This week, the FBI says APT6 has pawned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

FBI says APT6 has pwning the government for the last 5 years

• The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
• The official advisory is available on the Open Threat Exchange website
• The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
• In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
• Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.
• “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
• Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is ”likely a nation-state sponsored group based in China,” according to FireEye, which ”has been dormant for the past several years.”
• Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

• After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
• A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
• The investigation centres on a Monaco company called Unaoil.
• Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
• The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
• Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now know as MAN Diesal & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
• The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
• The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
• It is the Monaco company that almost perfected the art of corruption.
• It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
• How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
• Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
• On a semi-related note, another big story for you to go read:
• How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

• No, not that kind of Visa, the other one.
• Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
• This has very important security considerations, as the application process for getting a visa is when most security checks are done
• Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter –- though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
• Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
• After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database –- the government’s so-called “backbone” for vetting travelers to and from the United States –- was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
• As one of the world’s largest biometric databases –- covering almost anyone who has applied for a U.S. passport or visa in the past two decades -– the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
• “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
• Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
• State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
• “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Feedback:

• SSH key protection

• Router Thoughts from Allan

• rmh from the chatroom asks…

Round Up:

• Microsoft Sues Justice Department Over Client Data Gag Orders
• Root cause analysis of a recent Flash zero day
• Exclusive: Canadian Police Obtained BlackBerry’s Global Decryption Key
• After an outage, an Australian mobile provider credited customers with a single day of unlimited data usage. One customer managed to use 994 GB of mobile usage in a single day
• Sophisticated bribe scheme gets game company with access to antivirus whitelist to falsely list malware was trusted
• Microsoft releases optional Windows update to mitigate “mousejacking”, where an attacker can take over your wireless mount and keyboard from up to 100 meters away
• Github commits can now be GPG signed to prove their authenticity
• If you can’t break crypto, break the client. Recovery of plaintext from iMessage
• Renting a movie on your iOS device might free up some space for you
• The Italian Ministry of Economical Progress has revoked “HackingTeam”’s licence to export their Galileo remote control software outside of the EU, must ask special permission for each sale
• Laziness remains the greatest enemy of password security
• The “All Prior Art” project seems to machine generate every possible patent and release it under a creative commons license, so it can never be patented by anyone else. The ultimate reverse patent troll?
• How to identify a vehicle at risk of collisions

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.

Where does TypeScript fit in, and are the many criticisms lobbied at it legitimate? We discuss the state of scripting, and the new dark pragmatism that seems to be setting in.

Plus picking your ideal client, package managers for Windows and Mac, your feedback & more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Feedback / Follow Up:

• Question on Learning OOP

• CR114 pkg managerment Mac

• Chocolatey Gallery

• Finding your ideal client

• Hextris

• Hextris

Dev Hoopla:

Microsoft/TypeScript · GitHub

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

https://www.typescriptlang.org

TypeScript – Wikipedia, the free encyclopedia

TypeScript is a free and open source programming language developed by Microsoft. It is a strict superset of JavaScript, and adds optional static typing and class-based object-oriented programming to the language. Anders Hejlsberg, lead architect of C# and creator of Delphi and Turbo Pascal, has worked on development of TypeScript.[1][2][3][4]

TypeScript is designed for development of large applications and transcompiles to JavaScript.[5] As TypeScript is a superset of JavaScript, any existing JavaScript programs are also valid TypeScript programs.

TypeScript supports header files which can contain type information of existing JavaScript libraries, enabling other programs to use objects defined in the header files as if they were strongly typed TypeScript objects. There are third-party header files for popular libraries like jQuery, MongoDB, Node.js, and D3.js.[6]

Common criticisms of TypeScript

• Why does TypeScript have to be the answer to anything? – Scott Hanselman

TypeScript was announced and folks are saying “TypeScript is clearly Microsoft’s answer to Google’s Dart” or “So TypeScript is Microsoft’s answer to CoffeeScript.”

People have compared TypeScript to Dart. That’s comparing apples to carburetors. TypeScript builds on JavaScript so there’s no JS interop issues. Dart is a native virtual machine written from scratch. Dart interops with JavaScript…but it’s not JS. It doesn’t even use the JavaScript number type for example.

• Charles’ Problem with TypeScript

TypeScript | Build 2014 | Channel 9

JavaScript has grown from a webpage toy to being used in large-scale deployments both on the server and in the browser. This rapid growth has outpaced the growth of the language itself, which lacks features that allow teams to communicate requirements and build applications safely. This session will be a guided tour of TypeScript, showing how the language and toolset makes it easier to write cross-platform, large-scale JavaScript applications.

The post The Scripting Chronicles | CR 115 first appeared on Jupiter Broadcasting.

The GTK camp is pushing hard for Client Side Decorations, but there are some major drawbacks on non-Gnome desktops. We discuss the pros and cons, and if this is going to lead to a new kind of desktop Linux fragmentation.

Plus our thoughts on the best password managers, your follow up, and more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

F.U.

• Ubuntu One.. Not Dead Yet!

• Switching to Linux

• RE: Heartbleed This is what I see

• LibreSSL

• DigitalOcean, perfect use case for a HUGE (16 core, 48G RAM) VM

• A small segment on LAS that introduces and discusses password managers?

• Straw Poll: Your Password Manager Choice?

Client Side Diva

• Open Letter: The issues with client-side-window-decorations

That’s why I decided to CC the Ayatana mailinglist and publish this letter as an open letter on my blog. CSD is a topic that is important for every user and nothing we should discuss in a small group.

Consistent window decorations: This in fact is my greatest doubt. The current situation is that all windows have the same window decoration. For CSD to work applications have to be changed to support them. This will render the changed applications using CSD while all other applications are decorated by the window manager. I think it is impossible to have the same behavior for both CSD and wm decos. I think there are lots of legacy applications which cannot be changed, for example Amarok 1.4 which is still used by many users even in GNOME. I doubt you will be able to change Qt 3 to use CSD. My bigger concern is that we will end up with applications shipping their own style and doing their own kind of decorations. So we end up with situations like one window has buttons on left, one on the right, one in order close, maximize, minimize, the other in close, minimize, maximize, etc.

Just look on the Microsoft Windows desktop to see what proprietary applications tend to do when they get the chance to influence the decorations.

The Wayland Reason, he disagrees with:

Get gtk+ working on Wayland: I don’t see how Wayland can be an argument for CSD. Could we consider Wayland as unimportant till it is looking like something is actually going on? I checked the commits in 2010 in the public git repository and well it looks like KWin has more commits per day. It’s nice that you think of the future, but please don’t use it for argumentation. So also not valid.

On the Gnome Wiki they state this about Wayland and Client Side Decorations:

• Initiatives/Wayland/GTK+ – GNOME Wiki!

Under Wayland, it is preferred that clients render their own window decorations. Since gnome-shell will need to keep support for decorating X clients, it would be good if GTK+ and gnome-shell could share the css theming.

The comment thread on this post introducing CSD in Gnome 3.10 is quite interesting

• CSDs came to stay in GNOME 3.10! | woGue

The post Client Side Drama | LINUX Unplugged 37 first appeared on Jupiter Broadcasting.

A leaked email blows the lid off App store payola practices, Mike lays out why this is a major issue that undermines the future of the software industry.

Plus getting in the zone to do your best work, breaking the bad news to your boss or client about their bad code, and the 25% problem.

Thanks to:

GoDaddy.com Use our code coder295 to get a .COM for $2.95.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes —

Feedback

Daniel Gee:

I\’ve heard that if the requirements of a codebase shift more than 25% or so, it becomes faster to start from scratch than to try to update the code. Greg Wilson brought it up in his talk \”What We Actually Know About Software Development, and Why We Believe It\’s True\”. Basically, the most costly part of coding isn\’t the coding, it\’s the nailing down the requirements. Once you have those, starting over is relatively cheap.

Dev World Hoopla

• AppGratis Pay to Play

For example, this document shows AppGratis estimates a ~$300,000 buy will land an app in the top five slot in the US version of the App Store.

• The market for paid iOS apps isn’t dead – Marco.org

In most categories, if you either solve a new problem that a lot of people have, or solve an old problem in a new and better way, you can sell a paid app today just as well as you could in 2008. In fact, the market is much bigger now. But, as with any maturing market, you’ll need to do more to get noticed since so many problems have already been solved so well.

The bar is higher, but the market is fine.

• No, the market is not fine

Like Arment, I agree that the bar is higher for apps than it was just a few years ago, but I contend that the bar being higher is a problem for the average independent developer. Many of these developers simply do not have the capital required to hire a decent designer and effectively market an app.

Follow the show

• Email the show
• Join the Coder Radio Sbureddit
• Live Monday 9am PST
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post Payola Problems | CR 46 first appeared on Jupiter Broadcasting.

You know you need to do it, and today Mike tries to convince you. At a minimum errors need to be logged with enough information to point to the line of code, but where do you go from there? Slogging through bug reports, pulling important metrics, and a few bumps and bruises.

Plus: The inventory problem developers face, some forgotten glory, defending Yahoo, a batch of your feedback and more!

Thanks to:

GoDaddy.com Use our code coder295 to get a .COM for $2.95.
Ting.com Visit coderradio.ting.com to save $25 off your device or service credits.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes —

Feedback

• Louie points out my super high pitched voice on the word “business” in the last show

• Mike asks:

  “With every platform having its own app store you would think that it would be a boom for Indy Devs. But I don\’t believe that is the case because app discovery seems to suck on all platform. Am I crazy or correct? Is there anyone trying to fix this? Like a place that promotes Indy apps?”

• Dominic’s Question: The Stupid Client Problem

• Mike share’s the forgotten glory of Balmer doing TV ads in the 80’s
• A lot of divided opinion re Yahoo’s ban on working from home

Logging

• The essence of ¿Que?
• The feel of ¿Por Que?

Two key types of logging

• Diagnostic logging

Do you care enough to throw an exception up through the app or manage it another way? This is an \”it depends\” but logging info level messages probably should be skipped.

• Audit logging

Audit logging captures significant events in the system and are what management and the legal eagles are interested in. This is things like who signed off on something, who did what edits, etc. As a sysadmin or developer troubleshooting the system, you\’re probably only mildly interested in these. However, in many cases this kind of logging is absolutely part of the transaction and should fail the whole transaction if it can\’t be completed.

Follow the show

• Email the show
• Live Monday 9am PST
• Music by: Ronald Jenkees
• Mike on Twitter
• Mike on Google+
• Mike’s website
• Chris on twitter
• Chris on Google+

The post Captain’s Log | CR 39 first appeared on Jupiter Broadcasting.

Since the beginning of the year, nearly a dozen different subscription-driven titles have announced their intention to switch to various versions of Free-to-Play subscription models, across the MMO landscape. In today’s episode we’ll look at a few of the most recent additions to this playing field, and discuss the ins-and-outs of their particular takes on the F2P concept. How are they moving from premium subscriptions without alienating existing consumers? How will they market themselves to new gamers? Find out on this week’s MMOrgue!

Show Notes: