HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Net Neutrality – mail your Congressional Reps and Senators & state

governor – do not email or fax them. Put it in the mail.

• FYI, but mail them instead: Redditor shares a text bot that will send a fax to your state representative, senators, and governor, with message to fight for net neutrality

• Net Neutrality subreddit

• Hacker News: what can you do to help net neutrality

Security Alerts from GitHub

• define dependencies in one of the supported manifest file types, like package.json or Gemfile.

• similar to FreeBSD vuxml database – uses dependencies already listed in each FreeBSD port

here are over a billion outdated Android devices in use

• It’s common knowledge that Android device tend to be more out of date than iOS devices, but what does this actually mean?

• People sometimes compare Android to Windows XP because there are a large number of both in the wild and in both cases, most devices will not get security updates. However, this is tremendously unfair to Windows XP, which was released on 10/2001 and got security updates until 4/2014, twelve and a half years later.

• Another difference between Android and Windows is that Android’s scale is unprecedented in the desktop world. The were roughly 200 million PCs sold in 2017. Samsung alone has been selling that many mobile devices per year since 2008.

• If we look at the newest Android release (8.0, 8/2017), it looks like you’re quite lucky if you have a two year old device that will get the latest update. The oldest “Google” phone supported is the Nexus 6P (9/2015), giving it just under two years of support.

• But even with the data we have, we can take a guess at how many outdated devices are in use. In May 2017, Google announced that there are over two billion active Android devices. If we look at the latest stats (the far right edge), we can see that nearly half of these devices are two years out of date. At this point, we should expect that there are more than one billion devices that are two years out of date! Given Android’s update model, we should expect approximately 0% of those devices to ever get updated to a modern version of Android.

• Project Treble

Flight rules for git

A guide for astronauts (now, programmers using git) about what to do when things go wrong.

• Flight Rules are the hard-earned body of knowledge recorded in manuals that list, step-by-step, what to do if X occurs, and why. Essentially, they are extremely detailed, scenario-specific standard operating procedures. […]

• NASA has been capturing our missteps, disasters and solutions since the early 1960s, when Mercury-era ground teams first started gathering “lessons learned” into a compendium that now lists thousands of problematic situations, from engine failure to busted hatch handles to computer glitches, and their solutions.

• What did I just commit?

• I wrote the wrong thing in a commit message

• I committed with the wrong name and email configured

• I want to remove a file from a commit

Feedback

• Dan announces he is leaving the show.

• postgres and shared memory

• containers vs VM

Round Up:

• StartCom gets out of the certificates business – some background

• Massive US military social media spying archive left wide open in AWS S3 buckets

• ZFS from a MySQL perspective

• Announcing Prometheus 2.0

  • Node Exporter
  • Installation overview of node_exporter, prometheus and grafana

• The 3-Minute SQL Indexing Quiz That 60% Fail

The post Neutral Nets | TechSNAP 346 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Cultivating cybersecurity talent

• Unit 8200 dates back to 1952

Theresa may to create new internet that would be controlled and regulated by government

• Theresa May is planning to introduce huge regulations on the way the internet works, allowing the government to decide what is said online.

new SMB worm using 7 NSA tools not 2

• New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Feedback

• WannaCry – an overlooked defense

• user feedback on why no autofill for password managers

• Finnish developer shows how browser autofill profiles can be exploited to leak information

• DVL might want to remove webring

Round Up:

• The new normal?

• Congress introduces bill to stop US from stockpiling cyber-weapons

• The increased use of powershell in attacks

• Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware

• Comcast tries to censor pro-net neutrality website calling for investigation of fake FCC comments potentially funded by cable lobby

• What is astroturfing? vs grassroots movements

The post A Burrito Stole My Money | TechSNAP 321 first appeared on Jupiter Broadcasting.

A lot is happening in the world of Google this week & some of the new changes are big improvements for it’s users. Plus the new MacBook killer by Xiaomi that might really be killer & Washington State is suing Comcast.

Plus a really neat Kickstarter of the week, local streaming to a Chromecast & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Links:

• New Android Trojan SpyNote leaks on underground forums

• Google has sold 30 million Chromecasts, 5 million in the past 2 months

• Localcast – Simple stream for Chromecast

• Google Account sign-in notifications are now sent directly to your Android device

• 90% of YouTube and Google Calendar connections are now encrypted with HTTPS

• Xiaomi takes on the MacBook with the $750 “Mi Notebook Air”

• Washington state sues Comcast, says it sold near-worthless service plans | Ars Technica

Kickstarter of the week:

• Time Flies: Levitating Nixie Clock by Tony Adams — Kickstarter

The post Google Gets Pushy | TTT 254 first appeared on Jupiter Broadcasting.

Noah joins Wes for the second time this week to talk with the mumble room. Package management for Bash takes it one step too far, Nvidia starts putting GPUs in your containers, we learn some surprising things about open source at Comcast & discuss just what “Microsoft Linux” really means.

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show

LuaRadio

LuaRadio can be used to rapidly prototype software radios, modulation/demodulation utilities, and signal processing experiments. It can also be embedded into existing radio applications to serve as a user scriptable engine for processing samples

Follow Up / Catch Up

Nvidia plugin makes GPU acceleration possible in Docker containers

Nvidia’s new approach — an open source Docker plugin named nvidia-docker — provides a set of driver-agnostic CUDA images for a container’s contents, along with a command-line wrapper that mounts the user-mode components of CUDA when the container is launched.
+ nvidia-docker plugin

Surf

surf is a simple web browser based on WebKit/GTK+

Mycroft AI Integration Now Available on KDE Plasma 5 Desktops

It took him about a month since the release of the Mycroft AI application for the GNOME Shell interface of the GNOME desktop environment, but developer Aditya Mehra managed to get it running on the KDE Plasma 5 desktop as well.

• Qt5 Frontend for Mycroft Aihttps://github.com/AIIX

Snappy in Arch moved to community repo

That’s right, snapd and snap-confine have now moved to the official community repository. This means that the barrier to entry is now significantly lower and that installation is even faster than before. You still want to read the snapd wiki page to know the details about various post-install activities.

TING

• Ting – mobile that makes sense

bpkg is a bash package manager

JavaScript has npm, Ruby has Gems, Python has pip and now Shell has bpkg!

With bpkg you can easily install and manage Bash packages. It takes care of installing/uninstalling, execution permissions and everything.

Besides installing shell scripts globally you can use them on a per-project basis.

• Packages by name

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

How Linux and Open Source Are Powering Comcast’s Massive Infrastructure

Comcast is a heavy user of Linux, and it touches everything: from back-end servers to customer facing devices like X1 products. Muehl said. “Comcast, like so many others, is a very Linux-heavy operating system company.”

Comcast has been involved with OpenStack since 2012. “We did a lot of early work around networking because we needed to get IPv6 working. We needed to do some traffic shaping and marking capabilities within the OpenStack infrastructure. All of those have now been upstreamed,” said Muehl.

Linux Academy

• Linux Academy | Linux and AWS Online Training

Howto: Setup .NET Core on Ubuntu

.NET Core 1.0 is here and it’s a great, great opportunity to start playing with it not only on Windows platform but also on Linux.

• .NET Core Github

Running i3 Window Manager on Bash For Windows

Imagine my surprise when I installed Bash for Windows on this build and pretty much everything worked. I cloned my dotfiles and ran the post-install scripts that install i3 window manager, neovim, zsh, Go, and all the requisite development tools that I’m used to. Nothing failed.

…Returning to bash, I typed i3 again. Gloriously, the famililar i3 session appeared. I’m able to install and run Linux GUI applications like Firefox. I have terminator running as my terminal emulator. I’m running zsh as my shell. Neovim just works, as does Go. All of them think they’re running on a Linux computer, because for all intents and purposes they are. It just happens to have a Windows NT kernel at its core.

Strange, strange times we live in. 20 years ago Microsoft called Linux a cancer and did everything they could to make it die. Today they’re embracing Linux – and by extension me – and I have to say I’m really impressed with the outcome.

Support Jupiter Broadcasting on Patreon

The post To .NET or to .NOT? | LINUX Unplugged 152 first appeared on Jupiter Broadcasting.

Noah takes the mic to catch up on the tech news of the week. A passionate discussion about consumer drones, a Kickstarter close to the heart & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• Google Play Music gets podcast support on Android and the Web | VentureBeat | Media | by Emil Protalinski
• YouTube rolls out support for 360-degree live streams and spatial audio | TechCrunch
• Amazon Ups the Ante on Streaming Video, Challenging Netflix – WSJ
• Netflix Has Twice as Many U.S. Subscribers as Comcast | AllFlicks
• DJI just released its most powerful drone yet | The Verge
• FAA confirms it’s a federal crime to shoot down a drone.
• Tech Talk Today is creating DAILY PODCASTS | Patreon
• FixIT Leeds Relocation | Indiegogo
• AFV – Intro Bob Saget – YouTube

The post Noah Drones On | TTT 240 first appeared on Jupiter Broadcasting.

Hewlett-Packard is splitting into two, Google wants its own chips for Android, Comcast has new caps & our mixed reaction to the announcement of a new Star Trek series.

Plus our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Hewlett-Packard Is Splitting Into Two Companies

• With Apple in Mind, Google Seeks Android Chip Partners

In the discussions, which occurred this fall, Google representatives put forward designs of chips it was interested in co-developing, including a phone’s main processor. The designs enable new features Google hopes to implement within Android software in the next few years, according to people briefed on the discussions.

• Android App Mutates Source Code, Spreads Virally and Enables Mesh Networks

• Comcast Dramatically Expanding Usage Cap Areas December 1

• Google engineer leaves scathing reviews of dodgy USB Type-C cables on Amazon

• New ‘Star Trek’ TV Series To Launch In 2017 – Update

• Petition · CBS: Cancel the New Star CBS Star Trek Series Now! · Change.org

In summation, and let me be clear:

We want it for free.

But first, we want you to cancel it.

Kickstarter of the WEEK:

• HUDWAY Glass: keeps your eyes on the road while driving by HUDWAY — Kickstarter

The post Six Dollar Reboot | TTT 222 first appeared on Jupiter Broadcasting.

Vulnerabilities in iOS & Android devices announced today, both are in the wild with no fix yet. We’ll share the details. Comcast wants to buy T-Mobile, Microsoft shakes it up, Kodi gets banned & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Episode Links:

• Researchers Find Major Keychain Vulnerability in iOS and OS X – Slashdot
• Samsung Cellphone Keyboard Software Vulnerable To Attack – Slashdot
• Comcast said to be leading suitor in T-Mobile buyout – CNET
• Microsoft Shakes Up Its Leadership And Internal Structure As Its Fiscal Year Comes To A Close | TechCrunch
• Let’s Encrypt Launch Schedule
• Amazon Bans Kodi/XBMC App Over Piracy Concerns | TorrentFreak

The post Comcast's Next Prey | Tech Talk Today 184 first appeared on Jupiter Broadcasting.

There is some major smoke around the Google I/O fire, we dig into an in depth discussion about the big Google Picture. Plus Vox buys up Re/Code in a move that consolidates tech news & OnePlus teases us with a new device!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Vox Media Adds ReCode to Its Stable of Websites – NYTimes.com

• Comcast, investor in Vox Media and Recode, could end up buying them both – Quartz

One reason for the renewed discussions may be Comcast’s role in encouraging Vox Media’s acquisition of Recode, the technology news site with a small audience but growing events business. Sources say Comcast, which owns minority stakes in both companies, gave its blessing to the deal several months ago. David Zilberman, a managing director of Comcast Ventures, its venture capital arm, sits on Vox Media’s board. He didn’t reply to a message seeking comment.

APNewsBreak: IRS says thieves stole tax info from 100,000

The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

Microsoft partners with LG, Sony, other OEMs to sell Android tablets featuring Office, OneDrive, Skype

In total, Microsoft has now partnered with 31 global and local OEMs (11 in March and 20 today) to preinstall its apps onto Android devices throughout this year. Only time will tell if Microsoft’s apps end up actually being used more because of these deals.

OnePlus teases next smartphone announcement on Twitter

OnePlus says it is “Time to change” in its latest tweet, teasing a possible smartphone announcement for June 1. Chinese smartphone maker, OnePlus, relies heavily on Twitter for making announcements and promoting products and now the company would like to shake things up according to its latest tweet.

Update on Extension Signing and New Developer Agreement

Next week, we will activate two new features on AMO: signing of new add-on versions after they are reviewed, and add-on submission for developers who wish to have their add-ons signed but don’t want them listed on AMO. We will post another update once this happens. When this is done, all extension developers will be able to have their extensions signed, with enough time to update their users before signing becomes a requirement in release versions of Firefox.

Google I/O 2015 Preview: We’re doubling down on Android M, Chrome, Wear and more

Obviously Android M(arshmallow?), Wear updates including the next Moto 360 are at the top of the list. I’ve been hearing whispers that the new 360 is smaller, uses more modern/efficient SoC and a better OLED display. I’m praying to the robot dog overlords at Google that they have these as developer demo units (read: presents) at I/O. Use on iOS as has been found in code would also be nice for us who use both platforms. I’ve heard Samsung might have something round for us to feast on soon, and who knows, maybe we’ll see a $1,400 Tag Heuer Watch somehow with Intel Inside.

The post Google's Tech Tease | Tech Talk Today 176 first appeared on Jupiter Broadcasting.

Down to the wire & nothing left to lose, we rebuild our live stream rig for the weekends big event & share the story of technical woes we’ve had to conquer.

Plus the Comcast merger falls flat, no upgrades for Apple Watch & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Ubuntu 15.04 Released, First Version To Feature systemd

The final release of Ubuntu 15.04 is now available. A modest set of improvements are rolling out with this spring’s Ubuntu. While this means the OS can’t rival the heavy changelogs of releases past, the adage “don’t fix what isn’t broken” is clearly one 15.04 plays to. The headline change is systemd being featured first time in a stable Ubuntu release, which replaces the inhouse UpStart init system. The Unity desktop version 7.3 receives a handful of small refinements, most of which aim to either fix bugs or correct earlier missteps (for example, application menus can now be set to be always visible). The Linux version is 3.19.3 further patched by Canonical. As usual, the distro comes with fresh versions of various familiar applications.

Comcast / Time Warner Cable / Charter Transactions Terminated

“Today, we move on. Of course, we would have liked to bring our great products to new cities, but we structured this deal so that if the government didn’t agree, we could walk away.

Pentagon says evicted Russian hackers, global cyber threat grows | Reuters

The United States on Thursday disclosed a cyber intrusion this year by Russian hackers who accessed an unclassified U.S. military network, in a episode Defense Secretary Ash Carter said showed the growing threat and the improving U.S. ability to respond.

Apple Watch Teardown – iFixit

it’s been eight months since Apple announced its (digital) crowning achievement, the Apple Watch. Join us as we make time stand still by tearing down the Apple Watch—and see what makes it tick.

Rufus Labs

With its built-in mic, speaker, and camera, you can answer and place voice or video calls right from your wrist and your connected iPhone or Android smartphone. If you don’t want your call overheard, simply switch off the speaker and continue by holding your wrist up to your ear or put the call back on your smartphone.

The post A Comcastic Collapse | Tech Talk Today 163 first appeared on Jupiter Broadcasting.

Like a magic pony with one more trick, Comcast announces it will magically turn on 2Gbps Internet Service to some areas that recently had Google Fiber installed. Does Comcast’s sudden ability to deliver this service perfectly demonstrate how real competition is all thats needed to save the net?

Plus TrueCrypt’s audit wraps up, Ford is chasing a dream & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Comcast leapfrogs Google Fiber with new 2Gbps internet service | The Verge

One way to answer critics and competitors alike is to simply do better, and for once Comcast is doing exactly that. The US cable giant is today announcing a new 2Gbps broadband service, which it will start rolling out in Atlanta from next month. There’s no price yet, but Comcast says it will be symmetrical — meaning you’ll upload just as quickly as you can download — and it won’t be limited “just to certain neighborhoods.”

Ford Is Chasing Tesla And Uber Into The Future – BuzzFeed News

Ford CEO Mark Fields says the legacy car manufacturer is trying to think like a startup.

U.S. Smartphone Use in 2015 | Pew Research Center’s Internet & American Life Project

10% of Americans own a smartphone but do not have broadband at home, and 15% own a smartphone but say that they have a limited number of options for going online other than their cell phone. Those with relatively low income and educational attainment levels, younger adults, and non-whites are especially likely to be “smartphone-dependent.”

A Few Thoughts on Cryptographic Engineering: Truecrypt report

The TL;DR is that based on this audit, Truecrypt appears to be a relatively well-designed piece of crypto software. The NCC audit found no evidence of deliberate backdoors, or any severe design flaws that will make the software insecure in most instances.

Microsoft will adopt open document standards following government battle | ITProPortal.com

Microsoft has confirmed it will start supporting the Open Documents Format (ODF) in the next update to Office 365, following a lengthy battle against the UK government.

Jupiter Broadcasting Meetup

Jupiter Broadcasting is interested in semi-frequent listener meetups, events in your area, and more. We’ll use this group to organize events.

The post Magical 2Gbit Internet | Tech Talk Today 152 first appeared on Jupiter Broadcasting.

Sony’s new hot legal defense goes after journalist & has a anti-Linux background. Ars gets hacked & why the big trend is the cord cutters friend.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Sony Demands Press Destroy Leaked Documents – Slashdot

In an effort that may run afoul of the first amendment, Sony, through their lawyer David Boies (of SCO infamy), has sent a letter to major news organizations demanding that they refrain from downloading any leaked documents, and destroy those already possessed. Sony threatens legal action to news organizations that do not comply, saying that “Sony Pictures Entertainment will have no choice but to hold you responsible for any damage or loss arising from such use or dissemination by you.”

Sony Planned to Flood Torrent Sites With “Promo” Torrents

Sony Pictures’ TV network AXN developed a guerrilla marketing campaign to convert users of The Pirate Bay, KickassTorrents and other torrent sites to paying customers. The company planned to flood torrent sites with promos for the premiere Hannibal disguised as pirated copies of the popular TV-show.

The revelations are part of the Sony Pictures leaks which contain a discussion on the plan, framing it as a “brilliant anti­piracy social campaign.” The AXN employee describes the idea as follows.

“The idea is simple. We made a promo dedicated to Hannibal which is convincing people in very creative and no­invasive way to watch Hannibal legally on AXN instead downloading it from torrents.

“[T]his promo is supposed to be downloaded on the torrents sites, imitating the first episode of Hannibal season 2 but in reality would be only a 60 sec promo. The torrents sites are exactly the place where people just after [the] US premier would be searching for the first episode of season 2. So the success of this project is more than 100% sure.”

Unfortunately for the AXN Central Europe team the advertising campaign wasn’t well received at Sony Pictures’ headquarters in Los Angeles.

Sony Pictures Executive Vice President, who emphasized that it was a no go.

“Forget about a site blocking strategy if we start putting legitimate PSAs or promos on sites we’ve flagged to governments as having no legitimate purpose other than theft… PSAs being for public good, etc…”*

And so it never happened…

Ars Technica is the latest site to fall victim to hack | The Verge

There has been a lot of hacking news in the past few weeks, and now noted technology news site Ars Technica has fallen victim to a hack. The site’s front page has gone black, with white text reading “Ars Security” alongside a couple of Twitter handles, presumably of those who have taken control of the site. There’s also some music playing to keep you occupied while waiting for the site to come back online.

The issue doesn’t appear to be completely widespread, as some Verge staffers located in different points around the globe aren’t currently having issues connecting to the site. Ars itself is also aware of the hack; the site’s Twitter account indicates they should be back online soon.

NBC to Live Stream Network Shows – WSJ

NBC is launching a live stream of its broadcast network, part of a broader effort at parent NBCUniversal to make more of its content available online via computers and mobile devices.

Instead, to access NBC’s live stream as well as additional content the company plans to offer via an on-demand platform, consumers will have to provide proof that they already have a pay-TV subscription.

NBC’s live stream will debut Tuesday online, and mobile platforms will be available early next year. Walt Disney Co.’s ABC launched a live stream of its network last year.

Separately, NBCUniversal is also going to start making content from its Bravo and Telemundo networks available through Microsoft Corp. ’s Xbox One game console. USA and Syfy already have deals with Xbox One.

OpenYourMouth

The post Sony's Facepalm Buffoonery | Tech Talk Today 106 first appeared on Jupiter Broadcasting.

The Pirate Bay goes offline, but is it truly dead yet? Comcast gets sued for turning on your modem’s wifi, major security flaws impacting X.Org, our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Swedish Police Raid The Pirate Bay, Site Offline | TorrentFreak

Police in Sweden carried out a raid in Stockholm today, seizing servers, computers, and other equipment. At the same time The Pirate Bay and several other torrent-related sites disappeared offline. Although no official statement has been made, TF sources confirm action against TPB.

However, over in Sweden authorities have just confirmed that local police carried out a raid in Stockholm this morning as part of an operation to protect intellectual property.

“There has been a crackdown on a server room in Greater Stockholm. This is in connection with violations of copyright law,” read a statement from Paul Pintér, police national coordinator for IP enforcement.

• Fonzie Jumps the Shark on Happy Days (Episode 5.3) 1977 – YouTube

Comcast Sued For Turning Home Wi-Fi Routers Into Public Hotspots

Benny Evangelista reports at the San Francisco Chronicle that a class-action suit has been filed in District Court in San Francisco on behalf of Toyer Grear and daughter Joycelyn Harris, claiming that Comcast is “exploiting them for profit” by using their home router as part of a nationwide network of public hotspots. Comcast is trying to compete with major cell phone carriers by creating a public Xfinity WiFi Hotspot network in 19 of the country’s largest cities by activating a second high-speed Internet channel broadcast from newer-model wireless gateway modems that residential customers lease from the company.

Although Comcast has said its subscribers have the right to disable the secondary signal, the suit claims the company turns the service on without permission. It also places “the costs of its national Wi-Fi network onto its customers” and quotes a test conducted by Philadelphia networking technology company Speedify that concluded the secondary Internet channel will eventually push “tens of millions of dollars per month of the electricity bills needed to run their nationwide public Wi-Fi network onto consumers.” The suit also says “the data and information on a Comcast customer’s network is at greater risk” because the hotspot network “allows strangers to connect to the Internet through the same wireless router used by Comcast customers.”

Just-Announced X.Org Security Flaws Affect Code Dating Back To 1987 t

Some of the worst X.Org security issues were just publicized in an X.Org security advisory. The vulnerabilities deal with protocol handling issues and led to 12 CVEs published and code dating back to 1987 is affected within X11. Fixes for the X Server are temporarily available via this Git repository.

KICKSTARTER OF THE WEEK: Mars by crazybaby: A Levitating Bluetooth Speaker | Indiegogo

Mars’s levitating 360° sound projection reduces sound wave absorption into surfaces by levitating above the subwoofer charging station.

The post Comcast Jumps the Shark | Tech Talk Today 103 first appeared on Jupiter Broadcasting.

Samsung files to block Nvidia chips from entering the US, a judge unseals 500+ Stingray records potentially by mistake. Plus Comcast’s big plans to get you to use the Internet less.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Samsung Files Complaint to Block Nvidia Chips From U.S. – Bloomberg

Samsung filed a complaint yesterday against Nvidia with the
U.S. International Trade Commission in Washington, according to
a notice on the agency’s website. A copy of the complaint wasn’t
immediately available.

The legal battle began in September when Nvidia filed its
own ITC complaint against Qualcomm Inc. and Samsung over
patented ways to improve graphics. It’s asking the agency to
block imports of the latest Galaxy phones and tablets that use
Qualcomm’s Snapdragon graphics processing units or Samsung’s
Exynos processors.

Samsung retaliated Nov. 4 with a patent-infringement suit
in federal court in Richmond, Virginia. In that case, Suwon,
South Korea-based Samsung claims Nvidia and one of its customers
infringe as many as eight patents. That lawsuit targets Nvidia’s
Shield tablet computers.

Each company has denied using the other’s technology. In a
Nov. 11 statement, Nvidia called Samsung’s lawsuit “a
predictable tactic.”

‘We have not seen the complaint so can’t comment, but we
look forward to pursuing our earlier filed ITC action against
Samsung products,” Hector Marinez, a spokesman for Santa Clara,
California-based Nvidia, said in an e-mailed statement.

Judge Unseals 500+ Stingray Records

A judge in Charlotte, North Carolina, has unsealed a set of 529 court documents in hundreds of criminal cases detailing the use of a stingray, or cell-site simulator, by local police. This move, which took place earlier this week, marks a rare example of a court opening up a vast trove of applications made by police to a judge, who authorized each use of the powerful and potentially invasive device

According to the Charlotte Observer, the records seem to suggest that judges likely did not fully understand what they were authorizing. Law enforcement agencies nationwide have taken extraordinary steps to preserve stingray secrecy. As recently as this week, prosecutors in a Baltimore robbery case dropped key evidence that stemmed from stingray use rather than fully disclose how the device was used.

Eyes-on with Streaming Photoshop: Adobe’s plan to bring PS to the cloud | Ars Technica

“Streaming Photoshop” is Adobe and Google’s plan to bring the incomparable photo editor to Chrome OS and the Chrome Browser.

“Streaming Photoshop” is a Chrome App that you download from the Chrome store (provided you are whitelisted). The app opens in a window that looks just like a local version of Photoshop—there’s no browser UI of any kind. Photoshop lives on a computer in the cloud, and a video feed of it is streamed to the Chrome app. The app captures clicks and sends them to the server. It sounds like using it would be a clunky mess, but the whole process looked indistinguishable from a local install of Photoshop.

Chrome OS has taken off as a competitor to Windows—the NPD’s last estimate put it at 35% of commercial notebook sales—but it lacks a few killer apps like Photoshop. The other benefit is that you can now run Photoshop on just about any computer without having to worry about RAM and CPU usage, since all the computer has to display is a video stream. Adobe says even the $200 Chromebooks on the market today should be fast enough to handle Streaming Photoshop.

Three to 4MB/s will get you the best results, and Adobe says Streaming Photoshop should still be usable on connections as slow as 1MB/s. There’s no offline support, of course.

Streaming Photoshop runs version 15.2.1 (the latest version) on a Windows box from Google Compute Engine.

That means you’ll be getting the Windows title bar and menus regardless of what your host OS is. The app will remap hotkeys, though, so other than a few minor visual differences, it shouldn’t feel too weird. Right now there’s no GPU support, so things like 3D functions are currently off-limits—the whole menu was grayed-out. There’s also no way to print directly from Photoshop.

Storage used Google Drive—it does not currently work with Creative Cloud—and if your file is in Google’s cloud, it opens instantly, no uploading required. We’d imagine most people have their Photoshop files backed up 24/7 in Creative Cloud, Dropbox, or Google Drive, so this shouldn’t be a big change for most people. Adobe says Creative Cloud support is coming, but for now, on Google’s platform, Drive support comes free.

What XFINITY Internet Data Usage Plans will Comcast be Launching?

In the Tucson, Arizona market, we announced in 2012 that the data amount included with Economy Plus through Performance XFINITY Internet tiers would increase from 250 GB to 300 GB. Those customers subscribed to the Blast! Internet tier, have received an increase in their data usage plan to 350 GB; Extreme 50 customers have received an increase to 450 GB; Extreme 105 customers have received an increase to 600 GB. As in our other trial market areas, we offer additional gigabytes in increments/blocks of 50 GB for $10.00 each in the event the customer exceeds their included data amount.

In Huntsville and Mobile, Alabama; Atlanta, Augusta and Savannah, Georgia; Central Kentucky;Maine;Jackson,Mississippi;Knoxville and Memphis, Tennessee and Charleston,South Carolina, we have begun a trial which will increase our data usage plan for all XFINITY Internet tiers to 300 GB per month and will offer additional gigabytes in increments/blocks (e.g., $10.00 per 50 GB). In this trial, XFINITY Internet Economy Plus customers can choose to enroll in the Flexible-Data Option to receive a $5.00 credit on their monthly bill and reduce their data usage plan from 300 GB to 5 GB. If customers choose this option and use more than 5 GB of data in any given month, they will not receive the $5.00 credit and will be charged an additional $1.00 for each gigabyte of data used over the 5 GB included in the Flexible-Data Option.

The post Dark Age of the Internet | Tech Talk Today 96 first appeared on Jupiter Broadcasting.

Obama calls on FCC to make ‘strongest possible rules’ to protect net neutrality, but the realities of this move might not be appealing. We’ll look at Net Neutrality from all sides & explain what Title II means.

Plus a high level US Diplomat is accused of Spying, a new study claims extended Cannabis uses causes brain damage, an ISIS update & much more.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon:

— Show Notes —

News

Hillary Donor Under Investigation in Counterintelligence Probe

A former high-ranking diplomat and Clinton ally at the center of an FBI counterintelligence probe was a registered foreign agent for the Pakistani government up until just days before she was appointed to run the U.S. State Department’s Pakistan aid team.

The Washington Post reported last week that the State Department’s aid coordinator for Pakistan, Robin Raphel, is the subject of a counterintelligence investigation and has had her security clearance revoked.

The FBI has not specified the nature of the probe, although the Post indicated that it could be espionage-related. She was reportedly placed on administrative leave last month, and the State Department said she is no longer employed by the agency.

Raphel previously served as an assistant secretary of state under President Bill Clinton and rejoined the State Department in August 2009 to focus on Pakistan and Afghanistan aid issues. She is also close to Hillary Clinton and contributed $2,000 to her presidential campaign in 2007.

• FBI Investigation Of Robin Raphel – Business Insider

Robin Raphel, the ‘obstacle’ in India-U.S. ties – The Hindu

In 1995, U.S. diplomat Robin Raphel was the toast of the State department. President Bill Clinton appointed her the first Assistant Secretary of State for South Asia (the post later included Central Asia), and she was known to be close to him and Hillary Clinton, as she knew the U.S. President from his time at Oxford.

“Eventually, we have been vindicated by this investigation,” said an official who preferred not to be named, speaking about the just-announced U.S. federal probe against Ms. Raphel, “We repeatedly told the U.S. that Ms. Raphel’s position was anti-India, but it was also not in the U.S.’s interests.” As a diplomat Ms. Raphel was responsible for two other controversial policies: that of suggesting support for the Taliban takeover in Afghanistan in 1996, as a means of securing the U.S. company Unocal consortium’s pipeline plan in the region, as well as advocating dropping parts of the U.S.’s Pressler amendment that put strict oversight over aid to Pakistan. After she retired, Ms. Raphel joined consultancy group Cassidy & Associates and landed a massive $1.2 million contract from the Pakistan government under President Musharraf, to “improve Pakistan’s image” in the U.S. in 2007.

• Pakistan lobbyist Robin Raphel under lens for alleged spying – The Times of India

In Ukraine, Shelling and Convoys of Armed Trucks Threaten Cease-Fire – NYTimes.com

An October report revealed that cluster munitions, which blanket a target area with bomblets filled with deadly shrapnel, have been used by government troops and possibly pro-Russian rebels against civilian population centers during the fighting in eastern Ukraine. Evidence strongly indicates that Ukrainian troops stationed about 30 kilometers, or 19 miles, southwest of the city launched attacks on Donetsk earlier this month, including an attack that killed a Swiss employee of the International Red Cross.

A shaky cease-fire in eastern Ukraine looked ever more tenuous on Sunday as European monitors confirmed reports of unmarked military vehicles driving through rebel-held territory while Donetsk, the region’s biggest city, endured a nightlong artillery battle.

The monitoring group, the Organization for Security and Cooperation in Europe, said that long columns of unmarked military vehicles, some towing howitzers, were spotted over the weekend. The monitors did not speculate as to the origins of the trucks or the people inside them, but Ukrainian officials said the statements bolstered their claims that Russia was again arming and training separatists.

The O.S.C.E. reported that its observers had driven on Saturday past a column of more than 40 trucks on a highway outside Donetsk. The trucks were covered with tarpaulins and “without markings or number plates — each towing a 122 mm howitzer and containing personnel in dark green uniforms without insignia,” the O.S.C.E. statement said.

On Sunday, after what journalists in Donetsk described as the heaviest night of artillery shelling in and around the city in at least a month, the O.S.C.E. observers saw two more unmarked military columns. The observers noted 17 trucks in each column, some equipped with Grad ground-to-ground rocket launchers and others towing more howitzers.

Net Neutrality

Obama calls on FCC to make ‘strongest possible rules’ to protect net neutrality | Technology | The Guardian

President says ‘open internet is essential to way of life’ and comes out against so-called ‘fast lanes’ for higher-paying web users.

Dear Senator Ted Cruz, I’m going to explain to you how Net Neutrality ACTUALLY works – The Oatmeal

Net neutrality, Obama, FCC, Title II … Your ESSENTIAL guide to WTF is happening • The Register

• Put simply, because rules that were created by the FCC in 2010 in order to deal with the modern reality of the internet — the so-called Open Internet Order — were struck down [PDF] by the US courts following a challenge by Verizon.

That left a potentially huge gap that people are worried that cable companies will exploit. Without new rules, it is possible — in fact, likely — that your cable provider, who is most cases is also your internet provider, will find ways to profit from the video, audio and text sent through its wires to subscribers.

• The very fact that Verizon then went to the trouble of suing the FCC to get the existing rules that prevented it from discriminating on the basis of content overturned is, ironically, what is spurring people on to push the old 1934 law of “common carriers” onto the cable companies, so that they are legally prevented from touching the data and so from imposing a cable business model on the internet.

• The cable companies make the valid point that the legislation that they would be pulled under is ancient, outdated and in many respects goes against the general philosophy of less government regulation that help the internet to thrive in the first place.

• Wheeler added: “I am grateful for the input of the President and look forward to continuing to receive input from all stakeholders, including the public, members of Congress of both parties, including the leadership of the Senate and House committees, and my fellow commissioners.
  “Ten years have passed since the Commission started down the road towards enforceable Open Internet rules. We must take the time to get the job done correctly, once and for all, in order to successfully protect consumers and innovators online.”

• The resulting Telecommunications Act of 1996 did not really address how people gained access to the internet, however, or how companies that make that access to the web possible should be viewed.

There was one very small part — literally one paragraph — in the 128-page text that defined a new term, “advanced telecommunications capability”, as “high-speed, switched, broadband telecommunications capability that enables users to originate and receive high-quality voice, data, graphics, and video telecommunications using any technology.”

This is the Section 706 that is held up as the alternative to Title II for how to fit broadband providers into the law.

• Just how out of date is Title II?

• There are 76 sections to Title II, and those wanting to reclassify broadband under it want to retain just six sections. They are:
  • 201: Services and charges — companies have to charge a reasonable sum for the service
  • 202: Discrimination — you can’t discriminate over the service
  • 208: Complaints — people can complain
  • 222: Privacy — people’s privacy has to be respected
  • 254: Universal service — you have to provide the service across the country
  • 255: Disability access — make it possible for people with disabilities to use it

Put together, these six sections are pretty light on regulation, although parts of them are still horribly outdated.

• There is specific reference in 201 to the law not impacting the ability of common carriers to “furnishing reports of positions of ships at sea to newspapers of general circulation.”

• Section 202 reveals the startling sum of “$6,000 for each such offense and $300 for each and every day of the continuance of such offense.” At those rates, AT&T won’t exactly be trembling in its boots. In today’s currency, the legislation should read $100,000 for each offense and $5,000 per day.

• Am I The Only Techie Against Net Neutrality?

AT&T to “pause” 100-city fiber buildout because of net neutrality rules | Ars Technica

AT&T CEO Randall Stephenson said today that his company will “pause” investments in fiber networks until the net neutrality debate is over. The statement came two days after President Obama urged the Federal Communications Commission to reclassify broadband as a utility and impose bans on blocking, throttling, and paid prioritization.

“We can’t go out and invest that kind of money deploying fiber to 100 cities not knowing under what rules those investments will be governed,” Stephenson told investors, according to Reuters. “We think it is prudent to just pause and make sure we have line of sight and understanding as to what those rules would look like.” Stephenson was speaking at a Wells Fargo event.

High Note

Regular marijuana habit changes your brain, study says – CNN.com

Researchers found that compared to nonusers, people who smoked marijuana starting as early as age 14 have less brain volume, or gray matter, in the orbitofrontal cortex. That’s the area in the front of your brain that helps you make decisions.

“The younger the individual started using, the more pronounced the changes,” said Dr. Francesca Filbey, the study’s principal investigator and associate professor at the School of Behavioral and Brain Sciences at the University of Texas at Dallas. “Adolescence is when the brain starts maturing and making itself more adult-like, so any exposure to toxic substances can set the course for how your brain ends up.”

Unfilter Debunk

..a study that looked at a relatively large group of marijuana users …

The study, published Monday in the Proceedings of the National Academy of Sciences, used MRI scans to look at the brains of 62 non-marijuana users and 48 regular marijuana users, 27 of whom used marijuana but not other drugs.

• 21 of the 48 pot-smokers reported using other drugs aside from weed.

• Puzzlingly High Correlations in fMRI Studies of Emotion, Personality, and Social Cognition

Major contention surrounding studdies that use MRI methods

Functional magnetic resonance imaging (fMRI) studiesofemotion, personality, and social cognition have drawn much attention
in recent years, with high-profile studies frequently reporting extremely high (e.g., >.8) correlations between brain activation
and personality measures. We show that these correlations are higher than should be expected given the (evidently limited)
reliability of both fMRI and personality measures. The high correlations are all the more puzzling because method sections
rarely contain much detail about how the correlations were obtained. We surveyed authors of 55 articles that reported findings
of this kind to determine a few details on how these correlations were computed. More than half acknowledged using a strategy
that computes separate correlations for individual voxels and reports means of only those voxels exceeding chosen thresholds.
We show how this nonindependent analysis inflates correlations while yielding reassuring-looking scattergrams.

New pot shops on the block not always so popular | Business | Seattle News, Weather, Sports, Breaking News | KOMO News

DENVER (AP) – The booming new marijuana industry has an image problem. Not with government officials and the public – but with other businesses.

From crime fears to smell complaints, new marijuana retailers and growers face suspicion and sometimes open antagonism from their commercial neighbors, especially in Denver, which now has 200 marijuana retailers and dozens of pot growing and manufacturing facilities.

The strife went public last week along a once-forlorn stretch of highway south of downtown Denver now sprinkled with marijuana shops.

About two dozen pot shops along this stretch of Broadway, often dubbed “Broadsterdam,” had a marketing idea for the upcoming holiday shopping season. Why not join forces with neighboring antique shops to market the whole area as “The Green Mile”?

The pot shops called a meeting, expecting an enthusiastic response from neighboring businesses that have seen boarded-up storefronts replaced with bustling pot shops with lines out the door. Instead, the suggestion unleashed a torrent of anger from the antique shops.

“We don’t want to work with you,” said James Neisler, owner of Heidelberg Antiques. “Your customers, they’re the long-haired stinky types. They go around touching everything and they don’t buy anything.”

The post Net Neutrality Reality | Unfilter 122 first appeared on Jupiter Broadcasting.

Belkin users go offline all over the world due to a router design flaw, Facebook has a private chat app in the works, Adobe spies on you & Comcast gets a customer fired for complaining about their service.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Borked Belkin routers leave many unable to get online | Ars Technica

Owners of Belkin routers around the world are finding themselves unable to get online today. Outages appear to be affecting many different models of Belkin router, and they’re hitting customers on any ISP, with Time Warner Cable and Comcast among those affected. ISPs, inundated with support calls by unhappy users, are directing complaints to Belkin’s support line, which appears to have gone into meltdown in response.

The reason for the massive outages is currently unknown. Initial speculation was that Belkin pushed a buggy firmware update overnight, but on a reddit thread about the problem, even users who claim to have disabled automatic updates have found their Internet connectivity disrupted.

Update: Belkin has given us the following statement:

Starting approximately midnight on October 7, Belkin began experiencing an issue with a service configured in certain Belkin router models that causes a failure when it checks for general network connectivity by pinging a site hosted by Belkin.

If your service has not yet been restored, please unplug your router and plug it back in after waiting 1 minute. Wait 5 more minutes and the router should reconnect. If you have any further issues, please contact our support at (800) 223-5546.

Facebook Readies App Allowing Anonymity – NYTimes.com

The company is working on a stand-alone mobile application that allows users to interact inside of it without having to use their real names, according to two people briefed on Facebook’s plans, who spoke on the condition of anonymity because they were not authorized to discuss the project.

The point, according to these people, is to allow Facebook users to use multiple pseudonyms to openly discuss the different things they talk about on the Internet; topics of discussion which they may not be comfortable connecting to their real names.

There are many unknowns as to how the new app will interact, if at all, with Facebook’s main site. It is unclear if the app will allow anonymous photo sharing, or how friend interactions and existing friend connections will work.

Adobe spies on reading habits over unencrypted web because your ‘privacy is important’ • The Register

Adobe confirmed its Digital Editions software insecurely phones home your ebook reading history to Adobe — to thwart piracy.

And the company insisted the secret snooping is covered in its terms and conditions.

Version 4 of the application makes a note of every page read, and when, in the digital tomes it accesses, and then sends that data over the internet unencrypted to Adobe.

Adobe explained that the data it collects is for digital rights management (DRM) mechanisms that may be demanded by publishers to combat piracy, and gave a detailed list of what and why it needs such specific information:

• User ID: The user ID is collected to authenticate the user.
• Device ID: The device ID is collected for digital right management (DRM) purposes since publishers typically restrict the number of devices an eBook or digital publication can be read on.
• Certified app ID: The Certified App ID is collected as part of the DRM workflow to ensure that only certified apps can render a book, reducing DRM hacks and compromised DRM implementations.
• Device IP: The device IP is collected to determine the broad geo-location, since publishers have different pricing models in place depending on the location of the reader purchasing a given eBook or digital publication.
• Duration for which the book was read: This information is collected to facilitate limited or metered pricing models where publishers or distributors charge readers based on the duration a book is read. For example, a reader may borrow a book for a period of 30 days. While some publishers/distributers charge for 30-days from the date of the download, others follow a metered pricing model and charge for the actual time the book is read.
• Percentage of the book read: This information is collected to allow publishers to implement subscription models where they can charge based on the percentage of the book read. For example, some publishers charge only a percentage of the full price if only a certain percentage of the book is read.

Additionally, the following data is provided by the publisher as part of the actual license and DRM for the ebook:

• Date of purchase or download
• Distributor ID and Adobe content server operator URL
• Metadata of the book provided by publisher (including title, author, publisher list price, ISBN number)

Complain About Comcast, Get Fired From Your Job – Slashdot

When you complain to your cable company, you certainly don’t expect that the cable company will then contact your employer and discuss your complaint. But that’s exactly what happened to one former Comcast customer who says he was fired after the cable company called a partner at his accounting firm. Be careful next time when you exercise your first amendment rights.

• From the article:

At some point shortly after that call, someone from Comcast contacted a partner at the firm to discuss Conal. This led to an ethics investigation and Conal’s subsequent dismissal from his job; a job where he says he’d only received positive feedback and reviews for his work.

Comcast maintained that Conal used the name of his employer in an attempt to get leverage. Conal insists that he never mentioned his employer by name, but believes that someone in the Comcast Controller’s office looked him up online and figured out where he worked.
When he was fired, Conal’s employer explained that the reason for the dismissal was an e-mail from Comcast that summarized conversations between Conal and Comcast employees.

But Conal has never seen this e-mail in order to say whether it’s accurate and Comcast has thus far refused to release any tapes of the phone calls related to this matter._

The post Comcast Carries Grudge | Tech Talk Today 72 first appeared on Jupiter Broadcasting.

We’ll tell you about a major German hack that lasted 12 years, and struck over 300 business. Plus researchers discover a nasty Android bug that impacts over 70% of users.

Then it’s a great big batch of your networking questions, our answers & much much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Operation Harkonnen, a 12 year long intrusion to over 300 businesses

• “From 2002 a German cybercrime network performed numerous targeted penetrations to over 300 organizations, including tier one commercial companies, government institutions, research laboratories and critical infrastructure facilities in the German speaking countries. The attackers planted Trojans in specific workstations in the organizations, gained access to sensitive confidential documents and information and silently exfiltrating them to the organizations who ordered the attack”
• “Once embedded in the system the files started to send data from the target computer to an external domain. The analysis revealed the domain was registered by a UK company, with the exact address and contact details of 833 other companies, most of which are already dissolved”
• “The British relatively tolerant requirements to purchasing SSL security certificates were exploited by the network to create pseudo legitimate Internet service names and to use them to camouflage their fraudulent activity”
• Specifically, it is quite easy to establish a new company in England
• It is estimated that the attackers spent as much as $150,000 establishing fake companies, and arming them with domains and SSL certificates in order to make their spear-phishing campaign appear more legitimate
• “The discovery happened at a leading, 30 year old, 300 employees’ German organization that holds extremely sensitive information with a strategic value to many adverse organizations and countries. The organizational network contains 5 domains with complex architecture of multiple network segments and sites, connected through VPN.“
• Additional Coverage: TheHackerNews

Researcher finds same-origin-policy bypass for Android browser, allows attacker to read your browser tabs

• Android versions before 4.4 (75% of all current Android phones) are vulnerable
• CVE-2014-6041, and was disclosed on September 1, 2014 by Rafay Baloch on his blog.
• By malforming a javascript: URL handler with a prepended null byte, an attacker can avoid the Android Open Source Platform (AOSP) Browser’s Same-Origin Policy (SOP) browser security control.
• What this means is, any arbitrary website (say, one controlled by a spammer or a spy) can peek into the contents of any other web page.
• The attacker could scrape your e-mail data and see what your browser sees.
• Or snag a copy of your session cookie and hijack your session completely, and read and write webmail on your behalf.
• As part of its attempts to gain more control over Android, Google has discontinued the AOSP Browser.
• Android Browser used to be the default browser on Google, but this changed in Android 4.2, when Google switched to Chrome.
• The core parts of Android Browser were still used to power embedded Web view controls within applications, this changed in Android 4.4, when it switched to a Chromium-based browser engine.
• Users of Android 4.0 and up can avoid much of the exposure by switching to Chrome, Firefox, or Opera, none of which should use the broken code.
• Update: Google has offered the following statement:

We have reviewed this report and Android users running Chrome as their browser, or those who are on Android 4.4+ are not affected. For earlier versions of Android, we have already released patches (1, 2) to AOSP.

• Additional Coverage: ThreatPost
• Additional Coverage: Rapid7, includes metasploit module

Feedback:

• Where do you Apply Network Qos?

• Where are packets going?

• Double Trouble NAT

• Unsafe internet of things (IoT) devices

Round Up:

• Yet Another Reason Containers Don’t Contain: Kernel Keyrings
• Micron announces new 16nm SSD chips, only $0.45/GB, dynamically programmable as SLC or MLC
• What Exactly Is the Facebook Messenger App for iOS Tracking?
• Citadel banking trojan repurposed in attack against middle eastern oil companies
• Apple’s “warrant canary” disappears, suggesting new Patriot Act demands
• Details emerge about Home Depot hack, malware attempted to look like McAfee PoS protection system, looks like different attackers than Target
• The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) disclosed four different remotely exploitable vulnerabilities in IntegraXor, a popular SCADA server
  

The post Bait and Phish | TechSNAP 181 first appeared on Jupiter Broadcasting.

Satya Nadella makes his first big move as Microsoft’s CEO and announces their year long plan to cut 18,000 jobs. Netflix takes the first for net neutrality straight to the FCC, Google starts to embrace Bitcoin, and a classic game getting a new life.

Plus why we might see more mobile spectrum soon, and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Microsoft Will Cut up to 18,000 Jobs | Re/code

Microsoft on Thursday announced it plans to cut up to 18,000 jobs this year–its deepest-ever cuts–as the company looked to digest its Nokia acquisition and reposition itself for the future.

The company is “moving now” on 13,000 of the job cuts, with the vast majority of the overall cuts coming in the next six months and fully implemented over the next 12 months.

Some 12,500 of the cuts are coming from the Nokia Devices and Services unit–roughly half that unit’s workforce.

• Starting to Evolve Our Organization and Culture

<

p>
Microsoft CEO Satya Nadella wrote:

“The first step to building the right organization for our ambitions is to realign our workforce,” Nadella said in a note to employees Thursday. “It’s important to note that while we are eliminating roles in some areas, we are adding roles in certain other strategic areas. My promise to you is that we will go through this process in the most thoughtful and transparent way possible.”

• Microsoft announces massive layoffs, kills Nokia X phones

Not unsurprisingly, Nadella specifically announced the end of the Nokia X Android endeavour.

In addition, we plan to shift select Nokia X product designs to become Lumia products running Windows. This builds on our success in the affordable smartphone space and aligns with our focus on Windows Universal Apps.

Microsoft stock hits decade high ahead of layoffs – Neowin

• MSFT: 44.08 +1.63 (+3.84%) : Microsoft Corporation – Yahoo! Finance
• Microsoft Corporation: NASDAQ:MSFT quotes & news – Google Finance

Sprint, T-Mobile Look to Raise $10 Billion for Spectrum Auction – WSJ

The Federal Communications Commission is seeking to buy airwaves used by television broadcasters in a reverse auction, and then resell them to wireless carriers in a forward auction. It is a complicated process and the first time such an idea has been tried, the FCC said.

Sprint and T-Mobile are working on a plan to raise roughly $10 billion to spend in an auction of wireless airwaves, people familiar with the matter said.

If Sprint and T-Mobile jointly spend $10 billion as currently envisioned, it would exceed the $9 billion outlay AT&T Inc. has earmarked for the auction.

The companies, which have been discussing a possible merger since last year, are planning to form a joint venture that will bid in a 2015 auction of airwaves held by television broadcasters, the people said.

The funds are part of a roughly $45 billion financing package being put together by SoftBank to finance Sprint’s acquisition of T-Mobile, the people said. SoftBank acquired Sprint last year for $22 billion.

T-Mobile would oversee the venture, a concession from Sprint’s Chairman during the merger talks, people familiar with the matter said.

An announcement of the merger could come this summer, people familiar with the matter said.

Google Search Integrates Bitcoin Price Calculator

The news comes roughly one month after Google Finance partnered with Coinbase to launch a bitcoin price tracker that enabled BTC-to-fiat price conversions across a wide range of global currencies.

A representative from Google confirmed the update to CoinDesk, noting that the tool works on Google Search’s smartphone app as well.

How it works

Google search engine users can now type in basic queries such as “bitcoin price” or “price of BTC” in order to instantly access the tool.

The update also handles more complex queries including “price of 3 bitcoin” or “5 BTC”, and responds by showing the current price of bitcoin along with a chart illustrating the currency’s history dating back before 2011.

Investors should note, however, that per Google’s disclaimer policies, the resulting search may not reflect real-time value.

Netflix to FCC: reclassify Comcast and Verizon so they can’t choke the internet

Netflix came out swinging in its submission to the FCC over proposed internet “fast lanes,” arguing Wednesday that this would be a bad idea and that the agency should instead focus on forcing broadband providers to deliver the speeds they promise to their customers.

In its 28-page filing, which coincides with the close of an initial public comment period, Netflix singled out Comcast and Verizon for degrading its movie streams to “nearly VHS quality” and for holding subscribers ransom in a battle over who should pay for upgrades to internet infrastructure.

The company also took aim at the FCC’s “fast lane” proposal, arguing that it creates a perverse incentive for the ISPs to create congestion so that they can then turn around and demand money for traffic to pass through. Arguing that “no rule is better than a bad rule,”

Project AM2R – “Another Metroid 2 Remake”: AM2R runs on Linux!

The developer recently transitioned to Game Maker Studio. In the process, many features had to be redone from scratch, so Linux support was written in too. Early builds show very good promise, and an offical build should be avaiable soon.

The post The Great Microsoft Purge | Tech Talk Today 28 first appeared on Jupiter Broadcasting.

We’ve got the definitive report on the Target breach, a flaw in single sign used all over the net, Level3 calls out broadband monopolies, and tech giants unite to save net neutrality.

Plus a huge batch of your question, our answer, and much much more!

Thanks to:

— Show Notes: —

Kill-Chain analysis of the Target breach

• A report was prepared for the Senate Committee on Commerce, Science, and Transportation
• Kill-Chain analysis involves looking at all of the things that could have been done to stop the attack from succeeding, and how or why they were not done. Kill-chain analysis was developed by security researchers at Lockheed Martin in 2011
• “This analysis suggests that Target missed a number of opportunities along the kill chain to stop the attackers and prevent the massive data breach.“
• “Target gave network access to a third-party vendor, a small Pennsylvania HVAC company, which did not appear to follow broadly accepted information security practices. The vendor’s weak security allowed the attackers to gain a foothold in Target’s network.”
• “Target appears to have failed to respond to multiple automated warnings from the company’s anti-intrusion software that the attackers were installing malware on Target’s system.”
• “Attackers who infiltrated Target’s network with a vendor credential appear to have successfully moved from less sensitive areas of Target’s network to areas storing consumer data, suggesting that Target failed to properly isolate its most sensitive network assets.”
• “Target appears to have failed to respond to multiple warnings from the company’s anti-intrusion software regarding the escape routes the attackers planned to use to exfiltrate data from Target’s network”
• “According to reports by Brian Krebs, a tailored version of the “BlackPOS” malware – available on black market cyber crime forums for between $1,800 and $2,300 – was installed on Target’s POS machines.“
• “This malware has been described by McAfee Director of Threat Intelligence Operations as “absolutely unsophisticated and uninteresting.””
• “Target’s FireEye malware intrusion detection system triggered urgent alerts with each installation of the data exfiltration malware. However, Target’s security team neither reacted to the alarms nor allowed the FireEye software to automatically delete the malware in question. Target’s Symantec antivirus software also detected malicious behavior around November 28, implicating the same server flagged by FireEye’s software”
• The phases in the kill-chain:
  • Recon – Research, identify and select targets
  • Weaponize – Pair remote access malware with exploits (PDF files, Office files, Flash or Java exploits)
  • Deliver – Transmission of weapon to target (email attachment/phishing, website/watering hole, USB drive)
  • Exploit – Once delivered, weapon code is triggered, exploiting the vulnerable application or system
  • Install – The weapon installs a backdoor allowing persistent access
  • Command & Control – Outside server communicates with the weapon, allowing attackers inside the network
  • Action – Attacker works to achieve objective, maybe exfiltration of data (credit cards, plans/designs, intelligence data), destruction of data, or further intrusion/island hopping
• Background on Kill-Chain Analysis
• Paper: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

Serious vulnerability in OAuth and OpenID could leak information

• A vulnerability in the OAuth and OpenID protocols has been found that count be used to trick a user into being redirected to a malicious site.
• OAuth and OpenID are commonly used to allow a user to login or authenticate on a site using credentials from another site. For example many websites allow you to login using your existing Facebook, Google or Microsoft ID, rather than registering separately
• OAuth is also used to authorize 3rd parties to perform actions on your behalf, such as allowing an application access to your Twitter account
• The flaw could allow attackers to steal personal data from users and redirect them to questionable sites
• This is especially dangerous, since a user on a trusted site, such as Facebook, could be tricked into loading content from an unsafe site, and doing so may also leak private data from Facebook to that unsafe site
• “for OAuth 2.0, the attacks could primarily jeopardize the token of site users. If a user were to authorize the login the attackers could then use that to access that user’s personal data. When it comes to OpenID, the attacker could get a user’s information directly, as it’s immediately transferred from the provider upon request”
• “An attacker could exploit the affected protocols and via a pop-up message through Facebook for example and trick users into giving up their information on otherwise legitimate websites”
• Thus the attacker makes it look to the user as if the request is from Facebook, not the attacker
• Researcher Blog
• Researcher site about the vulnerabilties

Mozilla recommends a new approach to net neutrality to the FCC

• Mozilla filed a petition with the FCC suggesting a new approach to net neutrality
• PDF: Petition
• The new approach involves looking at the entire question from the opposite direction
• Rather than Comcast providing Netflix, Amazon, Youtube etc access to its customer, Carol, Comcast is instead providing its customers, Alice, Carol, David, etc access to ‘remote services’, like Netflix and Dropbox
• Under this new ‘understanding’ of the shape of the Internet, Mozilla believes that the FCC already has the authority to impose strong net neutrality rules, resolving the question of authority raised when the courts struck down the old net neutrality rules
• Level 3 Blog Post – ISPs play chicken with the future of the Internet
• Level 3 Blog Post – Observations from an Internet Middleman
• There are “six peers with congestion on almost all of the interconnect ports between us. Congestion that is permanent, has been in place for well over a year and where our peer refuses to augment capacity. They are deliberately harming the service they deliver to their paying customers. They are not allowing us to fulfil the requests their customers make for content.”
• “All six are large Broadband consumer networks with a dominant or exclusive market share in their local market. In countries or markets where consumers have multiple Broadband choices (like the UK) there are no congested peers.”
• Level 3 claims 6 big ISPs purposely degrading traffic
• Level 3 and Cogent ask FCC for protection from ISP “Tolls”
• “While ISPs say the traffic loads are too heavy, Level 3, Cogent, and Netflix argue that ISPs are abusing their market power, since customers often have little to no choice of Internet provider. That means there’s only one path for Netflix traffic to reach consumers, at least over the last mile”
• Level 3 and Cogent both filed comments with the FCC
• Level 3 said “the Commission should require last-mile ISPs to interconnect on commercially reasonable terms, without the payment of an access charge.”
• Cogent proposed much harsher terms, reclassifying ISPs to be subject to common carrier rules, and requesting that “When interconnection points become congested, the FCC should have authority to intervene, Cogent said. This would force the broadband provider “to show cause why it should not be required to implement prompt remedial measures to relieve the sustained state of congestion”
• Cogent claims Comcast should have to pay for network connections
• In 2010, Internap network architecture manager Adam Rothschild said, “Comcast runs its ports to Tata at capacity, deliberately, as a means of degrading connectivity to networks which won’t peer with them or pay them money”

Feedback:

• Essential software for digital ocean droplet
• How to deal with incompetent ISP sysadmin
• Event wifi setup recommendations
• Recomendation about server setup for a local kindergarden
• Why didn’t openBSD tell OpenSSL?
• Podcasts
• Testing Gigabit Broadband Speed?
• How I “Hacked” My ISP’s Router

Round Up:

• Huge coalition led by Amazon, Microsoft, and others take a stand against FCC on net neutrality
• Compilers love messing with benchmarks – avoid comparing the wrong thing
• Researcher: iOS 7 no longer encrypting email attachments
• Improving the Mac OS X SSH Agent
• Antivirus software is dead, says security expert at Symantec
• James Mickens of Microsoft Research on choosing your zombie apocalypse gang
• 79 Percent of IT Administrators Want to Quit Due to Stress
• Another hilarious article by James Mickens
• VHS era law that protected the privacy of your video rentals may apply to streaming video, law suit filed against Hulu
• If users use insecure passwords, make them change it every 3 days, eventually they’ll use a better password
• Apple issues guidelines for Police to know what data Apple can extract from a locked phone
• Symantec says anti-virus is no longer effective, but still makes lots of money
• Proof of concept tool for exploiting OpenSSL Heartbleed issue on the client side
• Why Clang, static analysis, and dynamic analysis failed to find heartbleed

The post Internet Over Packet Loss | TechSNAP 162 first appeared on Jupiter Broadcasting.

The FCC wants to carve out a fast lane for those who can afford it, is this the end of Net Neutrality, or are we all over reacting? We’ll analyze the situation.

Pro-Russian militants overtake more Ukraine Government buildings, and the new government is calling uncle.

Plus Colorado re-thinks their edible Cannabis rules, but something smells fishy, our follow up, and much much more!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —

NSA is Crazy

Snowden hired an Espionage Act defense lawyer to work on a U.S. plea deal

Whistleblower Edward Snowden reportedly hired a lawyer in an attempt to cut a plea deal with the U.S. government.

Plato Cacheris, regarded as an expert in the Espionage Act—violation of which is the main charge brought against Snowden—has been working for Snowden since he leaked a host of National Security Agency documents last summer, according to the New York Times.

The End of Net Neutrality

F.C.C., in a Shift, Backs Fast Lanes for Web Traffic

The Federal Communications Commission said on Wednesday that it would propose new rules that allow companies like Disney, Google or Netflix to pay Internet service providers like Comcast and Verizon for special, faster lanes to send video and other content to their customers.

FCC’s new net neutrality proposal: What do we really know?

FCC Chairman Tom Wheeler’s proposal is scheduled to be released to the public on May 15, when the commission plans to vote on the first step in a long process to reinstate net neutrality rules shot down by an appeals court in January.

The first criticisms of Wheeler’s proposal came shortly after the Wall Street Journal broke a story Wednesday saying the FCC proposal would allow broadband providers to charge Web businesses for access to their fastest service.

FCC chairman Tom Wheeler.

The 1,300-word story was short on details, with only one or two paragraphs describing the proposal, and most of the rest of the story focused on reactions and on the history of the net neutrality fight.

• Franken says FCC Net neutrality proposal would “destroy” open Internet

Sen. Al Franken criticized as “misguided” a plan being considered by the FCC’s head to let companies pay for preferential access to ISPs, warning that it would “destroy” the concept of an open Internet.

In a letter sent to FCC Chairman Tom Wheeler on Tuesday, Franken said that the idea would constitute “an affront to Net neutrality and have no place in an online marketplace that values competition and openness.”

“Your proposal would grant Verizon, Comcast, and other ISPs the power to pick winners and losers on the Internet, which violates core Net neutrality principles that you have publicly supported in the past. Although you claim that this proposal is not a ”turnaround,“ it is difficult to understand how it does not flatly contradict your own Commission’s Open Internet Order.”

• FCC Chairman Tom Wheeler Hits Back at ‘Net Neutrality’ Critics

In a strongly-worded and occasionally defensive blog post published Tuesday, Wheeler declared that he is a “strong believer in the importance of an Open Internet,” and said that his priority is to quickly craft new net neutrality rules that would withstand legal challenges.

What will happen at the FCC meeting on May 15?

The FCC is scheduled to vote on a notice of proposed rulemaking, or NPRM, addressing the new net neutrality plan. In an NPRM, the commission releases a set of proposals and asks for public comment on them. It’s the first step in a long process for the FCC to pass new regulations.

Because of the controversy over the proposal, the FCC has already begun taking email comments at openinternet@fcc.gov.

After Comcast, Netflix signs traffic deal with Verizon

Netflix just confirmed that it will pay Verizon for direct access through the carrier’s network, allowing for improved streaming video for customers. According to a brief statement, “We have reached an interconnect arrangement with Verizon that we hope will improve performance for our joint customers over the coming months.” The announcement mirrors a similar peering deal inked earlier this year made by Netflix and Comcast, and likely won’t be the last of its kind.

• Netflix US & Canada Blog: The Case Against ISP Tolls

For a content company such as Netflix, paying an ISP like Comcast for interconnection is not the same as paying for Internet transit. Transit networks like Level3, XO, Cogent and Tata perform two important services: (1) they carry traffic over long distances and (2) they provide access to every network on the global Internet. When Netflix connects directly to the Comcast network, Comcast is not providing either of the services typically provided by transit networks.

– Thanks for Supporting Unfilter –

*– Mark R

• Thanks to our 378 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience. ‘

• Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

• Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.

Ukraine

Ukrainian President Says Security Forces ‘Helpless’ Against Militias in East – NYTimes.com

As pro-Russian gunmen seized another city in eastern Ukraine on Wednesday, the country’s acting president said that the government’s police and security officials were “helpless” to control events in large swaths of the region, where at least a dozen cities are now in the hands of separatists.

With the admission by the country’s acting leader, Oleksandr V. Turchynov, that major chunks of the country had slipped from the government’s grasp, the long-simmering conflict in Ukraine seemed to enter a new and more dangerous phase.

Kerry: U.S. Taped Moscow’s Calls to Its Ukraine Spies

Recording “Obtained” by the Daily Beast

The United States has proof that the Russian government in Moscow is running a network of spies inside eastern Ukraine because the U.S. government has recordings of their conversations, Secretary of State John Kerry said in a closed-door meeting Friday.

“Intel is producing taped conversations of intelligence operatives taking their orders from Moscow and everybody can tell the difference in the accents, in the idioms, in the language. We know exactly who’s giving those orders, we know where they are coming from,” Kerry said at a private meeting of the Trilateral Commission in Washington. A recording of Kerry’s remarks was obtained by The Daily Beast.

• Republicans Launch New Push To Arm Ukraine

Senate Republicans are pressing the Obama administration to do more to help Ukraine and hurt Russia and are introducing a new bill that would provide for weapons, sanctions, and more aid.

• The Obama Administration pushing hard to have us belive Russia is hurting from sanctions

Russia’s foreign exchange reserves were drained of a record $63 billion in the first quarter of the year, Economic Development Minister Alexei Ulyukayev said Wednesday in an address to the lower house of the parliament.
If that pace continues, losses this year would surpass the $120 billion Russia lost in 2008 at the height of the global recession.

• But Russia’s Economy was already slowing

Last year, Russia’s economy grew 1.3 percent, its weakest rate in the past 13 years with the exception of 2009, when the country suffered in the global downturn. The growth slowed further this year as investors pulled money out of the county amid concerns over Russia’s policy in Ukraine.

Supreme Court Considers Limits On Warrantless Cellphone Searches

At Tuesday’s Supreme Court argument, Riley’s lawyer, Jeffrey Fisher, told the justices that the Founding Fathers never intended to allow such wide-ranging searches without a warrant. The warrantless search at the time of arrest, he noted, was to protect the officer’s safety and to prevent the destruction of evidence.

• Initial impressions from the oral argument in the Supreme Court cell phone search cases

This morning, I attended the Supreme Court arguments in the cell phone search cases, United States v. Wurie and Riley v. California. Here are some initial impressions of the argument

Weed Wackers:

Colorado eyes regulating marijuana edibles serving size after two deaths

Two recent Colorado deaths have been associated with legal edible marijuana products, and state regulators may now step in to better regulate portion sizes.

A 19-year-old student visiting the state on spring break jumped to his death off of a hotel balcony in March after eating 65mg of THC in a pot cookie. In April, a 47-year-old man fatally shot his wife in the head while high from candy marijuana edibles.

• Marijuana-infused-food rules in Colorado examined after deaths

Ten milligrams of THC is considered a serving size of the drug, but Colorado has no requirement that edibles be packaged in single servings, at least for now.

• State group debating THC levels in retail marijuana products, ‘edibles,’

10mg of THC is considered roughly equivalent to the amount in a medium-sized joint.

In Washington state, where retail sales don’t begin until July, edible pot products will have the same 10mg serving size, with a maximum of 10 servings per package, said Brian Smith of the Washington State Liquor Control Board, which is regulating recreational pot sales.

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Chase on Twitter

The post Net Neutrality Doomed | Unfilter 95 first appeared on Jupiter Broadcasting.

Is it time to replace openSSL? We’ll follow up on the Heartbleed story, discuss how attackers got read access to Google’s production servers and then it’s a great batch of your questions and our answers.

All that and much much more…

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Heartbleed followup

• The developer who introduced the heartbeat feature, that lead to the heartbleed flaw, claims it was an honest mistake and denies the involvement of any intelligence agencies or other mischief
• An investigation and some insider info has allowed the construction of a more much accurate timeline of the events leading up to heartbleed and the breakdown of responsible disclosure
• 2014-03-21 (or earlier): Neel Mehta of Google Security discovers Heartbleed vulnerability
• 2014-03-21: Bodo Moeller and Adam Langley of Google commit a patch for the flaw (based on timestamp of the patch sent to OpenSSL and Redhat)
• 2014-03-31 (or earlier): CloudFlare is notified about the flaw under a non-disclosure agreement
• 2014-04-01: Google notifies OpenSSL of the flaw. OpenSSL was going to release a patch that week, but changed the planned release to April 9th to allow more coordination
• 2014-04-02: Researchers at Codenomicon find the same bug
• 2014-04-03: Codenomicon notifies NCSC-FI
• 2014-04-04: Akamai finds out about the bug from an undisclosed source and patches their servers
• 2014-04-04: Rumors begin about a flaw in OpenSSL, but no details are available
• 2014-04-05: Codenomicon purchases the heartbleed.com domain, OpenSSL team commits the Google patch to their private git repo
• 2014-04-06: NCSC-FI (CERT-FI) requests that CERT/CC (Computer Emergency Response Team Coordination Center) allocate a CVE for the bug, no details given. Mark Cox of OpenSSL notifies Redhat about the issue and asks them to coordinate with the other operating systems since Mark is on holiday. RedHat security engineer sends the email to the private distributions list with no details, distros that agree to the embargo (no notification until April 9th) are given the details. These distros include SuSE (Monday, April 7 at 01:15), Debian (01:16), FreeBSD (01:49) and AltLinux (03:00). Other operating systems, Ubuntu (asked at 04:30), Gentoo (07:14) and Chromium (09:15), request details during the night, but by time the RedHat engineer gets up in the morning, the flaw has become public
• 2014-04-07 (or earlier): Facebook is notified and patches their servers
• 2014-04-07: NCSC-FI notifies OpenSSL that Codenomicon has discovered a flaw. OpenSSL team decides that \”the coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.\”
• 2014-04-09: Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation
• In summary, those who knew about the issue before it was public: Google (March 21 or prior), CloudFlare (March 31 or prior), OpenSSL (April 1), Codenomicon (April 2), National Cyber Security Centre Finland (April 3), Akamai (April 4 or earlier) and Facebook (no date given)
• Those who had a few hours of advanced warning: SuSE, Debian, FreeBSD and AltLinux
• There is also a timeline from the perspective of the OpenSSL team
• Researchers at Lawrence Berkeley National Laboratory find No evidence that heartbleed was exploited before it became public
• Meanwhile, researchers at the University of Michigan setup a honeypot and monitored who tried to heartbleed it. Of the 41 groups that attacked the honeypot, the majority of those groups — 59 percent — were in China.
• What is worse than heartbleed? Bugs in heartbleed detection scripts
• Akamai claimed to be protected from heartbleed by their own patches
• They were proven wrong
• Akamai updated their blog post explaining the fault
• Akamai was forced to rekey all of their customers’ SSL certificates

• The Akamai post raises an interesting questions about EV-SSL certificates, and how much longer they might take to re-key

• Is the IETF to blame for allowing the heartbeat feature to be added to the standard in the first place?

• See BSD Now episode 033 for news on the OpenBSD fork of OpenSSL
• Why I quit writing Internet standards
• Statement by the CRA about 900 SIN numbers leaking due to heartbleed
• RCMP arrests 19 year old from London, Ontario for using heartbleed against the CRA
• CloudFlare launched a challenge to see if anyone could capture their private key
• two or more people were successful, and the certificate has since been revoked
• ACM Queue – PHK: Putting OpenSSL out of its misery
• PHK shares his experience making a living while working on open source in “Raking in the dough on Free and Open Source Software”
• Open source is a thankless job, we do it anyway
• Does the OpenSSL flaw alter the “open source is safer” equation?
• Coverity report finds open source software to be higher quality Coverity\’s analysis found an average defect density of .59 for open source C/C++ projects that leverage the Scan service, compared to an average defect density of .72 for proprietary C/C++ code
• 863 CIOs surveyed, 18% said their orgs are unaffected by Heartbleed because they use anti-virus

How we got read access to Google’s production servers

• A group of researchers decided to target Google
• Looking at the trends in the industry, flaws are most often found in:
• Old and deprecated software
• Unknown and hardly accessible software
• Proprietary software that only a few people have access to
• Alpha/Beta releases and otherwise new technologies
• So they did their homework
• They used the Google search engine, to search for software and companies that Google had acquired, antique systems, and products with very few users
• They found the Google Toolbar button gallery
• The product allows users to customize the toolbar by uploading XML that controls the style etc
• They quickly managed to perform an XXE attack
• They were then able to read files on Google’s production servers, including /etc/passwd, and some custom init scripts that Google uses to manage their cluster of servers
• They likely could have escalated the attack, and possibly accessed Google’s internal servers
• The team reporting the issue to Google, and was awarded a $10,000 bug bounty

Feedback:

• LastPass

• Automated bare-metal backups for a physical server?

• SLAs and Daylight Savings

• pfsense and logs

• Heartbleed

• Memory allocation in OpenSSL

Round Up:

• PSA: Fraudulent Crypto Kickstarter Campaign
• weev (AT&T iPad data incident) conviction vacated, the information was not protected by a password or other security mechanism, so accessing it was not “misuse”
• HAM Radio operators accidently tripping arc fault circuit interrupters, American Radio Relay League labs working with manufacturer on fix
• When Azure breaks: Lessons for every cloud programmer
• Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA
• Canadian Government publishes guidelines for staying safe online
• Comcast PAC gave money to every senator examining Time Warner Cable merger | Ars Technica
• 7 Habits of highly successful UNIX admins
• Over $100K in Bitcoin Was Stolen in a Ridiculously Low-Tech Heist

The post Time to Kill openSSL | TechSNAP 158 first appeared on Jupiter Broadcasting.