guess than your password”
  • The same applies to Facebook photos. If I have access to someone else’s photo, but the person I want to share it with does not (even have a Facebook account), I can copy the source URL, rather than the Facebook viewer URL, and share it with them
  • Because traffic to and from Google Photos, and Facebook, is encrypted with HTTPS, someone cannot get the URLs of those photos by sniffing your traffic
  • They could get the data from your browser history, or in other ways if your machine was compromised, but in those cases they’d have access to the photos anyway
  • The only real problem here is that it can be hard to ‘revoke’ access to a photo. If you give this unguessable but public URL to someone, they can share it as much as they want, completely outside of your control
  • Also, because CDNs and caches are used, even if you delete a photo, it might still be accessible by that URL, if someone already knows it
  • Schneier notes: “It’s a perfectly valid security measure, although unsettling to some”

Boots for Syria | Unfilter 164
https://original.jupiterbroadcasting.net/89816/boots-for-syria-unfilter-164/
Wed, 28 Oct 2015 19:15:16 +0000


Defense Secretary Ash Carter declares the US is shifting strategy in Syria & will be sending in troops. We break down the scope of this “shift” & what’s motivating it. A few worthy notes from Hillary’s Benghazi hearing sneak through, we’ve grabbed them & why every hashtag matters, according to the FBI.

Plus a simple explanation of why CISPA is a surveillance bill & our largest drone update ever!

Drone Shipping Wars | TTT 221
https://original.jupiterbroadcasting.net/89751/drone-shipping-wars-ttt-221/
Tue, 27 Oct 2015 11:07:58 +0000


CISA is working its way through the system, we highlight some reasons to be concerned & the role Facebook might be playing. Plus the European Parliament rejects amendments protecting net neutrality & some TalkTalk hack follow up.

Who’s Following ISIS | Unfilter 138
https://original.jupiterbroadcasting.net/79472/whos-following-isis-unfilter-138/
Wed, 25 Mar 2015 21:05:38 +0000


Is the ISIS Cyber Division responsible for a spree of hack attacks across America? We’ll review the smattering of defacements throughout the week linked to ISIS. An Obama administration official leaks Israel’s spying, Iran talks heats up & Ted Cruz lies through his teeth on air.


Show Notes:

CISA Security Bill: An F for Security But an A+ for Spying | WIRED

When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users’ personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks. But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won’t actually boost security. And second, the “information sharing” it describes sounds more than ever like a backchannel for surveillance.

On Tuesday the bill’s authors released the full, updated text of the CISA legislation passed last week, and critics say the changes have done little to assuage their fears about wanton sharing of Americans’ private data. In fact, legal analysts say the changes actually widen the backdoor leading from private firms to intelligence agencies. “It’s a complete failure to strengthen the privacy protections of the bill,” says Robyn Greene, a policy lawyer for the Open Technology Institute, which joined a coalition of dozens of non-profits and cybersecurity experts criticizing the bill in an open letter earlier this month. “None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed.”


“CISA goes far beyond [cybersecurity], and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force,” reads the letter from the coalition opposing CISA. “The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans—including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles.”

Israel Denies Spying on Iran Nuclear Talks – NYTimes.com

Three top Israeli ministers on Tuesday denied a report that their intelligence services had spied on the closed-door negotiations over Iran’s nuclear program, as tensions continued to mount between Washington and Jerusalem.

“There is no such thing as Israel spying on the Americans,” the defense minister, Moshe Yaalon, said at a pre-Passover toast, according to a transcript provided by his office. Mr. Yaalon said he had checked and found no complaint from the United States to Israeli intelligence services about such spying. “There is a strict prohibition on that,” he said.

NSA shared Americans’ private communications with Israel: Snowden

Former U.S. intelligence analyst Edward Snowden has accused the U.S. National Security Agency of routinely passing private, unedited communications of Americans to Israel, an expert on the intelligence agency said Wednesday.

James Bamford, writing in the New York Times, said Snowden told him the intercepts included communications of Arab- and Palestinian-Americans whose relatives in Israel and the Palestinian territories could become targets based on the information.

“It’s one of the biggest abuses we’ve seen,” Bamford quoted Snowden as saying.

Snowden said the material was routinely transferred to Unit 8200, a secretive Israeli intelligence organization.

Bamford cited a memorandum of understanding between the NSA and its Israeli counterpart outlining transfers that have occurred since 2009.

Leaked by Snowden and first reported by the British newspaper the Guardian, it said the material included “unevaluated and unminimized transcripts, gists, facsimiles, telex, voice and Digital Network Intelligence metadata and content.”

The Wall Street Journal’s Adam Entous dropped a huge story Tuesday morning: Israel acquired classified US information while spying on the Iranian nuclear negotiations, and leaked the stolen information about the emerging deal to American lawmakers in an attempt to sabotage the Obama administration’s outreach to Tehran.

US House Votes 348-48 To Arm Ukraine, Russia Warns Lethal Aid Will “Explode The Whole Situation” | Zero Hedge

Yesterday, in a vote that largely slid under the radar, the House of Representatives passed a resolution urging Obama to send lethal aid to Ukraine, providing offensive, not just “defensive” weapons to the Ukraine army – the same insolvent, hyperinflating Ukraine which, with a Caa3/CC credit rating, last week started preparations to issue sovereign debt with a US guarantee, in essence making it a part of the United States (something the US previously did as a favor to Egypt before the Muslim Brotherhood puppet regime was swept from power by the local army).

The resolution passed with broad bipartisan support by a count of 348 to 48.

According to DW, the measure urges Obama to provide Ukraine with “lethal defensive weapon systems” that would better enable Ukraine to defend its territory from “the unprovoked and continuing aggression of the Russian Federation.”

“Policy like this should not be partisan,” said House Democrat Eliot Engel, the lead sponsor of the resolution. “That is why we are rising today as Democrats and Republicans, really as Americans, to say enough is enough in Ukraine.”

Engel, a New York Democrat, has decided that he knows better than Europe what is the best option for Ukraine’s people – a Europe, and especially Germany, which has repeatedly said it rejects a push to give western arms to the Ukraine army, and warned that Russia under President Vladimir Putin has become “a clear threat to half century of American commitment to an investment in a Europe that is whole, free and at peace. A Europe where borders are not changed by force.

This war has left thousands of dead, tens of thousands wounded, a million displaced, and has begun to threaten the post-Cold War stability of Europe,” Engel said.

Odd, perhaps the US state department should have thought of that in a little over a year ago when Victoria Nuland was plotting how to most effectively put her puppet government in charge of Kiev and how to overthrow the lawfully elected president in a US-sponsored coup.

Then again, one glance at the Rep. Engel’s career donors provides some explanation for his tenacity to start another armed conflict and to escalate what he himself defines as a cold war into a warm one.

Cruz’s Wife Heidi to Take Unpaid Leave From Goldman – Bloomberg Business

Heidi Cruz, a managing director at Goldman Sachs Group Inc. in Houston, has taken an unpaid leave from her private wealth-management job to help with her husband’s campaign for the U.S. presidency, a person familiar with the matter said.

Ted Cruz, 44, a Republican senator from Texas, said on Twitter early Monday morning that he plans to run for president in the 2016 election. Heidi Cruz’s leave will last the duration of the campaign, said the person, who asked not to be identified speaking about Cruz’s employment.

Heidi Cruz, 42, a Harvard Business School graduate who worked in President George W. Bush’s administration, joined Goldman Sachs in 2005 and was promoted to managing director, the firm’s second-highest rank, in 2012. She serves as regional head of the Houston office in the private wealth-management unit, which serves individuals and families who have on average more than $40 million with the firm.

Return of CISPA | Tech Talk Today 23
https://original.jupiterbroadcasting.net/61922/return-of-cispa-tech-talk-today-23/
Wed, 09 Jul 2014 09:09:45 +0000


A new cybersecurity bill working its way through the system looks a lot like previous attempts and raises the same privacy concerns; we’ll cover the details.

Plus Samsung gets into VR and the Potato Salad Kickstarter that’s already earned $70k USD.


Show Notes:

Senate Panel Passes Cybersecurity Bill Despite NSA Fears

The Cybersecurity Information Sharing Act, advanced in a 12-3 vote, would make it easier for businesses and the government to share information with each other about cyberattacks. Business groups argue that legal barriers are preventing them from getting the information they need to stop hackers.

But the privacy groups are still worried that the legislation could encourage a company such as Google to turn over vast batches of emails or other private data to the government. The information would go first to the Homeland Security Department, but could then be shared with the NSA or other intelligence agencies.

“Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA,” the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, and dozens of other privacy groups wrote in a letter to senators last month.

Exclusive: Samsung’s virtual reality headset will be called Gear VR, launch at IFA 2014 | SamMobile

A month ago, Engadget exclusively reported on Samsung’s upcoming VR device, which is being developed in collaboration with Facebook’s Oculus VR. Today, we can confirm that Samsung is indeed working on a virtual reality device, and it’s called the “Gear VR”. Samsung will be announcing the device, alongside the Galaxy Note 4, at IFA 2014.

Instead of making a completely standalone virtual reality headset, Samsung has developed a modular design, which allows the user to dock in a Galaxy device into the Gear VR using USB 3.0. Virtual reality effect is achieved through head tracking, and instead of equipping the headset with sensors, Gear VR makes use of the smartphone’s accelerometer, gyroscope and processing power to track head motion.

You might say that this is exactly like Google’s Cardboard VR headset, which was handed out to I/O 14 attendees, and you would be right! The main concept behind Gear VR is the same. However, the Gear VR is much more comfortable to wear, thanks to the elastic head band and soft padded cushions on each side of the device, and Samsung’s implementation is also much better than that of Google’s Cardboard.

The hardware of the device is being developed by Samsung alone, but the software is being developed in cooperation with Oculus VR.

Potato Salad by Zack Danger Brown — Kickstarter

Last week, Zack Brown posted a Kickstarter page titled simply “Potato Salad.”

“I’m making potato salad,” Brown wrote. Then, in case anybody was confused or skeptical or more inclined to support the preparation of a German-style potato salad than a mayo-heavy American version, he clarified: “Basically I’m just making potato salad. I haven’t decided what kind yet.”

His goal: $10.

Manjaro Linux Developers Experience A Mass Exodus
