datacenter – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed last updated Thu, 28 Mar 2019 04:52:27 +0000

They Never Learn | TechSNAP 371
https://original.jupiterbroadcasting.net/125421/they-never-learn-techsnap-271/
Fri, 08 Jun 2018 08:30:09 +0000

Show Notes: techsnap.systems/371

The post They Never Learn | TechSNAP 371 first appeared on Jupiter Broadcasting.

Homeland Insecurity | TechSNAP 220
https://original.jupiterbroadcasting.net/84302/homeland-insecurity-techsnap-220/
Thu, 25 Jun 2015 17:45:34 +0000

Google’s datacenter secrets are finally being revealed & we’ll share the best bits. Why the US Government is in no position to teach anyone about Cyber Security, how you can still get hacked offline, a batch of great questions, a huge round up & much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems

— Show Notes: —

After years of wondering, we can finally find out about Google’s Data Center Secrets

  • “Google has long been a pioneer in distributed computing and data processing, from Google File System to MapReduce to Bigtable and to Borg. From the beginning, we’ve known that great computing infrastructure like this requires great datacenter networking technology.”
  • “For the past decade, we have been building our own network hardware and software to connect all of the servers in our datacenters together, powering our distributed computing and storage systems. Now, we have opened up this powerful and transformative infrastructure for use by external developers through Google Cloud Platform.”
  • “‘We could not buy, for any price, a data-center network that would meet the requirements of our distributed systems,’ Vahdat said. Managing 1,000 individual network boxes made Google’s operations more complex, and replacing a whole data center’s network was too disruptive. So the company started building its own networks using generic hardware, centrally controlled by software. It used a so-called Clos topology, a mesh architecture with multiple paths between devices, and equipment built with merchant silicon, the kinds of chips that generic white-box vendors use. The software stack that controls it is Google’s own but works through the open-source OpenFlow protocol.”
  • “At the 2015 Open Network Summit, we are revealing for the first time the details of five generations of our in-house network technology.”
  • “Our current generation — Jupiter fabrics — can deliver more than 1 Petabit/sec of total bisection bandwidth. To put this in perspective, such capacity would be enough for 100,000 servers to exchange information at 10Gb/s each, enough to read the entire scanned contents of the Library of Congress in less than 1/10th of a second.”
  • “We use a centralized software control stack to manage thousands of switches within the data center, making them effectively act as one large fabric, arranged in a Clos topology”
  • “We build our own software and hardware using silicon from vendors, relying less on standard Internet protocols and more on custom protocols tailored to the data center”
  • “Putting all of this together, our datacenter networks deliver unprecedented speed at the scale of entire buildings. They are built for modularity, constantly upgraded to meet the insatiable bandwidth demands of the latest generation of our servers. They are managed for availability, meeting the uptime requirements of some of the most demanding Internet services and customers. Most importantly, our datacenter networks are shared infrastructure. This means that the same networks that power all of Google’s internal infrastructure and services also power Google Cloud Platform. We are most excited about opening this capability up to developers across the world so that the next great Internet service or platform can leverage world-class network infrastructure without having to invent it.”
  • “‘The amount of bandwidth that we have to deliver to our servers is outpacing even Moore’s Law,’ Vahdat said. Over the past six years, it’s grown by a factor of 50. In addition to keeping up with computing power, the networks will need ever higher performance to take advantage of fast storage technologies using flash and non-volatile memory, he said.”
  • “For full details you’ll have to wait for a paper we’ll publish at SIGCOMM 2015 in August”
  • Official Google Cloud Platform Blog Post

The US Government is in no position to teach anyone about Cyber Security

  • “Why should anyone trust what the US government says on cybersecurity when they can’t secure the systems they have full control over?”
  • “IRS employees can use ‘password’ as a password? No wonder they get hacked”
  • As I have long said, you have to assume the worst until you can prove otherwise: “The effects of the massive hack of the Office of Personnel Management (OPM) continue to ripple through Washington DC, as it seems every day we get more information about how the theft of millions of government workers’ most private information is somehow worse than it seemed the day before. (New rule: if you read about a hack of a government or corporate database that sounds pretty bad, you can guarantee it will be followed shortly thereafter by another story detailing how the same hack was actually much, much “worse than previously admitted.”)”
  • “It’d be one thing if this incompetence was exclusively an OPM problem, but despite the government trying to scare private citizens with warnings of a “cyber-Armageddon” or “cyber-Pearl Harbor” for years, they failed to take even the most basic steps to prevent massive data loss on their own systems. As OTI’s Robyn Greene writes, 80-90% of cyber-attacks could be prevented or mitigated with basic steps like “encrypting data, updating software and setting strong passwords.””
  • Of course, using Multi-Factor Authentication would help a lot too
  • “The agency that has been singled out for some of the worst criticism in recent years is the Department of Homeland Security, the agency that is supposedly in charge of securing all other government systems. The New York Times reported this weekend that the IRS’s systems still allow users to set their passwords to “password,” along with other hilariously terrible mistakes.”
  • “Instead of addressing their own problems and writing a bill that would force the government to upgrade all its legacy systems, implement stronger encryption across federal agencies and implement basic cybersecurity best practices immediately, members of both parties have been pushing dangerous “info-sharing” legislation that will end with much more of citizens’ private data in the hands of the government. And the FBI wants tech companies to install “backdoors” that would give the government access to all encrypted communications – thereby leaving everyone more vulnerable to hackers, not less. Two “solutions” that won’t fix any of the glaring problems staring them in the face, and which may make things a lot worse for ordinary people.”
  • There are plenty of examples of large networks that are fairly well secured, so it isn’t impossible to secure a large network. However, the number of insecure government and corporate networks suggests that more needs to be done.
  • The solution isn’t something sold by a vendor; it is the same stuff security experts have been preaching for decades:
    • Need to know — Only those who actually need data should have access to it. Let’s not just store everything on a giant shared network drive that everyone has read/write access to
    • Patching — Software has flaws. These flaws get fixed and then become public (sometimes the other way around: the dreaded zero-day flaw). If you do not patch your software quickly, you increase the chance of the flaw being used against you
    • Strong Authentication — Password complexity requirements can be annoying, because they are often too vague. Requiring a number, a lower case letter, an upper case letter, and a symbol isn’t necessarily as secure as a longer passphrase. Worse, many systems do not store passwords securely, making them less secure still
    • Multi-Factor Authentication — Requiring more than one factor ensures that if an attacker does shoulder surf, key log, phish, or otherwise gain access to someone’s password, they still cannot access the secure data
    • Encryption — This one is hard, as many solutions turn out to not be good enough. “The hard drive on my laptop is encrypted” is fine, except if the attacker gets access while your machine is powered on and logged in. Sensitive data should be taken offline when it is not in use, rather than being readily accessible in its decrypted form
    • Logging — Knowing who accessed what, and when, is useful after the fact. Having an intelligence system that looks for anomalies in this data can help you detect a breach sooner, and maybe stop it before the baddies make off with your data
    • Auditing — Use a security appliance like the FUDO so that access to secure systems is only allowed when it is recorded. This way the actions of all contractors and administrators are recorded on video, and there is no way to access the protected systems except through the FUDO.
  • As we discussed before in TechSNAP 214, there are other techniques that can be used to help safeguard systems, including whitelisting software, and only allowing approved applications on sensitive systems. The key is deciding which protections to use where, while generating the least amount of ‘user resistance’

Google Project Zero researcher discloses 15 new vulnerabilities


Feedback:


Round Up:


The post Homeland Insecurity | TechSNAP 220 first appeared on Jupiter Broadcasting.

Day-0 of an InfoSec Career | TechSNAP 209
https://original.jupiterbroadcasting.net/80277/day-0-of-an-infosec-career-techsnap-209/
Thu, 09 Apr 2015 19:57:13 +0000

Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to build a successful Information Security career.

Plus a great batch of your questions, a rocking round up, and much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems

— Show Notes: —

How to make secret phone calls

  • “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
  • “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
  • The article sets out the steps required to conduct untraceable phone calls
  • The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
  • “using a prepaid ‘burner’ phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
  • Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
  • Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
  • After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
  • Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
  • Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
  • Wipe down and destroy handset.
  • “The approach is ‘very passive,’ says Wallen. For example, ‘Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,’ he says. ‘So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a “random” filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.’”
  • “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
  • “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
  • “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
  • “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
  • “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
  • Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
  • “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
  • Guide to creating and using One-Time Pads
  • John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

  • “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
  • “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP range owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.”
  • “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
  • “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
  • Level 3 then worked to block the malicious traffic
  • “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
  • “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before, a DDoS rootkit.”
  • “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
  • “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
  • Remote root login should never be allowed anyway
  • Hopefully this will send a clear message to the providers that allow these types of attackers to operate on their network. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.

How to Build a Successful Information Security Career

  • A question I often get is “how do I get into InfoSec?”
  • I am not actually an InfoSec professional and have never really worked in that space, so I do not have the answer
  • Luckily, someone who is in that space, finally wrote it all down
  • “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
    • So, keep watching TechSNAP
  • Basic Steps:
    • Education (Sysadmin, Networking, Development)
    • Building Your Lab (VMs, VPSs from Digital Ocean)
    • You Are Your Projects (Build something)
    • Have a Presence (Website, Blog, Twitter, etc)
    • Certifications (“Things have the value that others place on them”)
    • Networking With Others (Find a mentor, be an intern)
    • Conferences (Go to Conferences. Speak at them)
    • Mastering Professionalism (Dependability, Well Written, Good Speaker)
    • Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
    • Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
    • Becoming Guru
  • It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
  • Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

Feedback:


Round Up:


The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

Beastly Infrastructure | BSD Now 56
https://original.jupiterbroadcasting.net/67602/beastly-infrastructure-bsd-now-56/
Thu, 25 Sep 2014 10:52:48 +0000

This week we’re on the other side of the Atlantic, attending EuroBSDCon. For now, we’ve got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It’s an inside look that you probably won’t hear about anywhere else! We’ll also get to a couple of your emails today, and be back next week with all the usual goodies, on BSD Now – the place to B.. SD.

Thanks to:

  • iXsystems
  • Tarsnap

– Show Notes: –

Interview – Peter Wemm – peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure


Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • We’ll be back next week from EuroBSDCon, hopefully with some great interviews, come and say hi to us!

The post Beastly Infrastructure | BSD Now 56 first appeared on Jupiter Broadcasting.

Documentation is King | BSD Now 30
https://original.jupiterbroadcasting.net/54187/documentation-is-king-bsd-now-30/
Thu, 27 Mar 2014 21:38:46 +0000

We chat with Warren Block to discuss BSD documentation efforts and future plans. If you’ve ever wondered about the scary world of mailing lists, today’s tutorial will show you the basics of how to get help and contribute back. There’s lots to get to today, so sit back and enjoy some BSD Now – the place to B.. SD.

Thanks to:

  • iXsystems

– Show Notes: –

Headlines

OpenBSD on a Sun T5120

  • Our buddy Ted Unangst got himself a cool Sun box
  • Of course he had to write a post about installing and running OpenBSD on it
  • The post goes through some of the quirks and steps to go through in case you’re interested in one of these fine SPARC machines
  • He’s also got another post about OpenBSD on a Dell CS24-SC server

Bhyvecon 2014 videos are up

  • Like we mentioned last week, Bhyvecon was an almost-impromptu conference before AsiaBSDCon
  • The talks have apparently already been uploaded!
  • Subjects include Bhyve’s past, present and future, OSv on Bhyve, a general introduction to the tool, migrating those last few pesky Linux boxes to virtualization
  • Lots more detail in the videos, so check ’em all out

Building a FreeBSD wireless access point

  • We’ve got a new blog post about creating a wireless access point with FreeBSD
  • After all the recent news of consumer routers being pwned like candy, it’s time for people to start building BSD routers
  • The author goes through a lot of the process of getting one set up using good ol’ FreeBSD
  • Using hostapd, he’s able to share his wireless card in hostap mode and offer DHCP to all the clients
  • Plenty of config files and more messy details in the post

Switching from Synology to FreeNAS

  • The author has been considering getting a NAS for quite a while and documents his research
  • He was faced with the compromise of convenience vs. flexibility – prebuilt or DIY
  • After seeing the potential security issues with proprietary NAS devices, and dealing with frustration with trying to get bugs fixed, he makes the right choice
  • The post also goes into some detail about his setup, all the things he needed a NAS to do as well as all the advantages an open source solution would give
  • Speaking of FreeNAS…

This episode was brought to you by iXsystems


Interview – Warren Block – wblock@freebsd.org

FreeBSD’s documentation project, igor, doceng


Tutorial

The world of BSD mailing lists


News Roundup

HAMMER2 work and notes

  • Matthew Dillon has posted some updated notes about the development of the new HAMMER version
  • The start of a cluster API was committed to the tree
  • There are also links to a design document and a freemap design document

BSD Breaking Barriers

  • Our friend MWL gave a talk at NYCBSDCon about BSD “breaking barriers”
  • “What makes the BSD operating systems special? Why should you deploy your applications on BSD? Why does the BSD community keep growing, and why do Linux sites like DistroWatch say that BSD is where the interesting development work is happening? We’ll cover the not-so-obvious reasons why BSD still stands tall after almost 40 years.”
  • He also has another upcoming talk (or “webcast”) called “Beyond Security: Getting to Know OpenBSD’s Real Purpose”
  • “OpenBSD is frequently billed as a high-security operating system. That’s true, but security isn’t the OpenBSD Project’s main goal. This webcast will introduce systems administrators to OpenBSD, explain the project’s mission, and discuss the features and benefits.”
  • It’s on May 27th and will hopefully be recorded

FreeBSD in a chroot

  • Finch, “FreeBSD running IN a CHroot,” is a new project
  • It’s a way to extend the functionality of restricted USB-based FreeBSD systems (FreeNAS, etc.)
  • All the details and some interesting use cases are on the github page
  • He really needs to change the project name though

PCBSD weekly digest

  • Lots of bugfixes for PCBSD coming down the tubes
  • LZ4 compression is now enabled by default on the whole pool
  • The latest 10-STABLE has been imported and builds are going
  • Also the latest GNOME and Cinnamon builds have been imported and much more

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • We wanted to give the Bay Area FreeBSD Users Group a special mention; if you’re in the San Francisco Bay Area, there’s a very healthy BSD community there and they regularly have meet-ups
  • If you listened to the audio-only version of this week’s episode, you’re really missing out on Warren’s fun animations in the interview!

The post Documentation is King | BSD Now 30 first appeared on Jupiter Broadcasting.

Scenic BGP Route | TechSNAP 137
https://original.jupiterbroadcasting.net/46702/scenic-bgp-route-techsnap-137/
Thu, 21 Nov 2013 19:21:23 +0000

Attackers use BGP to redirect and monitor Internet traffic, 42 Million dating site passwords leaked, and the data center that could be coming to a town near you.

Plus a great batch of your questions, our answers, and much much more!

On this week’s TechSNAP!

Thanks to:

  • GoDaddy
  • Ting

Show Notes:

Attackers compromise core routers and redirect internet traffic

  • Attackers have managed to compromise some routers running BGP (Border Gateway Protocol), and cause them to inject additional hops into some routes on the Internet, allowing them to execute man-in-the-middle (MitM) attacks and/or monitor some users’ traffic
  • Renesys has detected close to 1,500 IP address blocks that have been hijacked on more than 60 days this year
  • “[The attacker is] getting one side of conversation only,” Cowie said. “If they were to hijack the addresses belonging to the webserver, you’re seeing users requests—all the pages they want. If they hijack the IP addresses belonging to the desktop, then they’re seeing all the content flowing back from webservers toward those desktops. Hopefully by this point everyone is using encryption.”
  • In one attack, a route from Guadalajara, Mexico to Washington, D.C. included hops through London, Moscow and Minsk before being handed off to Belarus, all because of a false route injected at Global Crossing, now owned by Level3
  • “In a second example, a provider in Iceland began announcing routes for 597 IP networks owned by a large U.S. VoIP provider; normally the Icelandic provider Opin Kerfi announces only three IP networks, Renesys said. The company monitored 17 events routing traffic through Iceland”
  • Renesys does not have any information on who was behind the route hijacking

Cupid Media Hack Exposed 42M Passwords

  • The data stolen from Southport, Australia-based dating service Cupid Media was found on the same server where hackers had amassed tens of millions of records stolen from Adobe, PR Newswire and the National White Collar Crime Center (NW3C), among others.
  • Plain text passwords for more than 42 million accounts
  • Krebs contacted Andrew Bolton, the company’s managing director, who said the information appears to be related to a breach that occurred in January 2013.
  • When Krebs told Bolton that all of the Cupid Media users he’d reached confirmed their plain text passwords as listed in the purloined directory, Bolton suggested Krebs might have “illegally accessed” some of the company’s member accounts. He also noted that “a large portion of the records located in the affected table related to old, inactive or deleted accounts.”
  • > “The number of active members affected by this event is considerably less than the 42 million that you have previously quoted,” Bolton said.
  • The danger with such a large breach is that far too many people reuse the same passwords at multiple sites, meaning a compromise like this can give thieves instant access to tens of thousands of email inboxes and other sensitive sites tied to a user’s email address.
  • Facebook has been mining the leaked Adobe data for information about any of its own users who might have reused their Adobe password and inadvertently exposed their Facebook accounts to hijacking as a result of the breach.
  • The Date of Birth field is a ‘datetime’ rather than just a ‘date’, and seems to include a random timestamp, maybe from when the user signed up
  • Additional Coverage

Feedback:


Round Up:



-CURRENT Events | BSD Now 9 https://original.jupiterbroadcasting.net/45667/current-events-bsd-now-9/ Thu, 31 Oct 2013 21:33:50 +0000 https://original.jupiterbroadcasting.net/?p=45667 We've got an interview with Henning Brauer about OpenBSD's pf firewall, a tutorial on how to follow the -STABLE and -CURRENT branches of FreeBSD.

The post -CURRENT Events | BSD Now 9 first appeared on Jupiter Broadcasting.


We’ve got an interview with Henning Brauer about OpenBSD’s pf firewall, a tutorial on how to follow the -STABLE and -CURRENT branches of FreeBSD, a recap of what happened at vBSDCon this year and, as always, lots of news to cover, so stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Managed services using FreeBSD

  • New York Internet, a huge ISP and service provider, details how they use FreeBSD
  • Mentions using BSD technologies: pf, pfsync, carp, haproxy, zfs, jails and more
  • Explains FreeBSD’s role in commercial workloads on a massive scale
  • Lots of cool graphs and info, check out the full write-up

OpenBSD boot support for keydisk-based crypto volumes

  • So far, only passphrase-based crypto volumes were bootable
  • Full disk encryption with key disks required a non-crypto partition to load the kernel
  • The bootloader now scans all BIOS-visible disks for RAID partitions and automatically associates key disk partitions with their crypto volume
  • No need to re-create existing volumes. Moving the root partition onto the crypto disk and running “installboot” is all that’s needed

More Dragonfly SMP speedups

  • Matthew Dillon has been committing lots of various SMP improvements
  • Using dports builds on a 48-processor machine as a test
  • The machine’s now building more than 1000 packages an hour
  • Super technical details in the show notes, check ’em out

Getting to know portmgr

  • Start of an ongoing series profiling members of the FreeBSD Ports Management Team
  • In the first interview, they talk to the longest-serving member of the team, Joe Marcus Clarke
  • In the second, they talk to Bernhard Frölich (who’s also the creator of redports.org)
  • Future segments will include the other members
  • Topics include their inspiration for using FreeBSD, first time using it, lots of other interesting stuff

BSD Now at the top of iTunes

  • BSD Now is on the front-and-center page of iTunes’ technology podcast section
  • We’re better than everyone else and Leo is fat

Interview – Henning Brauer – henning@openbsd.org / @henningbrauer

OpenBSD’s pf firewall, privilege separation, various topics


Tutorial

Tracking -STABLE and -CURRENT

  • The BSDs have development branches you can follow
  • This guide shows the differences between FreeBSD -RELEASE, -STABLE and -CURRENT
  • Will do OpenBSD and NetBSD versions in the future, since their methods are all pretty different

News Roundup

OpenBSD gets XBox360 controller support

  • Adds support for Microsoft XBox 360 controller as a uhid
  • Will make things easier for emulators in OpenBSD
  • Are there people who regularly play games on BSD? Email us, might do a segment on it

PCBSD 10-STABLE ISOs available

  • Early cut of the new stable/10 branch, not recommended for everyone
  • A pkgng repository is available, but is missing a number of packages
  • AMD KMS, new text installer, UEFI loader support, much more

Switching from Linux to BSD

  • Yet another Linux user switching to BSD makes a thread about it
  • Asks the community what some differences and advantages are
  • Good response from the community, worth reading if you’re a Linux guy

Unattended OpenBSD installations

  • Unattended installations possible using DHCP and a “response” file
  • The system gets an IP via DHCP, then fetches a config file with key=value pairs
  • Can do automatic network setup, SSH, passwords, etc
  • Still a work in progress

Feedback/Questions

  • Kjell-Aleksander writes in: https://slexy.org/view/s21hxDpzjO
  • Alex writes in: https://slexy.org/view/s21ibNDb5y
  • Chad writes in: https://slexy.org/view/s20D6K2NUe
  • Joshua writes in: https://slexy.org/view/s20UZLFHAg
  • Craig writes in: https://slexy.org/view/s20S15bbZ4

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The Default Solution | Unfilter 70 https://original.jupiterbroadcasting.net/44382/the-default-solution-unfilter-70/ Wed, 09 Oct 2013 23:21:32 +0000 https://original.jupiterbroadcasting.net/?p=44382 Behind the scenes the debate is taking a new direction. A cool analysis of the situation reveals several options are available to settle the standoff.

The post The Default Solution | Unfilter 70 first appeared on Jupiter Broadcasting.


The shutdown showdown marches on, as both sides double up on the hothead nonsensical rhetoric. But behind the scenes the debate is taking a new direction. A cool analysis of the situation reveals several options are available to settle the standoff. We’ll look at those options, and why big money is preparing for default.

Plus a critical look at the unlimited amounts of money about to flow into American politics, the recent military raids in Africa, your feedback, our follow up and much, much more.

— Complementary Supporters Show: Unfilter 70 Supporters Show MP3

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —


NSA is CRAZY

“I must admit in my darker moments over the past several months, I’d also thought of nominating Mr. Snowden, but it was for a different list,” Hayden said during a cybersecurity panel hosted by the Washington Post.

As the audience laughed, US lawmaker Rep. Mike Rogers, chairman of the House Intelligence Committee, offered Hayden his support: “I can help you with that,” he said.

“The failures that occurred during testing have been mitigated. A project of this magnitude requires stringent management, oversight and testing before the government accepts any building,” an NSA spokeswoman told WIRED by email.

But the Wall Street Journal reports that there is disagreement about whether the proposed solutions will work. The Army Corps of Engineers is overseeing construction of the data center, and the electrical system itself was built by architecture firm KlingStubbins, which is a joint venture of three companies: Balfour Beatty Construction, DPR Construction and Big-D Construction Corp. Although the contractors have a fix in place, the cause of the surges — known as “arc fault failures” — is unknown.

While the National Security Agency (NSA) has largely escaped the government shutdown, the panel investigating NSA spying practices has effectively been frozen. Politico reports that as of Friday, the five-member Review Group on Intelligence and Communications Technologies lost its staff to the furlough associated with the government shutdown.

The group, which is largely comprised of intelligence community and White House insiders, was initially scheduled to remain running during the furlough. However, former acting CIA director Michael Morell declined to attend a scheduled meeting Tuesday, citing the shutdown: “While the work we’re doing is important, it is no more important than — and quite frankly a lot less important — than a lot of the work being left undone by the government shutdown, both in the intelligence community and outside the intelligence community.”


The U.S. Supreme Court is poised to strike down a law prohibiting unlimited campaign contributions.

“The latest case would go even further than Citizens United,” he said. “It would say anything goes: there are no rules in terms of how to finance campaigns.”

The challengers take issue with separate overall limits of $48,600 every two years for individuals’ contributions to all federal candidates and $74,600 to political party committees. (Federal law continues to ban direct contributions to candidates or political parties from corporations and unions.)

“These limits,” said Erin E. Murphy, a lawyer for Mr. McCutcheon, “simply seek to prevent individuals from engaging in too much First Amendment activity.”


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Carl M

  • Tyler B

  • iglun

  • Wes M

  • Nicholas S

  • Karl M

  • Curtis J

  • Fredrik L

  • Tyler T

  • Chewbatrij

  • Thomas Y

  • Alberto B

  • Buskivuski

  • Jason D

  • Thanks to our 202 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

  • Finally a Supporter


Shutdown Showdown

“Tough luck,” these people say. The nation spends too much as it is. Blocking a debt ceiling increase will provide the radical shock therapy the nation desperately needs to start living within its means.

“We have 10 times as much tax revenue as we’ve got annual interest on the debt obligations,” Rep. Mo Brooks (R-Ala.) said in an interview, offering the key talking point of the debt limit denial caucus. “So if the president does not want us to default on our credit or obligations, we won’t.”

Other members say they based entire campaigns on not boosting the borrowing limit.

“I ran on not raising the debt ceiling,” said Rep. Ted Yoho (R-Fla.). “We will not default. And I think it’s a lot of hype that gets spun in the media.”

If the dollar were suddenly to lose reserve status, the United States of America would face catastrophic inflation. All the dollars that the Federal Reserve has been creating, at about $85 billion each month, would begin to be dumped right on our heads, and the dollar would become virtually worthless.

More importantly, China has moved aggressively to replace the dollar with its Yuan in all its many, many international trades, including those in Saudi Arabia, Russia, South Korea, Australia, and many other traditional U.S. trading partners. China, with vigorous support from Russia and reluctant support from the other mega-economies in Asia, especially India and Japan, is using treaties which require acceptance of payments in their currency, the Yuan.

“To think that we are going to repeal Obamacare, which would have required 67 Republican votes, of course, was a false premise, and I think did the American people a great disservice by convincing them that somehow we could.”

The chamber voted mostly along party lines, 224–197, to create the “Bicameral Working Group on Deficit Reduction and Economic Growth.” The proposed 20-lawmaker panel would comprise 10 members from each chamber and would be tasked with recommending discretionary spending cuts, “changes in the statutory limit on public debt” and identifying other spending cuts.

Republicans want spending cuts and domestic entitlement program changes in return for a debt-ceiling increase. They say most modern presidents, including Obama twice, have negotiated over the borrowing limit.

This weekend, The New York Times revealed how the Koch Brothers and Reagan Attorney General Ed Meese engineered this here shutdown we’re dealing with right now, and how they’d been planning it ever since Obama was reelected.

The Dow slid nearly 160 points Tuesday, wiping out any gains it made in the past month.


Oh no… GMO?

Feedback:

  • Bitmessage Address: BM-GuQ4gqmBeW8CYpSo3Htg2pBrBdHbvpe7

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow Us:

/var/water/logged | TechSNAP 82 https://original.jupiterbroadcasting.net/26841/varwaterlogged-techsnap-82/ Thu, 01 Nov 2012 16:37:44 +0000 https://original.jupiterbroadcasting.net/?p=26841 An inside look at how hard some Sysadmins had to work to keep their servers running after being hit by Superstorm Sandy!

The post /var/water/logged | TechSNAP 82 first appeared on Jupiter Broadcasting.


An inside look at how hard some Sysadmins had to work to keep their servers running after being hit by Superstorm Sandy!

Plus the final analysis of the Diginotar saga, an epic network debugging war story that will leave you groaning and a huge batch of your questions, and so much more!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox
  • Hurricane Sandy creates havoc for data centers in New York and New Jersey

    • A number of data centers in and around New York and New Jersey suffered various failures and issues
    • ConEd the utility provider in New York started proactively shutting down power before the storm hit, in an effort to avoid damage to their equipment
    • Most data centers had already pro-actively switched to off-grid mode, providing their own power via Diesel Generators
    • What happens when salt water meets high voltage gear
    • Slashdot created a status page, showing the known issues
    • WebHostTalk thread where various customers report the status of their gear
    • More reporting from the Web Hosting Industry Review
    • Equinix reports on their situation
    • Oct 29th: Datagram goes down, takes out Gawker, HuffingtonPost, BuzzFeed and others
    • Oct 29th: Internap announces they are evacuating the 75 Broad Street building
    • “The flooding has submerged and destroyed the site’s diesel pumps and is preventing fuel from being pumped to the generators on the mezzanine level. The available fuel reserves on the mezzanine level are estimated to support customer loads for approximately 5–7 hours”
    • It appears that NY building codes prevent storing large amounts of fuel on the upper floors due to the danger to occupants and emergency personnel in the event of a fire
    • Generators are located in the basement with the fuel supply, and some customers have their own generators on the upper floors
    • The above-ground generators are fueled from small ‘day tanks’, which are then refilled from the sub-basement by pumps
    • The pumps must be located near the fuel supply, rather than on the upper levels, because the pumps would not be able to ‘prime’ themselves (pumps need liquid to pump, they cannot create enough vacuum to draw the fuel up many floors)
    • Because the flooding cut off fuel supplies and drowned generators, some data centers that did manage to stay powered up still lost some or all of their transit to the internet, since the other buildings their connections pass through, or their providers, lost power
    • Peer1, in the same building (75 Broad Street) is on the 17th floor, provided customers hourly updates via their forums
    • Peer1 staff and customers took to carrying barrels of diesel fuel up to the 17th floor to keep the day tanks full
    • Oct 29, 17:40 – Sites 1 and 2 transitioned to generator power
    • 20:36 – Still on generator. Building reports that the lobby has taken in some water
    • 22:27 – Building has detected some flooding in the 1st and 2nd basement due to the storm surge. Extent of the damage will not be determined until the basement is accessible. The fuel system has a header with 5000 gallons of fuel and will be the primary supply for the next 12–24 hours. They are also observing some lowering of the water level outside the building.
    • Oct 30, 03:30 – We are still running from emergency generator power. Water has receded and we are currently waiting for a report back from building engineers on the status of the fuel and power systems that were located in the basement. We will post further updates when we have them
    • 08:00 – At this point we have an estimate of 4 hours for the fuel left on our generators. Our techs and facility are continuously working to get emergency fuel delivery on time and are looking to set up a temporary tank and pump since the basement is still flooded. In the event of not receiving the fuel on time, worst case scenario is we will have to gracefully shut down the facility.
    • 16:00 – The PEER 1 Hosting NYC datacenter remains on generator power with fuel being provided through the remaining building supply. The fuel tank has arrived at our facility and due to flooding conditions in the basement caused by the weather, we are working on alternative methods of fuel delivery to the day tank located on the 17th floor. As of now, our datacenter team is carrying half-full 50 gallon barrels of diesel to our daily fuel reservoir on the 17th floor, until a more sustainable solution is reached.
    • Oct 31, 00:00 – Peer1 is still maintaining generator power. We did have a slight temperature rise at Site 1 but this has been addressed by technicians. We will provide our next update in 1 hour
    • 04:00 – Peer1 is still maintaining generator power for most customers in Site 2 and Site 1. The temperature in Site 1 is still running at a critically high level. At this point, we have started to call all clients in our Site 1 and are asking all our colocation clients to turn down non-essential equipment. This will maximize our time to run on generator and help with the temperature rise in Site 1. Our technicians will go ahead and shut down all customers at Site 1 within the next hour (you will receive an update when this is being performed). We will provide our next update in 1 hour.
    • 08:00 – Completed shutdown of customer equipment in Site 1
    • 10:00 – The A/C in Site 1 is powered off building generators that are still down. If we bring Site 1 back up before the building generators are back up, Site 1 will just overheat. We are working to try and find another workaround, but we are having trouble getting electricians on site and are also working with the building to get their generator up and running. Additional spare fuel is still being manually put into our generator. We have also scheduled a fuel drop-off for the next fueling marker. We will provide our next update in 1 hour.
    • 15:00 – Peer1 is still maintaining generator power for customers in Site 2. The temperature in Site 1 is starting to stabilize but we are still not bringing up the power due to our cooling system still being down in Site 1. The electrician is currently moving electrical circuits to get a portion of the CRAC units in Site 1 online. We will contact those customers directly once we have these units online. Fuel is still good, we will provide our next update in 1 hour.
    • 23:00 – Peer1 is still maintaining generator power for customers in Site 2. The temperature in Site 1 has stabilized. We will soon begin the process of slowly bringing up customers’ cabinets at Site 1. Fuel is still good, we will provide our next update in 1 hour.
    • Nov 1, 13:00 – Peer1 is still maintaining generator power. We have an update from the building. We are providing them a fuel hose that will allow them to start filling the building fuel tank in the next hour. We are continuing to run from our generator.
    • 16:00 – Peer1 is still maintaining generator power. Building is currently pumping fuel into the 5000 gallon header tank. We are looking at cutting over to the 5000 gallon header tank in ~90 minutes
    • Additional Story
    • NY Times live updates on Sandy’s Aftermath

70% of State chief information security officers report breaches this year

  • Between 2010 and 2011 only 14% of CISOs saw a budget increase, while 44% say their budgets didn’t change and 34% saw their budgets reduced
  • Only 24% of CISOs are confident that they can safeguard their data from outside attacks
  • Report PDF

DigiNotar report lands, all CAs totally compromised

  • The attacker who compromised the SSL CA DigiNotar last year had full control over all 8 of their certificate-issuing servers
  • The report suggests that the attacker may have issued additional rogue certificates that were never identified
  • This risk was mitigated somewhat by most vendors revoking all trust in DigiNotar-issued certificates, but customers who did not receive the root trust update could still be vulnerable
  • The company investigating the compromise found that the log files were generally stored on the same servers that had been compromised, and evidence was found that they had been tampered with
  • “While these log files could be used to make inconclusive observations regarding unauthorized actions that took place, the absence of suspicious entries could not be used to conclude that no unauthorized actions took place”
  • Investigators also found evidence that a claim by the anonymous attacker who compromised the Comodo CA, that he was also the one who breached DigiNotar, may in fact be true
  • The DigiNotar network was highly segmented and a number of the segments were isolated from the public Internet. However, a lack of strict enforcement of these policies may have allowed the attacker to island-hop from the compromised web servers to the CA servers
  • “The investigation showed that web servers in DigiNotar’s external Demilitarized Zone (DMZ-ext-net) were the first point of entry for the intruder on June 17, 2011”
  • “From the web servers in DMZ-ext-net, the intruder first compromised systems in the Office-net network segment between the 17th and 29th of June 2011”
  • “Subsequently, the Secure-net network segment that contained the CA servers was compromised on July 1, 2011”
  • “Specialized tools were recovered on systems in these segments, which were used to create tunnels that allowed the intruder to make an Internet connection to DigiNotar’s systems that were not directly connected to the Internet. The intruder was able to tunnel Remote Desktop Protocol connections in this way, which provided a graphical user interface on the compromised systems, including the compromised CA servers.”
  • The attack on DigiNotar lasted for almost six weeks without being detected
  • “The private keys were activated in the netHSM using smartcards. No records could be provided by DigiNotar regarding if and when smartcards were used to activate private keys, except that the smartcard for the Certificate Authorities managed on the CCV-CA server, which is used to issue certificates used for electronic payment in the retail business, had reportedly been in a vault for the entire intrusion period”
  • Original Article, in Dutch
  • Full Report PDF

Feedback

Followup:

War story: The little ssh that sometimes couldn’t

  • Mina Naguib is a sysadmin and director of engineering at Adgear
  • Noticed that some of his SSH cronjobs started reporting failures and timeouts between his servers in London (UK) and Montreal (CA)
  • He found that the transfers either completed at high speed, or hung and never completed (there were no transfers that succeeded at low speed)
  • Running the transfers manually seemed to work fine
  • After examining packets with TCPDump as they left London, he found that some packets were being transmitted, not acknowledged, and then retransmitted, still not acknowledged
  • While examining the packets as they were received in Montreal, he noticed a difference
  • The 15th byte of every 16 bytes was being predictably corrupted
  • In the SSH handshake, instances of “h” became “x” and all instances of “c” became “s”, but only beyond the first 576 bytes
  • The SSH sessions were getting stuck because the remote server’s kernel discarded the corrupted TCP packet, the retransmit was corrupted the same way, and so the connection was in a stalemate
  • He ruled out an issue with the NICs in the servers on either side, because the issue was affecting multiple servers and two different Montreal data centers
  • To prove his hypothesis, he used netcat to pipe /dev/zero over the network, and while examining the packets as they were received on the other side, beyond the first 576 bytes a specific bit was being transformed from a 0 to a 1
  • The issue did not affect UDP or ICMP packets, only TCP
  • Now, the task was to pinpoint which router along the path was causing the issue
  • This was more difficult because, unlike an ICMP ECHO where you can elicit a predictable response from a remote host, for TCP you require both endpoints to cooperate
  • So, he grabbed nmap and used its ‘Random IP’ mode to find a collection of SSH servers, some that did and some that did not share hops in common with the affected route between London and Montreal
  • He created a list of servers that did not experience corruption and those that did, and used traceroutes to identify the paths the packets took
  • Note: some internet paths are asymmetrical, and a standard traceroute will not find the return path; this could have made the problem much harder to diagnose
  • After finding 16 bad and 25 good SSH connections, he was able to narrow his list of suspects down to a specific connection between 2 backbone providers
  • London → N hops upstream1 → Y hops upstream2
  • “Through upstream1, I got confirmation that the hop I pointed out (first in upstream2) had an internal “management module failure” which affected BGP and routing between two internal networks. It’s still down (they’ve routed around it) until they receive a replacement for the faulty module.”
  • The upstreams involved appear to have been GBLX and Level3
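The two diagnostic steps in the war story above, as an added example that is not from the show or from Mina Naguib’s own write-up: compare a sent byte stream with the received copy to recover the offset, period and flipped bit of a corruption pattern, then intersect traceroute hop lists of good and bad destinations to isolate the suspect hops. The faulty-link simulation, hop names and sample paths are constructed here to mirror the story (bit 0x10 turns “h” into “x” and “c” into “s”).

```python
"""Diagnostics for a periodically corrupting network path (added example).

find_periodic_corruption() recovers the corruption pattern from a sent/received
pair of streams without knowing it in advance; suspect_hops() narrows the fault
to hops seen on every bad path and on no good path.
"""
from collections import Counter
from functools import reduce
from math import gcd


def find_periodic_corruption(sent: bytes, received: bytes):
    """Return (first_bad_offset, period, slot, bit_mask), or None if identical.

    period is the gcd of the gaps between corrupted offsets, slot is the position
    within each period that gets hit, and bit_mask is the most common XOR
    difference between the sent and received byte at a corrupted offset.
    """
    if len(sent) != len(received):
        raise ValueError("streams must be the same length to compare")
    bad = [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]
    if not bad:
        return None
    gaps = [later - earlier for earlier, later in zip(bad, bad[1:])]
    period = reduce(gcd, gaps) if gaps else 0          # 0: only one bad byte
    mask, _ = Counter(sent[i] ^ received[i] for i in bad).most_common(1)[0]
    slot = bad[0] % period if period else 0
    return bad[0], period, slot, mask


def suspect_hops(good_paths, bad_paths):
    """Hops present on every bad path but absent from all good paths.

    This is the set logic behind comparing traceroutes of the 25 good and
    16 bad SSH targets: a hop shared by every bad path that no good path
    crosses is the prime suspect (ignoring asymmetric return paths).
    """
    on_all_bad = set.intersection(*(set(p) for p in bad_paths))
    on_any_good = set().union(*(set(p) for p in good_paths))
    return sorted(on_all_bad - on_any_good)


def simulate_faulty_link(data: bytes, start=576, period=16, slot=14, mask=0x10):
    """Constructed stand-in for the broken router: beyond `start` bytes, OR
    `mask` into the byte at position `slot` (0-based) of every `period` bytes,
    i.e. the 15th byte of every 16 gets one bit forced from 0 to 1."""
    out = bytearray(data)
    for i in range(start, len(out)):
        if i % period == slot:
            out[i] |= mask
    return bytes(out)


# Constructed traceroute-style hop lists (hypothetical router names).
GOOD_PATHS = [
    ["london-gw", "up1-a", "up1-b", "peer-x", "host1"],
    ["london-gw", "up1-a", "peer-y", "host2"],
]
BAD_PATHS = [
    ["london-gw", "up1-a", "up1-b", "up2-edge", "up2-core1", "montreal-dc1"],
    ["london-gw", "up1-a", "up1-b", "up2-edge", "up2-core2", "montreal-dc2"],
]


def demo():
    """Run both checks on constructed data; returns the findings as a dict."""
    zeros = bytes(2048)                                  # like `cat /dev/zero`
    pattern = find_periodic_corruption(zeros, simulate_faulty_link(zeros))
    handshake = b"h" * 700                               # text bytes, as in SSH
    mangled = simulate_faulty_link(handshake)
    return {
        "pattern": pattern,                              # (590, 16, 14, 0x10)
        "first_mangled_char": chr(mangled[590]),         # "x"
        "untouched_char": chr(mangled[574]),             # "h" (before byte 576)
        "suspects": suspect_hops(GOOD_PATHS, BAD_PATHS), # ["up2-edge"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```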

Round Up:


Wire-Shark | TechSNAP 78 https://original.jupiterbroadcasting.net/25546/wire-shark-techsnap-78/ Thu, 04 Oct 2012 16:53:15 +0000 https://original.jupiterbroadcasting.net/?p=25546 We’ve got the details on a critical flaw in the chip and pin credit card system. Doing proper backups with rsync, and how sharks take down the Internet.

The post Wire-Shark | TechSNAP 78 first appeared on Jupiter Broadcasting.


We’ve got the details on a critical flaw in the chip and pin credit card system. The future of secure hashing, doing proper backups with rsync, and how squirrels and sharks take down the Internet.

Plus a big batch of your questions, and our answers.

All that and more, on this week’s TechSNAP

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: