EFF – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Sun, 22 Nov 2020 23:14:25 +0000

Linux Action News 164 https://original.jupiterbroadcasting.net/143452/linux-action-news-164/ Sun, 22 Nov 2020 15:15:00 +0000 https://original.jupiterbroadcasting.net/?p=143452 Show Notes: linuxactionnews.com/164

The post Linux Action News 164 first appeared on Jupiter Broadcasting.

Brunch with Brent: Peter Adams Part 2 | Jupiter Extras 51 https://original.jupiterbroadcasting.net/139037/brunch-with-brent-peter-adams-part-2-jupiter-extras-51/ Fri, 31 Jan 2020 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=139037 Show Notes: extras.show/51

The post Brunch with Brent: Peter Adams Part 2 | Jupiter Extras 51 first appeared on Jupiter Broadcasting.

Linux Action News 134 https://original.jupiterbroadcasting.net/137427/linux-action-news-134/ Sun, 01 Dec 2019 19:31:53 +0000 https://original.jupiterbroadcasting.net/?p=137427 Show Notes: linuxactionnews.com/134

The post Linux Action News 134 first appeared on Jupiter Broadcasting.

The ACME Era | TechSNAP 395 https://original.jupiterbroadcasting.net/128941/the-acme-era-techsnap-395/ Mon, 21 Jan 2019 07:54:32 +0000 https://original.jupiterbroadcasting.net/?p=128941 Show Notes: techsnap.systems/395

The post The ACME Era | TechSNAP 395 first appeared on Jupiter Broadcasting.

Should We Care About Libre? | Ask Noah Show 82 https://original.jupiterbroadcasting.net/126796/should-we-care-about-libre-ask-noah-show-82/ Wed, 22 Aug 2018 07:20:53 +0000 https://original.jupiterbroadcasting.net/?p=126796 Show Notes: podcast.asknoahshow.com/82

The post Should We Care About Libre? | Ask Noah Show 82 first appeared on Jupiter Broadcasting.

A Farewell to Dan | TechSNAP 347 https://original.jupiterbroadcasting.net/120317/a-farewell-to-dan-techsnap-347/ Wed, 29 Nov 2017 01:27:32 +0000 https://original.jupiterbroadcasting.net/?p=120317 RSS Feeds: HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Imgur’s blog post Re: notice of data breach Imgur Confirms 2014 Breach Of 1.7 Million User Accounts Troy Hunt praised Imgur’s “exemplary handling” of the incident Firefox to collaborate with HaveIBeenPwned to alert […]

The post A Farewell to Dan | TechSNAP 347 first appeared on Jupiter Broadcasting.


Show Notes:

Imgur’s blog post Re: notice of data breach

Contrast Imgur’s breach handling with that of DJI

  • developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub

  • Findings of developer: Why I walked away from
    $30,000 of DJI bounty money – PDF

  • But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).

  • “At one point… DJI even offered to hire me directly to consult with them on their security,” Finisterre wrote.

  • Ultimately, Finisterre received an e-mail containing an agreement contract that he said “did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech.” It seemed clear to Finisterre that “the entire ‘Bug Bounty’ program was rushed based on this alone,” he wrote.

how can I prevent myself from getting hacked?

  • not everyone agrees with Motherboard, so see also Basic security precautions for non-profits and journalists in the United States, mid-2017. But to be fair, Bruce says it’s pretty good

  • see also other Motherboard guides

  • Do you want to stop criminals from getting into your Gmail or Facebook account? Are you worried about the cops spying on you? We have all the answers on how to protect yourself.

  • The Electronic Frontier Foundation guide to Assessing Your Risks

  • … if you come away with one lesson from this guide is: update, update, update, or patch, patch, patch.

  • Use a password manager

  • Two factor authentication: You should, if the website allows it, use another 2FA option that isn’t SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator, DUO Mobile, or Authy), or a physical token. If that option is available to you, it’s a great idea to use it.

  • use an ad blocker (e.g. uBlock Origin). Why? A great deal of malware comes through ads.

  • Get an iPhone and don’t jailbreak it

  • Use Signal instead of WhatsApp

  • Even if you keep your privacy settings on lockdown, social media companies are subject to subpoenas, court orders, and data requests for your information. And often times, they’ll fork over the information without ever notifying the user that it’s happening. For the purposes of social media, assume that everything you post is public. This doesn’t mean you should stop using social media, it just means you have to be mindful of how you use it.


Linux Action News 20 https://original.jupiterbroadcasting.net/118471/linux-action-news-20/ Sun, 24 Sep 2017 17:26:08 +0000 https://original.jupiterbroadcasting.net/?p=118471 RSS Feeds: HD Video Feed | MP3 Feed | iTunes Feed Become a supporter on Patreon: Episode Links GNOME officially on board for the Librem 5 — The GNOME Foundation is committed to partnering with Purism to create hackfests, tools, emulators, and build awareness that surround moving GNOME/GTK onto the Librem 5 phone. Replicant expands […]

The post Linux Action News 20 first appeared on Jupiter Broadcasting.


Episode Links
  • GNOME officially on board for the Librem 5 — The GNOME Foundation is committed to partnering with Purism to create hackfests, tools, emulators, and build awareness that surround moving GNOME/GTK onto the Librem 5 phone.
  • Replicant expands list of supported devices — A few months have passed since the initial Replicant 6.0 release and it’s time for another one. This release more than doubles the number of supported devices and contains a few important fixes and improvements.
  • UBports release OTA 2 — The UBports project is excited to announce the immediate availability of Ubuntu Touch 15.04 OTA-2.
    This is a huge release for the Ubuntu Touch platform, bringing new supported devices, new features, and many bug fixes.
  • Launching Pipewire! — Pipewire is the latest creation of GStreamer co-creator Wim Taymans. The original reason it was created was that we realized that as desktop applications would be moving towards primarily being shipped as containerized Flatpaks we would need something for video similar to what PulseAudio was doing for Audio.
  • EFF quits W3C over Encrypted Media Extensions — In 2013, EFF was disappointed to learn that the W3C had taken on the project of standardizing “Encrypted Media Extensions,” an API whose sole function was to provide a first-class role for DRM within the Web browser ecosystem. By doing so, the organization offered the use of its patent pool, its staff support, and its moral authority to the idea that browsers can and should be designed to cede control over key aspects from users to remote parties.
  • Facebook finally caves on react.js license — Next week, we are going to relicense our open source projects React, Jest, Flow, and Immutable.js under the MIT license. We’re relicensing these projects because React is the foundation of a broad ecosystem of open source software for the web, and we don’t want to hold back forward progress for nontechnical reasons.
  • Red Hat Announces Broad Expansion to Open Source Patent Promise — The expanded Patent Promise, while consistent with Red Hat’s prior positions, breaks new ground in expanding the amount of software covered and otherwise clarifying the scope of the promise. Red Hat believes its updated Patent Promise represents the broadest commitment to protecting the open source software community to date.

FCC’s Free Offsite Storage | TechSNAP 337 https://original.jupiterbroadcasting.net/118386/fccs-free-offsite-storage-techsnap-337/ Tue, 19 Sep 2017 19:40:12 +0000 https://original.jupiterbroadcasting.net/?p=118386 RSS Feeds: HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: ACLU & EFF SUE OVER WARRANTLESS PHONE AND LAPTOP SEARCHES AT U.S. BORDER Some folks feel that biometric data is not covered by US 5th Amendment (the right to non-self-incrimination) recent Reddit post […]

The post FCC’s Free Offsite Storage | TechSNAP 337 first appeared on Jupiter Broadcasting.


Show Notes:

ACLU & EFF SUE OVER WARRANTLESS PHONE AND LAPTOP SEARCHES AT U.S. BORDER

30 interesting commands for the Linux shell

Equifax is so last week. Everybody go home and take a shower and change your underwear, because… This week’s hair on fire emergency is now upon us, and we’re going to need you fresh, at your desk, for… Well, for all eternity, I guess


Pulse of PipeWire | LINUX Unplugged 215 https://original.jupiterbroadcasting.net/118391/pulse-of-pipewire-lup-215/ Tue, 19 Sep 2017 19:08:02 +0000 https://original.jupiterbroadcasting.net/?p=118391 RSS Feeds: MP3 Feed | iTunes Feed | Video Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Follow Up / Catch Up Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) […]

The post Pulse of PipeWire | LINUX Unplugged 215 first appeared on Jupiter Broadcasting.


Show Notes:

Follow Up / Catch Up

Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler

Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

Introducing Keybase Teams

But Keybase teamwork is end-to-end encrypted, which means you don’t have to worry about server hacks

An open letter to the W3C Director, CEO, team and membership | Electronic Frontier Foundation

Effective today, EFF is resigning from the W3C.

Firefox, Thunderbird and VLC Are the Most Popular Apps Among Ubuntu Users

Canonical’s Dustin Kirkland attended this year’s UbuCon Europe conference for Ubuntu users and developers in Paris, France, where he revealed the results of the Ubuntu desktop survey and the apps that users want to see by default in future Ubuntu releases.

Dustin Shares Software Survey Results for the First time

Linux Academy

Launching PipeWire!

We are finally ready to formally launch pipewire as a project and have created a Pipewire website and logo.

Wim Taymans

DigitalOcean

Linux “Journalism” is in a Nose Dive

More than ever I believe very deeply that Linux “journalism” is in a nose dive of quality. Fewer and fewer “reporters” are going to the story or creating anything new, and instead have chosen the easy and lazy route of clickbait, virtue signaling journalism. It’s a well proven business model after all, and saves quite a bit of time.



TING

Linux Foundation Head Calls 2017 ‘Year of the Linux Desktop’… While Running Apple’s macOS Himself

Perhaps I am creating unnecessary controversy. Perhaps this simply should be ignored.

Bad Boy Backups | TechSNAP 309 https://original.jupiterbroadcasting.net/107361/bad-boy-backups-techsnap-309/ Tue, 07 Mar 2017 21:42:43 +0000 https://original.jupiterbroadcasting.net/?p=107361 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed Spiral […]

The post Bad Boy Backups | TechSNAP 309 first appeared on Jupiter Broadcasting.


Show Notes:

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

  • Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed

  • Spiral Toys xCEO denies voice recordings stolen

  • CloudPets left their database exposed publicly to the web without so much as a password to protect it.

  • There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

  • CloudPets has absolutely no password strength rules

  • The CloudPets Twitter account has also been dormant since July last year so combined with the complete lack of response to all communications, it looks like operations have well and truly been shuttered.

Spammers expose their entire operation through bad backups

  • Today we release details on the inner workings of a massive, illegal spam operation. The situation presents a tangible threat to online privacy and security as it involves a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical address. Chances are that you, or at least someone you know, is affected. Spammergate: The Fall of an Empire

  • The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.

  • Vickery also discovered thousands of warm-up email accounts used by RCM to skirt anti-spam measures

  • RCM’s data breach also exposed 2,199 IP addresses used for public-faced activities; as well as the group’s internal assets. This is in addition to the 60 IP blocks RCM has identified for activities in the past, as well as current and future operations; and the 140 active DNS servers that are rotated frequently.

  • Based on campaign logging documents, the data breach also exposed more than 300 active MX records. In just two spreadsheets alone, RCM recorded nearly 100,000 domains used for their campaigns.

  • If an offer doesn’t inbox (meaning it is rejected, or otherwise dumped into a spam or junk folder), or a given domain is blacklisted, RCM goes back to a list of thousands of domains and selects another to restart the process.


Metadata Matters | TechSNAP 306 https://original.jupiterbroadcasting.net/106886/metadata-matters-techsnap-306/ Wed, 15 Feb 2017 00:09:34 +0000 https://original.jupiterbroadcasting.net/?p=106886 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: House Passes Long-Sought Email Privacy Bill The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so […]

The post Metadata Matters | TechSNAP 306 first appeared on Jupiter Broadcasting.


Show Notes:

House Passes Long-Sought Email Privacy Bill

Here’s What Transport for London Learned From Tracking Your Phone On the Tube

  • Advertising? I can see how this is useful for more than just advertising. Traffic flow. Knowing about time from A to B. Mention EZPass and monitoring of badges to determine flow.

  • Signs announced trial, opt out by disabling wifi.

  • The documents also seem to suggest that if TfL switched on tracking full time it could offer real time crowding information to passengers – so we could see a CityMapper of the not-too-distant future telling us which stations to avoid.

  • That sounds similar to how Waze and Google Maps collect real-time data on traffic congestion.

  • Collecting information is one thing. Controlling access to that information is vital. As we’ve seen so many times in the past, it is the use of that data for unintended purposes which is of most concern.

  • Rainbow tables

GitLab Postmortem of database outage of January 31

  • This came from Shawn. We covered this incident in episode 305.

  • I want to make it clear from the start, we are not mocking GitLab. There is no joy to be taken here.

  • On January 31st 2017, we experienced a major service outage for one of our products, the online service GitLab.com. The outage was caused by an accidental removal of data from our primary database server.

  • What a horrible feeling that engineer then had. Imagine, for a moment. Production has just been wiped out… OMG.

  • Backups could not be found, nor could they be used. It was all gone.

  • I can imagine lots and lots of waiting for stuff to finish. Very stressful. Much hope, but very stressful.

  • Wow, could not access their own projects. Ouch. Almost want their own repo offline, but then accusations of not dogfooding, etc.

  • Prometheus monitoring

  • Some places take the approach of making staging the hot backup for production. Exactly the same. Move production onto staging hardware if required.

  • “I don’t remember where I saw it (probably hackernews), but someone proposed to constantly recreate staging from production’s backup. This way we would have an up-to-date staging version and frequently tested backup recovery process.”


Holding Hospitals Hostage | TechSNAP 261 https://original.jupiterbroadcasting.net/98616/holding-hospitals-hostage-techsnap-261/ Thu, 07 Apr 2016 08:44:35 +0000 https://original.jupiterbroadcasting.net/?p=98616 Find out about another hospital that accidentally took advantage of free encryption, researchers turn up a DDoS on the root DNS servers & the password test you never want to take. Plus your batch of networking questions, our answers & a packed round up! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]

The post Holding Hospitals Hostage | TechSNAP 261 first appeared on Jupiter Broadcasting.


Find out about another hospital that accidentally took advantage of free encryption, researchers turn up a DDoS on the root DNS servers & the password test you never want to take.

Plus your batch of networking questions, our answers & a packed round up!


Show Notes:

Researchers at VeriSign investigate DDoS on root DNS servers

  • Researchers from VeriSign, the company that runs the .com and .net registries, and operates 2 of the 13 critically important root DNS servers, will be giving a talk at a conference detailing their investigation into the attack
  • Their findings suggest the attack, which took place in November of 2015, was not directed at the root name servers directly, but was an attempt to down two Chinese websites
  • The attack had some interesting patterns, likely caused by design decisions and mistakes made by the programmer of the botnet that was used in the attack
  • They provide a video showing a breakdown of the attack
  • It was interesting to learn that Randall Munroe (of XKCD fame) actually came up with the best way to visualize the distribution of IP addresses, with a grid where sequential numbers are in adjacent squares
  • Only IP addresses in the first 128 /8 netblocks were used. The use of 128/8 specifically suggests a less than or equal, rather than an equal, was used during the comparison of IP addresses
  • It is not clear why a larger set of addresses were not used
  • The attack seemed to use 3 or 4 different groups of bots, sending spoofed DNS requests
  • Two of the larger groups of bots sequentially cycled through the 2.0.0.0/8 through 19.0.0.0/8 subnets at different speeds
  • Attacks were not seen from the 10.0.0.0/8 and 127.0.0.0/8 networks, for obvious reasons
  • However, a delay in the attacks sourced from 11.0.0.0/8 suggests that the botnet attempted to use the entire 10 block, but the packets just never left the source networks
  • “The researchers also note that Response Rate Limiting was an effective mitigation in countering up to 60 percent of attack traffic. RRL is a feature in the DNS protocol that mitigates amplification attacks where spoofed DNS queries are used to target victims in large-scale DDoS attacks.”
  • “In addition to RRL, the researchers said attack traffic was easily filterable and through filtering were able to drop response traffic for the attack queries, leaving normal traffic untouched. One of the limitations with this approach is that it’s a manual process”

Virus hits Medstar hospital network, Hospital forced to shut down systems

  • “The health system took down some of its computers to prevent the virus from spreading, but it’s not clear how many computers — or hospitals — are affected”
  • “A statement by the health system said that all facilities remain open, and that there was “no evidence of compromised information.””
  • “The not-for-profit healthcare system operates ten hospitals across the Washington and Baltimore region, with more than a hundred outpatient health facilities. According to the system’s website, it has more than 31,000 employees and serves hundreds of thousands of patients annually.”
  • “One visitor to the hospital told ZDNet that staff switched the computers off after learning about the virus. The person, who was visiting a patient in one of the healthcare system’s Washington DC hospitals, said the computers were powered off for more than an hour, with all patient orders lost, the person said.”
  • “It’s not clear exactly what kind of malware was used in Monday’s cyberattack. A spokesperson for MedStar Health did not immediately respond to a request for comment.”
  • An FBI spokesperson confirmed that it was “aware of the incident and is looking into the nature and scope of the matter.”
  • Additional Coverage: Threat Post
  • After a few days, the medical network was recovering
  • “The healthcare provider said the attack forced it to shut down its three main clinical information systems, prevented staff from reviewing patient medical records, and barred patients from making medical appointments. In a statement issued Wednesday, it said that no patient data had been compromised and systems were slowly coming back online.”
  • “Clinicians are now able to review medical records and submit orders via our electronic health records. Restoration of additional clinical systems continues with priority given to those related directly to patient care”
  • “While the hospital still won’t officially confirm the attacks were ransomware related, The Washington Post along with other news outlets are reporting that employees at the hospital received pop-up messages on their computer screens seeking payment of 45 Bitcoins ($19,000) in exchange for a digital key that would decrypt data”
  • “The MedStar cyberattack is one of many hospitals in recent months targeted by hackers. Last week, Kentucky-based Methodist Hospital paid ransomware attackers to unlock its hospital system after crypto-ransomware brought the hospital’s operations to a grinding halt. Earlier this year Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers that locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.”
  • As long as hospitals continue to pay out, this will only grow to be a worse problem
  • “Medical facilities don’t give security the same type of attention that other verticals do,” said Craig Williams, senior technical leader for Cisco Talos. “They are there to heal people and cure the sick. Their first priority is not to take care of an IT environment. As a result it’s likely the hackers have been out there for quite some time and realized that there are a lot of (healthcare) sites that have a lot of base vulnerabilities.”
  • As you might expect: 1400 vulnerabilities to remain unpatched in medical supply system
  • Additional Coverage
  • In related news:
  • Canadian hospital website compromised serves up the Angler malware kit to visitors
  • The site is for a hospital in a small city that serves a mostly rural area. Happens to be where I grew up, and the hospital I was born in
  • The hospital site is run on Joomla, and is running version 2.5.6, which has many known vulnerabilities. The latest version of Joomla is 3.4.8
  • “Like many site hacks, this injection is conditional and will appear only once for a particular IP address. For instance, the site administrator who often visits the page will only see a clean version of it, while first timers will get served the exploit and malware.”
  • The obvious targets are “staff, patients and their families and visitors, as well as students”
  • The hospital became a teaching facility for McMaster University’s Faculty of Health Sciences in 2009
  • “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.”

CNBC Password Tester — How not to do it

  • CNBC has a post about constructing secure passwords
  • The basic idea was that you submit your password, and it tells you how strong it is
  • There are obvious problems with this idea. Why are you giving out your password anyway?
  • Of course, the CNBC site is served in plain text (which is fine for a news site), but it means your password is sent to them in the clear
  • Worse, they had the site adding all of the submitted passwords to a Google spreadsheet, also in the clear
  • Because the password was submitted as a GET variable, and was in the URL, it was also included in the referral information sent to all of the advertising networks in the CNBC site, including DoubleClick, ScoreCardResearch, something hosted at Amazon AWS, and any other widgets on the site (Facebook, Gigya)
  • If you actually did want to build a tool like this, at least use JavaScript to perform the calculations on the users’ device and never transmit their passwords
  • Of course, users should never type the password into another website. This is the definition of a phishing attack
  • The page has since been removed
  • Additional Coverage
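
The two points above, as an added example (not CNBC's code and not from the show notes): a model of how a password sent as a GET variable reaches third parties through the Referer header, next to a strength check that runs entirely on the user's device. The hostnames, the sample passwords, the scoring thresholds and the small deny-list are constructed for illustration.

```javascript
// Added example; hostnames, passwords and thresholds below are constructed.

// --- What went wrong: the password travels as a GET variable ----------------
// A form submitted with method=GET copies every field into the URL query string.
function buildGetUrl(pageUrl, fieldName, value) {
  const url = new URL(pageUrl);
  url.searchParams.set(fieldName, value);
  return url.toString();
}

// Model of the Referer header a browser attaches when the page at `pageUrl`
// loads a resource from `resourceUrl`, for three standard Referrer-Policy values.
function refererSent(pageUrl, resourceUrl, policy) {
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl);
  // Credentials and the fragment are always stripped; the query string is not.
  page.username = "";
  page.password = "";
  page.hash = "";
  const downgrade = page.protocol === "https:" && resource.protocol !== "https:";
  const sameOrigin = page.origin === resource.origin;
  switch (policy) {
    case "no-referrer":
      return null;
    case "no-referrer-when-downgrade": // the browser default for many years
      return downgrade ? null : page.toString();
    case "strict-origin-when-cross-origin": // cross-origin requests get the origin only
      if (downgrade) return null;
      return sameOrigin ? page.toString() : page.origin + "/";
    default:
      throw new Error("policy not modelled: " + policy);
  }
}

// --- The safer design: score the password on the user's device --------------
// Rough upper bound: bits = length * log2(size of the character pool in use).
// It overestimates human-chosen passwords, so a small local deny-list scores 0.
const COMMON = new Set(["password", "123456", "qwerty", "letmein", "hunter2"]);

function estimateBits(password) {
  if (password.length === 0 || COMMON.has(password.toLowerCase())) return 0;
  let pool = 0;
  if (/[a-z]/.test(password)) pool += 26;
  if (/[A-Z]/.test(password)) pool += 26;
  if (/[0-9]/.test(password)) pool += 10;
  if (/[^A-Za-z0-9]/.test(password)) pool += 33; // printable ASCII symbols, space included
  return Math.round(password.length * Math.log2(pool));
}

// Returns a score without building a URL or making any request.
function rate(password) {
  const bits = estimateBits(password);
  const label = bits < 40 ? "weak" : bits < 70 ? "fair" : "strong";
  return { bits, label };
}

// Constructed demonstration: a plain-HTTP page embedding a third-party pixel.
const leaky = buildGetUrl("http://news.example/password-test", "password", "hunter2");
const pixel = "https://ads.example/pixel.gif";
console.log("URL after GET submit:      ", leaky);
console.log("Referer (legacy default):  ", refererSent(leaky, pixel, "no-referrer-when-downgrade"));
console.log("Referer (strict-origin...):", refererSent(leaky, pixel, "strict-origin-when-cross-origin"));
console.log("Local rating:              ", rate("correct horse battery staple"));
```

A stricter Referrer-Policy only limits the third-party leak; the password would still sit in the URL, browser history and server logs, which is why the local calculation is the actual fix.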

Wolf in Hipster Clothing | TTT 229 https://original.jupiterbroadcasting.net/92526/wolf-in-hipster-clothing-ttt-229/ Tue, 12 Jan 2016 12:00:57 +0000 https://original.jupiterbroadcasting.net/?p=92526 The worst & best from CES in our estimation, the Valve backed HTC Vive VR gets ready for pre-order & T-Mobile’s CEO binges on the EFF. Plus Netflix’s global expansion is astonishing, account sharing is cool & the secret of the codes. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]

The post Wolf in Hipster Clothing | TTT 229 first appeared on Jupiter Broadcasting.


The worst & best from CES in our estimation, the Valve backed HTC Vive VR gets ready for pre-order & T-Mobile’s CEO binges on the EFF.

Plus Netflix’s global expansion is astonishing, account sharing is cool & the secret of the codes.

Children of the Chromebook | TTT 225 https://original.jupiterbroadcasting.net/91151/children-of-the-chromebook-ttt-225/ Fri, 04 Dec 2015 12:52:53 +0000 https://original.jupiterbroadcasting.net/?p=91151 We start from a town that has no internet and reflect on how quickly the last 8 years of progress feel very distant, then discuss the recent extreme examples of companies challenging Net Neutrality. Ballmer says Windows Phones should run Android apps & maybe he’s right? Google’s Chromebooks make up half of US classroom devices. […]

The post Children of the Chromebook | TTT 225 first appeared on Jupiter Broadcasting.


We start from a town that has no internet and reflect on how quickly the last 8 years of progress feel very distant, then discuss the recent extreme examples of companies challenging Net Neutrality. Ballmer says Windows Phones should run Android apps & maybe he’s right?

Google’s Chromebooks make up half of US classroom devices. As parents, are we comfortable with Google having a lifetime of history on our kids?

Plus some follow up on a previous Kickstarter of the week with a special guest, the likely conclusion to a five year old tech story & the inside scoop on the Jupiter Broadcasting SWAG for the Holidays giveaway!

What’s New MATE | LINUX Unplugged 116 https://original.jupiterbroadcasting.net/89781/whats-new-mate-lup-116/ Tue, 27 Oct 2015 17:47:02 +0000 https://original.jupiterbroadcasting.net/?p=89781 Behind the scenes on Ubuntu MATE’s new features pushing the Ubuntu platform forward for traditional desktops, why Apple’s latest court case proves Richard Stallman was right about owning your own software & there is real debate about Xiaomi’s new Linux laptop. Plus the big EFF win that’s great for Linux users, the big problems facing […]

The post What's New MATE | LINUX Unplugged 116 first appeared on Jupiter Broadcasting.

Behind the scenes on Ubuntu MATE’s new features pushing the Ubuntu platform forward for traditional desktops, why Apple’s latest court case proves Richard Stallman was right about owning your own software & there is real debate about Xiaomi’s new Linux laptop.

Plus the big EFF win that’s great for Linux users, the big problems facing x86 that are a wake up call to distro makers & more!

Thanks to:

Ting


DigitalOcean


Linux Academy

Show Notes:

Pre-Show:

Feedback:

Linux Academy

Intel x86 considered harmful (new paper)

So, today I’m releasing this first paper, finally. You can get the PDF here, and also the EPUB version here.

As mentioned, the paper is mostly a (hopefully systematic) survey of the various problems and attacks presented against the x86 platform over the last 10 years.

DigitalOcean

DOJ dismisses Apple’s arguments against decrypting iOS communications

Federal courts should require Apple to unlock encrypted data because the operating system is “licensed, not sold,” to customers, the Justice Department argued in a reply brief in the U.S. District Court for the Eastern District of New York.

But suddenly he doesn’t seem crazy anymore. After the Snowden revelations, and all the other major and minor privacy breaches of the past few years, his paranoia now seems justified — even rational:

TING

Xiaomi’s Linux Laptop To Enter Production ‘Early Next Year’

The model with a 12.5-inch screen will be manufactured by Inventec (who make laptops for Acer, Toshiba and HP), with an initial order of 250,000 units.

The slightly larger device is to be made by Compal Electronics (known for manufacturing Apple devices, and various PlayStation, Xbox and Nintendo games consoles), with Xiaomi placing an order for 300,000 units.

Support Jupiter Broadcasting on Patreon

Holla For Jolla! | Tech Talk Today 94 https://original.jupiterbroadcasting.net/71897/holla-for-jolla-tech-talk-today-94/ Wed, 19 Nov 2014 12:05:43 +0000 https://original.jupiterbroadcasting.net/?p=71897 The Jolla Tablet goes up for funding & rocks it. We discuss what excites us about the initiative. The EFF and Mozilla want SSL Certificates to get easier, a new Lightning adapter is on the way, Netflix goes down under & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]

The post Holla For Jolla! | Tech Talk Today 94 first appeared on Jupiter Broadcasting.

The Jolla Tablet goes up for funding & rocks it. We discuss what excites us about the initiative. The EFF and Mozilla want SSL Certificates to get easier, a new Lightning adapter is on the way, Netflix goes down under & more!

Show Notes:

Jolla Tablet – world’s first crowdsourced tablet | Indiegogo

Jolla’s Indiegogo campaign to build an open source iPad alternative — taking its Sailfish OS onto the tablet form factor — has passed its initial funding target of $380,000 with around 2,450 backers putting in cash. And it did so in double-quick time, taking just over two hours from the campaign’s launch. There’s still another 21 days left on the campaign so expect Jolla to flesh out some stretch goals.

Mostly a pitch for pre-orders right now, with the price-tag starting at $189 for the first 2,000 pledgers, and stepping up thereafter to $199 for another thousand backers.

EFF, Mozilla back new certificate authority that will offer free SSL certificates | PCWorld

A new organization supported by Mozilla, the Electronic Frontier Foundation and others is working to set up a new certificate authority (CA) that will provide website owners with free SSL/TLS certificates.


The new CA will be called Let’s Encrypt and is expected to become operational in the second quarter of next year. It will be run by the Internet Security Research Group (ISRG), a new California public-benefit corporation.


The goal of this effort is to get as many people as possible to use the TLS (Transport Layer Security) protocol—the more secure successor of SSL (Secure Sockets Layer)—said Josh Aas, executive director of ISRG. Aas is also a senior technology strategist at Mozilla.


The new CA will not only provide certificates for free, but will also automate the certificate issuance, configuration and renewal processes in order to encourage widespread TLS adoption.


The goal is to make getting a certificate as easy as possible

Apple will soon let third-party products use its Lightning port, opening up new possibilities for accessories

Apple unveiled new Lightning connectors and specs for Lightning receptacles that will soon be available for implementation in MFi accessories. The new Lightning receptacle, scheduled to start shipping next year, will allow accessory makers to build new types of accessories that include a port for Apple’s proprietary Lightning connector previously reserved for its own iOS devices (pictured above).


The Lightning receptacle will arrive alongside a new Lightning connector (C68) that accessory makers say is a slimmed down, low profile version of previous implementations that can be used in a wide range of accessories from docks to form fitting cases. Apple has several variations of its Lightning connectors for use in accessories. The only one consumers ever see is the C48 connector (pictured right), which is only available for use in cables. For other accessories, however, Apple previously required a much bulkier solution than the C48 that paired with other components to provide more than just power to an accessory. The new connector will provide features other than just power in a much tighter package (around the same size as C48) than previous solutions. The result will be an easier implementation of Lightning connectors into accessories with a slimmer overall design, but no change for consumers in terms of compatibility since it’s just the housing and not the actual tip of the connector that is changing.


Apple plans to begin shipping the new Lightning connector and receptacle to accessory makers in early 2015.

Netflix to launch in Australia and New Zealand in March 2015

Netflix the leading Internet movie and TV subscription service, is heading down under, announcing today it will expand into Australia and New Zealand in March 2015.

The Cost of Unlimited | Tech Talk Today 82 https://original.jupiterbroadcasting.net/70177/the-cost-of-unlimited-tech-talk-today-82/ Wed, 29 Oct 2014 09:26:45 +0000 https://original.jupiterbroadcasting.net/?p=70177 The FBI creates a fake Seattle Times website to trap a bad guy, but does this cross the line? We debate. The FTC goes after AT&T’s claims of “unlimited” data. Plus more details surface in the NFC payments “war”, Windows 10 “borrows” more features, our kickstarter of the week & more! Direct Download: MP3 Audio […]

The post The Cost of Unlimited | Tech Talk Today 82 first appeared on Jupiter Broadcasting.

The FBI creates a fake Seattle Times website to trap a bad guy, but does this cross the line? We debate. The FTC goes after AT&T’s claims of “unlimited” data.

Plus more details surface in the NFC payments “war”, Windows 10 “borrows” more features, our kickstarter of the week & more!

Show Notes:

FBI created fake Seattle Times Web page to nab bomb-threat suspect

The FBI in Seattle created a fake news story on a bogus Seattle Times web page to plant software in the computer of a suspect in a series of bomb threats to Lacey’s Timberline High School in 2007, according to documents obtained by the Electronic Frontier Foundation (EFF) in San Francisco.


The deception was publicized Monday when Christopher Soghoian, the principal technologist for the American Civil Liberties Union in Washington, D.C., revealed it on Twitter.


The EFF documents reveal that the FBI dummied up a story with an Associated Press byline about the Thurston County bomb threats with an email link “in the style of The Seattle Times,” including details about subscriber and advertiser information.


The link was sent to the suspect’s MySpace account. When the suspect clicked on the link, the hidden FBI software sent his location and Internet Protocol information to the agents. A juvenile suspect was identified and arrested June 14.


The revelation brought a sharp response from the newspaper.

“We are outraged that the FBI, with the apparent assistance of the U.S. Attorney’s Office, misappropriated the name of The Seattle Times to secretly install spyware on the computer of a crime suspect,” said Seattle Times Editor Kathy Best.

“Not only does that cross a line, it erases it,” she said.


“Our reputation and our ability to do our job as a government watchdog are based on trust. Nothing is more fundamental to that trust than our independence — from law enforcement, from government, from corporations and from all other special interests,” Best said. “The FBI’s actions, taken without our knowledge, traded on our reputation and put it at peril.”

MCX Confirms Retailer Exclusivity for CurrentC Mobile Payments, but No Fines for Leaving Consortium

Much of the Apple news in recent days has centered around Apple Pay and what Tim Cook referred to on Monday as a “skirmish” in which several retailers backing a competing mobile payments initiative known as CurrentC have shut down NFC payment functionality in their stores to prevent customer use of Apple Pay, Google Wallet, and other similar services.


Numerous sources have indicated that retailers backing CurrentC are contractually prohibited from accepting alternative forms of mobile payments, and sources told The New York Times that retailers breaking those contracts would “face steep fines.”

Importantly, if a merchant decides to stop working with MCX, there are no fines.

FTC sues AT&T over ‘deceptive’ throttling of unlimited data customers | The Verge

The Federal Trade Commission is suing AT&T because the second-largest US carrier throttles speeds of its unlimited data customers, a policy that the FTC describes as “deceptive” and “unfair.” In a press release, the FTC said AT&T has “misled millions of its smartphone customers” by slowing down their data speeds after they’ve used up a certain amount of data in a single month. AT&T has failed to make its throttling policies clear enough, according to the complaint. “The issue here is simple: ‘unlimited’ means unlimited,” said FTC Chairwoman Edith Ramirez.

Update 11:15 AM PT: AT&T has given a statement to MacRumors in response to the FTC’s “baffling” complaint, stating that the allegations are “baseless” and that it has been “completely transparent” with customers.

“The FTC’s allegations are baseless and have nothing to do with the substance of our network management program. It’s baffling as to why the FTC would choose to take this action against a company that, like all major wireless providers, manages its network resources to provide the best possible service to all customers, and does it in a way that is fully transparent and consistent with the law and our contracts.

“We have been completely transparent with customers since the very beginning. We informed all unlimited data-plan customers via bill notices and a national press release that resulted in nearly 2,000 news stories, well before the program was implemented. In addition, this program has affected only about 3% of our customers, and before any customer is affected, they are also notified by text message.”

Microsoft borrows Mac trackpad gestures for Windows 10 | The Verge

In a keynote speech at TechEd Europe today, Microsoft’s Joe Belfiore demonstrated new trackpad features that will soon be available to Windows 10 testers. “In the past touch pads on Windows have really been done very differently because OEMs do them,” explained Belfiore. Microsoft introduced precision trackpads with the help of Intel in Windows 8 to improve the hardware situation, and now the focus is on gestures in software. “With Windows 10 we’re adding support for power users in a touch pad, where multiple finger gestures — which all of you power users learn — can make you really efficient.”


The new gestures include a three finger swipe down action to minimize all active Windows and three finger swipe up to bring them back. An interesting addition is the ability to use a three finger swipe up gesture to activate the new Task View feature of Windows 10. Not only does Task View look like OS X’s Mission Control (Exposé) feature, the three finger swipe up is the same gesture. Microsoft is also borrowing the three finger swipe left and right to activate switching between apps, something Apple uses to move between fullscreen Mac applications.

Kickstarter of the week: The Undress

ComputerCop Malware | Tech Talk Today 69 https://original.jupiterbroadcasting.net/68077/computercop-malware-tech-talk-today-69/ Thu, 02 Oct 2014 11:07:36 +0000 https://original.jupiterbroadcasting.net/?p=68077 A major Xen flaw forces the “cloud” to reboot, we share the details. ComputerCop malware pitched as saving the children turns out to be major spyware. Plus a big Adobe Linux support rant, the Mac botnet that reads reddit & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent […]

The post ComputerCop Malware | Tech Talk Today 69 first appeared on Jupiter Broadcasting.

A major Xen flaw forces the “cloud” to reboot, we share the details. ComputerCop malware pitched as saving the children turns out to be major spyware.

Plus a big Adobe Linux support rant, the Mac botnet that reads reddit & more!

Show Notes:

Rackspace Joined Amazon in Patching, Rebooting Cloud Servers

About a quarter of Rackspace’s 200,000-plus customers were impacted when the cloud provider had to patch a flaw in the Xen hypervisor.
Rackspace, like cloud competitor Amazon Web Services, was forced to reboot some of its servers after patching them to fix a security flaw in some versions of the XenServer hypervisor.


The cloud provider had to patch an untold number of servers in its global data centers over the weekend and then reboot them, which caused disruption to about a quarter of Rackspace’s more than 200,000 customers, according to President and CEO Taylor Rhodes. The issue was further complicated by a tight deadline—the vulnerability was first discovered early last week, and a patch wasn’t worked out with Xen engineers until late Sept. 26.


AWS started sending out letters to its customers Sept. 24 informing them that there was an issue, but assured them that the problem was not related to the Bash bug that arose last week as a threat to systems running Unix and Linux. Officials instead let them know that the problem was with the Xen hypervisor, and that a patch was being worked on.

The bug, introduced in versions of Xen after version 4.1, is in HVM code that emulates Intel’s x2APIC interrupt controller. While the emulator restricts the ability of a virtual machine to write to memory reserved specifically for its own emulated controller, a program running within a virtual machine could use the x2APIC interface to read information stored outside of that space. If someone were to provision an inadvertently buggy or intentionally malicious virtual machine on a server using HVM, Beulich found that VM could use the interface to look at the physical memory on the physical machine hosting the VM reserved for other virtual machines or for the virtualization server software itself. In other words, an “evil” virtual machine could essentially read over the shoulder of other virtual machines running on the same server, bypassing security.

EFF: Security software distributed by cops is actually spyware in disguise

Various schools, libraries and ordinary American families might have been using a “security” software called ComputerCOP for years. After all, they probably got their copy from cops, attorney’s offices or other branches of law enforcement, which tout it as a way to protect children online.


One of the main features of ComputerCop is a keylogger called KeyAlert. Keyloggers record all keystrokes made on a computer keyboard, including credit card information and username and password combinations. KeyAlert’s logs are stored unencrypted on Windows computers, and on Macs they can be decrypted with the software’s default password. The software can also be configured so that trigger words email an alert to the computer’s owner.


KeyAlert must be installed separately from the rest of the ComputerCop software, but not all versions of ComputerCop have been distributed with it. There’s no way to configure KeyAlert for a particular user, so it’s possible to use it against anybody using the computer — not just kids.


“When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email,” the EFF report said.


According to the foundation, law enforcement agencies typically buy between 1,000 and 5,000 copies of ComputerCOP for a few dollars per piece — and yes, they use taxpayer dollars for the purchase. Within the past two years for instance, several Attorney’s Offices, including San Diego’s, bought 5,000 pieces for 25 grand.

Adobe Pulls Linux PDF Reader Downloads From Website – OMG! Ubuntu!

As flagged by a Reddit user who visited the Adobe site to grab the app, Linux builds are no longer listed alongside other ‘supported’ operating systems.

Adobe is no stranger to giving penguins the brush off. The company stopped releasing official builds of Flash for Linux in 2012 (leaving it to Google to tend to), and excluded Tux-loving users from its cross-platform application runtime “Air” the year before.

All is not lost. While the links are no longer offered through the website the Debian installer remains accessible from the Adobe FTP server.

China pre-orders 2 million iPhone 6 handsets in just 6 hours

The iPhone 6 and 6 Plus were delayed in China as the result of trouble for Apple securing the necessary regulatory approvals from the country’s Ministry of Industry and Information Technology. In its absence, rival company Samsung rushed to release their new flagship handset in the country.

Despite China’s absence, however, Apple’s eagerly-anticipated handsets sold 10 million+ units in their opening weekend alone.


According to new reports coming out of China, both retailers and carriers have taken in a massive 2 million reservations just six hours after putting the iPhone 6 and 6 Plus on earlier-than-expected pre-order.

New Mac botnet malware uses Reddit to find out what servers to connect to

Mac users should beware of some new malware spreading, that tries to connect infected machines with a botnet for future exploitation. As detected by Dr Web, the malicious worm (dubbed Mac.BackDoor.iWorm) first checks whether any interfering applications are installed on the Mac.

If it is clear, it calls out to Reddit posts to find the IP addresses of possible servers to call back to. Although these posts have been deleted, it’s not hard for the people behind the exploit to repost them at a later time. Once connected to the botnet, the infected Mac can be literally instructed to perform almost any task the hackers want, such as redirect browsing traffic to potentially steal account credentials for instance.

Dr.Web estimates over 15,000 distinct IP addresses have been connected to the botnet already. Although 15,000 IPs does not directly translate into 15,000 separate infected users, it is indicative of a rather large base for a Mac worm.

Return of CISPA | Tech Talk Today 23 https://original.jupiterbroadcasting.net/61922/return-of-cispa-tech-talk-today-23/ Wed, 09 Jul 2014 09:09:45 +0000 https://original.jupiterbroadcasting.net/?p=61922 A new cybersecurity bill working its way through the system looks a lot like previous attempts and raises the same privacy concerns, we’ll cover the details. Plus Samsung gets into VR and the Potato Salad Kickstarter that’s already earned $70k USD. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]

The post Return of CISPA | Tech Talk Today 23 first appeared on Jupiter Broadcasting.

A new cybersecurity bill working its way through the system looks a lot like previous attempts and raises the same privacy concerns, we’ll cover the details.

Plus Samsung gets into VR and the Potato Salad Kickstarter that’s already earned $70k USD.

Show Notes:

Senate Panel Passes Cybersecurity Bill Despite NSA Fears

The Cybersecurity Information Sharing Act, advanced in a 12-3 vote, would make it easier for businesses and the government to share information with each other about cyberattacks. Business groups argue that legal barriers are preventing them from getting the information they need to stop hackers.

But the privacy groups are still worried that the legislation could encourage a company such as Google to turn over vast batches of emails or other private data to the government. The information would go first to the Homeland Security Department, but could then be shared with the NSA or other intelligence agencies.

“Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA,” the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, and dozens of other privacy groups wrote in a letter to senators last month.

Exclusive: Samsung’s virtual reality headset will be called Gear VR, launch at IFA 2014 | SamMobile

A month ago, Engadget exclusively reported on Samsung’s upcoming VR device, which is being developed in collaboration with Facebook’s Oculus VR. Today, we can confirm that Samsung is indeed working on a virtual reality device, and it’s called the “Gear VR”. Samsung will be announcing the device, alongside the Galaxy Note 4, at IFA 2014.

Instead of making a completely standalone virtual reality headset, Samsung has developed a modular design, which allows the user to dock in a Galaxy device into the Gear VR using USB 3.0. Virtual reality effect is achieved through head tracking, and instead of equipping the headset with sensors, Gear VR makes use of the smartphone’s accelerometer, gyroscope and processing power to track head motion.

You might say that this is exactly like Google’s Cardboard VR headset, which was handed out to I/O 14 attendees, and you would be right! The main concept behind Gear VR is the same. However, the Gear VR is much more comfortable to wear, thanks to the elastic head band and soft padded cushions on each side of the device, and Samsung’s implementation is also much better than that of Google’s Cardboard.

The hardware of the device is being developed by Samsung alone, but the software is being developed in cooperation with Oculus VR

Potato Salad by Zack Danger Brown — Kickstarter

Last week, Zack Brown posted a Kickstarter page titled simply “Potato Salad.”

“I’m making potato salad,” Brown wrote. Then, in case anybody was confused or skeptical or more inclined to support the preparation of a German-style potato salad than a mayo-heavy American version, he clarified: “Basically I’m just making potato salad. I haven’t decided what kind yet.”

His goal: $10.

Manjaro Linux Developers Experience A Mass Exodus

Feedback:

Package Design | BSD Now 43 https://original.jupiterbroadcasting.net/60837/package-design-bsd-now-43/ Thu, 26 Jun 2014 10:06:40 +0000 https://original.jupiterbroadcasting.net/?p=60837 It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the […]

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.

It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap

– Show Notes: –

Headlines

EuroBSDCon 2014 talks and schedule

  • The talks and schedules for EuroBSDCon 2014 are finally revealed
  • The opening keynote is called “FreeBSD, looking forward to another 10 years” by jkh
  • Lots of talks spanning FreeBSD, OpenBSD and PC-BSD, and we finally have a few about NetBSD and DragonFly BSD too! Variety is great
  • It looks like Theo even has a talk, but the title isn’t on the page… how mysterious
  • There are also days dedicated to some really interesting tutorials
  • Register now, the conference is on September 25-28th in Bulgaria
  • If you see Allan and Kris walking towards you and you haven’t given us an interview yet… well you know what’s going to happen
  • Why aren’t the videos up from last year yet? Will this year also not have any?

FreeNAS vs NAS4Free

  • More mainstream news covering BSD, this time with an article about different NAS solutions
  • In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
  • Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
  • Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
  • “One is pleasantly functional; the other continues devolving during a journey of pain” – uh oh, who’s the loser?

Quality software costs money, heartbleed was free

  • PHK writes an article for ACM Queue about open source software projects’ funding efforts
  • A lot of people don’t realize just how widespread open source software is – TVs, printers, gaming consoles, etc
  • The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish’s funding
  • The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
  • On that subject, “Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software”
  • Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive

Geoblock evasion with pf and OpenBSD rdomains

  • Geoblocking is a way for websites to block visitors based on the location of their IP
  • This is a blog post about how to get around it, using pf and rdomains
  • It has the advantage of not requiring any browser plugins or DNS settings on the users’ computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that…)
  • In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
  • It’s got all the details you need to set up a VPN-like system and bypass those pesky geographic filters

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

OpenBSD’s package system, building cluster, various topics


Tutorial

Keeping your BSD up to date


News Roundup

BoringSSL and LibReSSL

  • Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
  • Adam Langley has a blog post about it, why they did it and how they’re going to maintain it
  • You can easily browse the source code
  • Theo de Raadt also weighs in with how this effort relates to LibReSSL
  • More eyes on the code is good, and patches will be shared between the two projects

More BSD Tor nodes wanted

  • Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
  • Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
  • If one vulnerability is found, a huge portion of the network would be useless – we need more variety in the network stacks, crypto, etc.
  • The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
  • Check out our Tor tutorial and help out the network, and promote BSD at the same time!

FreeBSD 10 OpenStack images

  • OpenStack, to quote Wikipedia, is “a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution.”
  • The article goes into detail about creating a FreeBSD instance, installing and converting it for use with “bsd-cloudinit”
  • The author of the article is a regular listener and emailer of the show, hey!

BSDday 2014 call for papers

  • BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
  • It was created in 2008 and is the only BSD conference around that area
  • The “call for papers” was issued, so if you’re around Argentina and use BSD, consider submitting a talk
  • Sysadmins, developers and regular users are, of course, all welcome to come to the event

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Just a reminder for those who don’t check the website, you’ll also find contact information for every guest we’ve ever had in the show notes – so if you have follow up questions for them, it’s easy to get in touch
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Congrats to Matt Ahrens for getting FreeBSD commit access – hopefully lots of great ZFS stuff to come
  • A special 21st happy birthday to FreeBSD
