database – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed last built Mon, 11 Jul 2022 05:07:24 +0000.

The Night of a Thousand Errors | LINUX Unplugged 466 – https://original.jupiterbroadcasting.net/149197/the-night-of-a-thousand-errors-linux-unplugged-466/ – Sun, 10 Jul 2022 19:15:00 +0000

Show Notes: linuxunplugged.com/466

The post The Night of a Thousand Errors | LINUX Unplugged 466 first appeared on Jupiter Broadcasting.

Harder Butter Faster Stronger | LINUX Unplugged 389 – https://original.jupiterbroadcasting.net/143992/harder-butter-faster-stronger-linux-unplugged-389/ – Tue, 19 Jan 2021 19:00:00 +0000

Show Notes: linuxunplugged.com/389

Cloudy with a chance of ABI | TechSNAP 342 – https://original.jupiterbroadcasting.net/119391/cloudy-with-a-chance-of-abi-techsnap-342/ – Tue, 24 Oct 2017 21:10:20 +0000

Show Notes:

Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

  • Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.

  • The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

How I Socially Engineer Myself Into High Security Facilities

  • A few months ago, a client had hired me to test two of their facilities. A manufacturing plant, plus data center and office building nearby.

  • I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites.

  • This is not an advanced investigation. I’m not a private investigator and I don’t have the resources of the NSA. But I can do a lot of damage with simple methods.

  • X could have saved the company a lot of heartache by simply verifying that I was who I claimed to be.

  • I’ve been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.

Crippling crypto weakness opens millions of smartcards to cloning

Millions of smartcards in use by banks and large corporations for more than a decade have been found to be vulnerable to a crippling cryptographic attack. That vulnerability allows hackers to bypass a wide range of protections, including data encryption and two-factor authentication.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.


Rsync On Ice | TechSNAP 333 – https://original.jupiterbroadcasting.net/117696/rsync-on-ice-techsnap-333/ – Thu, 24 Aug 2017 16:26:41 +0000

Show Notes:

Tales of an IT professional sailing around the Antarctic loop – sent in by Eric Miller

  • CTD device – A CTD or Sonde is an oceanography instrument used to measure the conductivity, temperature, and pressure of seawater (the D stands for “depth,” which is closely related to pressure). The reason to measure conductivity is that it can be used to determine the salinity.

  • Had to reinstall software for a winch to get it working

  • Registered a new website and webmail and created a custom email solution so scientists could remotely access their email

security.txt – an RFC in the making

Dumping Data from Deep-Insert Skimmers

  • Deep-insert skimmers

  • Romanian links to US crime

  • European data skimmed from cards, then used in US because chip technology is not widely deployed there

  • ‘wands’ inserted deep into the ATM to retrieve data


Feedback

  • Re: database migrations in Episode 332: jungle boogie writes in to mention Sqitch (GitHub) by David Wheeler. JB says “This is a program written in Perl and looks to have support for many databases”. JB also mentioned pgBackRest (https://www.pgbackrest.org/, GitHub).

  • Gary Foard writes in about a command line utility called shred. He uses it to erase laptops from a live Linux disc. I checked the FreeBSD manual pages to confirm it’s there too, and it is, although I had to search for gshred instead of shred to find it, which I find weird. See sysutils/coreutils in the FreeBSD Ports tree. Dan notes: not recommended for erasing files any more; not feasible for COW filesystems.

  • prime62 on the TechSNAP sub-reddit mentioned some password hashing/salting resources: Salted Password Hashing – Doing it Right and The definitive guide to form-based website authentication

  • Also seen on Reddit: There is no point [on max password lengths] since the field is hashed.


Cyber Liability | TechSNAP 314 – https://original.jupiterbroadcasting.net/113781/cyber-liability-techsnap-314/ – Wed, 12 Apr 2017 02:09:54 +0000

Show Notes:

Researchers demonstrate how PINs and other info can be gathered through phone movement

  • Team was able to crack four-digit PINs with 70 percent accuracy on the first try, with 100 percent accuracy by try number five

  • A site accessed with malicious code can open the device to such sensor-based monitoring working in the background when browser tabs are left open.

  • The team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use

  • Dan suggests: Simple way around this: randomize the display of numbers on the keypad. I think this should be standard for all PIN entry. I recall seeing this somewhere, years ago, but I don’t recall where. I’ve always wondered why I’ve never seen it again. If the numbers have a narrow field of vision, nobody can watch over your shoulder.

  • A better article on the issue

  • The PDF of the study

  • From the PDF: “In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by ‘suspending the availability of this [motion and orientation] data when the web view is hidden’.”

Computer security is broken from top to bottom

  • Robert Watson spoke at the very first BSDCan

  • There are three main fundamental causes of insecurity: technology complexity, culture, and the economic incentives of the computer business.

Deep Dive starts with Dan’s first blog post about PostgreSQL

  • PostgreSQL

  • PostgreSQL < 9.6: DATADIR is the same for all versions

  • PostgreSQL 9.6+ on FreeBSD: each major version has its own DATADIR

  • Installing in a FreeBSD jail means you can easily upgrade in another jail, then start using it


Metadata Matters | TechSNAP 306 – https://original.jupiterbroadcasting.net/106886/metadata-matters-techsnap-306/ – Wed, 15 Feb 2017 00:09:34 +0000

Show Notes:

House Passes Long-Sought Email Privacy Bill

Here’s What Transport for London Learned From Tracking Your Phone On the Tube

  • Advertising? I can see how this is useful for more than just advertising. Traffic flow. Knowing about time from A to B. Mention EZPass and monitoring of badges to determine flow.

  • Signs announced trial, opt out by disabling wifi.

  • The documents also seem to suggest that if TfL switched on tracking full time it could offer real time crowding information to passengers – so we could see a CityMapper of the not-too-distant future telling us which stations to avoid.

  • That sounds similar to how Waze and Google Maps collect real-time data on traffic congestion.

  • Collecting information is one thing. Controlling access to that information is vital. As we’ve seen so many times in the past, it is the use of that data for unintended purposes which is of most concern.

  • Rainbow tables

GitLab Postmortem of database outage of January 31

  • This came from Shawn. We covered this incident in episode 305.

  • I want to make it clear from the start, we are not mocking GitLab. There is no joy to be taken here.

  • On January 31st 2017, we experienced a major service outage for one of our products, the online service GitLab.com. The outage was caused by an accidental removal of data from our primary database server.

  • What a horrible feeling that engineer then had. Imagine, for a moment. Production has just been wiped out… OMG.

  • Backups could not be found, nor could they be used. It was all gone.

  • I can imagine lots and lots of waiting for stuff to finish. Very stressful. Much hope, but very stressful.

  • Wow, could not access their own projects. Ouch. Almost want their own repo offline, but then accusations of not dog fooding, etc.

  • Prometheus monitoring

  • Some places take the approach of making staging the hot backup for production. Exactly the same. Move production onto staging hardware if required.

  • “I don’t remember where I saw it (probably hackernews), but someone proposed to constantly recreate staging from production’s backup. This way we would have an up-to-date staging version and frequently tested backup recovery process.”


Blame as a Service | TechSNAP 213 – https://original.jupiterbroadcasting.net/81732/blame-as-a-service-techsnap-213/ – Thu, 07 May 2015 17:43:54 +0000


Why a stolen healthcare record is harder to track than you might think, Security pros name their must have tools & blame as a service, the new Cybersecurity hot product.

Plus great questions, a huge Round Up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems
— Show Notes: —

A day in the life of a stolen healthcare record

  • “When your credit card gets stolen because a merchant you did business with got hacked, it’s often quite easy for investigators to figure out which company was victimized. The process of divining the provenance of stolen healthcare records, however, is far trickier because these records typically are processed or handled by a gauntlet of third party firms, most of which have no direct relationship with the patient or customer ultimately harmed by the breach.”
  • “I was reminded of this last month, after receiving a tip from a source at a cyber intelligence firm based in California who asked to remain anonymous. My source had discovered a seller on the darknet marketplace AlphaBay who was posting stolen healthcare data into a subsection of the market called “Random DB ripoffs,”
  • “Eventually, this same fraudster leaked a large text file titled, “Tenet Health Hilton Medical Center,” which contained the name, address, Social Security number and other sensitive information on dozens of physicians across the country.”
  • “Contacted by KrebsOnSecurity, Tenet Health officials said the data was not stolen from its databases, but rather from a company called InCompass Healthcare. Turns out, InCompass disclosed a breach in August 2014, which reportedly occurred after a subcontractor of one of the company’s service providers failed to secure a computer server containing account information. The affected company was 24 ON Physicians, an affiliate of InCompass Healthcare.”
  • “The breach affected approximately 10,000 patients treated at 29 facilities throughout the U.S. and approximately 40 employed physicians,” wrote Rebecca Kirkham, a spokeswoman for InCompass.
  • So who was the subcontractor that leaked the data? According to PHIprivacy.net (and now confirmed by InCompass), the subcontractor responsible was PST Services, a McKesson subsidiary providing medical billing services, which left more than 10,000 patients’ information exposed via Google search for over four months.
  • Think about that for a minute. The information must have just been lying around on their website for it to be found by Google search
  • “Still, not all breaches involving health information are difficult to backtrack to the source. In September 2014, I discovered a fraudster on the now-defunct Evolution Market dark web community who was selling life insurance records for less than $7 apiece. That breach was fairly easily tied back to Torchmark Corp., an insurance holding company based in Texas; the name of the company’s subsidiary was plastered all over stolen records listing applicants’ medical histories.”
  • “Health records are huge targets for fraudsters because they typically contain all of the information thieves would need to conduct mischief in the victim’s name — from fraudulently opening new lines of credit to filing phony tax refund requests with the Internal Revenue Service. Last year, a great many physicians in multiple states came forward to say they’d been apparently targeted by tax refund fraudsters, but could not figure out the source of the leaked data. Chances are, the scammers stole it from hacked medical providers like PST Services and others.”
  • As we have previously discussed, a stolen credit card may be worth a few dollars, even high end corporate cards rarely fetch more than $10 or $15 each. Health care records are worth upwards of $100 each.
  • “Sensitive stolen data posted to cybercrime forums can rapidly spread to miscreants and ne’er-do-wells around the globe. In an experiment conducted earlier this month, security firm Bitglass synthesized 1,568 fake names, Social Security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the company’s proxy, which automatically watermarked the file. The researchers set it up so that each time the file was opened, the persistent watermark (which Bitglass says survives copy, paste and other file manipulations), “called home” to record view information such as IP address, geographic location and device type.”
  • “The company posted the spreadsheet of manufactured identities anonymously to cyber-crime marketplaces on the Dark Web. The result was that in less than two weeks, the file had traveled to 22 countries on five continents, was accessed more than 1,100 times. “Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia,” the report concluded.”

Security pros name their must have tools

  • Network World asked some “security pros” from around the industry to name their must have tools
  • Lawyers Without Borders uses Intralinks VIA to securely share files
  • Yell.com (a yellow pages site) uses Distil Networks’ bot detection and mitigation service to prevent content theft and avoid excess load from web scraper bots
  • SureScripts.com (online prescription service) uses Invincea FreeSpace Enterprise for endpoint security. “stops advanced end user attacks (spear phishing, drive-by downloads, etc.) via containment, and stops our machines from getting infected”
  • a biotechnology company uses EMC Syncplicity to secure and distribute content to mobile devices. “It is an amazing mobile app that offers a great user experience and also offers the security and control we need as a therapeutics company with lots of sensitive information”
  • A private health insurance software application provider uses Forum Sentry API gateway to protect its API from bad actors. “Forum Sentry enabled us to securely expose our APIs to our private health insurance funds, third parties and internal clients and has provided a policy-based platform that is easy to maintain and extend – all while reducing development time and resources”
  • Firehouse Subs, a large restaurant chain uses Netsurion’s Managed PCI to manage their Payment Card Industry Data Security Standard compliance. “Netsurion simplifies PCI for myself, and our franchisees, allowing us to maintain focus on other portions of our business”
  • A software vendor that makes heavy use of Software as a Service (SaaS) relies on Adallom for SaaS to monitor, provide visibility into, and protect SaaS applications.
  • Iowa Vocational Rehabilitation Services raved about the configurability and reliability of NCP’s enterprise VPN solution
  • I am sorry, when I started writing this news item for TechSNAP, I thought the list was going to be useful
  • These were not the kinds of tools I was expecting
  • Instead it just shows a random reporter who knows nothing about Cyber Security, asking a bunch of random businesses who know nothing about Cyber Security and just buy magic software and services what they think
  • If your approach to cyber security is: buy some magic software, then you’re in trouble
  • Cyber Security is a mindset, and requires defense in depth. It is about doing as much as can be done, and more importantly, planning for when that turns out to not be enough.
  • What you really need is a cyber security disaster kit, like the one you have in your house in the event of a natural disaster. All of the things you need to survive until the mess is cleaned up.
  • What companies really need is to do cyber security fire drills, and have better fire alarms
  • Software can’t solve everything, but it can help automate the task of getting the attention of a human at the right time

Intel launches new line of E7 v3 Haswell-EX processors

  • Intel has announced its new E7-8800 and E7-4800 line of processors, featuring:
  • 20% more cores/threads
  • 20% more Last-Level Cache
  • Benchmarks show actual 15-20% gains over the E7-4890 v2
  • Support for DDR3 or DDR4 memory (not at the same time). “Support for the two differing memory types comes by way of Intel’s C112 and C114 scalable memory buffers.”
  • 1.5 TB of RAM per socket, quad channel, 102 GB/s memory bandwidth
  • This means a 4 socket motherboard can have 6TB of RAM, and an 8 socket board can have 12TB of RAM
  • 32 PCI-E 3.0 lanes per socket
  • The highest end versions also feature QPI links at 9.6 GT/s (the previous maximum was 8.0 GT/s)
  • E7-4xxx models are designed for 4 socket motherboards, while the E7-8xxx models are for 8 socket motherboards
  • Models include:
    • E7-4809 v3 – 8x 2.00 GHz + HT, 20MB LLC
    • E7-4820 v3 – 10x 1.90 GHz + HT, 25MB LLC
    • E7-4830 v3 – 12x 2.10 GHz (Turbo: 2.70 GHz) + HT, 30MB LLC
    • E7-4850 v3 – 14x 2.20 GHz (Turbo: 2.80 GHz) + HT, 35MB LLC
    • E7-8860 v3 – 16x 2.20 GHz (Turbo: 3.20 GHz) + HT, 40MB LLC
    • E7-8880 v3 – 18x 2.30 GHz (Turbo: 3.10 GHz) + HT, 45MB LLC
    • E7-8890 v3 – 18x 2.50 GHz (Turbo: 3.30 GHz) + HT, 45MB LLC
    • E7-8891 v3 – 10x 2.80 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
    • E7-8893 v3 – 4x 3.20 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
  • “Want!”

The French Disconnection | TechSNAP 211 – https://original.jupiterbroadcasting.net/81082/the-french-disconnection-techsnap-211/ – Fri, 24 Apr 2015 01:11:19 +0000


What’s really the key to detecting a breach before it’s become much too late? We’ll share some key insights, plus a technical breakdown of China’s Great Cannon & the new French Surveillance Law that should be a warning to us all.

Plus a great round up, fantastic questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems
— Show Notes: —

Security analytics: The key for breach detection

  • “Although security spending is at an all-time high, security breaches at major organizations are also at an all-time high, according to Gartner, Inc. The impact of advanced attacks has reached boardroom-level attention, and this heightened attention to security has freed up funds for many organizations to better their odds against such attacks.”
  • “Breach detection is top of mind for security buyers and the field of security technologies claiming to find breaches or detect advanced attacks is at an all-time noise level,” said Eric Ahlm, research director at Gartner. “Security analytics platforms endeavor to bring situational awareness to security events by gathering and analyzing a broader set of data, such that the events that pose the greatest harm to an organization are found and prioritized with greater accuracy.”
  • The approach that seems to be in favour at the moment is: security information and event management (SIEM)
  • “While most SIEM products have the ability to collect, store and analyze security data, the meaning that can be pulled from a data store (such as the security data found in a SIEM) depends on how the data is reviewed. How well a SIEM product can perform automated analytics — compared with user queries and rules — has become an area of differentiation among SIEM providers.”
  • “User behavior analytics (UBA) is another example of security analytics that is already gaining buyer attention. UBA allows user activity to be analyzed, much in the same way a fraud detection system would monitor a user’s credit cards for theft. UBA systems are effective at detecting meaningful security events, such as a compromised user account and rogue insiders. Although many UBA systems can analyze more data than just user profiles, such as devices and geo-locations, there is still an opportunity to enhance the analytics to include even more data points that can increase the accuracy of detecting a breach.”
  • “As security analytics platforms grow in maturity and accuracy, a driving factor for their innovation is how much data can be brought into the analysis. Today, information about hosts, networks, users and external actors is the most common data brought into an analysis. However, the amount of context that can be brought into an analysis is truly boundless and presents an opportunity for owners of interesting data and the security providers looking to increase their effectiveness.”
  • “Analytics systems, on average, tend to do better analyzing lean, or metadata-like, data stores that allow them to quickly, in almost real-time speed, produce interesting findings. The challenge to this approach is that major security events, such as breaches, don’t happen all at once. There may be an early indicator, followed hours later by a minor event, which in turn is followed days or months later by a data leakage event. When these three things are looked at as a single incident that just happens to span, say, three months, the overall priority of this incident made up of lesser events is now much higher, which is why “look backs” are a key concept for analytics systems.”
  • “Ultimately, how actual human users interface with the outputs of large data analytics will greatly determine if the technology is adopted or deemed to produce useful information in a reasonable amount of time,” said Mr. Ahlm. “Like other disciplines that have leveraged large data analytics to discover new things or produce new outputs, visualization of that data will greatly affect adoption of the technology.”
  • It will be interesting to see where the industry goes with these new concepts

China’s Great Cannon

  • “This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.”
  • “On March 16, GreatFire.org observed that servers they had rented to make blocked websites accessible in China were being targeted by a Distributed Denial of Service (DDoS) attack. On March 26, two GitHub pages run by GreatFire.org also came under the same type of attack. Both attacks appear targeted at services designed to circumvent Chinese censorship. A report released by GreatFire.org fingered malicious Javascript returned by Baidu servers as the source of the attack. Baidu denied that their servers were compromised.”
  • “Several previous technical reports have suggested that the Great Firewall of China orchestrated these attacks by injecting malicious Javascript into Baidu connections. This post describes our analysis of the attack, which we were able to observe until April 8, 2015.”
  • “We show that, while the attack infrastructure is co-located with the Great Firewall, the attack was carried out by a separate offensive system, with different capabilities and design, that we term the “Great Cannon.” The Great Cannon is not simply an extension of the Great Firewall, but a distinct attack tool that hijacks traffic to (or presumably from) individual IP addresses, and can arbitrarily replace unencrypted content as a man-in-the-middle.”
  • The report is broken down into a number of sections
  • Section 2 locates and characterizes the Great Cannon as a separate system;
  • Section 3 analyzes DDoS logs and characterizes the distribution of affected systems;
  • Section 4 presents our attribution of the Great Cannon to the Government of China;
  • Section 5 addresses the policy context and implications;
  • Section 6 addresses the possibility of using the Great Cannon for targeted exploitation of individual users.
  • I wonder what the next target of the Great Cannon of China will be

New French Surveillance Law

  • “The new French Intelligence Bill has provoked concern among many of the country’s lawmakers, as well as international NGOs.”
  • “According to French Human Rights Defender Jacques Toubon, the legislation contravenes the rulings of the European Court of Human Rights”
  • “Despite boasting the support of France’s two major political parties, the Union for a Popular Movement (UMP) and the Socialist Party (PS), the Intelligence Bill has come in for some strong criticism in France, and it is now also beginning to raise eyebrows abroad.”
  • “Many international NGOs, have condemned the vague and general nature of the bill. Designed to legalise certain surveillance practices, the bill would also broaden the powers of the security services, giving them the authority to ask private operators to follow and report on the activity of internet users. The debate over using terrorism as an excuse for internet surveillance is already raging in France, since Paris decided to “block” access to certain sites in the wake of the 7 January attacks.”
  • “But the new bill goes even further. If adopted, it will allow investigators and government agents to intercept private emails and telephone conversations in the name of security, if they are directly linked to an investigation. Agents would be allowed to use new technologies wherever they deem necessary, including microphones, trackers and spy cameras. They would also be able to intercept conversations typed on a keyboard in real time. All these interceptions would be authorised by the Prime Minister, without the prior approval of a judge, and would be authorised after the fact by a new administrative authority, the National Commission for the Control of Intelligence Techniques (CNCTR).”
  • “Seven companies, including web hosting and technology companies OVH, IDS, and Gandi have said in a letter to the French prime minister Manuel Valls that they will be pushed into de facto “exile” if the French government goes ahead with the “real-time capture of data” by its intelligence agencies.”
  • Letter to French Prime Minister (in French)
  • This has caused a very large backlash from the IT community
  • Especially some of the large Internet and Server providers like Gandi, OVH, IDS, Ikoula and Lomaco who have threatened to leave France if the law passes
  • OVH and Gandi threaten to move their operations, customers, tax revenue, and most importantly, 1000s of high tech jobs
  • Hopefully this sends a clear warning to the US and other countries who are considering or proposing similar legislation, or whose intelligence agencies have run amok
  • “The companies argued that being required by the law to install “black boxes” on their networks will “destroy a major segment of the economy,” and if passed it will force them to “move our infrastructure, investments, and employees where our customers will want to work with us.” Citing a figure of 30-40 percent of foreign users, the companies say their customers come to them “because there is no Patriot Act in France,” France’s surveillance bill (“projet de loi relatif au renseignement”) allows the government’s law enforcement and intelligence agencies to immediately access live phone and cellular data for anyone suspected of being linked to terrorism. These phone records can be held for five years.”
  • Tech firms threaten mass exodus from France over new mass surveillance law
  • Additional Coverage
  • Hacker News

The post The French Disconnection | TechSNAP 211 first appeared on Jupiter Broadcasting.

Christina Keelan | WTR 9 https://original.jupiterbroadcasting.net/75502/christina-keelan-wtr-9/ Wed, 14 Jan 2015 03:30:32 +0000 https://original.jupiterbroadcasting.net/?p=75502 Christina is the community manager for rethinkdb and discusses the various tools and experiences she’s had with its global community! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | Video | HD Video | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed […]

The post Christina Keelan | WTR 9 first appeared on Jupiter Broadcasting.


Christina is the community manager for rethinkdb and discusses the various tools and experiences she’s had with its global community!

Annie Ruygt | WTR 8 https://original.jupiterbroadcasting.net/75037/annie-ruygt-wtr-8/ Tue, 06 Jan 2015 21:11:39 +0000 https://original.jupiterbroadcasting.net/?p=75037 Annie came to rethinkdb without much technology knowledge but has picked up a few things after being hired as an illustrator making storyboards and graphics! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | Video | HD Video | YouTube RSS Feeds: MP3 Feed | OGG Feed | […]

The post Annie Ruygt | WTR 8 first appeared on Jupiter Broadcasting.


Annie came to rethinkdb without much technology knowledge but has picked up a few things after being hired as an illustrator making storyboards and graphics!

Base ISO 100 | BSD Now 44 https://original.jupiterbroadcasting.net/61457/base-iso-100-bsd-now-44/ Thu, 03 Jul 2014 11:46:54 +0000 https://original.jupiterbroadcasting.net/?p=61457 This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait! This week’s news and answers to all your emails, on BSD Now – […]

The post Base ISO 100 | BSD Now 44 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait!

This week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

pfSense 2.1.4 released

  • The pfSense team has released 2.1.4, shortly after 2.1.3 – it’s mainly a security release
  • Included within are eight security fixes, most of which are pfSense-specific
  • OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
  • It also includes a large number of various other bug fixes
  • Update all your routers!

DragonflyBSD’s pf gets SMP

  • While we’re on the topic of pf…
  • Dragonfly patches their old[er than even FreeBSD’s] pf to support multithreading in many areas
  • Stemming from a user’s complaint, Matthew Dillon did his own work on pf to make it SMP-aware
  • Altering your configuration’s ruleset can also help speed things up, he found
  • When will OpenBSD, the source of pf, finally do the same?

ChaCha usage and deployment

  • A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
  • This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
  • OpenSSH offers it as a stream cipher now, OpenBSD uses it for its random number generator, Google offers it in TLS for Chromium and some of their services, and lots of other projects seem to be adopting it
  • Both Google’s fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
  • Unfortunately, this article has one mistake: FreeBSD does not use it – they still use the broken RC4 algorithm

BSDMag June 2014 issue

  • The monthly online BSD magazine releases their newest issue
  • This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, “saving time and headaches using the robot framework for testing,” an interview and an article about the increasing number of security vulnerabilities
  • The free pdf file is available for download as always

Interview – Craig Rodrigues – rodrigc@freebsd.org

FreeBSD’s continuous testing infrastructure


Tutorial

Creating pre-patched OpenBSD ISOs


News Roundup

Preauthenticated decryption considered harmful

  • Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
  • In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end – this had the advantage of not requiring any extra disk space, but raised some security concerns
  • With signify, now everything is fully downloaded and verified before tar is even invoked
  • The pkg_add utility works a little bit differently, but it’s also been improved in this area – details in the post
  • Be sure to also read the original post from Adam, lots of good information

FreeBSD 9.3-RC2 is out

  • As the -RELEASE inches closer, release candidate 2 is out and ready for testing
  • Since the last one, it’s got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
  • The updated bsdconfig will use pkgng style packages now too
  • A lesser known fact: there are also premade virtual machine images you can use too

pkgsrcCon 2014 wrap-up

  • In what may be the first real pkgsrcCon article we’ve ever had!
  • Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
  • Unfortunately no recordings to be found…

PostgreSQL FreeBSD performance and scalability

  • FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
  • On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
  • Lots of technical details if you’re interested in getting the best performance out of your hardware
  • It also includes specific kernel options he used and the rest of the configuration
  • If you don’t want to open the pdf file, you can use this link too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • There, you’ll also find a link to Bob Beck’s LibReSSL talk from the end of May – we finally found a recording!
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Next week Allan will be at BSDCam, so we’ll have a prerecorded episode then

Is That a Weave? | CR 99 https://original.jupiterbroadcasting.net/56162/is-that-a-weave-cr-99/ Mon, 28 Apr 2014 15:31:39 +0000 https://original.jupiterbroadcasting.net/?p=56162 We double down on your follow up. Working remotely, scratching your itch while at your current job, why we missed Heartbleed & the video that will make you never again complain about how hard something is. Plus why you should write code every day, the hard numbers about mobile games & more! Thanks to: Direct […]

The post Is That a Weave? | CR 99 first appeared on Jupiter Broadcasting.


We double down on your follow up. Working remotely, scratching your itch while at your current job, why we missed Heartbleed & the video that will make you never again complain about how hard something is.

Plus why you should write code every day, the hard numbers about mobile games & more!

— Show Notes: —

Follow up / Feedback

Dev Hoopla

Your Database is Slow | CR 91 https://original.jupiterbroadcasting.net/52657/your-database-is-slow-cr-91/ Mon, 03 Mar 2014 11:25:22 +0000 https://original.jupiterbroadcasting.net/?p=52657 Oren Eini from Hibernating Rhinos joins us to discuss their "second generation" document database written in .NET, RavenDB.

The post Your Database is Slow | CR 91 first appeared on Jupiter Broadcasting.


Oren Eini from Hibernating Rhinos joins us to discuss their second generation document database written in .NET. We have an insightful conversation about RavenDB, a flexible data model designed to address requirements coming from real-world systems.

Plus our surprising answer to the big certification question, your emails, and more.

— Show Notes: —

Feedback


Oren Eini

RavenDB is a transactional, open-source Document Database written in .NET, and offering a flexible data model designed to address requirements coming from real-world systems. RavenDB allows you to build high-performance, low-latency applications quickly and efficiently.

RavenConf will be a conference dedicated to RavenDB, featuring speakers from all over the world to give you a new and unique perspective on working with RavenDB. You’re welcome to explore our speaker list as well as the sessions available in the conference.

Promo Code: Jupiter

Unfiltering the State of the Union | Unfilter 83 https://original.jupiterbroadcasting.net/50557/unfiltering-the-state-of-the-union-unfilter-83/ Tue, 28 Jan 2014 23:01:41 +0000 https://original.jupiterbroadcasting.net/?p=50557 Unfilter is bringing you play-by-play coverage of Obama’s 2014 State of the Union. Plus we’ll fact-check the talking points and take your live calls.

The post Unfiltering the State of the Union | Unfilter 83 first appeared on Jupiter Broadcasting.


Grab the popcorn, it’s a special occasion and we’re throwing out the playbook and doing it live. Unfilter is bringing you play-by-play coverage of Obama’s 2014 State of the Union.

Plus we’ll fact-check the talking points, take your live calls, go through our follow-up, and much much more.

On this week’s episode of Unfilter.

— Show Notes —



State of the Union


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Matt R

  • Jason T

  • James E

  • Chresten C

  • Mike G

  • Kenneth L

  • Mike

  • Jason G

  • Jordan E

  • Thanks to our 341 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

  • Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

  • Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.


NSA is Crazy:

Exploiting phone information and location is a high-priority effort for the intelligence agencies, as terrorists and other intelligence targets make substantial use of phones in planning and carrying out their activities, for example by using phones as triggering devices in conflict zones. The NSA has cumulatively spent more than $1bn in its phone targeting efforts.

The disclosures also reveal how much the shift towards smartphone browsing could benefit spy agencies’ collection efforts.
A May 2010 NSA slide on the agency’s ‘perfect scenario’ for obtaining data from mobile apps. Photograph: Guardian

One slide from a May 2010 NSA presentation on getting data from smartphones – breathlessly titled “Golden Nugget!” – sets out the agency’s “perfect scenario”: “Target uploading photo to a social media site taken with a mobile device. What can we get?”

The question is answered in the notes to the slide: from that event alone, the agency said it could obtain a “possible image”, email selector, phone, buddy lists, and “a host of other social working data as well as location”.

Whistleblower Edward Snowden leaked the documents about US mass surveillance. He spoke about his disclosures and his life to NDR journalist Seipel in Moscow.

“If there’s information at Siemens that’s beneficial to US national interests – even if it doesn’t have anything to do with national security – then they’ll take that information nevertheless,” Snowden said in the interview conducted in Russia, where Snowden has claimed asylum.

Snowden also told the German public broadcasting network he no longer had possession of any documents or information on NSA activities and had turned everything over to select journalists. He said he did not have any control over the publication of the information.


Top Story in the unfilter Subreddit


If you’re a Supporter check your inbox!

Call us: 1.425.312.1756


Obama’s NSA Reform Ruse | Unfilter 82 https://original.jupiterbroadcasting.net/50167/obamas-nsa-reform-ruse-unfilter-82/ Wed, 22 Jan 2014 21:45:37 +0000 https://original.jupiterbroadcasting.net/?p=50167 President Obama has outlined his so called reforms of America's controversial surveillance tactics. But as expected the reforms are light on real change.

The post Obama’s NSA Reform Ruse | Unfilter 82 first appeared on Jupiter Broadcasting.


President Obama has outlined his so called reforms of America’s controversial surveillance tactics. But as expected the reforms are light on real change, and leave many of the worst policies in place and unabated. We’ll dig into the most egregious.

Plus: It’s new round of character assassination for Edward Snowden, and this time the claims are even more ridiculous. Is Snowden a double agent for the FSB? We’ll debunk.

Then it’s your feedback, our followup, and much much more.

On this week’s Unfilter.

— Show Notes —


NSA is CRAZY

Michael Morell, who retired as deputy director of the CIA last summer, has joined CBS News as an intelligence, national security and counterterrorism contributor, the network announced this week.

The Washington Post has already identified the five big takeaways from Obama’s speech:

  1. US intelligence agencies will no longer hold Americans’ phone call records.

  2. There will, nevertheless, be some system for those records to be accessible when required.

  3. The US will no longer monitor the communications of the heads of state or government of “close friends and allies”.

  4. A new panel will be created to provide additional input into the secret court that oversees the Foreign Intelligence Surveillance Act (FISA), including privacy specialists and other non-government folks.

  5. There will be new rules to extend some of the privacy provisions applying to US citizens to foreigners, unless there’s a “compelling national security purpose”.

‘The USA knows that for us spying is a crime’

“The German justice system will not stand idly by if the efforts of the NSA blithely continue here,” he told Bild newspaper on Monday.

Hours after President Barack Obama finished his speech last Friday on proposed intelligence and surveillance reforms, the Office of the Director of National Intelligence (ODNI) declassified a number of documents from the nation’s most secretive court.

The new documents are heavily redacted orders from FISC to the FBI. These items request that the court order an entity (likely a business) to provide “tangible things” under Section 215 of the PATRIOT Act. The documents do not refer to who the target is, nor which company or organization they apply to.

“The Court understands that NSA expects that it will continue to provide on average approximately three telephone identifiers per day to the FBI,” reads a footnote in a 2007 court order (PDF) authored by FISC Judge Frederick Scullin, Jr.

We’ve put together a scorecard showing how Obama’s announcements stack up against 12 common sense fixes that should be a minimum for reforming NSA surveillance. Each necessary reform was worth 1 point, and we were willing to award partial credit for steps in the right direction. On that scale, President Obama racked up 3.5 points out of a possible 12.


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Kai

  • AmazonReviewPolice

  • Jonathan M.

  • Niklas V.

  • Michael O. ← 333rd Subscriber!

  • Thanks to our 333 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

  • Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

  • Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.


Snow Job:

Mr. Rogers said on the NBC News program “Meet the Press” on Sunday that Mr. Snowden should be seen not as a whistle-blower but as “a thief, who we believe had some help.”

Officials at both the N.S.A. and the F.B.I. have said their investigations have turned up no evidence that Mr. Snowden was aided by others.

Speaking from Moscow, where he is a fugitive from American justice, Snowden told The New Yorker, “This ‘Russian spy’ push is absurd.”

“It’s not the smears that mystify me,” Snowden told me. “It’s that outlets report statements that the speakers themselves admit are sheer speculation.” Snowden went on to poke fun at the range of allegations that have been made against him in the media without intelligence officials providing some kind of factual basis: “ ‘We don’t know if he had help from aliens.’ ‘You know, I have serious questions about whether he really exists.’ ”

Snowden went on, “It’s just amazing that these massive media institutions don’t have any sort of editorial position on this. I mean these are pretty serious allegations, you know?” He continued, “The media has a major role to play in American society, and they’re really abdicating their responsibility to hold power to account.”

Ellsberg is commonly looked at as the quintessential whistleblower today, but shortly after he leaked the top secret Vietnam War study, the Nixon administration made a concerted effort to paint him as a Soviet spy in the press, using anonymous quotes and non-existent ‘secret’ evidence.

  • Live Q&A with Edward Snowden: Thursday 23rd January, 8pm GMT, 3pm EST | Free Snowden (https://freesnowden.is/_2476.html)

Top Story in the unfilter Subreddit

The National Security Agency has collected almost 200 million text messages a day from across the globe, using them to extract data including location, contact networks and credit card details, according to top-secret documents.

The untargeted collection and storage of SMS messages – including their contacts – is revealed in a joint investigation between the Guardian and the UK’s Channel 4 News based on material provided by NSA whistleblower Edward Snowden.

The documents also reveal the UK spy agency GCHQ has made use of the NSA database to search the metadata of “untargeted and unwarranted” communications belonging to people in the UK.

The NSA program, codenamed Dishfire, collects “pretty much everything it can”, according to GCHQ documents, rather than merely storing the communications of existing surveillance targets.

The NSA has made extensive use of its vast text message database to extract information on people’s travel plans, contact books, financial transactions and more – including of individuals under no suspicion of illegal activity.


If you’re a Supporter check your inbox!

Call us: 1.425.312.1756


SSD Powered NAS? | TechSNAP 139 https://original.jupiterbroadcasting.net/47547/ssd-powered-nas-techsnap-139/ Thu, 05 Dec 2013 17:39:04 +0000 https://original.jupiterbroadcasting.net/?p=47547 SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.

The post SSD Powered NAS? | TechSNAP 139 first appeared on Jupiter Broadcasting.


SSDs in your Network Attached Storage? Maybe! We’ll share our thoughts. Two Million passwords stolen by Keylogging malware, but the data is where the fun is at.

Plus a great batch of your questions, our answers!


Show Notes:

D-Link finally released fix for some vulnerable routers, over a month late

  • In TechSNAP 132 (October 17 2013) we told you about a flaw in D-Link routers that allowed an attacker to entirely bypass the authentication system
  • Any user accessing a vulnerable device with the string “xmlset_roodkcableoj28840ybtide” (backwards: edit by 04882 joel backdoor) as their useragent is granted administrative privileges
  • D-Link promised to issue fixed firmware by the end of October
  • That updated firmware has finally been released, in December
  • Newer firmware does not seem to be available for all of the devices

2 Million passwords stolen by Key logging malware

  • Spider Labs managed to take over a Pony botnet controller
  • The botnet of infected machines was harvesting passwords with a keylogger
  • Total Haul:
  • ~1,580,000 website login credentials stolen
  • ~320,000 email account credentials stolen
  • ~41,000 FTP account credentials stolen
  • ~3,000 RDP credentials stolen
  • ~3,000 SSH account credentials stolen
  • Top Domains:
    • 325,000 Facebook
    • 70,000 Google
    • 60,000 Yahoo
    • 22,000 Twitter
    • 8,000 Linkedin
  • While the statistics make it look like many of the compromised machines were from the Netherlands, it seems most of the traffic was from a few IP addresses that seem to have been acting as reverse proxies for the infected machines
  • Strength of the observed passwords:
    • 6% Terrible
    • 28% Bad
    • 44% Medium
    • 17% Good
    • 5% Excellent
  • Conclusion: Even after years of being told to pick good, unique passwords, and after multiple breaches like MySpace, Gawker, LinkedIn and Adobe, people still choose terrible passwords
  • Additional Coverage

  • GoDaddy ad: https://hostcabi.net/hosting_infographic – GoDaddy hosts one of the largest proportions of the 100,000 most popular websites on the Internet

Hackers courted by Governments for Cyber Warfare jobs

  • Rolling Stone does profiles and Interviews at HackMiami, a meetup for hackers to show off their skills to corporate and government recruiters. There is also a ‘Cyber War Games’, where hackers simulate attacks against various targets and networks
  • One recruiter’s pitch: “We built an environment that allows people to legally do the things that would put them in jail”
  • “A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on. “
  • Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
  • In one profile, Rolling Stone looks at ‘Street’, an expert at social engineering. “Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”” — The digital equivalent to a clipboard
  • “To see what the front line of cyberwar really looks like, I visit the National Cybersecurity and Communications Integration Center in Arlington, Virginia, the Department of Homeland Security’s mission control. It’s one of our most important hubs in digital warfare, alongside the FBI and NSA. A wall of video screens show online the attacks on the IRS and NASA – both agencies were compromised by a Distributed Denial of Service Attack, a technique that floods a site with access requests, slowing or downing it completely. “

Feedback:


Round Up:

Sour Apple | CR 59 https://original.jupiterbroadcasting.net/40672/sour-apple-cr-59/ Mon, 22 Jul 2013 12:17:14 +0000 https://original.jupiterbroadcasting.net/?p=40672 A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

The post Sour Apple | CR 59 first appeared on Jupiter Broadcasting.


A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

Why we\’re a bit dismayed at Firefox OS’ attempts to kill the app store…

And we answer your hard questions.

Thanks to:

Use our code coder249 to get a .COM for $2.49.

Feedback

Dev World Hoopla

In an email to developers today, Apple revealed that its Developer Center website was breached by unknown hackers and was taken offline last Thursday as a precaution.

“This is definitely not an hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and i did notwanted to damage [sic],” writes the user Ibrahim Baliç.

He has since told the Guardian, “My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it.”

“In essence, with Firefox OS, we made app discovery as easy as browsing the web, and we give you a very good reason to brush up the mobile optimised web sites you already have on the web,” writes Mozillan Chris Heilmann on the company blog.

In the car industry, Formula 1 provides a commercial testbed for cutting-edge technologies. The Ubuntu Edge project aims to do the same for the mobile phone industry — to provide a low-volume, high-technology platform, crowdfunded by enthusiasts and mobile computing professionals.

Tool of the Week


Server Puppeteering | TechSNAP 71 https://original.jupiterbroadcasting.net/23236/server-puppeteering-techsnap-71/ Thu, 16 Aug 2012 15:46:51 +0000 https://original.jupiterbroadcasting.net/?p=23236 Automating your server deployments and configurations has never been easier, find out what Allan uses to get the job done! Plus Blizzard’s database breach details

The post Server Puppeteering | TechSNAP 71 first appeared on Jupiter Broadcasting.


Rumor has it the PlayStation Network has been hacked again, but we’ve got the real story. Blizzard suffered a nasty database breach, and it might be much worse than they are letting on.

Plus: Automating your server deployments and configurations has never been easier, find out what Allan uses to get the job done!

All that and a lot more, in this week’s TechSNAP!


Show Notes:

Attacker claims to have broken into Sony PSN again, Sony denies claim

  • Attackers have pasted 3000 password hashes and email addresses from an alleged list of 10 million
  • The official PlayStation Twitter account has denied the claim
  • Most of the password hashes appear to be the phpBB-modified version of the Openwall phpass hashing system, although some appear to be raw SHA1 hashes
  • This specific hashing algorithm suggests that the passwords are not from PSN, but from a forum database
  • However, since the Sony network might use a single sign-on system, it may be possible that these passwords are the same as the ones on the PSN network
  • Others have suggested it is just data from the previous attack last year

Blizzard admits Battlenet was compromised

  • This week the security team at Blizzard discovered unauthorized access to their internal servers
  • Information that is known to have been accessed includes:
    • Email Address
    • Answer to security question
    • Cryptographic verifiers for account passwords
    • Information relating to Mobile and Dial-In Authenticators
  • Blizzard does not believe at this time that any payment information (credit card numbers, billing addresses, real names) was taken
  • Battlenet uses the Secure Remote Password protocol (SRP), which is designed to allow remote users to authenticate in such a way that a network eavesdropper would not be able to retrieve the user’s password, or perform an offline dictionary attack against it
  • The need for such a protocol has long been obviated by SSL/TLS, which provides stronger protection against eavesdroppers, and also prevents attacks that involve altering the messages or spoofing the identity of the endpoint
  • This might have made sense when Battlenet was originally introduced, when SSL was too costly in terms of performance
  • Using a standard password hashing algorithm, even just md5crypt, would likely have been more secure in the case of a compromised database (obviously bcrypt would have been better). Maybe they will transition to something better now
  • One blogger who took the time to read the official SRP whitepaper written by the protocol author has gone so far as to request a retraction or clarification from Blizzard President Mike Morhaime:

    “Blizzard is incorrect in claiming that SRP ‘is designed to make it extremely difficult to extract the actual password’ after the verifier database is stolen,” Jeremy Spilman, the founder of a company called TapLink, wrote in a blog post titled “SRP Won’t Protect Blizzard’s Stolen Passwords.”

  • However: a Battle.net 2.0 emulator suggests that at least some of Blizzard’s hashed passwords were generated with an SRP implementation that uses a 1024-bit modulus, rather than the 256-bit modulus described in the whitepaper. The tweak makes password cracking take about 64 times longer than it would using the lower-bit setting.
  • Why hacked Blizzard passwords aren’t as hard to crack as company says
  • Additional Coverage: PCMag
  • Additional Coverage: Gamespot

Feedback:

  • Raymii created a Security Question Answers Generator Page!
    • Violates rule #3 of a security question, the answers are not ‘memorable’
    • Randomly generated answers are technically not stable or definitive either
    • Relies on you remembering or storing the answer, in case you fail to remember or store your password… (the secret answers should not be stored, or should be stored as securely as the original password itself, since they can be used in place of the password, or to reset it)
    • Cool site, decent random password generator à la XKCD
  • White Spiral from the chatroom wrote in with a number of suggestions for security questions
    • Your questions are not very applicable to average users (none of my ex-girlfriends had bad breath)
    • Questions related to sex pose numerous problems, including offending customers, or causing an unpleasant work environment for support employees who must ask these questions over the phone
    • User generated questions require more database resources, but likely solve the problems of applicability
    • Most users are likely worse at coming up with their own questions than the site will be
  • Jim emails in and suggests: why not use pictures of people you know! The first question might be their name and the second question may be the location.
    • You can’t use this type of security question over the phone
    • There may be privacy issues with storing pictures of 3rd parties on behalf of the customer (what if the database gets hacked, and now pictures of me uploaded by someone else are leaked)
    • I may not be able to remember the location the picture was taken in a few years
  • Peter suggests committing a lot of crimes, and confessing one to each company that requires a security answer

  • Q: I did bad, do I have to give up my internet license?

  • Q: Configuration management automation?

Question for a future episode:

Sr. SysAdmins and Techs, what would you like your Jr. co-workers to know or learn more about before joining the work force?

Round-Up:


Obscurity is not Security | TechSNAP 55 https://original.jupiterbroadcasting.net/19027/obscurity-is-not-security-techsnap-55/ Thu, 26 Apr 2012 18:59:25 +0000 https://original.jupiterbroadcasting.net/?p=19027 Cryptic Studios suffered a database breach, but we’ve got more questions, and more vulnerabilities have been found in critical infrastructure hardware.

The post Obscurity is not Security | TechSNAP 55 first appeared on Jupiter Broadcasting.


Cryptic Studios suffered a database breach, but we’ve got more questions than answers; more vulnerabilities have been found in critical infrastructure hardware, and a WiFi hack that’s so easy it’s fun!

Plus why you might have had trouble downloading Jupiter Broadcasting shows, and so much more!

All that and more on this week’s TechSNAP!


Show Notes:

Rugged OS contains backdoor maintenance account with insufficient security

  • Rugged OS makes devices for controlling SCADA systems, including enabling management of non-networked SCADA devices via an IP-to-Serial interface
  • Rugged OS devices are used to manage traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites
  • The issue is that all Rugged OS devices contain an account with the username ‘factory’, that cannot be disabled
  • This account is obviously meant to allow the manufacturer to service the device, however it is insufficiently secured
  • Instead of using strong cryptography or SSL/SSH keys or something like that, the Factory Account uses a password derived from the MAC address of the device (so, the password is unique per device)
  • However, this password is simply the MAC address run through a short perl script that reverses the octets and takes the modulus of a static constant
  • This means that all of the factory user passwords are at most 9 digits in length and always contain only numeric values
  • The RuggedCom devices appear to use plain Telnet, rather than SSH, so all communications to and from the device are in the clear, meaning the password to the device could be sniffed by anyone with access to the network segment
  • The MAC address of the device is presented automatically as part of the login banner, making the compromise of these devices extremely trivial
  • Researchers notified the manufacturer more than a year ago, but rarely got a response
  • The researchers forced the issue via US-CERT in February of this year, and in the beginning of April CERT set a disclosure date due to a lack of response
  • This vulnerability was discovered by analyzing the firmware of a used Rugged OS device bought on eBay by the researchers
  • RuggedCom was acquired by the Canadian subsidiary of Siemens last month
  • Full Disclosure Mailing List Post

Cryptic Studios Customer Database Stolen, in Dec 2010

  • The database that was compromised contained user login names, game handles, and ‘encrypted’ passwords
  • The official notice is sparse on details and does not explain what type of ‘encryption’ was used for the passwords
  • “Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database”
  • The fact that more than a year passed between the database compromise and the string of account compromises suggests that the passwords may have been properly hashed
  • The delay suggests that the attackers had to brute force the password database, and that this took significant time. However, the time factor is relative: if the attacker only used a single machine to crack the passwords, or was unaware of Rainbow Tables, plain MD5 sums could easily take this long
  • Salted MD5 (meaning, MD5 with a per-user salt) or better yet SHA256 would take significantly longer to crack and would be immune to rainbow tables
  • Salted passwords mean that even if two users have the same password, you have to brute force each hash separately (if you use plain MD5 sums, then all users with the same password can be cracked in one attempt)
  • It is also very likely that the attacker saved up the passwords they were able to crack in order to compromise all of the accounts at once, to avoid Cryptic taking the step they have taken now, and forcing a password reset on all affected accounts
  • The risk in waiting is that users will change their passwords over time, and the cracked passwords will then be rendered useless
  • Even cryptographic hashes can be cracked eventually, that is why it is important to change your passwords periodically
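As an added example (not code from the show, Cryptic or Blizzard), here is the salted, iterated password storage that both the Blizzard and Cryptic items argue for, beside the unsalted MD5 scheme they warn against; the user table, passwords and iteration count are constructed for the demo:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed user table: two users share a password, the case the notes describe.
USERS = [("alice", "hunter2"), ("bob", "hunter2"), ("carol", "correct horse")]

PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for this demo


def unsalted_md5(password: str) -> str:
    """The weak scheme: plain MD5, so identical passwords give identical digests."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_groups(table: dict) -> int:
    """Count stored values shared by more than one user: with plain MD5 one
    cracked value unlocks every account in the group; salting makes it zero."""
    counts = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def build_tables():
    """Return (weak, salted) tables for the constructed users."""
    weak = {u: unsalted_md5(p) for u, p in USERS}
    salted = {u: make_record(p) for u, p in USERS}
    return weak, salted


if __name__ == "__main__":
    weak, salted = build_tables()
    print("unsalted MD5 duplicate groups:", duplicate_hash_groups(weak))    # 1
    print("salted PBKDF2 duplicate groups:", duplicate_hash_groups(salted))  # 0
    print("verify alice:", verify("hunter2", salted["alice"]))              # True
```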

Arcadyan Wifi Routers have accidental backdoor in WPS

  • The flaw, which was likely originally in place as a debugging tool, allows any user to authenticate to your network using the WPS pin 12345670
  • This attack is worse than the previous WPS attack that reduced the keyspace, because it does not require someone to press the WPS button on the device
  • Worse, this override pin still works even if the WPS feature is disabled in the settings on the router
  • Arcadyan makes routers specifically for ISPs, and there are more than 100,000 of these $275 routers deployed in Germany alone, all of which are vulnerable
  • Both the stock shipped 1.08 and the latest downloadable version 1.16 of the firmware are vulnerable
  • The only available workaround is to disable wireless entirely
  • Since the routers are often white labeled with the name of your ISP, affected Arcadyan devices can instead be identified by MAC addresses that start with one of the following prefixes: 00-12-BF, 00-1A-2A, 00-1D-19, 00-23-08, 00-26-4D, 1C-C6-3C, 74-31-70, 7C-4F-B5, 88-25-2C

Feedback:

Q: The entire Internet writes….

Why can’t I download JB shows? My world is ending!

A: Blip.tv (our video CDN) has made changes that are stupid. We are moving off blip.tv and will keep you updated. If you want to grab something that is still hosted on blip.tv and are having issues downloading the files, here are some example workarounds:

Round-Up:


STOP SOPA! | TechSNAP 32 https://original.jupiterbroadcasting.net/13996/stop-sopa-techsnap-32/ Thu, 17 Nov 2011 19:50:19 +0000 https://original.jupiterbroadcasting.net/?p=13996 The Internet is facing its greatest challenge yet, we explain why the fight against online piracy has taken a turn towards Internet censorship.

The post STOP SOPA! | TechSNAP 32 first appeared on Jupiter Broadcasting.


The Internet is facing its greatest challenge yet, we explain why the fight against online piracy has taken a turn towards Internet censorship.

PLUS – Steam and NASA were hacked this week, find out how bad the fallout is, and why Private Browsing mode might not be that private!

All that and more, on this week’s episode of TechSNAP!


Show Notes:

Romanian hacker accused of breaking into NASA

  • Authorities of the Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) have arrested a 26 year old who is accused of breaking into multiple servers at NASA
  • The authorities claim that the attacker destroyed protected data and restricted access to it, resulting in a loss of over $500,000
  • Charges against Robert Butyka include:
    • obtaining unauthorized access and causing severe disruptions to a computer system
    • modifying, damaging and restricting access to data without authorization
    • possession of hacking programs
  • “Through criminal activity, the accused severely affected the operation of computer servers by introducing, modifying and damaging electronic data and restricting access to it,” DIICOT said in a statement.
  • He is to be tried in Romania, as there has been no extradition request.

Valve: Hackers Accessed Steam Users’ Encrypted Passwords, Credit Cards

  • Attackers managed to gain access to the user database
  • The database contained: username, email address, hashed and salted password, game purchase history, billing address, and encrypted credit card data.
  • Valve had not yet determined if the database had been copied or viewed
  • Valve originally believed that only the user forums had been compromised, but during the investigation it was determined that the compromise extended to all user data
  • Valve reports that they have not noticed an increase in login attempts and have not received any reports of misused credit cards. This suggests that the data was either not taken, or is sufficiently protected to delay its use.
  • If the database was taken, I would expect to see a spear phishing attack, using the name, username and email address of the users to ask them to ‘reset’ their steam password.
  • All forum accounts will require a password reset, however Valve is not forcing a password reset on all Steam accounts.

Private Browsing may not be as private as advertised

  • Private Browsing mode stops the browser from recording history, and isolates your cookies, not sending cookies from regular browsing mode, and removing the new cookies when you leave private mode.
  • Research has found that many plugins do not respect private mode, especially Adobe Flash, which has its own separate cookie system. This means a site that you visited in private mode could read those cookies even in regular mode, and vice versa. Flash has since been fixed, so make sure you upgrade.
  • Chrome and Internet Explorer have taken to automatically disabling plugins in private mode

Feedback:

  • Roger Writes… 3 Questions for you guys…
  • Allan does use Windows, for gaming, and for doing the podcast
  • For a list of the advantages of ZFS, you should watch the ZFS episode of TechSNAP. For the other file systems, really you can only compare them against another file system. UFS has advantages over ext2/3, specifically with its ability to store millions of files in a single directory.
  • For checking your email over 3G/4G, you should still use SSL in your phone’s mail client.
  • Arturo writes… Degree or Certs?

Round Up:

SOPA Box:
