Compression – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 29 Jul 2022 07:51:51 +0000

Linux Action News 251
https://original.jupiterbroadcasting.net/149382/linux-action-news-251/
Fri, 29 Jul 2022 00:00:00 +0000

Show Notes: linuxactionnews.com/251

The post Linux Action News 251 first appeared on Jupiter Broadcasting.

Better than Butter | LINUX Unplugged 459
https://original.jupiterbroadcasting.net/148672/better-than-butter-linux-unplugged-459/
Sun, 22 May 2022 19:45:00 +0000

Show Notes: linuxunplugged.com/459

The post Better than Butter | LINUX Unplugged 459 first appeared on Jupiter Broadcasting.

Double Server Jeopardy | LINUX Unplugged 439
https://original.jupiterbroadcasting.net/147172/double-server-jeopardy-linux-unplugged-439/
Sun, 02 Jan 2022 15:00:00 +0000

Show Notes: linuxunplugged.com/439

The post Double Server Jeopardy | LINUX Unplugged 439 first appeared on Jupiter Broadcasting.

Your New Tools | LINUX Unplugged 373
https://original.jupiterbroadcasting.net/142932/your-new-tools-linux-unplugged-373/
Tue, 29 Sep 2020 22:30:00 +0000

Show Notes: linuxunplugged.com/373

The post Your New Tools | LINUX Unplugged 373 first appeared on Jupiter Broadcasting.

Podcasting Basics: Joe Ressington | Jupiter Extras 56
https://original.jupiterbroadcasting.net/139522/podcasting-basics-joe-ressington-jupiter-extras-56/
Tue, 18 Feb 2020 00:15:00 +0000

Show Notes: extras.show/56

The post Podcasting Basics: Joe Ressington | Jupiter Extras 56 first appeared on Jupiter Broadcasting.

Google Reads Your Email | TechSNAP 325
https://original.jupiterbroadcasting.net/116171/google-reads-your-email-techsnap-325/
Tue, 27 Jun 2017 20:17:17 +0000

Massive cyberattack hits Europe with widespread ransom demands New Ransomware Variant Compromises Systems Worldwide some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc MDDoc posts […]

The post Google Reads Your Email | TechSNAP 325 first appeared on Jupiter Broadcasting.

Show Notes:

Massive cyberattack hits Europe with widespread ransom demands

Google Says It Will No Longer Read Users’ Emails To Sell Targeted Ads

Does US have right to data on overseas servers? We’re about to find out


I Can’t Believe It’s Not Ethernet | TechSNAP 283
https://original.jupiterbroadcasting.net/102961/i-cant-believe-its-not-ethernet-techsnap-283/
Thu, 08 Sep 2016 20:00:44 +0000

The post I Can't Believe It's Not Ethernet | TechSNAP 283 first appeared on Jupiter Broadcasting.


Show Notes:

Modified USB Ethernet adapter can steal Windows and Mac credentials

  • “Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).”
  • Thesis: “If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out”
  • “The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.”
  • “The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. This means that even if a system is locked out, the device still gets installed”
  • “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
  • “When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device. Fuller’s modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology. The researcher’s modified device also includes a LED that lights up when the credentials have been recorded.”
  • So, just like in a spy movie, you plug in the device, wait until the light comes on, and you have stolen the credentials
  • “An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.”
  • The attack was tested against versions of Windows as far back as Windows 98 SE, and as modern as Windows 10 Enterprise and OS X El Capitan
  • The device pretends to be an ethernet adapter, and provides access to a ‘network’, where a DHCP server tells you to install this proxy configuration
  • “This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others”
  • It gives you the hashed password for the logged-in user, which you can then crack offline, and return later and log in with the known password
  • Researcher blog

Zstandard, a new compression algorithm from Facebook

  • Unlike the new Dropbox algorithm that is designed specifically for JPEG images, this is a general-purpose algorithm, designed to replace gzip
  • “Today, the reigning data compression standard is Deflate, the core algorithm inside Zip, gzip, and zlib. For two decades, it has provided an impressive balance between speed and space, and, as a result, it is used in almost every modern electronic device (and, not coincidentally, used to transmit every byte of the very blog post you are reading). Over the years, other algorithms have offered either better compression or faster compression, but rarely both. We believe we’ve changed this.”
  • There are three standard metrics for comparing compression algorithms and implementations:
    • Compression ratio: The original size (numerator) compared with the compressed size (denominator), measured in unitless data as a size ratio of 1.0 or greater.
    • Compression speed: How quickly we can make the data smaller, measured in MB/s of input data consumed.
    • Decompression speed: How quickly we can reconstruct the original data from the compressed data, measured in MB/s for the rate at which data is produced from compressed data.
  • “The type of data being compressed can affect these metrics, so many algorithms are tuned for specific types of data, such as English text, genetic sequences, or rasterized images. However, Zstandard, like zlib, is meant for general-purpose compression for a variety of data types. To represent the algorithms that Zstandard is expected to work on, in this post we’ll use the Silesia corpus, a data set of files that represent the typical data types used every day.”
  • The post compares the best of the modern compression algorithms: lz4 (what ZFS uses), zstd (Facebook’s new thing), libz (gzip, what your browser uses for webpages), and xz (what most Unix distros have switched to for compressing tar and log files)
  • In the comparison, LZ4 does not compress the data as much, but does so at almost 450 MB/s, while zlib compresses more, but only 23 MB/s. XZ compresses even better, but at only 2.3 MB/s
  • zstd gets about the same compression as zlib, but at almost 6 times the speed (136 MB/s)
  • Decompression is similar: LZ4: 2165 MB/s, zstd: 536 MB/s, zlib: 281 MB/s, xz: 63 MB/s
  • When comparing the command line tools, zstd is about 5x faster at compression, and 3.6x faster at decompression
  • As with gzip and xz, zstd also supports different ‘levels’ of compression, but instead of a range from 1 to 9, it offers a range of 1-22 (which suggests that additional levels might be added in the future)
  • It looks like it can get xz levels of compression if turned up high enough
  • “By design, zlib is limited to a 32 KB window, which was a sensible choice in the early ’90s. But, today’s computing environment can access much more memory — even in mobile and embedded environments. Zstandard has no inherent limit and can address terabytes of memory (although it rarely does). For example, the lower of the 22 levels use 1 MB or less. For compatibility with a broad range of receiving systems, where memory may be limited, it is recommended to limit memory usage to 8 MB. This is a tuning recommendation, though, not a compression format limitation.”


I forgot the password for my consumer grade NAS

  • “I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords.”
  • “I miraculously still remember the password to my regular user, but the admin password is nowhere to be found and you need the old one to change it. So I start poking around to see if there is any way to recover it.”
  • “One of the most common vulnerabilities on these thingies is allowing anyone to download a “config backup” that includes all the juicy passwords, and indeed, this screen looks promising”
  • The download was just base64 encoded random data. Definitely encrypted
  • “Mandatory Open Source releases usually have LICENSE files or some other indication of what libraries are being used, so he’s hoping to find some clue on what they used.”
  • Apparently WD releases everything, including the php script that generates the config download
  • “Looks like it’s a tarball encrypted with something called encodex and a fixed password”
  • “So we got the config file. Is it over? Nope. No passwords in it. This system does everything wrong. it’s unsalted MD5. Then it is stored a second time as a plain MD5 anyway”
  • I have never seen anyone do that before. I didn’t even know that would work…
  • So they reversed the process and uploaded a new configuration file with the hash of a known password (faster than brute forcing). Why is this allowed by a non-admin user anyway?
  • “Great. Fun. Is it enough? No! I locked myself out of ssh access too, by adding an unmatchable AllowUsers directive to my sshd_config.”
  • “First realization, the whole webgui runs as root. Look at ChangeWebAdmin above, it calls passwd and reads /etc/shadow!”
  • So, when you upload a new config, it just decrypts it and runs the untar, as root
  • “plus the fact that it’s probably a BusyBox implementation of tar might mean that the oldest trick in the book works: creating an archive with a fully-qualified /etc/sshd_config file in it and hope it gets extracted directly at the absolute path.”
  • “No luck. Second try: we see that it’s extracted in /tmp, what if we call it ../etc/sshd_config? No luck with that neither.”
  • “But hey… we can extract as much as we want in /tmp and nothing will get deleted between a run and the next! So let’s try with a convenient symlink :). First we plant a root => / symlink, and now that /tmp/root points to / we try calling our file root/etc/sshd_config and hope it gets extracted inside the symlink”
  • And, we’re in. The sshd_config has been replaced with one uploaded by an unprivileged user.
  • “This is all nice, but I started from a vantage point: I remembered a user login. Can we do something from scratch?”
  • “For example, extracting the config… It didn’t look like that PHP file had any access control, is it possible that… Oh God.”
  • “If we can crack any user password from the MD5, we can go from zero to root”
  • “All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect… AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That’s a first for me.”
  • “Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.”
  • Most browsers will respect the header, redirect you to the login page, and ignore the excess content that was included in the response (like a config backup, or downloading a file, or doing any action whatsoever)
  • “So with the admin password reset trick above, we can get a full escalation from unauth to admin+root. Pwn’d. (The hardest thing was emulating the browser request with curl well enough to upload the file.)”
  • “So yeah, don’t expose these thingies on the Internet and don’t worry too much if you lose the passwords ;-)”
  • And in the end, the mystery was solved: “Turns out all the password fields except the login form have maxlength=16, so when resetting the password I pasted it from the password manager and it got cut without me knowing”
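The archive tricks described above (absolute path, "../", then a planted symlink that survives in /tmp between uploads) can be checked for before anything is unpacked. This is an added example, not the NAS vendor's code or the original author's; the helper names and the in-memory archives are constructed for illustration, and the policy (reject every link member, reject anything that resolves outside the destination) is an assumption about what a config restore needs.

```python
import io
import os
import tarfile
import tempfile


def make_tar(entries):
    """Build an in-memory tar from (name, data, linkname) tuples (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data, linkname in entries:
            info = tarfile.TarInfo(name)
            if linkname is not None:
                info.type = tarfile.SYMTYPE
                info.linkname = linkname
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def unsafe_members(tar, dest):
    """Return [(name, reason)] for members that must not be extracted into dest."""
    dest = os.path.realpath(dest)
    problems = []
    for member in tar.getmembers():
        name = member.name
        if name.startswith("/"):
            problems.append((name, "absolute path"))
        elif ".." in name.split("/"):
            problems.append((name, "parent-directory component"))
        elif member.issym() or member.islnk():
            # A config restore has no need for links; refusing them stops the
            # "plant a symlink now, write through it on the next upload" step.
            problems.append((name, "link member"))
        else:
            # realpath() follows symlinks that already exist on disk, so a link
            # left behind by an earlier extraction is caught here.
            target = os.path.realpath(os.path.join(dest, name))
            if os.path.commonpath([dest, target]) != dest:
                problems.append((name, "resolves outside destination"))
    return problems


def safe_extract(tar, dest):
    """Extract only when every member passes the checks above."""
    problems = unsafe_members(tar, dest)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    # Use the standard library's own 'data' filter as a second layer where available.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    tar.extractall(dest, **kwargs)


def replay_nas_sequence():
    """Run the three attempts from the write-up against the checker."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["absolute"] = unsafe_members(
            make_tar([("/etc/sshd_config", b"x", None)]), dest)
        results["dotdot"] = unsafe_members(
            make_tar([("../etc/sshd_config", b"x", None)]), dest)
        results["plant_link"] = unsafe_members(
            make_tar([("root", None, "/")]), dest)
        # Model a leftover from an earlier, unchecked upload: dest/root -> /
        link = os.path.join(dest, "root")
        os.symlink("/", link)
        results["via_link"] = unsafe_members(
            make_tar([("root/etc/sshd_config", b"x", None)]), dest)
        os.unlink(link)
        # A well-formed backup still extracts normally.
        safe_extract(make_tar([("etc/sshd_config", b"PermitRootLogin no\n", None)]), dest)
        results["benign_extracted"] = os.path.isfile(
            os.path.join(dest, "etc", "sshd_config"))
    return results


if __name__ == "__main__":
    for step, outcome in replay_nas_sequence().items():
        print(step, outcome)
```

Extracting into a fresh, empty directory per upload and doing it as an unprivileged user removes the leftover-symlink case and the root write even if a check is missed.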
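The "redirect, then keep handling the request" behaviour quoted above, modelled as a small WSGI application next to a corrected handler, with a check that can be run against responses from your own application. This is an added example, not the NAS web GUI's code (which the write-up says is PHP); the cookie value, path, backup bytes and the 1024-byte threshold are constructed assumptions.

```python
from wsgiref.util import setup_testing_defaults

CONFIG_BACKUP = b"constructed-config-backup-bytes"  # placeholder, not real data


def is_logged_in(environ):
    # Hypothetical session check: a fixed cookie stands in for a real session store.
    return environ.get("HTTP_COOKIE", "") == "session=valid"


def vulnerable_app(environ, start_response):
    """Sets the redirect header for anonymous users but still does the work."""
    status = "200 OK"
    headers = [("Content-Type", "application/octet-stream")]
    if not is_logged_in(environ):
        status = "302 Found"
        headers.append(("Location", "/login"))
        # Bug: nothing stops execution here, so the privileged action below runs.
    start_response(status, headers)
    return [CONFIG_BACKUP]


def hardened_app(environ, start_response):
    """Returns immediately after the redirect; the action is never reached."""
    if not is_logged_in(environ):
        start_response("302 Found", [("Location", "/login"), ("Content-Length", "0")])
        return [b""]
    start_response("200 OK", [("Content-Type", "application/octet-stream")])
    return [CONFIG_BACKUP]


def call(app, cookie=None):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/config_backup"  # hypothetical endpoint name
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def redirect_carries_content(status, headers, body):
    """Heuristic audit check: a 3xx response should carry at most a short HTML stub."""
    if not 300 <= status < 400 or not body:
        return False
    ctype = headers.get("Content-Type", "")
    return not ctype.startswith("text/html") or len(body) > 1024


if __name__ == "__main__":
    for app in (vulnerable_app, hardened_app):
        status, headers, body = call(app)
        print(app.__name__, status, len(body),
              "LEAK" if redirect_carries_content(status, headers, body) else "ok")
```

A browser hides the difference between the two handlers because it follows the Location header and discards the body, so the check has to look at the raw response.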

Preventing a btrfs Nightmare | LAS 320
https://original.jupiterbroadcasting.net/61572/preventing-a-btrfs-nightmare-las-320/
Sun, 06 Jul 2014 16:13:15 +0000

The post Preventing a btrfs Nightmare | LAS 320 first appeared on Jupiter Broadcasting.


What happens when btrfs goes bad? After rescuing our system from a massive crash, we’ll share what went wrong, how you can prevent problems, reclaim gigabytes of space, and optimize your Linux box for an SSD drive.

Plus a quick look at Ubuntu MATE Remix, the NSA targets Linux users, solving the distro hopping bug….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

— Show Notes: —

How I saved myself from a btrfs nightmare:



We asked: Do you trust btrfs?

It really started about three weeks ago, when I was doing a big package upgrade. The upgrade installs started to fail reporting out of space.

df reported more than 30GBs free on / partition. Despite df’s optimized summarization of my situation I cleared my package cache, deleted some unneeded VMs, and about 20 Steam games that I had stashed in /opt.

Fast forward to this Friday and my system won’t boot. I knew it was a risk, but I was desperate. I decided to compress all the things. Based on my quick reading of a few wiki pages, I could compress files on demand but necessarily compress the entire file system all the time. IE compress a lot of crap small libraries, reduce the amount of blocks they take up, and free up some space.

btrfs has built-in support for doing this. I have run compression on my /home file system since day one of this install. I opt for LZO compression. The ratio of compression is lower than other options, but the performance is fantastic. I set off compressing the messy areas of my / (like /var /usr/lib).

But after a sanity check reboot, and many errors about failing to find a file, it was clear my understanding was wrong, and the mount options in my /etc/fstab needed to be updated.

I dd’ed the latest Antergos ISO onto a USB 3.0 thumb drive and booted the Bonobo into the live environment, fired up gparted to remind myself which physical device my rootfs was on (hey it’s been over a year!) and then promptly created a mount point for it under /mnt/fix.

I jumped into my /mnt/fix folder and immediately was back at home on my Bonobo’s root file system. A quick nano (YES) of my /mnt/fix/etc/fstab file and I added the compress flag to my root file system’s mount options.

Unmounted and rebooted the Bonobo, and the 1+ year Arch install fired right up.

I then set off to figure out how to better use btrfs on my system, and specifically tune the file system for my SSD drives.

Why btrfs?

btrfs

“a new copy on write (CoW) filesystem for Linux aimed at implementing advanced features while focusing on fault tolerance, repair and easy administration.”

  • Early days still, but it’s getting a lot closer and I wanted to have some real time under my belt with it.
  • The features it brings to Linux are going to be seen as minimum requirements in the future. CoW, snapshot, checksum, volume management.
  • SSD (Flash storage) awareness (TRIM/Discard for reporting free blocks for reuse) and optimizations.
  • Background scrub process for finding and fixing errors on files with redundant copies.
  • Online file system defragmentation.

OSCON Speaker Benchmarks LZO compression

  • Compression with modern hardware (like SSDs, multi-core CPUs) is a serious solution. It not only offers more value out of your SSD drive, but because the disk has to read less data overall, and the CPU is generally just waiting for I/O you can actually see an improvement on transfer speeds.

  • btrfs Stability Status

The filesystem disk format is no longer unstable, and it’s not expected to change unless there are strong reasons to do so. If there is a format change, file systems with an unchanged format will continue to be mountable and usable by newer kernels.

It kept telling me my device was full, but I had 30GB free. btrfs balance to the rescue.

  • Package updates would fail, reporting no space left on device.
  • Checking my system with df -h clearly reported 30GB free on my /
  • Checking with btrfs filesystem df showed a different story.
  • I used ncdu to sniff out the biggest files I could delete or move to give me some emergency wiggle room.

Why the different DF?

  • General Linux userspace tools such as df will inaccurately report free space on a Btrfs partition.
  • df does not take into account space allocated for and used by the metadata. It is recommended to use /usr/bin/btrfs to query a btrfs partition.

  • Run the btrfs command to get a sense of what it can do. You want to perform a filesystem function and show stats about a device.

btrfs filesystem df /

  • Also:

btrfs filesystem show /dev/sda3

So, in general, it is impossible to give an accurate estimate of the amount of free space on any btrfs filesystem. Yes, this sucks. If you have a really good idea for how to make it simple for users to understand how much space they’ve got left, please do let us know, but also please be aware that the finest minds in btrfs development have been thinking about this problem for at least a couple of years, and we haven’t found a simple solution yet.

Step 1: Rebalance, it’s not just for RAID arrays anymore!

Rebalance to realign the blocks on the disk

  • Balance does a defragmentation, but not on a file level, rather on the block group level. It can move data from less used block groups to the remaining ones, e.g. using the usage balance filter.

btrfs balance start / -v

In general usage, no. A full unfiltered balance typically takes a long time, and will rewrite huge amounts of data unnecessarily. You may wish to run a balance on metadata only (see Balance_Filters) if you find you have very large amounts of metadata space allocated but unused, but this should be a last resort. At some point, this kind of clean-up will be made an automatic background process.

Step 2: Defragment that disk

btrfs filesystem defragment -r -v /

  • Optional: if you’re really hard pressed for space, consider defragmenting the metadata too:

find / -xdev -type d -print -exec btrfs filesystem defragment '{}' \;

Step 3: Compress that disk’s file system.

SSD Workload with LZO

What are the differences between compression methods?

There’s a speed/ratio trade-off:

  • ZLIB — slower, higher compression ratio (uses zlib level 3 setting; you can see the zlib level difference between 1 and 6 at https://code.google.com/p/lz4/).
  • LZO — faster compression and decompression than zlib, worse compression ratio, designed to be fast

The differences depend on the actual data set and cannot be expressed by a single number or recommendation. Do your own benchmarks. LZO seems to give satisfying results for general use.

  • This is running another defragmentation pass. Yes this means two defragmentation runs. But if you’re really tight on space, you need to free some up first before you can compress. The system will need some temporary space while it writes compressed versions of the files.

btrfs filesystem defragment -r -v -clzo /

  • Important: Update your /etc/fstab to include compress=lzo. For example:

LABEL=rootfs / btrfs defaults,compress=lzo 0 1

Step 4: Optimize for SSD
  • Best results with Linux 3.14 and up
  • I have added these flags to my fstab mount for both my / and my /home

noatime,compress=lzo,ssd,discard,space_cache,autodefrag,inode_cache

Example:

LABEL=homefs /home btrfs defaults,compress=lzo,ssd,discard,space_cache,autodefrag,inode_cache 0 1

btrfs gotchas?

This page lists problems one might face when trying btrfs, some of these are not really bugs, but rather inconveniences about things not yet implemented, or yet undocumented design decisions.


— Picks —

Runs Linux

This GSM Base Station Powered by the BeagleBone Black, Runs Linux
  • Debian Wheezy 7
  • Upgraded to the 3.15.2 Linux Kernel
  • USRP B200 ($675 USD) The USRP B200 provides a fully integrated, single board, Universal Software Radio Peripheral platform with continuous frequency coverage from 70 MHz –6 GHz. Designed for low-cost experimentation, it combines a fully integrated direct conversion transceiver providing up to 56MHz of real-time bandwidth, an open and reprogrammable Spartan6 FPGA, and fast and convenient bus-powered.
  • OpenBTS is the software that provides us with the software part of a cellular station.
  • sipauthserve, for cellular subscriber registration

Desktop App Pick

New Linux Podcast App ‘Vocal’

The project’s developer, Nathan Dyer, has made beta builds — still unstable and not feature complete — available for testing through a dedicated PPA for Ubuntu 14.04 LTS and 14.10.

Weekly Spotlight

Tails – Privacy for anyone anywhere

Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity

HTTPS Everywhere is a Firefox, Chrome, and Opera extension that encrypts your communications with many major websites, making your browsing more secure. Encrypt the web: Install HTTPS Everywhere today.


— NEWS —

NSA targets the privacy-conscious | Das Erste – Panorama – Meldungen

Xkeyscore

The investigation discloses the following:

  • Two servers in Germany – in Berlin and Nuremberg – are under surveillance by the NSA.
  • Merely searching the web for the privacy-enhancing software tools outlined in the XKeyscore rules causes the NSA to mark and track the IP address of the person doing the search. Not only are German privacy software users tracked, but the source code shows that privacy software users worldwide are tracked by the NSA.
  • Among the NSA’s targets is the Tor network funded primarily by the US government to aid democracy advocates in authoritarian states.
  • The XKeyscore rules reveal that the NSA tracks all connections to a server that hosts part of an anonymous email service at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) in Cambridge, Massachusetts. It also records details about visits to a popular internet journal for Linux operating system users called “the Linux Journal – the Original Magazine of the Linux Community”, and calls it an “extremist forum”.

If you read Boing Boing, the NSA considers you a target for deep surveillance

What is XKEYSCORE?

Tor and Tails have been part of the mainstream discussion of online security, surveillance and privacy for years. It’s nothing short of bizarre to place people under suspicion for searching for these terms.

One expert suggested that the NSA’s intention here was to separate the sheep from the goats — to split the entire population of the Internet into “people who have the technical know-how to be private” and “people who don’t” and then capture all the communications from the first group.

Another expert said that s/he believed that this leak may come from a second source, not Edward Snowden, as s/he had not seen this in the original Snowden docs; and had seen other revelations that also appeared independent of the Snowden materials.

Schneier on Security: NSA Targets the Privacy-Conscious for Surveillance

Jake Appelbaum et al. are reporting on XKEYSCORE selection rules that target users — and people who just visit the websites of — Tor, Tails, and other sites. This isn’t just metadata; this is “full take” content that’s stored forever.

Dear NSA, Privacy is a Fundamental Right, Not Reasonable Suspicion | Electronic Frontier Foundation

Even the U.S. Foreign Intelligence Surveillance Court recognizes this, as the FISA prohibits targeting people or conducting investigations based solely on activities protected by the First Amendment. Regardless of whether the NSA is relying on FISA to authorize this activity or conducting the spying overseas, it is deeply problematic.

NSA: Linux Journal is an “extremist forum” and its readers get flagged for extra surveillance | Linux Journal

The Ultra-Simple App That Lets Anyone Encrypt Anything | Threat Level | WIRED

Nadim Kobeissi

Wired reports that Nadim Kobeissi will release a beta version of an all-purpose file encryption browser plugin called miniLock at the HOPE hacker conference in New York. The free and open source plugin is meant to make it easy to drag and drop files to encrypt so that no one but the intended recipient can unscramble them.

Wayland in Fedora Update

So the summary is that while we expect to have a version of Wayland in Fedora Workstation 21 that will be able to run a fully functional desktop, there are some missing pieces we now know that will not make it. Which means that since we want to ship at least one Fedora release with a feature complete Wayland as an option before making it default, that means that Fedora Workstation 23 is the earliest Wayland can be the default.

The KDE Improv Project Has Announced Its End

Improv Board

Carl Symons on the behalf of Aaron Seigo and the rest of the Improv crew have sent out an email to the backers saying the project is over, they will issue partial refunds, etc. It’s only a partial refund right now as they had already invested some money into buying long lead times with their Chinese manufacturer.

There were also credit card processing fees, etc, but they’re working out a path for full reimbursement. It’s also said Aaron invested $200k USD into the project.

There was simply not enough support to make the project work, despite having fully functional, production ready devices and a strong commitment to succeed. The Free software community does not seem ready at this point to make a concerted stand on the pressing issue of hardware freedom

The group of folks behind the KDE desktop environment have been trying for a few years to deliver a tablet which wouldn’t rely on proprietary software. More recently they unveiled the Improv Board, a small, cheap computer module designed to ship with Mer Linux.

At this point, all the team is promising are partial refunds since part of the money has already been spent. But the goal is to eventually provide full refunds to folks who have put their faith (and money) into the project.

In a statement, the team suggests “the Free software community does not seem ready at this point to make a concerted stand on the pressing issue of hardware freedom.”

The Improv board was expected to sell for around $75.

Ubuntu MATE Remix

Ubuntu MATE Edition

Objectives

The Ubuntu MATE Remix has the following primary goal:

  • Use Ubuntu to create a solid foundation on which to build a pure MATE desktop.

Ubuntu MATE Remix has some secondary objectives:

  • Increase both Ubuntu and MATE user adoption.
  • Restore the halcyon days of Ubuntu before indicators, Unity and scopes were introduced.
  • Be the go to Ubuntu alternative for computers that aren’t powerful enough to run a composited desktop, as well as those that are.
  • Make use of existing Ubuntu themes and artwork wherever possible so Ubuntu MATE Remix is immediately familiar.
  • Whenever possible submit new or revised packages to Debian so both the Debian and Ubuntu communities benefit.
  • Package selection will favour functionality and stability over lightness and whimsy.
  • Provide a refuge for Linux users who prefer a traditional desktop experience.
  • Get adopted as an official Ubuntu “flavour”.

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Tales from the TrueCrypt | TechSNAP 164
https://original.jupiterbroadcasting.net/58542/tales-from-the-truecrypt-techsnap-164/
Thu, 29 May 2014 20:29:34 +0000

The post Tales from the TrueCrypt | TechSNAP 164 first appeared on Jupiter Broadcasting.


The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery.

Plus the good news for OpenSSL, the top 10 Windows configuration mistakes, and a big batch of your questions, our answers, and much much more!

Thanks to: DigitalOcean, Ting, iXsystems

— Show Notes: —

TrueCrypt shuts down unexpectedly

  • TrueCrypt is a cross-platform image or whole disk encryption system
  • The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
  • The page states that, now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
  • The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
  • The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
  • This was originally thought to be a hack of the site, or a hoax
  • The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
  • While the code is available, the license is restrictive
  • The developers of TrueCrypt are anonymous
  • GIST tracking various bits of information and speculating about possible causes
  • ThreatPost coverage
  • One of the suspicious things about the announcement is the recommendation to use BitLocker; the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
  • There is some speculation that this could be a ‘warrant canary’, the authors’ way of telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
  • However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
  • The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
  • The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
  • Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

  • The CII has announced its Advisory Board and the list of projects it is going to support
  • Advisory Board members include:
    • Longtime Linux kernel developer and open source advocate Alan Cox
    • Matt Green of Open Crypto Audit Project
    • Dan Meredith of the Radio Free Asia’s Open Technology Fund
    • Eben Moglen of Software Freedom Law Center
    • Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
    • Eric Sears of the MacArthur Foundation
    • Ted Ts’o of Google and the Linux kernel community
  • Projects identified as core infrastructure:
    • Network Time Protocol
    • OpenSSH
    • OpenSSL
  • Open Crypto Audit Project to conduct security audit of OpenSSL
  • The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
  • The OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
  • OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 Windows Server security misconfigurations

  • NCC Group does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
  • The following is the result of an analysis of their last 50 such surveys:
    • Missing Microsoft Patches: 82%
    • Insufficient Auditing: 50%
    • Third-Party Software Updates: 48%
    • Weak Password Policy: 38%
    • UAC Disabled for Administrator Account: 34%
    • Disabled Host-Based Firewall: 34%
    • Clear Text Passwords and Other Sensitive Information: 24%
    • Account Lockout Disabled: 20%
    • Out-of-Date Virus Definitions: 18%
    • No Antivirus Installed: 12%
  • Conclusions: Everyone makes the same mistakes, over and over
  • Most of these problems are trivial to fix
  • Part of the problem is a culture of ‘patch averseness’. This is partly the fault of software vendors, who often issue patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
  • Part of this is the fact that they only issue updates once a month, and only once they have been tested
  • In the study, most of the machines that were missing patches were missing patches that were more than a year old, so it isn’t just conservatism, but a complete lack of proper patch management


]]>