Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

New distributed web application vulnerability scanner linked to search engine

• HyperionGray have announced a new project, where they have connected their open source distributed PunkSCAN webapp scanner to an Apache Hadoop Cluster and set it loose on the Internet
• The goal of the project is to highlight the abysmal state of security on the Internet
• The scanner finds sites that are vulnerable to SQL Injection, Blind SQL Injection, and Cross-Site Scripting
• This information is then stored in a database, and is searching using PunkSPIDER
• You can search by keyword in the URL or Title of the site and search by vulnerability types
• PunkSPIDER Search Engine
• PunkSPIDER is similar to another online search engine we have discussed previously, SHODAN is an online index of banner messages and version info
• Additional Coverage

---

How power failures can corrupt Flash SSDs

• Researchers at Ohio State University have conducted extensive testing of Flash SSD drives to determine how they react to unexpected power failures
• By creating a worst case scenario that involves many concurrent writes of incompressible data, and a direct loss of power (cutting power between the PSU and the SSD rather than cutting power to the PSU), the researchers were able to enumerate a number of possible failure scenarios
• The possible failures they looked for were:
  • Bit Corruption – Random bits in the data set incorrectly
  • Flying Writes – The correct data written to the wrong block/sector
  • Shorn Writes – A write is interrupted while overwriting a sector, leaving the sector with some of the new bits and some of the old bits
  • Metadata Corruption – The Flash Translation Layer (FTL, the complex firmware on an SSD that makes the NAND Flash chips appear like a regular hard drive) metadata is corrupted
  • Dead Device – The SSD no longer functions at all
  • Unserializability – The disk is in a state where writes were completed out of order
• Researchers tested 15 different SSDs and 2 regular spinning drives
• They did not release the manufacturer names or model numbers
• Additional Coverage
• Paper
• Erretum Insert
• A case of a similar problem? SSD suddenly only 34kb

---

Source code and possibly private keys for AMI BIOS/Firmware leaked

• Security researchers Brandan Wilson and Adam Caudill found some interesting things on an open FTP server in Taiwan
• On the FTP site they found numerous goodies, including internal emails, system images, high resolution PCB images, and Excel sheets loaded with private data
• In addition, they also found a directory named ‘code’, that contained the source code and a private key for the AMI Firmware
• According to AMI, the FTP site belongs to one of its customers, and the private key that was exposed is a testing key they use for all of their images, but they instruct all of their customers to generate their own keys and not use that testing key in production
• It is not clear if this is the case, one or more manufacturer making use of the AMI Firmware are using that testing key
• If that key is trusted in the wild, it means someone with access to this leaked source code could make a malicious firmware update that would be considered valid, it would also mean that the entire UEFI trust system for the affected machines could be invalid
• “The worst case is the creation of a persistent, Trojanized update that would allow remote access to the system at the lowest possible level,” Caudill said. “Another possibility would be the creation of an update that would render the system unbootable, requiring replacement of the mainboard.”
• “This kind of leak is a dream-come-true for advanced corporate espionage or intelligence operations,” Caudill wrote. “The ability to create a nearly undetectable, permanent hole in a system’s security is an ideal scenario for covert information collection.”

---

Feedback:

• Kasper Needs to Try FreeNAS

• ZFS n00b Questions

• New FreeNAS Release

• Voicemail from Tzvi

• Dammit Chris!!

---

Round-Up:

• Brazilian users unable to boot Windows after botched update
• Exclusive: Ongoing malware attack targeting Apache hijacks 20,000 sites
• 2013 CISPA passes Intelligence Committee, headed to House for vote
• Video streamer Vudu reports physical break-in, customer data stolen
• Advertising networks found ignoring Opt-Out requests
• Exploit for Apple iMessage can cause Denial of Service (crash the app and prevent the user from getting any future messages)
• US Government caught using Stringray (fake cell tower) devices to eaves drop on calls without a warrant
• Developer purposely leaves vulnerable application online, finds it compromised by friendly hacker within 24 hours
• Ubisoft UPlay service hacked, gives access to unreleased title Far Cry 3
• Japanese Crisis Management Office accidently tweets that DPRK Missiles are inbound to Japan, while testing ability to inform the public

The post FTP Treasure Trove | TechSNAP 105 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/26941/lightworks-preview-las-s24e04/ Sun, 04 Nov 2012 14:15:57 +0000 https://original.jupiterbroadcasting.net/?p=26941 We’ve got an exclusive look at Lightworks, one of the most anticipated software launches in desktop Linux history. We’ll share our first thoughts!

The post Lightworks Preview | LAS | s24e04 first appeared on Jupiter Broadcasting.

]]>



We’ve got an exclusive look at Lightworks, one of the most anticipated software launches in desktop Linux history. We’ll share our first thoughts on how this award winning video editor is shaping up.

Plus some good news for those of you not running Ubuntu but still want some Steam, and some highlight clips from the Ubuntu Developer Summit that just wrapped up.

You’ll hear straight from the horse’s mouth why Valve is supporting Linux, how closely Canonical is working with Valve, and why Ubuntu is dropping Alpha’s and a beta!

Then we top that off with some gaming news, Fedora’s challenges, and the climax of the EXT4 corruption drama.

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com


Limited time offer:
SPECIAL OFFER! SPECIAL OFFER! .COMs just $5.99* per year up to 3 domains! Additional .COMs just $7.99* per year! – code: 599linux

BONOUS ROUND PROMO:

Save 20% off your order!
Code: go20off6

Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | Torrent File

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Lightworks for Linux Preview:




Brought to you by: System76

• Editshare Admit ‘Communication Issues’ Over Lightworks Linux Alpha

Runs Linux:

• The UbiCast, Runs Linux

Android Pick:

• AndroVid Video Trimmer
• Android Picks so far thanks to Madjo in the IRC Chat room!

Desktop App Pick:

• Everpad 2.1
• Picks so far
• Madjo

Distro Of The Day

• Pear Linux 6

Search our past picks:

• Linux Action Show Lookup
• Thanks to sakuramboo!

Git yours hands all over our STUFF:

• Jupiter Broadcasting Afiliate Extensions
• Callisto-app – Google Project Hosting
• Quick Update to the Jupiter Broadcasting Android App

News:

• Valve Talk ‘Steam for Linux’, Give Beta Access to Attendees

• Steam Linux Beta will have Portal, Team Fortress 2 and Serious Sam 3: BFE

• Valve: Linux More Viable Than Windows 8 for Gaming

• Valve’s Drew Bliss at UDS-R: “Ubuntu was the very obvious choice”

• Drew Bliss from Valve:
  • Status of Steam: https://youtu.be/vNrrpnPlBrk?t=17m2s – 17:18
  • Why Linux & Why Ubuntu: https://youtu.be/vNrrpnPlBrk?t=17m46s – 19:16
  • Valve will not block other distros: https://youtu.be/vNrrpnPlBrk?t=28m35s – 29:18
• Jason Warner Ubuntu Desktop Manager:
  • How is the Ubuntu Desktop team working with Valve? https://youtu.be/Sp4E5iuGJl4?t=2m55s – 4:22

• Jupiter Broadcasting Steam Group

• Ubuntu To Drop Alpha Releases, Promises More Stable Development

• The Reason Ubuntu is Droping Betas: https://youtu.be/iQl6qR9yJzk?t=12m9s

• Ubuntu Contributor Channel – YouTube

• Ext4 bug patched

• Re: Apparent serious progressive ext4 data corruption bug in 3.6.3 and other stable branches?

• Theodore Ts’o – Google+ – UPDATE: See update below; it now looks like this was caused…

• Theodore Ts’o – “Phoronix, alas, has perpetrated another example of irresponsible journalism.”

+Fedora 18 Is Challenged By Yet Another Delay
+ he Top Features Of Fedora 18 “Spherical Cow”

• Kickstarter and Game Development: Highlighting Games Coming to Linux Part 1
• Kickstarter and Game Development: Highlighting Games Coming to Linux Part 2
• Kickstarter and Game Development: Highlighting Games Coming to Linux Part 3

Feedback:

• Join Unfilter LIVE on Election night: 6pm PST / 9pm EST / 2am UTC

• Ohio LinuxFest is looking for a Volunteer Coordinator

• Join the Jupiter Broadcasting Steam Group and play with fellow LAS viewers when Steam is released for Linux

• Starting with the basics and OwnCloud

• Handy Arch Tip

• ZFS on Linux

• Confused about Bootloaders

• F-Droid for free only apps

Proxmox or Ubuntu on the Nexus 7 next week?




Chris’ Stash:

• Unfilter is looking for foreign correspondents!

What’s Matt Doin?

• Protecting Your Ubuntu Desktop
• Writing about Linux, sometimes, even asking tough questions
• Offering newbie centric advice, in my articles

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter:

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook:

• Jupiter Broadcasting on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Lightworks Preview | LAS | s24e04 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/26536/breaking-dkm-techsnap-81/ Thu, 25 Oct 2012 19:41:52 +0000 https://original.jupiterbroadcasting.net/?p=26536 How an aviation blogger unlocked the secrets of the TSA’s barcode, and a serious bug in the Linux Kernel.

The post Breaking DKIM | TechSNAP 81 first appeared on Jupiter Broadcasting.

]]>



How an aviation blogger unlocked the secrets of the TSA’s barcode, if you’re a Barnes and Noble shopper we’ve got a story you need to hear, and a serious bug in the Linux Kernel.

Plus a batch of your questions, and our answers.

All that and so much more, in this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   


Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Barnes and Noble POS Terminals compromised, debit card pin numbers stolen

• Barnes and Noble discovered on Sept 14th that a number of the PIN Pads for its Point of Sales system had been compromised
• Barnes and Noble did not go public with the information until this week at the request of investigators
• Tampered PIN Pads were found in 63 stores all over the country, including California, Connecticut, Florida, Illinois, Massachusetts, New Jersey, New York, Pennsylvania, and Rhode Island
• The retailer reported that only about 1% of their PIN pads had been tampered with, but when the compromise was discovered on Sept 14th, they disconnected all PIN pads at their 700 stores
• It appears that a coordinated criminal enterprise infected PIN pads with malware that would record credit/debit card numbers and PIN numbers
• B&N recommends that you change your debit card PIN number and watch your debit and credit accounts for unauthorized transactions
• Online purchases were not affected
• Official Announcement from Barnes and Noble

---

Avaition Blogger finds that he can determine what security screening he will get from this boarding pass

• Frequent Flyer John Butler wrote a blog post this week, after he was able to determine what level of security screening he was going to be subjected to at the airport by reading the unencrypted barcode on his boarding pass
• This raises the possibility that terrorist or smuggling groups could buy multiple tickets, then check each and use the ones that subjects them to the less intense screening process
• The barcodes also appear to lack any form of MAC (Message Authentication Code), to protect them from unauthorized modification
• It is unclear if a modified barcode would work, or if it is checked against a central database
• It is illegal under US law to tamper or alter a boarding pass
• The vulnerability appears to be confirmed by reading the specifications for the system published by the IATA (International Air Transport Association)
• Every airport I’ve been through (YYZ, YHM, YYC, CDG, WAW, AMS) has not had any way to avoid the screening process, it appears that only the TSA allows you to pass through security without the basic screening. I have been randomly selected for additional screening (chemical residue test) twice

---

Serious bug in Linux kernel results in EXT4 data corruption

• A bug was accidently introduced in Linux Kernel version 3.6.2, and then backported into 3.4 and 3.5
• The bug has to do with the way the superblock and journal are updated, and can result in extensive data corruption, especially if a filesystem is unmounted shorted after it was mounted
• A patch was posted, but was found to not fully solve the problem, so a second patch was posted later
• Kernel 3.4.x is reaching end of life, and may not get an official patch

---

Dreamhost decides to change its SSH keys without notifying customers

• DreamHost, a large shared web hosting provider, generated new SSH keys for all of its servers on Wednesday
• DreamHost claims it is the “result of a security maintenance which we are performing to prevent exploitation of weak or outdated keys”
• It seems like an excessive step, unless one or more of the SSH host private keys were compromised, in which case that is huge security news
• If the keys were compromised, this means that someone could impersonate the DH server and log the login attempts, capturing valid username and password combinations
• DreamHost made a number of mistakes:
• Not giving users a heads up about the change before it happened, no email was sent, just a blog post that users were directed two when they contacted support about the error message
• The blog post encourages users to just delete the old SSH key from their known_hosts and accept the new one, without verifying its authenticity
• DreamHost did not publish a list of the fingerprints of the new keys, so that customers could verify the authenticity of the new keys they are presented with when they connect
• The purpose of SSH fingerprints is to verify the identity of the remote host, they work in much the same way as SSL certificates except that there is no central certificate authority, it is up to the user to verify the identity of the key the first time. The main goal is to notify the user if the key suddenly changes, suggesting that you are not infact connecting to the intended server, but to some other server that may be trying to get your credentials or perform a man-in-the-middle attack on you
• An attacker that is able to perform a man-in-the-middle attack during a time when a user is willing to just ignore the security warning (or even, take the additional steps OpenSSH requires before allowing you to accept a new key), could be very successful

---

Mathematician finds that Google and others were using weak keys for DKIM

• Mathematician Zachary Harris got an email from a Google headhunter for a job as a Site Reliability Engineer
• Seeing as he is not an expert in that field, he assumed that the email was a phishing scam
• He examined the headers, and determined that it was signed with the proper DKIM keys, appearing to actually be from Google
• DKIM (DomainKeys Identified Mail), is a process where all outbound email is cryptographically signed with a private key, that can then be verified against a public key published in DNS, such that only emails that are actually from the domain can be signed with the key, it is a common anti-spam and anti-phishing mechanism
• He noticed that Google was only using 512bit keys for DKIM,
• Harris explored other sites and found the same problem with the keys used by Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Match.com, PayPal, SBCGlobal, Twitter, US Bank and Yahoo
• He found keys in 384, 512 and 768 bits, despite the fact that the DKIM standard calls for a minimum of 1024 bit keys
• A 384-bit key can factor on a laptop in 24 hours, while a 512-bit keys can be factored in about 72 hours using Amazon EC2 for around $75
• In 1998 it was an academic breakthrough of great concerted effort to crack a 512 bit key. Today anyone can do it by myself in 72 hours on AWS

---

Feedback:

• How do you keep your Linux (and BSD) servers (safely) up to date?
• How to host multiple web servers behind a single external IP?
• FreeBSD on the Raspberry Pi?
• How does FreeBSD Jail Networking…. Work?
• ISP birding by routing through a VPS?
• Sean wants to say THANKS!

While having lunch at EuroBSDCon, a FreeBSD developer recognized me from the Linux Action Show. He just so happened to be one of the main USB developers, and proceeded to correct (yell at) me. He recently expended a great deal of effort to improve support for webcams and other USB devices under FreeBSD 9.1 (and therefore PC-BSD as well). As further evidence of this, once we were done talking, someone walked up and handed him a USB ethernet adapter that was not supported, a hardware donation to drive development.

• Allan and Stefan speaking at EuroBSDCon 2012 another
• Shots of the conference: 1 2 3 4

Roundup

• Apple removes Java from all OS X Web browsers
• Facebook publishes modified version of Open Compute hardware spec to work with regular leased datacenter space
• Diigo Emergency Announcement – Domain Hijacked
• Chinese Telco manufacturer Huawei offers access to its source code to allay security concerns
  
• Demo of “serious” networking vulnerabilities cancelled at HP’s request
• US says it will retaliate against cyber attacks, if it can figure out how, and who did it…
• Obama agrees to exclude social networks for new Cyber Security plans
• CyanogenMod Android ROM accidently logged your swipe to unlock gestures

The post Breaking DKIM | TechSNAP 81 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/18207/new-show-pt2-in-depth-look/ Fri, 23 Mar 2012 20:11:24 +0000 https://original.jupiterbroadcasting.net/?p=18207 There is a universal truth that a giant industry exists to filter out our lives make sure we only hear and see what they want us to. So now what? We Unfilter!

The post New Show! Part 2 | In Depth look first appeared on Jupiter Broadcasting.

]]>



One thing everyone around the world now shares is common, is the universal truth that a giant industry exists to filter out our lives make sure we only hear and see what they want us to.

For many of us there have been watershed events that force us to really see this in it\’s entire scope.

Once faced with this hard truth, I was left with only one thing to do. To start a new show, and unfilter our lives. And I\’m going to tell you all about it – In this week\’s episode of an In Depth Look!

Direct Download:

HD Download | Mobile Download | MP3 Download | Ogg Download | YouTube

RSS Feeds:

HD Feed | Mobile Feed | MP3 Feed | Ogg Feed | iTunes HD Feed

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes

Topics

There is a lot of really interesting things happening in the world, and 2012 is sure to keep that trend going.

We\’ll keep our focus on the technology angle whenever we can, and watch for your feedback to fine tune the topics you like the most.

Special Format

Twice a week. Mini, with headlines and tease for the big show later in the week.
And we want your input.
Open Skype/Google+ during core live segments.

Host

Metalfreak, from the JBLIVE chatroom and an active member in our subreddits will join me, and frequent JB hosts will stop by to share something from their corner of the world.

And maybe a few surprises!

Fundamentals

LIVE.

Pre-recorded segments played live, so live stream experiences the entire show live. And this is recorded, saving editing.

Audio only, with visuals ala SciByte.

When?

When it\’s ready! After we get TORked launched, its the next show out of the gate. We\’re still putting some of the final bits in place, but expect to hear more soon!

The post New Show! Part 2 | In Depth look first appeared on Jupiter Broadcasting.

]]>