Drupal – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 14 Jun 2018 13:05:02 +0000

They Never Learn | TechSNAP 371
https://original.jupiterbroadcasting.net/125421/they-never-learn-techsnap-271/
Fri, 08 Jun 2018 08:30:09 +0000

Show Notes: techsnap.systems/371

The post They Never Learn | TechSNAP 371 first appeared on Jupiter Broadcasting.

Impress with WordPress | WTR 57
https://original.jupiterbroadcasting.net/98586/impress-with-wordpress-wtr-57/
Wed, 06 Apr 2016 12:32:03 +0000

The post Impress with Wordpress | WTR 57 first appeared on Jupiter Broadcasting.

Kronda makes WordPress sites, manages a blog & offers educational resources for learning WordPress!

Show Notes:

Interview – Kronda – @kronda

 

Are you looking for the transcription? Please let us know you use it and we may bring it back!

Authentic Partnership | WTR 49
https://original.jupiterbroadcasting.net/92131/authentic-partnership-wtr-49/
Wed, 30 Dec 2015 12:33:04 +0000

The post Authentic Partnership | WTR 49 first appeared on Jupiter Broadcasting.

Jennifer is the VP of business development at Women Who Code, with over 50k members across 20 countries and 67 cities & growing!

Show Notes:

Are you looking for the transcription? Please let us know you use it and we may bring it back!

Technical Writing | WTR 37
https://original.jupiterbroadcasting.net/85727/technical-writing-wtr-37/
Wed, 29 Jul 2015 10:45:13 +0000

Show Notes: Learn to Code by Doing […]

The post Technical Writing | WTR 37 first appeared on Jupiter Broadcasting.

Jami is a technical writer for Agency Port Software, a web-based software for P&C insurance.

Show Notes:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So Angela, today we’re joined by Jami. She’s a technical writer with a company in Boston. She does a lot of interesting work trying to translate developers and in her position for developers. So we talk a little bit about that and we get into what it means to be a technical writer and kind of dig into that whole career path.
ANGELA: And before we get into this interview, I would just like to say that you can support the network and the ongoingness of this show, Women’s Tech Radio, by going to patreon.com/today. And that is where you will find that we put out a podcast specifically to thank the patrons that are supporting the network. It’s Tech Talk Today. It’s a quick show that we do four days a week of the top headlines. And it’s just a thank you. It’s something that we’re able to launch because we are getting funding that way. So, again, you can support Women’s Tech Radio through patreon.com/jupitersignal.
PAIGE: And to get started, we asked Jami what she’s doing in technology today.
JAMI: I’m currently a tech writer. I work for Agency Port Software in Boston. We are a technology company that offers web-based software and tools to P&C insurance companies, and I’m pretty much responsible for creating and maintaining all of their product documentation and as well as the developer documentation site where all that documentation lives. So mostly my responsibilities are related to actual documentation. So I document any updates to the products and the release notes whenever releases go out. And then the other half is I’m actually dealing with the technical aspects of the site. So we make sure everything is up and running, everything is displaying properly, the styles look good, the features looks good. I’m working mostly in a tool called MadCap Flare. It’s an authoring tool. But I also work heavily in CSS and a little bit of Javascript and now learning a little bit more about Bootstrap.
PAIGE: So are you working in MadCap Flare? Is that like your internal program and then you’re also starting to author some of the stuff for the web and that’s why you’re diving into CSS and HTML and stuff?
JAMI: Yeah. So, MadCap Flare, it’s an external software component that you can use to actually build documentation sites. So you kind of organize everything and it builds HTML files that then compile out that you can build an actual site with. But we wanted something a little bit more modern and that we can customize a lot more than what’s built into the product. So that’s why we kind of bring in the CSS and the Javascript and the Bootstrap so that we can make it a little bit more modern and trendy to kind of meet our company’s branding.
PAIGE: So is this something — technical writing is actually — we haven’t had a technical writer on the show yet.
ANGELA: Uh-uh.
PAIGE: So this is kind of fun. What does it mean to do technical writing? I think you kind of grazed over it, but what do you do as a technical writer, like in the nitty gritty?
JAMI: Well, in my position now you’re working with the developers. You’re working with the engineers to find out exactly what is done on a project as related to a product. So whenever they make changes, we have to make sure that we’re relaying that information to whoever the audience is. So in my current case, our audience is actual developers who are customizing our software for clients. So they need to learn how to customize everything. So those updates go in for the content and we also relay the updates as for release notes. So we’re constantly keeping communication to our clients to what we’re being, what’s being done into the product.
PAIGE: So you’re kind of translating developers, and in your position, for developers?
JAMI: Yes. In prior positions where I’ve worked as a tech writer it was kind of the opposite. Where I was interpreting developers notes and trying to decipher it into a language that any man could understand, like they have no technical background but they need to understand. But in my current case it’s, I’m actually relaying developer information for another developer, if that makes sense.
ANGELA: Yeah.
PAIGE: Totally. So are you super technical? Are you a developer yourself? How does that work for you to kind of translate like that?
JAMI: I’m not really a developer per se. I mean, I’m starting to learn a lot more, especially in the past year or so. But I’m more of the content side of it. So I can understand it, but if you give me something to code completely in Javascript, I don’t know how to do that just yet, but I could at least read it and understand what’s going on.
PAIGE: Well, that’s actually a lot farther than some developers I know. So you’re doing really well.
JAMI: Thanks.
PAIGE: Is that something you went to school for? To be — either to understand Javascript or to be a technical writer?
JAMI: Actually, no. I actually don’t have really any formal training as far as even technical writing. My degree was actually in creative writing and journalism and I started working for a small IT company right out of college kind of helping with their help desk and I just gradually made my way up. And now today, I — since working with developers and having to actually look at code, it’s kind of forced me to learn, but also — I mean it’s not like a forcing, but — so it’s interesting to finally learn how to do some of this stuff. And then actually to learn more. I’ve been taking classes on Code School and Codecademy and trying to actually dig into code and try to figure it out so that I can understand what they’re talking about.
PAIGE: Very cool. So you’re self-teaching yourself so you can have more understanding at work?
JAMI: Right. Exactly.
PAIGE: And do cool things. Very cool.
JAMI: Right.
PAIGE: That’s actually how I got started.
JAMI: Very nice.
PAIGE: I always like to ask this sort of question, but how does it flip around? Do you feel like you have this creative writing and journalism background and you’re trying to learn code. Do you feel like any of the developers are actually trying to learn how to write more like humans?
JAMI: In some cases, yes. Yes.
PAIGE: Awesome.
JAMI: Or maybe we wish that they did, I guess.
PAIGE: Maybe somebody should write a Codecademy for technical writing so that we could learn how to write better documentation.
JAMI: That would be nice.
PAIGE: Yeah. I think they’re based out of Boston or New York. I think they’re in New York.
JAMI: I’m not sure. Yeah.
PAIGE: They’re very close. How did you get where you are? It sounds like you started out of college and you had the college degree. Have you always had an interest in tech or was it just kind of that random happenstance?
JAMI: Well, I mean, I’ve always been into computers and tech, and I’m really tech savvy. So just kind of, I kind of fit in right away in the department and I just — I love it. I mean, I’m always learning something new. It’s always evolving. So, I just — I’ve kind of found that happy medium where I’m writing, but I’m also getting the chance to actually work in tech.
PAIGE: I think it’s interesting how the tech — like if we look at it from a broad perspective. It really is a very deep field. It takes a lot of disciplines. You know, we’ve had so many different people on the show; artist, developers, designers, and writers now and there’s really — there’s room for all of us in this field to do good things.
JAMI: Right.
PAIGE: So why tech? You said you’re tech savvy. What does that mean to you and is it — what kind of stokes your fire in the tech end of things?
JAMI: Well, I think it’s kind of — because I have this personality where I like to kind of be a detective and try to figure things out. So I think in tech I kind of get that opportunity. Where it’s like, oh I don’t know why this page isn’t showing up right. Let me see why. Let me try to fix this. Okay, that’s not working. Let me try this. And just trying to find the answer. If it’s either online or talking to people. And it’s like you kind of get the opportunity to see what you did right away.
PAIGE: Yeah. We actually had an interview, a couple of weeks ago by now, where we talked to somebody about failing. And I think that willingness to explore and to fail forward, like oh does this work? And to break it and then fix it is — that’s that mindset for me. It’s super important.
JAMI: Absolutely. Yeah, and it helps you learn because I mean for me I’m more of a hands on person, so actually digging in and trying to do things is how I’m going to figure out how to do it.
ANGELA: Is there anything tech related that you do outside of work, like hobby wise? Like blogging or?
JAMI: I did for a while. I was — I did blog for a while. I did some side freelance work for Bot.com for a while, for like two years. So I had to maintain their — maintain my — I had my own personal site and I had to do all that stuff. I was into photography for a while. So I was editing photos a lot. Right now I just really — I honestly haven’t had a whole lot of spare time to do a lot of outside tech related stuff, but I mean I’ve been using a computer for the past probably 20 years or so.
ANGELA: Yeah.
JAMI: So it’s like attached to me. It’s just a part of our lives now. Tech is always around me.
PAIGE: Yeah, totally. You can’t get away from it anymore.
JAMI: No. It’s like a — it’s literally attached to your hip.
PAIGE: I guess you could move to Amish country in Pennsylvania.
JAMI: Yeah.
PAIGE: That’s about it.
ANGELA: I heard there’s a really good buffet.
PAIGE: Really?
ANGELA: Yeah, really.
PAIGE: I don’t know. I mean, are they offended-
ANGELA: My mom went to it and so did one of my friends.
PAIGE: I’ve had some of the best pancakes ever in Amish country, so maybe it’s relevant. I don’t know. Very fun. So you’re in the Boston community. How is the — kind of the tech community out there?
JAMI: It’s really booming right now, it seems. I mean, I’ve been here a little over a year, but especially in the area we’re in, we’re kind of near South Boston and just companies are moving in, startups and just everything. It’s very tech heavy right now.
PAIGE: I’m from the Boston area, I will admit.
JAMI: Uh-huh.
PAIGE: What is kind of your favorite thing about — I know you just moved up there. What’s kind of your favorite Boston thing so far?
JAMI: I’d say just being in the city to me is just exhilarating. Because I’m kind of from — I grew up in a small Florida town and kind of moved around Florida a lot where we didn’t really have that metropolitan feel. And of course the weather here. And summer/spring is very nice. Winter is a little bit challenging. But I love public transportation so getting on the train everyday to me is exciting.
PAIGE: Boston public transit, I had no idea how spoiled I was until I moved away from Boston, but it’s pretty much, once you get out of the Boston, New York, DC corridor, once you get out of there the rest of the country does not have the kind of public transport that the northeast has, and I had no idea.
JAMI: No. Yeah.
PAIGE: But I’m surprised you say summer. Well, I guess you’re from Florida. Honestly the worst part of New England weather to me is the hot, sticky summers, but Florida definitely takes the cake on that one.
ANGELA: Yeah.
JAMI: Right. Right. Yeah, it’s not that — I mean it’s been high 80s but it’s not that bad.
PAIGE: We also ask a couple of things that people do. So what else do you do with your free time?
JAMI: Well, I have a little dog named Penny so I like to spend time a lot with her. I like to research old train stations, which is kind of silly, but it’s kind of like a new thing since I’ve moved up here to New England. There’s a lot of — obviously a lot of history, a lot of old history. But a lot of old train stations that have either been renovated into other things or they’re just kind of missing and you just kind of see pieces of them and you want to know why. Like why, what happened? And things like that.
PAIGE: That’s really fascinating. You should blog about that.
JAMI: It’s such a random thing. I don’t know why I’m so obsessed with it.
ANGELA: Yeah, no, seriously. Yeah, if you started a blog I bet you could get-
PAIGE: I would follow that.
ANGELA: Click revenue, because trains and stuff like that is really a popular thing.
JAMI: Probably.
PAIGE: Even if you’re in for a casual ride, the Rail to Trail project that has happened through most of New England is fascinating.
JAMI: Yes.
PAIGE: And you get to go by a lot of those old train stations and things.
JAMI: Yes, we have one that actually runs right by our house. We haven’t been since fall, but we take the dog and it’s very interesting. Some of the old signals are even still there. And the old crossover bridges. It’s very cool.
PAIGE: New England is a really fascinating place for history. Definitely. Highly recommend. So you’re teaching yourself right now. What are some of the things that are hardest for you, even just learning like — is it just getting your head around the logic of it? Like understanding terms? Like what is a variable? What is a function? Like what’s your sticking points and how are you getting over them or how are you not?
JAMI: I think it’s more the logic, because I’m kind of still in the midst of doing some of the online courses for Javascript. And it’s just — I don’t know if it’s the math portion or it’s just kind of all of it at once, like the, you know, if/else statements and things like that. Sometimes it kind of throws me around. It’s just trying to figure it out. They give you a sample. Okay. Here’s some code, now try to fix it. Or you’ve got to write this yourself. Here’s your variables and write it. So it’s just digging in and trying to figure it out is the best way how I get through it.
PAIGE: I like that. I also usually encourage people who are new to programming to write it out in plain English first.
JAMI: Uh-huh.
PAIGE: And then try to make it into code.
JAMI: Right.
PAIGE: Because if you write the logic in a way that you understand it and then translate, it can kind of help that step. Are you just doing stuff online? Are you going to meetups or anything?
JAMI: I haven’t gone to any meetups yet. I know there are a lot in the Boston area. I know there are couple of, especially for women they’re actually creating — there’s a lot of groups that are actually for women that want to code and you could actually get involved in these groups and they do meetups. And basically at any level you could just want to learn and you could get into the groups and start working with them and learn more. And that’s something I’d love to do. I just haven’t had the chance right now, unfortunately.
PAIGE: I definitely encourage you to check that out. I’m actually the director for Women Who Code Portland and I know that we have a Boston chapter.
JAMI: Nice.
PAIGE: And I think Girl Develop It is out there if you want something more workshoppy.
JAMI: Right.
PAIGE: I highly recommend both of those.
ANGELA: Do you have, at your job, are you the only technical writer or is there somebody else that you — that also does that?
JAMI: No, I am the sole technical writer. I was actually hired on last year to help their documentation section. They were using an old Drupal platform and they wanted something more robust and more modern that could actually kind of help users navigate it through better. So that’s kind of where I came along. I’ve had a little over six years’ experience as a tech writer so I kind of brought my expertise in and helped them find the MadCap Flare tool to build their documentation set. So I’m the sole person on that — in that full team right now.
ANGELA: Job security.
JAMI: Yes.
ANGELA: Have you ever met another technical writer? Like with either a partnering company or a client that has a technical writer?
JAMI: Yes.
ANGELA: Yeah? Is that-
JAMI: Yes.
ANGELA: Are you guys able to like share hidden jokes and — I don’t know.
JAMI: Sometimes. Yeah, so my last job before this one I was actually on a technical writing team. We had — I think at one time we had about five writers and a supervisor that we’d all been — you know, we were all tech writers. So we all knew the jokes, whether it be about a specific programmer or just the logic of things. Of, oh like, oh your authoring tool is doing something weird again. Oh no. You know, things like that. It’s mostly just weird little quirks.
ANGELA: Uh-huh.
PAIGE: Did you ever put easter eggs inside technical documentation like we do with programs?
JAMI: Uh, no I haven’t.
PAIGE: You should consider it.
ANGELA: Yeah. You work on that. We’ll check back with you in six months.
JAMI: Okay. Yeah.
ANGELA: No, just kidding.
PAIGE: So, if someone was listening to the show and is a writer currently, they’re freelance or whatever they’re doing, or maybe they’re finishing a degree or something and they wanted to get into technical writing, what kind of advice would you give them?
JAMI: I would just say to get out there and read as much as you can about it. I mean, from my perspective, I didn’t have an actual formal tech writing training. I didn’t go to school for it. So you kind of have to be tech savvy in some sense, and you have to be willing to learn. You have to be open minded that things are going to change and that you have to kind of be up and current and to — you know, whether it be the current authoring tools platforms that are available or the other kinds of ways that you can make your documentation better. And it’s just to get out there and try to create something. Take online courses or tutorials and just do what you can. Because this is just how you can learn.
PAIGE: Do you have any courses you might recommend for technical writing?
ANGELA: Maybe not yet. I think you’re probably in the early stages of figuring out what it is that would have been helpful?
JAMI: Yeah. And I mean, back when I was starting to learn six years ago there wasn’t — I don’t think there was a whole lot free online, you know, tutorials like there are now. But there are books out there that you could look in technical writing. I believe there’s a site called technicalwriting.com, if that’s still available. I’m not sure. But I think that’s a community so you can share ideas and things like that.
PAIGE: We’ve had some people give the advice before of people who are even just looking to get into development to — if they wanted to kind of dip their toes in open source that actually doing documentation work for open source projects is valuable. Do you think that would be valuable for a technical writer as well?
JAMI: Yes, definitely. If you really want to just get your experience, get your foot in the door, and if you’re willing to either volunteer your time or something like that, it definitely — definitely find — or a startup. Or something like that, that really could use some documentation help. And if you’re open to learning along the way with them.
PAIGE: So just like development, just get your feet in and do the work and it will pay off.
JAMI: Correct.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Don’t forget you can find the full transcription either in the YouTube description or on JupiterBroadcasting.com. Find the Women’s Tech Radio dropdown and you can also listen to our back catalogs. We have a lot of amazing shows on there.
PAIGE: So many great women have been on this show. You can also find us on iTunes. If you have a moment, leave us a review. We’d love to hear what you think. You can also contact us by dropping us a line at WTR@JupiterBroadcasting.com or following us on Twitter, @heywtr. Thanks so much for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

Local Tech Community | WTR 18
https://original.jupiterbroadcasting.net/79042/local-tech-community-wtr-18/
Wed, 18 Mar 2015 01:15:40 +0000

Show Notes: Phase2 Technology Blackboard […]

The post Local Tech Community | WTR 18 first appeared on Jupiter Broadcasting.

Mai is a senior developer at Phase 2 with a master’s in Computer & Information Technology.

Thanks to:

Ting

Show Notes:

Full transcription of previous episodes can be found at heywtr.tumblr.com

Emma Jane Westby | WTR 5
https://original.jupiterbroadcasting.net/73977/emma-jane-westby-wtr-5/
Wed, 17 Dec 2014 04:27:11 +0000

The post Emma Jane Westby | WTR 5 first appeared on Jupiter Broadcasting.

Recovering developer, beekeeper, scotch drinker & book author… Emma Jane Westby does it all in this exciting 5th episode of Women’s Tech Radio!

Thanks to:

DigitalOcean

Show Notes:

Recovering developer, beekeeper, scotch drinker & book author.

Get Back to the ’50s | CR 130
https://original.jupiterbroadcasting.net/72752/get-back-to-the-50s-cr-130/
Mon, 01 Dec 2014 16:30:48 +0000

The post Get Back to the '50s | CR 130 first appeared on Jupiter Broadcasting.

That tech worker “shortage” Facebook and Microsoft keep telling you about is bogus. We’ll go over the study and reports that back that claim up. Then we dig into the rather understandable reasons why developers’ wages are being pushed down & more!

Thanks to:


Linux Academy


DigitalOcean

— Show Notes: —

Feedback / Follow Up:

Dev Hoopla:

The Tech Worker Shortage Doesn’t Really Exist

“There’s no evidence of any way, shape, or form that there’s a shortage in the conventional sense,” says Hal Salzman, a professor of planning and public policy at Rutgers University. “They may not be able to find them at the price they want. But I’m not sure that qualifies as a shortage, any more than my not being able to find a half-priced TV.”

wget a Shell | TechSNAP 186
https://original.jupiterbroadcasting.net/70357/wget-a-shell-techsnap-186/
Thu, 30 Oct 2014 18:15:39 +0000

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

  • wget is a command-line download client from the GNU project, often found on Linux and Unix servers, and even available for Windows
  • It was originally designed for mirroring websites: it has a ‘recursive’ mode in which it downloads an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
  • It is this mode that is the subject of the vulnerability
  • Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
  • A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to indicate the same file twice, first as a symbolic link, then the second time as a directory. This is not possible on a real FTP server, since the file system can not have 2 objects with the same name
  • This vulnerability allows the operator of the malicious FTP site you are downloading from, to cause wget to create arbitrary files, directories and symlinks on your system
  • The creation of new symlinks allows files to be overwritten
  • An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
  • So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
  • “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
  • Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most of the time it is merely used as an HTTP client to download a file from a URL
  • Red Hat Bug Tracker
  • Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”; thankfully, we were spared such theatrics
  • HD Moore Tweets
  • HD Moore Blog Post
  • Metasploit Module
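
A check a mirroring job can run on a server's listing before trusting it, written as an added example rather than anything from wget or the show notes: it flags the impossible case described above, where one name is listed both as a symlink and as a directory. The listings, names and the link target are constructed, and only Unix-style LIST output is handled.

```python
"""Added example: flag FTP LIST output that names one entry as two types."""
from collections import defaultdict

# First character of the permission field in a Unix-style LIST line.
ENTRY_TYPES = {"l": "symlink", "d": "directory", "-": "file"}

# Constructed sample listings (not captured from a real server).
BENIGN_LISTING = """\
total 8
drwxr-xr-x   2 ftp ftp 4096 Oct 01 12:00 pub
-rw-r--r--   1 ftp ftp  120 Oct 01 12:00 README
lrwxrwxrwx   1 ftp ftp    3 Oct 01 12:00 latest -> pub
"""

SUSPICIOUS_LISTING = """\
total 8
lrwxrwxrwx   1 ftp ftp    0 Oct 01 12:00 data -> /some/local/path
drwxr-xr-x   2 ftp ftp 4096 Oct 01 12:00 data
"""


def parse_list_line(line):
    """Return (name, type, link_target) for one LIST line, or None."""
    fields = line.split(None, 8)
    if len(fields) < 9 or fields[0][0] not in ENTRY_TYPES:
        return None  # "total N" header, blank line, or a non-Unix format
    kind = ENTRY_TYPES[fields[0][0]]
    name, target = fields[8], None
    if kind == "symlink" and " -> " in name:
        name, target = name.split(" -> ", 1)
    return name, kind, target


def find_conflicts(listing):
    """Map each name listed with more than one entry type to what was seen."""
    seen = defaultdict(list)
    for line in listing.splitlines():
        entry = parse_list_line(line)
        if entry:
            name, kind, target = entry
            seen[name].append((kind, target))
    # A real file system cannot hold two objects with the same name, so any
    # name that shows up with two different types means the listing is forged.
    return {name: entries for name, entries in seen.items()
            if len({kind for kind, _ in entries}) > 1}


def is_safe_to_mirror(listing):
    """True when no name in the listing appears with conflicting types."""
    return not find_conflicts(listing)


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_LISTING),
                        ("suspicious", SUSPICIOUS_LISTING)):
        print(label, "->", find_conflicts(text) or "no conflicts")
```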

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

  • Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
  • It turns out to be vulnerable: a specially crafted request results in the execution of arbitrary SQL commands
  • “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
  • All users running Drupal core 7.x versions prior to 7.32 need to upgrade
  • Drupal Security Advisory
  • One line patch — It seems the code assumed $data would always be a simple array, and if it was an associative array (had named keys instead of integers) it would have unintended effects
  • Additional Coverage: Threat Post
  • It was announced today that a widespread automated attack has been detected against unpatched Drupal instances
  • Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
  • “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
  • Drupal Public Service Announcement
  • Additional Coverage: Threat Post
  • It is entirely possible that attackers dumped the contents of Drupal databases, so it is probably best to reset all passwords
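
A Python model of the array-key assumption described in the "one-line patch" item above, added here as an illustration. It is not Drupal's PHP code: the function names, the query and the sample arrays are constructed, and a Python dict stands in for a PHP array.

```python
import re

QUERY = "SELECT uid FROM users WHERE name IN (:names)"  # constructed sample query
SAFE_NAME = re.compile(r":\w+")


def expand_placeholder(query, name, values, hardened):
    """Expand one array-valued placeholder into one placeholder per element.

    `values` models a PHP array: a simple array has keys 0, 1, 2, ...;
    an associative array has whatever keys the request supplied.
    """
    if hardened:
        # Hardened form: ignore the caller's keys and number the elements ourselves.
        items = enumerate(values.values())
    else:
        # Flawed form: trust the keys, assuming they are always 0, 1, 2, ...
        items = values.items()
    new_args = {f"{name}_{key}": value for key, value in items}
    # The new placeholder *names* are spliced into the SQL text itself,
    # so anything that reaches a name reaches the query.
    expanded = re.sub(re.escape(name) + r"\b",
                      lambda _m: ", ".join(new_args), query)
    return expanded, new_args


def placeholders_are_safe(new_args):
    """True only if every generated placeholder is a plain ':identifier'."""
    return all(SAFE_NAME.fullmatch(n) for n in new_args)


if __name__ == "__main__":
    simple = {0: "alice", 1: "bob"}               # what the code expected
    assoc = {"0 CONSTRUCTED_KEY_TEXT": "alice"}   # constructed named key
    for label, data in (("simple", simple), ("associative", assoc)):
        for hardened in (False, True):
            sql, args = expand_placeholder(QUERY, ":names", data, hardened)
            print(label, "hardened" if hardened else "flawed",
                  placeholders_are_safe(args), sql)
```

The `placeholders_are_safe` check doubles as a regression test for any query builder that derives placeholder names from request data.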

NAT-PMP flaw puts 1.2 million home routers at risk

  • NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 as RFC 6886 to replace part of UPnP with a simpler implementation
  • It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
  • This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
  • However, it seems some implementations are configured incorrectly, and accept requests from both the internal (expected) and external (very bad!) interface
  • The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet), however, because it is UDP, the source address can be spoofed
  • Researcher Post
  • Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
    • 2.5% are vulnerable to ‘interception of internal NAT traffic’: an attacker can create a mapping that forwards attempts to connect to the router itself to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
    • 86% are vulnerable to ‘interception of external traffic’, which allows the attacker to create a mapping on the external interface. For example, since most routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website, keeping the true address of their site secret by directing traffic to your router, which would then reflect it to their address.
    • 88% are vulnerable to ‘Access to Internal NAT Client Services’. Because NAT-PMP runs over UDP, it is often possible to send a spoofed packet with a fake source address. This allows an attacker to create port-forwarding rules from outside, gaining access to machines behind the router that are normally not exposed to the Internet.
    • 88% are vulnerable to a Denial of Service attack: by creating a mapping to the NAT-PMP service, the attacker makes the device forward all real NAT-PMP requests off to some other host, breaking the NAT-PMP feature on the device
    • 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
  • Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
  • Because of the nature of Project Sonar and the widespread nature of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the Metasploit module, and attempt to create a database
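
The acceptance check a correctly configured NAT-PMP service needs, as an added example (not code from the researchers or from any router firmware). It parses the RFC 6886 request layout and refuses anything that did not arrive on the LAN interface; the interface names `lan0`/`wan0`, the subnet and the sample packets are assumptions constructed for the illustration.

```python
import ipaddress
import struct

# RFC 6886 request opcodes (protocol version is always 0).
OPCODES = {0: "external-address", 1: "map-udp", 2: "map-tcp"}

LAN_IFACE = "lan0"             # assumed name of the internal interface
LAN_NET = "192.168.1.0/24"     # assumed internal subnet


def parse_request(payload: bytes) -> dict:
    """Parse a NAT-PMP client request; raise ValueError if malformed."""
    if len(payload) < 2:
        raise ValueError("short packet")
    version, opcode = payload[0], payload[1]
    if version != 0 or opcode not in OPCODES:
        raise ValueError("unsupported version or opcode")
    if opcode == 0:
        if len(payload) != 2:
            raise ValueError("address request must be 2 bytes")
        return {"op": OPCODES[0]}
    if len(payload) != 12:
        raise ValueError("mapping request must be 12 bytes")
    # reserved(2) internal port(2) suggested external port(2) lifetime(4)
    _, internal, external, lifetime = struct.unpack("!HHHI", payload[2:])
    return {"op": OPCODES[opcode], "internal_port": internal,
            "external_port": external, "lifetime": lifetime}


def should_accept(payload: bytes, src_ip: str, rx_iface: str):
    """Return (accepted, reason-or-operation) for one received datagram."""
    # The receiving interface is checked first: a UDP source address can be
    # spoofed, the interface a packet physically arrived on cannot.
    if rx_iface != LAN_IFACE:
        return False, "arrived on non-LAN interface"
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(LAN_NET):
        return False, "source address outside LAN subnet"
    try:
        return True, parse_request(payload)["op"]
    except ValueError as exc:
        return False, str(exc)


# Constructed sample: "map TCP port 8080 to me for 3600 seconds".
MAP_TCP = struct.pack("!BBHHHI", 0, 2, 0, 8080, 8080, 3600)

if __name__ == "__main__":
    for src, iface in (("192.168.1.20", "lan0"),    # genuine LAN host
                       ("192.168.1.20", "wan0"),    # LAN address seen on WAN
                       ("203.0.113.9", "lan0")):    # foreign source address
        print(src, iface, should_accept(MAP_TCP, src, iface))
```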

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

]]>
Faster GPU Cracking | TechSNAP 65 https://original.jupiterbroadcasting.net/21306/faster-gpu-cracking-techsnap-65/ Thu, 05 Jul 2012 16:45:55 +0000 https://original.jupiterbroadcasting.net/?p=21306 Everyone's beloved password cracker has a major update, you won’t believe what it can do now! Plus we share some infrastructure wisdom.

The post Faster GPU Cracking | TechSNAP 65 first appeared on Jupiter Broadcasting.

]]>

Everyone’s beloved password cracker has had a major update, and you won’t believe what it can do now!

The aerospace industry has a new Advanced Persistent Threat, and a major Microsoft XML flaw is already being exploited.

Plus we share some infrastructure wisdom in today’s feedback segment.

All that and more, on this week’s TechSNAP!

Show Notes:

New version of John the Ripper targets slow hashes with GPUs

  • The new version focuses on adding GPU support, both CUDA (for nVidia) and OpenCL (for AMD and other cards)
  • Other interesting new additions:
  • Non-hash cracking support for:
    • Mac OS X keychains
    • KeePass 1.x files
    • ODF and MS Office 2007/2010 files
    • Mozilla Firefox/Thunderbird/etc master password files
    • RAR -p and -hp encryption modes
    • WPA-PSK
    • VNC Challenge/response auth
    • SIP challenge/response auth
    • HMAC-SHA1/224/256/384/512
  • New hashes supported:
    • sha256crypt (CPU or CUDA)
    • sha512crypt (CPU/CUDA/OpenCL)
    • DragonFly BSD SHA256/512
    • Drupal 7 custom PHP SHA-256 hashes
    • Raw-SHA1-LinkedIn
  • Interestingly, bcrypt (OpenBSD’s implementation of Blowfish as a password hashing algorithm), even on an AMD 7970, is slower on a GPU than on a CPU due to the nature of the algorithm
  • Full Release Announcement

Unpatched Microsoft XML exploit added to Blackhole toolkit

  • An exploit for the unpatched vulnerability is now included in recent versions of the blackhole exploit kit, sold to cyber criminals and installed on infected and compromised websites across the internet
  • Numerous attack vectors have been used to exploit this flaw in the Microsoft XML engine, including MS Office documents, Flash, and Internet Explorer itself
  • The flaw is present in versions 3, 4 and 6 of MS XML Core Services, and exploitable on all supported versions of Windows (XP/Vista/7, 2003/2008/R2 Server)
  • Microsoft published the advisory about the flaw on June 12th, after it was already actively being exploited in the wild
  • At this time, there is still not a fix for ‘Microsoft XML Core Services’, however Microsoft offers a ‘Fix-It’ that is supposed to mitigate the flaw, but suggests that this may cause application compatibility issues
  • The Microsoft EMET Toolkit may prevent the exploitation of this vulnerability, but as discussed previously, is incompatible with AMD Video Drivers
  • CVE-2012-1889
  • Official Microsoft Announcement

New version of trojan used in highly targeted attack

  • The Sykipot trojan is not new, however the latest version is being used more successfully than before
  • Phishing emails and targeted web advertisements are being used to drive users to sites where they are infected by drive-by-downloading of the trojan using the MS XML exploit
  • This requires zero user interaction in order to become infected
  • Previous versions of Sykipot have relied on file format exploits (MS Office files, PDFs)
  • The latest attack seems to be targeting attendees to the IEEE’s Aerospace Conference (the International Conference for Aerospace Experts, Academics, Military Personnel, and Industry Leaders)
  • Researchers have found a Sykipot variant that was programmed to steal credentials from systems using ‘ActivIdentity’s ActivClient’, the smart card application used by the U.S. Department of Defense’s Common Access Card (CAC)
  • This could result in the compromise of such smart cards, allowing the attacker to gain access to highly sensitive materials

A third of top UK Universities use weak SSL configurations

  • TechWeek Europe used the SSL Labs tool to test the SSL implementations used at the top universities in the UK
  • Many of the schools received grades of C or D instead of the expected A
  • Such weakness in the implementation of SSL could allow an attacker to inject data into encrypted packets, in order to exploit the user’s machine while they are visiting a trusted site, or to hijack the session or compromise other private data
  • Many of the schools responded quickly with configuration changes to upgrade their scores, while others were hesitant to make configuration changes for fear of affecting accessibility for users
  • SSL Best Practices Guide
  • ScaleEngine.com’s Results

]]> Planning for Failures | TechSNAP 19 https://original.jupiterbroadcasting.net/11308/planning-for-failures-techsnap-19/ Thu, 18 Aug 2011 22:05:43 +0000 https://original.jupiterbroadcasting.net/?p=11308 Find out how to plan your servers and network for failure, start building a website for cheap and much more in this packed audience Q&A episode!

The post Planning for Failures | TechSNAP 19 first appeared on Jupiter Broadcasting.

]]>

The RSA leak exposes the dirty underbelly of the commercial security industry; it’s a story that sounds like it’s straight out of Hollywood.

Then – We’ve packed this episode full of Audience questions, and our answers. Find out how to plan for failure, start building a website….

All that and more, on this week’s TechSNAP!

Show Notes:

News

EXCLUSIVE: Leaked “RSA dump” appears authentic

  • A massive Pastebin dump of domain names and IP addresses supposedly linked to a cyber espionage ring appears to be the real deal.
  • The dump claims the operation targets include private US defence firms.
  • The analysis, which was leaked by an attack on HBGary Federal by Anonymous in February this year, identifies each IP address as a callback address for custom malware used in espionage operations, presumably operating out of China.
  • The IP addresses serve a configuration file that re-directs infected hosts to an interactive command and control IP based in Hong Kong.
  • HBGary codenamed the operation “Soysauce”.
  • The HBGary document suggests that each sub-domain of each registered domain name corresponds to a successfully compromised target.
  • Pastebin Dump

Feedback

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to set up a backup server that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and give one possible answer each week, for the next few weeks.

The first possible solution is to use something like BSD’s CARP (Common Address Redundancy Pool). With it you assign each server an IP address like normal, then on each, you create a virtual CARP interface, where you assign a shared IP between the servers in your CARP group. The servers will advertise their control of the shared IP address; whichever server does so first will become the master for that IP. The way you configure multiple hosts to fail over in a specific order is by setting an ‘advertisement skew’ of 100ms multiplied by the server’s position in the pool. So the 3rd server will wait 200ms before advertising, and will only gain control over the IP address if the 1st and 2nd server are no longer advertising. This system basically moves the IP address of the service you are trying to keep up to whatever machine in the pool is actually up.

This CARP system requires that the servers have identical services and static copies of the content. Obviously, you don’t want to fail over your webserver to your mail server if your mail server is not running an HTTP server. CARP works best for ‘stateless’ protocols; one of the most common uses of CARP is for redundant routers. If you are using FreeBSD or a derivative such as pfSense, you can use CARP on the IP your DHCP server gives out as the default gateway, so that if one of your routers is down, the other automatically takes over. pfSense even includes a protocol to sync the NAT tables between the two routers so that open connections are not dropped. This type of setup can be important if the business running behind the router cannot afford downtime for such trivial things as OS upgrades on the routers. With CARP, you can take down one router at a time, upgrade it, and put it back in service, without affecting the end users and servers behind the routers.

Another option in CARP is called ‘preempt’. This causes CARP to take its interface offline if ANY interface on the machine goes offline, not just the one the CARP IP is on. This can be important if your routers are connected to different ISPs: if one of the links goes down, the router will take itself offline, causing traffic to be routed via the backup Internet connection.


Q: (Mattias) I have been using the NoScript addon for Firefox and have become aware of just how many sites use Google Analytics. Is it a good way for website admins to track visitors, or just a way for Google to track everyone?

A: Google Analytics is based on a product called Urchin that Google acquired. Google Analytics is basically just a cloud hosted version of this product. You can still buy a copy of Urchin, but they don’t mention how much it costs. Google Analytics just provides much richer detail than you get from just regular log file analyzers. One of the keys to the success of Google Analytics for e-Commerce is the integration with Adwords and other CPC/CPA sites. Google Analytics allows the store to pass good information about the purchases that are made, and Google correlates these with the keywords the user searched for, and how much was paid for the advertisement. This allows stores to optimize their bids to get the best return for their advertising.

While there are some privacy concerns about what Google does with the collected data, they cannot infer all that much from it. Your personal data is never passed from the site you are visiting to Google, and only a small number of sites pass data about what you purchased back to Google, and they do this for the sales/conversion reporting, rather than for Google’s benefit. Usually, the data passed back could just be an internal product id, and not provide Google with any useful data about your purchase.

Find out who tracks you: Ghostery


Q: (Leon) Hi guys,

Thanks for answering my question last time.
I’ve set up a testbox here on my desk with FreeBSD to tinker with spamassassin/amavis. It’s been a long time since I did anything with FreeBSD but Allan/TechSNAP made me curious for it again.

My question: what’s the best way to keep your FreeBSD (ports) up to date? Just checking it manually/reading the security mailing lists or is there some kind of tool that Allan uses for automatically updating his servers?

Thanks again and thanks for the great show(s). The recent comment of Chris convinced me to support Jupiter with a monthly subscription.

Regards,
Leon

A: The built-in tool for keeping your ports tree up to date is called portsnap. This tool will use the BSDiff algorithm to only download the changes to the ports tree since your last update, and supports a simple cron method, where it randomly sleeps before starting, so that everyone cron’ing portsnap won’t hit the server at the same time. Once your ports tree is updated, there are a number of tools that you can use to go about upgrading your various packages. The tool I use is called ‘portupgrade’, but there are also others such as ‘portmanager’ and ‘portmaster’. There are also services such as VuXML (Vulnerability and eXposure Markup Language) that provide information about vulnerable ports, and can be used to check against your installed packages, and packages you are about to install.


Q: (Dan) I was going to send this email to Chris, but since you guys are doing a Q&A session on Techsnap, I figured I might as well send it here. Do you have any recommendations on sources for building websites? I’ve got a career move pending on a creation of a website, and a deadline of next week. I haven’t done basic HTML for about 6 years, and this site will need a forum and a way to pay for a service. I’m not worried about the hosting, I will be hosting it on my home server until the site is approved and ready to hit the ‘tubes. Any suggestions or information you have would be greatly appreciated!

PS. Been watching for two years, he’s Honclbrif in the IRC Chat room!

A: There are a number of great Open Source CMS (Content Management System) platforms out there. Some of the most popular are WordPress, Drupal and Joomla, all of which have huge support communities, and 1000s upon 1000s of free design templates. They also feature rich plugin architectures that allow you to add functionality such as video embedding or e-commerce. WordPress is designed for a more ‘blog’ like website, and might not fit well depending on the type of site you are building. Drupal is very extensible, but their framework can be a bit frustrating at times. You might want to look at which platform has the plugins that best fit your needs, and then go from there.


]]>