Flash – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 25 Nov 2020 02:51:03 +0000

Secret Modem Sounds | LINUX Unplugged 381 https://original.jupiterbroadcasting.net/143472/secret-modem-sounds-linux-unplugged-381/ Tue, 24 Nov 2020 18:45:00 +0000

Show Notes: linuxunplugged.com/381

The post Secret Modem Sounds | LINUX Unplugged 381 first appeared on Jupiter Broadcasting.

Back to our /roots | TechSNAP 393 https://original.jupiterbroadcasting.net/128656/back-to-our-roots-techsnap-393/ Thu, 03 Jan 2019 07:34:40 +0000

Show Notes: techsnap.systems/393

The post Back to our /roots | TechSNAP 393 first appeared on Jupiter Broadcasting.

Linux Action News 12 https://original.jupiterbroadcasting.net/117046/linux-action-news-12/ Sun, 30 Jul 2017 16:26:44 +0000

The post Linux Action News 12 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Feed | iTunes Feed

Become a supporter on Patreon:

Patreon

Episode Links
  • Ubuntu MATE 17.10 Alpha 2 — We’re not happy, proud, pleased or ambivalent to announce this alpha. No, not us. This is our most “Super” alpha ever and we’re ecstatic to present this fine release for your distro delectation. Ubuntu MATE 17.10 is brimming with new toys to play with.
  • Uptake of Fedora 26 is really strong — It’s already surpassed F24 and those of you still on F23.
  • Boltron preview — Fedora’s Modularity Working Group (and others) have been working for a while on a Fedora Objective.
  • openSUSE Leap 42.3 — “By avoiding major version updates in the base system as well as the desktops, the upgrade to Leap 42.3 is a rather unadventurous matter,” said Ludwig Nussel, openSUSE Leap release manager.
  • The death of Flash — Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.
  • Some people don’t want it to die — Open sourcing Flash spec would be a good solution to keep Flash projects alive safely for archive reasons.
  • Update on Debian Reproducible Builds Project — At the start of 2015 it was safe to say that Debian was fairly alone in the quest for reproducible builds, and a relevant number of developers were unconvinced by the effort’s goals. Thankfully, this is not true anymore.
  • More on Mozilla’s Project Common Voice — Today’s speech recognition technologies are largely tied up in a few companies that have invested heavily in them.

Teeny Weeny DNS Server | TechSNAP 329 https://original.jupiterbroadcasting.net/116921/teeny-weeny-dns-server-techsnap-329/ Tue, 25 Jul 2017 22:27:15 +0000

The post Teeny Weeny DNS Server | TechSNAP 329 first appeared on Jupiter Broadcasting.

Show Notes:

How I tricked Symantec with a Fake Private Key

  • If true, not very good.

  • The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a certificate authority shall revoke the key within 24 hours (Section 4.9.1.1 in the current Baseline Requirements 1.4.8).

  • I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo.

  • Comodo didn’t fall for it. They answered me that there is something wrong with this key. Symantec however answered me that they revoked all certificates – including the one with the fake private key.

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

  • Fair warning: blog post is from 2015, but with Let’s Encrypt all around us, I think this is relevant now.

  • “Tony Finch has created a gem of a utility called nsnotifyd. It’s a teeny-tiny DNS “server” which sits around and listens for DNS NOTIFY messages which are sent by authority servers when they instruct their slaves that the zone has been updated and they should re-transfer (AXFR / IXFR) them. As soon as nsnotifyd receives a NOTIFY, it executes a shell script you provide.”

  • Official repo

  • nsnotifyd on GitHub

  • man 1 nsnotifyd

  • man 1 nsnotify

  • man 4 metazone

New details emerge on Fruitfly, highly-invasive Mac malware

  • Mysterious Mac Malware Has Infected Victims for Years

  • The recently discovered Fruitfly malware is a stealthy, but highly-invasive, malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, keyboard and mouse.

  • Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.

  • Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.


Return Of The Distrohopper | LINUX Unplugged 207 https://original.jupiterbroadcasting.net/116916/return-of-the-distrohopper-lup-207/ Tue, 25 Jul 2017 21:25:42 +0000

The post Return Of The Distrohopper | LINUX Unplugged 207 first appeared on Jupiter Broadcasting.

Show Notes:

Follow Up / Catch Up

Chris is Back from Montana

  • Beard is sticking around for a bit to Linux with us.

XPS 13 Dev Edition Sweepstakes winner

Flash & The Future of Interactive Content

Adobe is planning to end-of-life Flash. Specifically, we will stop updating and distributing the Flash Player at the end of 2020 and encourage content creators to migrate any existing Flash content to these new open formats.

  • Linux

YUM, TAR.GZ, RPM and APT packages for NPAPI and PPAPI
Latest versions of Firefox or Google Chrome

Announcing Boltron: The Modular Server Preview

Largely, the resultant package set can be thought of as virtualized, separate repositories. In other words, the client tooling (dnf) treats the traditional flat repo as if it was a set of repos that are only enabled when you want that version of the component.

“Bad Taste” Vulnerability Affects Linux Systems via Malicious Windows MSI Files

Because Windows executables haven’t wreaked enough damage on Windows computers, now you can use malformed MSI files to run malicious code on Linux systems.

Linux Academy

Meet Nitrux: The Most Beautiful Linux Distribution Ever

Nitrux is a new Linux distribution with focus on design. It introduces Nomad desktop which is built on top of KDE Plasma 5 and Qt.

Though Nitrux is based on Ubuntu, it is slightly different from other Ubuntu based distributions because it uses the unstable dev branch. So, the present release Nitrux 1.0 is based on still under development Ubuntu 17.10. Nitrux devs think that “this is close enough to a rolling release model”.

Get Your Middle Fingers Out

We currently have no plans to support Xwayland.

DigitalOcean

Checking on Ubuntu MATE 17.10

Ubuntu MATE 17.10 Alpha 2

Everything you’re about to read has been funded by the Ubuntu MATE crowd funding, you’re all making a significant difference to the development momentum of Ubuntu MATE. Consequently everything that follows will be available in Ubuntu MATE 17.10 Alpha 2 which is due for release on July 27th 2017!


TING

Adapting GNOME 3 For Users with ADHD

Submitted by /u/MetaNova on the Unplugged Subreddit.

Wifi Stack Overfloweth | TechSNAP 313 https://original.jupiterbroadcasting.net/113571/wifi-stack-overfloweth-techsnap-313/ Wed, 05 Apr 2017 01:02:34 +0000

The post Wifi Stack Overfloweth | TechSNAP 313 first appeared on Jupiter Broadcasting.

Show Notes:

iOS 10.3.1 update prevents: attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear

  • NOT SO LONG ago, enterprising thieves who wanted to steal the entire contents of an ATM had to blow it up. Today, a more discreet sort of cash-machine burglar can walk away with an ATM’s stash and leave behind only a tell-tale three-inch hole in its front panel.

  • The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.

  • They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules.

  • In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.

Let’s Encrypt


A Real Pain in the Flash | LINUX Unplugged 161 https://original.jupiterbroadcasting.net/102836/a-real-pain-in-the-flash-lup-161/ Tue, 06 Sep 2016 18:03:31 +0000

The post A Real Pain in the Flash | LINUX Unplugged 161 first appeared on Jupiter Broadcasting.

Show Notes:

Follow Up / Catch Up

KDE Neon Developer OS Switches To Plasma Wayland By Default

KDE developers have decided to switch to Wayland by default for KDE Neon’s unstable/developer OS.

This authorization corrects a bureaucratic mistake: FESCo previously authorized the change for Fedora 24, but the Workstation working group decided to defer the change to Fedora 25, then forgot to request authorization again for Fedora 25 as required. An objection was raised on the grounds that the proper change procedure was not followed, so to sidestep this objection we decided to request permission again from FESCo, which granted the request. Authorization to proceed with the change does not mean the decision to proceed has been made; the change could still be deferred, just as it was for Fedora 24.

ext4 break with 32,000 Files

I ran into a bug with the ext4 filesystem that causes it to fail if there are more than about 32,000 files in a directory. The technical reasons for this are boring and I really don’t care why; I just want to trust that my filesystem will do the right thing.

How to flash Meizu Pro 5 to Ubuntu Touch From the start the Meizu Pro 5

I could have done with this last week 😃 Having gone through the process myself, this document is great and all you need


TING

Adobe Flash goes crawling back to Linux for some security

The official announcement said: “Today we are updating the beta channel with Linux NPAPI Flash Player by moving it forward and in sync with the modern release branch (currently version 23). We have done this significant change to improve security and provide additional mitigation to the Linux community.”

FBI Announces Post-Election Attack on Encryption

Comey’s intention to renew the fight against encryption came about because the issue “has dipped below public consciousness now.” The wait to address encryption until 2017 comes because “next year we can have an adult conversation in this country” about it.

KDE Software Store to Soon Offer Downloads in Snap, Flatpak and AppImage Formats

Revealing the fact that users might be able to soon download their favorite open source applications in the new Snap, Flatpak, and AppImage binary formats, which allows you to use those apps on any distro that supports them.

elementary OS has a Countdown

DigitalOcean

FreeBSD Now Has A Port For CentOS 7 Binary Support

As of yesterday, linux_base-c7 landed in ports for installing the CentOS 7 base packages. This will allow running newer Linux binaries built for modern CentOS/RHEL 7 era systems on FreeBSD, assuming the source isn’t available or isn’t compatible natively with FreeBSD. Previously CentOS 6 was the default port used for this Linux binary compatibility with FreeBSD.

KaOS Brings Serious Relevance Back to KDE | Linux.com | The source for Linux information

If you’ve been looking for a distribution to sway you back to the KDE desktop, look no further than KaOS. It’s beautiful, runs with the snap of a much lighter desktop, and feels as reliable as any other option available for Linux. I

I haven’t been this impressed with KDE for a very, very long time.

Linux Academy

Multi-process Firefox brings 400-700% improvement in responsiveness

In the coming weeks, Mozilla will push multi-processing to 100 percent of their initial cohort of users. This group represents 40-50 percent of total users. Within the next six months, a majority of users can expect to have the capabilities. Here is a little cheat sheet of upcoming releases:

  • Firefox 49: Enabling for a set of add-ons that work well with multi-processing
  • Firefox 50 or 51: Sandboxing and enabling for more add ons
  • Firefox 52 or 53: Multiple content processes

Make Ads GIF Again | TechSNAP 273 https://original.jupiterbroadcasting.net/100861/make-ads-gif-again-techsnap-273/ Thu, 30 Jun 2016 17:47:59 +0000

The post Make Ads GIF Again | TechSNAP 273 first appeared on Jupiter Broadcasting.

Project Zero lays into Symantec’s enterprise products, the botnet you’ll never find & the poor security of HTML5 video ads.

Plus your questions, our answers & much more!

Show Notes:

Google’s Project Zero lays into Symantec’s Enterprise Endpoint Security products

  • “Symantec is a popular vendor in the enterprise security market, their flagship product is Symantec Endpoint Protection. They sell various products using the same core engine in several markets, including a consumer version under the Norton brand.”
  • “Today we’re publishing details of multiple critical vulnerabilities that we discovered, including many wormable remote code execution flaws.”
  • “These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption.”
  • “As Symantec use the same core engine across their entire product line, all Symantec and Norton branded antivirus products are affected by these vulnerabilities, including:”
  • Norton Security, Norton 360, and other legacy Norton products (All Platforms)
  • Symantec Endpoint Protection (All Versions, All Platforms)
  • Symantec Email Security (All Platforms)
  • Symantec Protection Engine (All Platforms)
  • Symantec Protection for SharePoint Servers
  • And so on.
  • “Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.”
  • “Many developers will be familiar with executable packers like UPX, they’re tools intended to reduce the size of executables by compressing them. This causes a problem for antivirus products because it changes how executables look.”
  • Packers can be designed to obfuscate the executable, and make it harder for virus scanners to match against their signature database, or heuristically detect bad code
  • “Antivirus vendors solve this problem with two solutions. First, they write dedicated unpackers to reverse the operation of the most common packers, and then use emulation to handle less common and custom packers.”
  • “The problem with both of these solutions is that they’re hugely complicated and prone to vulnerabilities; it’s extremely challenging to make code like this safe. We recommend sandboxing and a Security Development Lifecycle, but vendors will often cut corners here. Because of this, unpackers and emulators continue to be a huge source of vulnerabilities, we’ve written about examples in Comodo, ESET, Kaspersky, Fireeye and many more.”
  • “Let’s look at an example from Symantec and Norton Antivirus. This vulnerability has an unusual characteristic: Symantec runs their unpackers in the Kernel!”
  • “Reviewing Symantec’s unpacker, we noticed a trivial buffer overflow when a section’s SizeOfRawData field is greater than SizeOfImage. When this happens, Symantec will allocate SizeOfImage bytes and then memcpy all available data into the buffer.”
  • “This was enough for me to make a testcase in NASM that reliably triggered Symantec’s ASPack unpacker. Once I verified this work with a debugger, building a PE header that mismatched SizeOfImage and SizeOfRawData would reliably trigger the vulnerability.”
  • “Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it – the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences to Norton and Symantec customers.”
  • “An attacker could easily compromise an entire enterprise fleet using a vulnerability like this. Network administrators should keep scenarios like this in mind when deciding to deploy Antivirus, it’s a significant tradeoff in terms of increasing attack surface.”
  • There is also a buffer overflow in the PowerPoint decomposer (used to check for macros etc.)
  • There is another vulnerability in “Advanced Heuristic Protection” or “Bloodhound Heuristics” mode
  • “As with all software developers, antivirus vendors have to do vulnerability management. This means monitoring for new releases of third party software used, watching published vulnerability announcements, and distributing updates.”
  • “Nobody enjoys doing this, but it’s an integral part of secure software development. Symantec dropped the ball here.”
  • “A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries like libmspack and unrarsrc, but hadn’t updated them in at least 7 years.”
  • “Dozens of public vulnerabilities in these libraries affected Symantec, some with public exploits. We sent Symantec some examples, and they verified they had fallen behind on releases.”
  • There is “behind” and then there is 7 years, which is pretty much “definitely didn’t bother to look at all”
  • “As well as the vulnerabilities we described in detail here, we also found a collection of other stack buffer overflows, memory corruption and more.”
  • Additional Coverage: Fortune.com
  • Additional Coverage: Ars Technica

Botnet made up of CCTV Cameras and DVRs conducts DDoS attacks

  • As we reported in TechSNAP #259, a security researcher found that 70 different CCTV-DVR vendors are just reselling devices from the same Chinese manufacturer, with the same firmware
  • This firmware has a number of critical security flaws that the vendor was notified about, but refused to fix
  • Original coverage from March
  • Now criminals have exploited one or more of these known vulnerabilities to turn these devices into a large botnet
  • Unlike a typical botnet made up of personal computers that are turned on and off at random, and where a user might notice sluggish performance, infected embedded devices tend to be always on, and performance issues are rarely noticed
  • A botnet of over 25,000 of these CCTV systems is being used to conduct layer7 DDoS attacks against various businesses
  • One of the victims, a Jewelry store, moved their site behind a WAF (Web Application Firewall), to protect it from the attack
  • Unlike most attackers, instead of admitting defeat and moving on, the attacker stepped up the attack, and prolonged it for multiple days
  • Most botnets lose strength the longer the attack is sustained, because infected machines are shutdown, isolated, reported, or disconnected.
  • The fact that this botnet is made up of embedded CCTV devices gives it more staying power, and it is not likely to be considered the source of the problem if abuse reports do come in.

Security of HTML5 Video Ads

  • For a long time many have railed against Flash, and accused it of being the root of all evil when it comes to Malvertising
  • “For the last several years, Adobe Flash has been an enemy of the online community. In general, the position is well deserved: there were more than 300 vulnerabilities found in Flash Player during 2015 alone, making it the most vulnerable PC software of the year.”
  • This study provides a comparison between Flash and HTML5-based advertisements
  • Flash ads tend to be smaller. HTML5 ads are also on average 100kb larger, using more bandwidth, which on mobile can be a big deal
  • Flash ads may be more work to create, since they are not responsive, and a different file must be created for each different ad size
  • HTML5 ads do not require a plugin to run, but older browsers do not support them. This is becoming less of an issue as the number of aged devices dwindles
  • Flash ads tend to provide better picture quality, due to sub-pixel support
  • HTML5 provides better mobile support, where Flash on mobile is rare
  • There is currently a larger community of Flash developers, but this is changing
  • HTML5 is not controlled by a single entity like Adobe
  • Flash provides better optimization
  • HTML5 provides better usability and semantic support
  • This study finds that killing off Adobe Flash will not solve the security problems, HTML5 has plenty of its own security issues
  • “Even if Flash is prohibited, malvertising can still be inserted in the first two stages of video ad delivery.”
  • “The proponents pushing for Flash to be prohibited from use in an ad creative are saying that HTML5 is the remedy that can handle security threats in the advertising industry. It stands to reason that if the ad unit itself is clean, then the user won’t have any problems. Unfortunately, this is an inaccurate statement. Malvertising attacks using video ads were already occurring in late 2015 and early 2016.”
  • In a typical Flash malvertising campaign, the ad calls the Flash externalCall interface and runs some malicious JavaScript, creating a popup that, if the user accepts, may infect their computer
  • In an HTML5-based attack, the malvertising campaign payload is not in the actual advertisement, but in the VAST/VPAID metadata, as the tracking URL. This silently navigates the user to an Angler exploit kit, where they are infected with no required user interaction
  • “the second scenario shows how the ad unit itself is not the only piece of the malvertising pie”
  • “The main root of the video ad malvertising problem is, unfortunately, fundamental. VAST/VPAID standards, developed in 2012, provide extensive abilities so that ad industry players can create a rich ad experience.”
  • “Since these standards allow advertisers to receive data about the user, they allow for third-party codes to be inserted inside the ad. Once a third-party code is allowed, there is an open door for bad actors to perpetrate malicious activities, i.e. insert malicious code.”
  • “Now that we have debunked the idea that malvertising would be eliminated if the industry prohibited the use of Flash in their ads, let’s discuss solutions.”
  • Even if malicious ads could be eliminated by better screening, malactors can compromise the ad network, and inject the malicious ads there
  • In the end, maybe we need to stop allowing advertisements to have the ability to execute code
  • Does anyone remember when advertisements were just animated .gif files?

Chirping Away at Privacy | TTT 244 https://original.jupiterbroadcasting.net/99781/chirping-away-at-privacy-ttt-244/ Mon, 16 May 2016 15:42:21 +0000

The post Chirping Away at Privacy | TTT 244 first appeared on Jupiter Broadcasting.

Google is planning to phase out Flash support in Chrome & how they’re doing it is interesting. Wendy’s is going automated & the future for VR at Google looks bright.

Plus Apple confirms it was deleting music, the day Smart doorbell owners saw video from other houses thanks to a weird bug & more!


Show Notes:

Kickstarter of the Week

Finding Nakamoto | TechSNAP 244 https://original.jupiterbroadcasting.net/91366/finding-nakamoto-techsnap-244/ Thu, 10 Dec 2015 19:56:35 +0000

The post Finding Nakamoto | TechSNAP 244 first appeared on Jupiter Broadcasting.

Bitcoin’s creator has been found again, we’ll cover what the media thinks they’ve figured out & what we really know.

Then, ‘In Patches We Trust: Why Security Updates have to get better’, a great batch of questions, a huge round up & much more!

— Show Notes: —

WIRED thinks they found Bitcoin’s Creator Satoshi Nakamoto

  • Since that pseudonymous figure first released bitcoin’s code on January 9th, 2009, Nakamoto’s ingenious digital currency has grown from a nerd novelty to a kind of economic miracle. As it’s been adopted for everything from international money transfers to online narcotrafficking, the total value of all bitcoins has grown to nearly $5 billion.
  • Nakamoto himself, whoever he is, appears to control a stash of bitcoins easily worth a nine-figure fortune (it rose to more than a billion at the cryptocurrency’s peak exchange rate in 2014).
  • In the last weeks, WIRED has obtained the strongest evidence yet of Satoshi Nakamoto’s true identity. The signs point to Craig Steven Wright.
  • Gizmodo thinks it was actually two people
  • A monthlong Gizmodo investigation has uncovered compelling and perplexing new evidence in the search for Satoshi Nakamoto, the pseudonymous creator of Bitcoin.
  • According to a cache of documents provided to Gizmodo which were corroborated in interviews, Craig Steven Wright, an Australian businessman based in Sydney, and Dave Kleiman, an American computer forensics expert who died in 2013, were involved in the development of the digital currency.

  • Wired’s “Evidence”

  • An August 2008 post on Wright’s blog, months before the November 2008 introduction of the bitcoin whitepaper on a cryptography mailing list. It mentions his intention to release a “cryptocurrency paper,” and references “triple entry accounting,” the title of a 2005 paper by financial cryptographer Ian Grigg that outlines several bitcoin-like ideas.

  • A post on the same blog from November, 2008 includes a request that readers who want to get in touch encrypt their messages to him using a PGP public key apparently linked to Satoshi Nakamoto. This key, when checked against the database of the MIT server where it was stored, is associated with the email address satoshin@vistomail.com, an email address very similar to the satoshi@vistomail.com address Nakamoto used to send the whitepaper introducing bitcoin to a cryptography mailing list.
  • An archived copy of a now-deleted blog post from Wright dated January 10, 2009, which reads: “The Beta of Bitcoin is live tomorrow. This is decentralized… We try until it works.” (The post was dated January 10, 2009, a day after Bitcoin’s official launch on January 9th of that year. But if Wright, living in Eastern Australia, posted it after midnight his time on the night of the 9th, that would have still been before bitcoin’s launch at 3pm EST on the 9th.) That post was later replaced with the rather cryptic text “Bitcoin — AKA bloody nosey you be…It does always surprise me how at times the best place to hide [is] right in the open.” Sometime after October of this year, it was deleted entirely.
  • In addition to those three blog posts, they received a cache of leaked emails, transcripts, and accounting forms that corroborate the link.
  • Another clue as to Wright’s bitcoin fortune wasn’t leaked to WIRED but instead remains hosted on the website of the corporate advisory firm McGrathNicol: a liquidation report on one of several companies Wright founded known as Hotwire, an attempt to create a bitcoin-based bank. It shows that the startup was backed in June 2013 by $23 million in bitcoins owned by Wright. That sum would be worth more than $60 million today.

  • Reported bitcoin ‘founder’ Craig Wright’s home raided by Australian police

  • On Wednesday afternoon, police gained entry to a home belonging to Craig Wright, who had hours earlier been identified in investigations by Gizmodo and Wired,

  • People who say they knew Wright have expressed strong doubts about his alleged role, with some saying privately they believe the publications have been the victims of an elaborate hoax.
  • More than 10 police personnel arrived at the house in the Sydney suburb of Gordon at about 1.30pm. Two police staff wearing white gloves could be seen from the street searching the cupboards and surfaces of the garage. At least three more were seen from the front door.
  • The Australian Federal police said in a statement that the raids were not related to the bitcoin claims. “The AFP can confirm it has conducted search warrants to assist the Australian Taxation Office at a residence in Gordon and a business premises in Ryde, Sydney. This matter is unrelated to recent media reporting regarding the digital currency bitcoin.”
  • The documents published by Gizmodo appear to show records of an interview with the Australian Tax Office surrounding his tax affairs in which his bitcoin holdings are discussed at length.
  • During the interview, the person the transcript names as Wright says: “I did my best to try and hide the fact that I’ve been running bitcoin since 2009 but I think it’s getting – most – most – by the end of this half the world is going to bloody know.”
  • Guardian Australia has been unable to independently verify the authenticity of the transcripts published by Gizmodo, or whether the transcript is an accurate reflection of the audio if the interview took place. It is also not clear whether the phrase “running” refers merely to the process of mining bitcoin using a computer.
  • The purported admission in the transcript does not state that Wright is a founder of the currency, but other emails that Gizmodo claim are from Wright suggest further involvement he may have had in the development of bitcoin.
  • The emails published by Gizmodo cannot be verified. Comment has been sought from Sinodinos on whether he was contacted by Wright – or his lawyer – in relation to bitcoin and its regulatory and taxation status in Australia.
  • A third email published by Gizmodo from 2008 attributes to Wright a comment where he said: “I have been working on a new form of electronic money. Bit cash, bit coin …”
  • WikiLeaks on Twitter: “We assess that Craig S Wright is unlikely to be the principal coder behind Bitcoin.” https://t.co/nRnftKPjm9
  • Additional Coverage: Freedom Hacker

In Patches We Trust: Why Security Updates have to get better

  • “How long do you put off restarting your computer, phone, or tablet for the sake of a security update or software patch? All too often, it’s far too long”
  • Why do we delay?
    • I am in the middle of something
    • The update might break something
    • I can’t waste a bunch of time dealing with fixing it if it doesn’t work
    • I hate it when they move buttons around on me
    • Installing the update makes the device unusable for 20+ minutes
  • “Patches are good for you. According to Homeland Security’s cyber-emergency unit, US-CERT, as many as 85 percent of all targeted attacks can be prevented by applying a security patch”
  • “The problem is that far too many have experienced a case when a patch has gone disastrously wrong. That’s not just a problem for the device owner short term, but it’s a lasting trust issue with software giants and device makers.”
  • We have all seen examples of bad patches
  • “Apple’s iOS 8.0.1 update was meant to fix initial problems with Apple’s new eight generation mobile operating system, but killed cell service on affected phones — leaving millions stranded until a fix was issued a day later. Google had to patch the so-called Stagefright flaw, which affected every Android device, for a second time after the first fix failed to do the job. Meanwhile, Microsoft has seen more patch recalls in the past two years than in the past decade.”
  • “Microsoft, for example, issued 135 security bulletins this year alone with thousands of separate vulnerabilities patched. All it takes is one or two patches to fail or break something — which has happened — to account for a 1 percent failure rate.”
  • Users get “update fatigue” if, every time they go to use the computer, there is a new update for one or more of: Java, Flash, Chrome, Skype, Windows, etc.
  • Worse, many drivers and other programs now add their own utilities, “update managers” and so on. Lenovo and Dell have both recently had to patch their “update managers” because they actually make your system more vulnerable.
  • Having a slew of different programs constantly nagging the user about updating just causes the user to stop updating everything, or to put the updates off for longer and longer
  • “At the heart of any software update is a trust relationship between the user and the company. When things go wrong, it can affect thousands or millions of users. Just ignoring the issue and pulling patches can undermine a user’s trust, which can damage the future patching process.”
  • “Customers don’t always expect vendors to be 100 percent perfect 100 percent of the time, or at least they shouldn’t,” said Childs. “However, if vendors are upfront and honest about the situation and provide actionable guidance, it goes a long way to reestablishing the trust that has been lost over the years.”

New APT group identified, known as Sofacy, or Fancy Bear

  • “Sofacy (also known as “Fancy Bear”, “Sednit”, “STRONTIUM” and “APT28”) is an advanced threat group that has been active since around 2008, targeting mostly military and government entities worldwide, with a focus on NATO countries. More recently, we have also seen an increase in activity targeting Ukraine.”
  • “Back in 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as its first stage malware. The implant shared certain similarities with the old Miniduke implants. This led us to believe the two groups were connected, at least to begin with, although it appears they parted ways in 2014, with the original Miniduke group switching to the CosmicDuke implant.”
  • “In the months leading up to August, the Sofacy group launched several waves of attacks relying on zero-day exploits in Microsoft Office, Oracle Sun Java, Adobe Flash Player and Windows itself. For instance, its JHUHUGIT implant was delivered through a Flash zero-day and used a Windows EoP exploit to break out of the sandbox. The JHUHUGIT implant became a relatively popular first stage for the Sofacy attacks and was used again with a Java zero-day (CVE-2015-2590) in July 2015.
    While the JHUHUGIT (and more recently, “JKEYSKW”) implant used in most of the Sofacy attacks, high profile victims are being targeted with another first level implant, representing the latest evolution of their AZZY Trojan.”
  • This shows how APT attackers constantly evolve, and reserve their best exploits for use against high profile targets, using lesser quality exploits on lesser targets, to avoid the better exploits being discovered and mitigated
  • “The first versions of the new AZZY implant appeared in August of this year. During a high profile incident we investigated, our products successfully detected and blocked a “standard” Sofacy “AZZY” sample that was used to target a range of defense contractors.”
  • “Interestingly, the fact that the attack was blocked didn’t appear to stop the Sofacy team. Just an hour and a half later they had compiled and delivered another AZZY x64 backdoor. This was no longer detectable with static signatures by our product. However, it was detected dynamically by the host intrusion prevention subsystem when it appeared in the system and was executed.”
  • “This recurring, blindingly-fast Sofacy attack attracted our attention as neither sample was delivered through a zero-day vulnerability — instead, they appeared to be downloaded and installed by another malware. This separate malware was installed by an unknown attack as “AppData\Local\Microsoft\Windows\msdeltemp.dll””
  • The attackers have multiple levels of malware, and can cycle through them until something works, then use that to drop a payload that matches the quality of the target they are attacking
  • “In addition to the new AZZY backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. Among the most popular modern defense mechanisms against APTs are air-gaps — isolated network segments without Internet access, where sensitive data is stored. In the past, we’ve seen groups such as Equation and Flame use malware to steal data from air-gapped networks. The Sofacy group uses such tools as well. The first versions of these new USB stealer modules appeared around February 2015 and the latest appear to have been compiled in May 2015.”
  • “This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants. More details on the new USB stealers are available in the section on technical analysis.”
  • “Over the last year, the Sofacy group has increased its activity almost tenfold when compared to previous years, becoming one of the most prolific, agile and dynamic threat actors in the arena. This activity spiked in July 2015, when the group dropped two completely new exploits, an Office and Java zero-day. At the beginning of August, Sofacy began a new wave of attacks, focusing on defense-related targets. As of November 2015, this wave of attacks is ongoing. The attackers deploy a rare modification of the AZZY backdoor, which is used for the initial reconnaissance. Once a foothold is established, they try to upload more backdoors, USB stealers as well as other hacking tools such as “Mimikatz” for lateral movement.”
  • Lateral movement is a more generic term for Island Hopping, moving around inside the network once you get through the outer defenses
  • “Two recurring characteristics of the Sofacy group that we keep seeing in its attacks are speed and the use of multi-backdoor packages for extreme resilience. In the past, the group used droppers that installed both the SPLM and AZZY backdoors on the same machine. If one of them was detected, the other one provided the attacker with continued access.”
  • “As usual, the best defense against targeted attacks is a multi-layered approach. Combine traditional anti-malware technologies with patch management, host intrusion detection and, ideally, whitelisting and default-deny strategies.”

The post Finding Nakamoto | TechSNAP 244 first appeared on Jupiter Broadcasting.

]]>
Raspberry Pi Does What? | LINUX Unplugged 121 https://original.jupiterbroadcasting.net/90956/raspberry-pi-does-what-lup-121/ Tue, 01 Dec 2015 19:49:43 +0000 https://original.jupiterbroadcasting.net/?p=90956 A new trick up Fedora’s sleeve might be worth trying on your own Linux install, the new mini-pc revolution is here & the Raspberry Pi Zero brings it for $5. Adobe announces the death of Flash… Kind of. But we’ll share how to finish the job & truly banish flash from your Linux rig. Plus […]

The post Raspberry Pi Does What? | LINUX Unplugged 121 first appeared on Jupiter Broadcasting.

]]>

A new trick up Fedora’s sleeve might be worth trying on your own Linux install, the new mini-pc revolution is here & the Raspberry Pi Zero brings it for $5. Adobe announces the death of Flash… Kind of. But we’ll share how to finish the job & truly banish flash from your Linux rig.

Plus open source gaming just got an upgrade, GIMP has some fancy & more!

Show Notes:

Pre-Show:

Follow Up / Catch Up

Warsow 2.0 Released With Better Graphics, CC-Licensed Game Assets

Warsow 2.0 adds a tutorial level to help new gamers, many graphical effects were revamped, weapon parameters were tweaked, new HUDs, and many other changes.

The Warsow 2.0 renderer is reported to be 30~50% faster for overall performance, reduced vRAM footprint for textures, KTX texture format support, support for the GLSL binary cache, multi-threading to speed-up map loading, and many other interesting changes.

GIMP 2.9.2 Released

With 2.9.2, you can already benefit from certain aspects of the new engine, such as:

  • 16/32bit per color channel processing
  • Basic OpenEXR support
  • On-canvas preview for many filters
  • Experimental hardware-accelerated rendering and processing via OpenCL
  • Higher-quality downscaling

Additionally, native support for PNG, TIFF, PSD, and FITS files in GIMP has been upgraded to read and write 16/32bit per color channel data.

F24 System Wide Change: Default Local DNS Resolver – devel-announce – Fedora List Archives

Plain DNS protocol is insecure and therefore vulnerable from various
attacks (e.g. cache poisoning). A client can never be sure that there
is no man-in-the-middle, if it does not do the DNSSEC validation
locally.

We want to have Unbound server installed and running on localhost by
default on Fedora systems.

The Mini PC Roundup

Raspberry Pi Zero: the $5 computer – Raspberry Pi

Today, I’m pleased to be able to announce the immediate availability of Raspberry Pi Zero, made in Wales and priced at just $5. Zero is a full-fledged member of the Raspberry Pi family, featuring:

  • A Broadcom BCM2835 application processor
    • 1GHz ARM11 core (40% faster than Raspberry Pi 1)
  • 512MB of LPDDR2 SDRAM
  • A micro-SD card slot
  • A mini-HDMI socket for 1080p60 video output
  • Micro-USB sockets for data and power
  • An unpopulated 40-pin GPIO header
    • Identical pinout to Model A+/B+/2B
  • An unpopulated composite video header
  • Our smallest ever form factor, at 65mm x 30mm x 5mm

Raspberry Pi Zero runs Raspbian and all your favourite applications, including Scratch, Minecraft and Sonic Pi. It is available today in the UK from our friends at The Pi Hut and Pimoroni, and in the US from Adafruit

Kodi on the $5 Raspberry Pi Zero

Omega – Onion

Omega is an invention platform for the Internet of Things. It comes WiFi-enabled and supports most of the popular languages such as Python and Node.JS. Omega makes hardware prototyping as easy as creating and installing software apps.

Dimensions: 28mm x 42mm
OS: OpenWRT Linux
Processor: 400MHz
RAM: 64MB DDR2
Flash: 16MB
Wireless: 802.11 b/g/n
Ports: 18 GPIO
Language: Python, Node.JS, PHP, Ruby, Lua and more…

Wireless Raspberry Pi speaker | Linux User & Developer – the Linux and FOSS mag for a GNU generation

AirPlay uses Apple technology that was reverse-engineered in 2011, which means that third-party devices can now participate in the fun. AirPlay allows any Apple device to broadcast whatever is coming out of its speakers to an AirPlay receiver (which will be our Pi in this case). There is a way to send audio from PulseAudio to AirPlay receivers

GeekBox | by geekbuying the Pioneering Versatile Open Source TV Box

The RK3368 is an Octa Core 64bit, ARM Cortex-A53 processor with PowerVR G6110 graphics chip, 28nm processing design, Support OPENGL ES 3.1. RK3368 with super video capabilities, 4K×2K, H.265 and HDMI 2.0@60Hz output support.

Adobe kills the ‘Flash’ name after twenty years

Adobe revealed that the Flash product will be called Adobe Animate CC from January’s update of the Creative Cloud suite. There’s no explicit mention of what the browser plug-in will be called, but presumably it will mirror the change of name.

The post Raspberry Pi Does What? | LINUX Unplugged 121 first appeared on Jupiter Broadcasting.

]]>
A Rip in NTP | TechSNAP 237 https://original.jupiterbroadcasting.net/89591/a-rip-in-ntp-techsnap-237/ Thu, 22 Oct 2015 18:21:21 +0000 https://original.jupiterbroadcasting.net/?p=89591 The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches. Plus a great batch of questions, a rockin’ round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct […]

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.

]]>

The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.

Plus a great batch of questions, a rockin’ round up & much, much more!

— Show Notes: —

OpenZFS Dev Summit


Researchers warn about flaws in NTP

  • NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc.).
  • “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
  • Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stop checking the time altogether
  • “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
  • “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
  • Post by researchers
  • PDF: Full research paper
  • The researchers outline 4 different attacks against NTP:
    • Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
    • Attack 2 (Denial of Service by Priming the Pump)
    • Attack 3 (Timeshifting by Reboot)
    • Attack 4 (Timeshifting by Fragmentation)
  • It is recommended you upgrade your version of NTP to ntp-4.2.8p4
  • “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
  • The paper goes on to describe the amount of error that needs to be induced to cause a problem:
    • TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
    • HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”. For sanity’s sake, this header has an expiration date set some time in the future, usually a year. If you forward the clock past then, you can trick a browser into accepting an insecure connection.
    • DNSSEC: months.
    • DNS Caches: days.
    • Routing (if security is even enabled): days
    • Bitcoin: hours
    • API Authenticate: minutes
    • Kerberos: minutes
  • Alternatives:
    • Ntimed
    • OpenNTPd
      • Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from that, ignore that time server as it might be malicious
    • tlsdate
    • NTPSec (a fork of regular NTP being improved)
  • Additional Coverage: ArsTechnica
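
The sanity check described for OpenNTPd above (compare each NTP reply with the time in HTTPS `Date` headers and ignore servers that disagree), written out as an added example. This is not OpenNTPd's code and not part of the original show notes; the host names, the sample values, the 5-second tolerance and the minimum of three usable headers are assumptions made for the illustration, and all samples are treated as taken at the same instant.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median

TOLERANCE_SECONDS = 5.0   # assumption: "a few seconds", as the notes put it
MIN_CONSTRAINTS = 3       # assumption: refuse to judge with fewer usable headers

# Constructed sample: Date headers as received over verified HTTPS connections.
HTTPS_DATE_HEADERS = {
    "site-a.example": "Thu, 22 Oct 2015 18:21:20 GMT",
    "site-b.example": "Thu, 22 Oct 2015 18:21:22 GMT",
    "site-c.example": "Thu, 22 Oct 2015 18:21:21 GMT",
    "site-d.example": "not a date",            # broken header, must be skipped
}

# Constructed sample: the time each NTP server claims it is.
NTP_REPLIES = {
    "ntp-good.example": datetime(2015, 10, 22, 18, 21, 21, 400000, tzinfo=timezone.utc),
    "ntp-slow.example": datetime(2015, 10, 22, 18, 21, 10, tzinfo=timezone.utc),
    # More than a year ahead: enough to expire an HSTS entry or a certificate.
    "ntp-shifted.example": datetime(2016, 10, 23, 18, 21, 21, tzinfo=timezone.utc),
}


def parse_constraints(headers):
    """Turn HTTP Date header strings into aware UTC datetimes, skipping bad ones."""
    parsed = []
    for value in headers.values():
        try:
            when = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            continue                            # unparsable header: not a constraint
        if when.tzinfo is None:                 # "-0000" yields a naive datetime
            when = when.replace(tzinfo=timezone.utc)
        parsed.append(when.astimezone(timezone.utc))
    return parsed


def constraint_time(headers):
    """Median of the HTTPS times; one lying or broken site cannot move it far."""
    constraints = parse_constraints(headers)
    if len(constraints) < MIN_CONSTRAINTS:
        raise ValueError("not enough usable HTTPS Date headers to judge NTP replies")
    mid = median(c.timestamp() for c in constraints)
    return datetime.fromtimestamp(mid, tz=timezone.utc)


def check_servers(ntp_replies, headers, tolerance=TOLERANCE_SECONDS):
    """Return (server, offset_seconds, accepted) for every NTP reply.

    The HTTPS time is only a plausibility bound (the header has one-second
    resolution); the clock is still set from the NTP servers that pass.
    """
    reference = constraint_time(headers)
    results = []
    for name in sorted(ntp_replies):
        offset = (ntp_replies[name] - reference).total_seconds()
        results.append((name, offset, abs(offset) <= tolerance))
    return results


if __name__ == "__main__":
    for name, offset, accepted in check_servers(NTP_REPLIES, HTTPS_DATE_HEADERS):
        verdict = "use" if accepted else "ignore"
        print(f"{name:22s} offset {offset:+14.1f}s -> {verdict}")
```
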

Adobe and Oracle release critical patches

  • Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
  • All users should upgrade to Flash 19.0.0.226
  • If you are worried, consider switching Flash to Click-to-Play mode
  • Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
  • “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
  • All users are strongly encouraged to upgrade to Java 8 Update 65
  • Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
  • “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
  • “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.

]]>
National Security Breaking Agency | TechSNAP 236 https://original.jupiterbroadcasting.net/89226/national-security-breaking-agency-techsnap-236/ Thu, 15 Oct 2015 18:03:54 +0000 https://original.jupiterbroadcasting.net/?p=89226 How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers. Plus a great batch of your questions, a rocking round-up & much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | […]

The post National Security Breaking Agency | TechSNAP 236 first appeared on Jupiter Broadcasting.

]]>

How the NSA might be breaking Crypto, fresh zero day exploit against Flash with a twist & Keylogging before computers.

Plus a great batch of your questions, a rocking round-up & much more!

— Show Notes: —

How might the NSA be breaking crypto?

  • “There have been rumors for years that the NSA can decrypt a significant fraction of encrypted Internet traffic. In 2012, James Bamford published an article quoting anonymous former NSA officials stating that the agency had achieved a “computing breakthrough” that gave them “the ability to crack current public encryption.” The Snowden documents also hint at some extraordinary capabilities: they show that NSA has built extensive infrastructure to intercept and decrypt VPN traffic and suggest that the agency can decrypt at least some HTTPS and SSH connections on demand. However, the documents do not explain how these breakthroughs work, and speculation about possible backdoors or broken algorithms has been rampant in the technical community.”
  • “Yesterday at ACM CCS, one of the leading security research venues, we and twelve coauthors presented a paper that we think solves this technical mystery.”
  • PDF: Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice
  • “The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.”
  • “If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. There seemed to be no reason why everyone couldn’t just use the same prime, and, in fact, many applications tend to use standardized or hard-coded primes. But there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.”
  • “For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.”
  • “Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.”
  • “Based on the evidence we have, we can’t prove for certain that NSA is doing this. However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto. While the documents make it clear that NSA uses other attack techniques, like software and hardware “implants,” to break crypto on specific targets, these don’t explain the ability to passively eavesdrop on VPN traffic at a large scale.”
  • “8.4% of Alexa Top 1M HTTPS domains allow DHE_EXPORT, of which 92.3% use one of the two most popular primes”
  • “After a week-long precomputation for each of the two top export-grade primes (see Table 1), we can quickly break any key exchange that uses them. Here we show times for computing 3,500 individual logs; the median is 70 seconds.”
  • “Our calculations suggest that it is plausibly within NSA’s resources to have performed number field sieve precomputations for at least a small number of 1024-bit Diffie-Hellman groups. This would allow them to break any key exchanges made with those groups in close to real time. If true, this would answer one of the major cryptographic questions raised by the Edward Snowden leaks: How is NSA defeating the encryption for widely used VPN protocols?”
  • If the NSA has precomputed just one DH 1024 group, they would be able to compromise 37% of the HTTPS traffic to the top 1 million sites using an active downgrade attack. If they have precomputed the ten most popular DH 1024 groups, that number increases to 56%
  • When applied to VPNs, the single most popular DH 1024 group would compromise 66% of all traffic. For SSH, the number is 25%. For both VPN and SSH, the top 10 does not increase the likelihood of compromise; this suggests that outside of a specific very popular 1024-bit group, most other sites do not reuse the same group as others.
  • “we performed a scan in which we mimicked the algorithms offered by OpenSSH 6.6.1p1, the latest version of OpenSSH. In this scan, 21.8% of servers preferred the 1024-bit Oakley Group 2, and 37.4% preferred a server-defined group. 10% of the server-defined groups were 1024-bit, but, of those, near all provided Oakley Group 2 rather than a custom group”
  • Recommendations from the paper:
    • Transition to elliptic curves: Transitioning to elliptic curve Diffie-Hellman (ECDH) key exchange with appropriate parameters avoids all known feasible cryptanalytic attacks
    • Increase minimum key strengths: Server operators should disable DHE_EXPORT and configure DHE ciphersuites to use primes of 2048 bits or larger.
    • Avoid fixed-prime 1024-bit groups: For implementations that must continue to use or support 1024-bit groups for compatibility reasons, generating fresh groups may help mitigate some of the damage caused by NFS-style precomputation for very common fixed groups.
    • Don’t deliberately weaken crypto: Our downgrade attack on export-grade 512-bit Diffie-Hellman groups in TLS illustrates the fragility of cryptographic “front doors”. Although the key sizes originally used in DHE_EXPORT were intended to be tractable only to NSA, two decades of algorithmic and computational improvements have significantly lowered the bar to attacks on such key sizes.
  • “Prior to our work, Internet Explorer, Chrome, Firefox, and Opera all accepted 512-bit primes, whereas Safari allowed groups as small as 16 bits. As a result of our disclosures, Internet Explorer, Firefox, and Chrome are transitioning the minimum size of the DHE groups they accept to 1024 bits, and OpenSSL and Safari are expected to follow suit.”
  • Additional information from the researchers’ site WeakDH.org
  • Sysadmin’s guide to securing your servers

  • https://www.onlinemeetingnow.com/register/?id=pmsy0fu2ck&inf_contact_key=c3de960e4fc660a9c3744ecc74a608bdde91a80fc9d58288c71bfd6d9c0209ad

Fresh Zero Day exploit against fully patched Adobe Flash

  • Just last week, we were commenting on how quiet things have been on the Adobe Flash front
  • Sorry for jinxing it for everyone
  • This zero day exploit even affects Flash version 19.0.0.207 which was released on Tuesday
  • Adobe expects to release a patch that fixes the Zero day some time next week
  • “Attackers are exploiting a previously unknown vulnerability in fully patched versions of Adobe’s Flash Player so they can surreptitiously install malware on end users’ computers”
  • “So far, the attacks are known to target only government agencies as part of a long-running espionage campaign carried out by a group known as Pawn Storm, researchers from antivirus provider Trend Micro said in a blog post published Tuesday. It’s not unusual for such zero-day exploits to be more widely distributed once the initial element of surprise wanes. The critical security flaw is known to reside in Flash versions 19.0.0.185 and 19.0.0.207 and may also affect earlier versions. At this early stage, no other technical details are available”
  • “In this most recent campaign of Pawn Storm, several Ministries of Foreign Affairs received spear phishing e-mails. These contain links to sites that supposedly contain information about current events, but in reality, these URLs hosted the exploit”
  • In this wave of attacks, the emails were about the following topics:
    • “Suicide car bomb targets NATO troop convoy Kabul”
    • “Syrian troops make gains as Putin defends air strikes”
    • “Israel launches airstrikes on targets in Gaza”
    • “Russia warns of response to reported US nuke buildup in Turkey, Europe”
    • “US military reports 75 US-trained rebels return Syria”
  • The most startling thing here is that you would not expect government employees to get such news via email, so they should know better than to fall for emails with these subjects or follow links with such headlines.
  • “It’s worth noting that the URLs hosting the new Flash zero-day exploit are similar to the URLs seen in attacks that targeted North Atlantic Treaty Organization (NATO) members and the White House in April this year.”
  • It will be interesting to see if any of the exploit kits manage to pick up this zero-day before the patch is released
  • This attack is currently focused on the government, and the attackers likely want to keep their zero-day to themselves
  • Once a fix is released, I would expect the regular malware authors to reverse engineer the fix to find the exploit, and see this added to the regular exploit kits
  • Additional Coverage: Krebs

Keylogging before computers: How Soviets used IBM Selectric keyloggers to spy on US diplomats

  • “A National Security Agency memo that recently resurfaced a few years after it was first published contains a detailed analysis of what very possibly was the world’s first keylogger—a 1970s bug that Soviet spies implanted in US diplomats’ IBM Selectric typewriters to monitor classified letters and memos.”
  • “The electromechanical implants were nothing short of an engineering marvel. The highly miniaturized series of circuits were stuffed into a metal bar that ran the length of the typewriter, making them invisible to the naked eye. The implant, which could only be seen using X-ray equipment, recorded the precise location of the little ball Selectric typewriters used to imprint a character on paper. With the exception of spaces, tabs, hyphens, and backspaces, the tiny devices had the ability to record every key press and transmit it back to Soviet spies in real time.”
  • “The Soviet implants were discovered through the painstaking analysis of more than 10 tons’ worth of equipment seized from US embassies and consulates and shipped back to the US. The implants were ultimately found inside 16 typewriters used from 1976 to 1984 at the US embassy in Moscow and the US consulate in Leningrad. The bugs went undetected for the entire eight-year span and only came to light following a tip from a US ally whose own embassy was the target of a similar eavesdropping operation.”
  • “”Despite the ambiguities in knowing what characters were typed, the typewriter attack against the US was a lucrative source of information for the Soviets,” an NSA document, which was declassified several years ago, concluded. “It was difficult to quantify the damage to the US from this exploitation because it went on for such a long time.” The NSA document was published here in 2012. Ars is reporting the document because it doesn’t appear to have been widely covered before and generated a lively conversation Monday on the blog of encryption and security expert Bruce Schneier.”
  • “When the implant was first reported, one bugging expert cited in Discover magazine speculated that it worked by measuring minute differences in the time it took each character to be imprinted. That theory was based on the observation that the time the Selectric ball took to complete a rotation was different for each one. A low-tech listening device planted in the room would then transmit the sounds of a typing Selectric to a Soviet-operated computer that would reconstruct the series of key presses.”
  • “In fact, the implant was far more advanced and worked by measuring the movements of the “bail,” which was the term analysts gave to the mechanical arms that controlled the pitch and rotation of the ball.”
  • “In reality, the movement of the bails determined which character had been typed because each character had a unique binary movement corresponding to the bails. The magnetic energy picked up by the sensors in the bar was converted into a digital electrical signal. The signals were compressed into a four-bit frequency select word. The bug was able to store up to eight four-bit characters. When the buffer was full, a transmitter in the bar sent the information out to Soviet sensors.”
  • “There was some ambiguity in determining which characters had been typed. NSA analysts using the laws of probability were able to figure out how the Soviets probably recovered text. Other factors which made it difficult to recover text included the following: The implant could not detect characters that were typed without the ball moving. If the typist pressed space, tab shift, or backspace, these characters were invisible to the implant. Since the ball did not move or tilt when the typist pressed hyphen because it was located at the ball’s home position, the bug could not read this character either.”
  • “The implants were also remarkable for the number of upgrades they received. Far from being a static device that was built once and then left to do its job, the bugs were constantly refined.”
  • “There were five varieties or generations of bugs. Three types of units operated using DC power and contained either eight, nine, or ten batteries. The other two types operated from AC power and had beacons to indicate whether the typewriter was turned on or off. Some of the units also had a modified on and off switch with a transformer, while others had a special coaxial screw with a spring and lug. The modified switch sent power to the implant. Since the battery-powered machines had their own internal source of power, the modified switch was not necessary. The special coaxial screw with a spring and lug connected the implant to the typewriter linkage, and this linkage was used as an antenna to transmit the information as it was being typed. Later battery-powered implants had a test point underneath an end screw. By removing the screw and inserting a probe, an individual could easily read battery voltage to see if the batteries were still active.”
  • “The devices could be turned off to avoid detection when the Soviets knew inspection teams were in close proximity. Newer devices operated by the US may have had the ability to detect the implants, but even then an element of luck would have been required, since the infected typewriter would have to be turned on, the bug would have to be turned on, and the analyzer would have to be tuned to the right frequency. To lower this risk, Soviet spies deliberately designed the devices to use the same frequency band as local television stations.”
  • I thought this was an interesting example of how espionage works and how hard it can be to detect

Feedback:


Round Up:


The post National Security Breaking Agency | TechSNAP 236 first appeared on Jupiter Broadcasting.

]]>
LogMeIn to LastPass | TTT 217 https://original.jupiterbroadcasting.net/88911/logmein-to-lastpass-ttt-217/ Fri, 09 Oct 2015 10:36:51 +0000 https://original.jupiterbroadcasting.net/?p=88911 LastPass gets bought, FireFox loves Flash long time, just not your plugins, good iPhone vs bad iPhone & why the rest of the world laughs at the state of the US’ mobile payments. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG […]

The post LogMeIn to LastPass | TTT 217 first appeared on Jupiter Broadcasting.

]]>

LastPass gets bought, FireFox loves Flash long time, just not your plugins, good iPhone vs bad iPhone & why the rest of the world laughs at the state of the US’ mobile payments.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

]]>
Insecurity by Design | LINUX Unplugged 108 https://original.jupiterbroadcasting.net/87166/insecurity-by-design-lup-108/ Tue, 01 Sep 2015 16:28:54 +0000 https://original.jupiterbroadcasting.net/?p=87166 Top law enforcement officials in the US want backdoors in all encryption systems. What would the ramifications to open source around the world be if this became law of the land in the US? Details on the upcoming road show, Kubuntu’s new look, saying goodbye to an old friend & some Go powered retro feedback. […]

The post Insecurity by Design | LINUX Unplugged 108 first appeared on Jupiter Broadcasting.

]]>

Top law enforcement officials in the US want backdoors in all encryption systems. What would the ramifications to open source around the world be if this became law of the land in the US?

Details on the upcoming road show, Kubuntu’s new look, saying goodbye to an old friend & some Go powered retro feedback.

Thanks to:

Ting


DigitalOcean


Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

Catch Up:


TING

Using gotty to expose my BBS to the web!

I was delighted to see that you guys covered gotty in the last episode of LAS. I just recently (about a week ago) started experimenting with gotty as a bridge between my telnet/SSH BBS and the web, and it’s been a pretty sweet experience so far. The author was very responsive on his GitHub page in walking me through a handful of issues I was having in getting the font setup correctly (since my board makes heavy use of textmode artwork). Check it out!

Go is an open source programming language that makes it easy to build
simple, reliable, and efficient software.

How does OSS Respond to State Backdoor Requirements?

NSA Boss: Encrypted Software Needs Government Backdoors

He remains adamant that technology companies should install government-friendly backdoors in encrypted products.

DigitalOcean

New name for the road show…

Chris mentioned he was looking for a silly name for the new mobile studio in his RV. Here you go, “The whole enchilada show”. OK, perhaps not that good, other ideas….

zircon_34

JB Road Show Essentials Wishlist

A list of important items we need for our road trip, thanks for the help, this lets us focus on big ticket mechanical and installation items!

Linux Academy

LILO to finish development of LILO at 12/2015

Any keystroke launcher diehards here? : LinuxActionShow

01org/thermal_daemon · GitHub

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

]]>
Happy Little Accidents | TTT 205 https://original.jupiterbroadcasting.net/86732/happy-little-accidents-ttt-205/ Thu, 20 Aug 2015 09:34:46 +0000 https://original.jupiterbroadcasting.net/?p=86732 Freshly back from LinuxCon we update you on the stories of the day, the big players pushing Flash out the door & how forgetful scientists accidentally quadruple lithium-ion battery lifespan. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes […]

The post Happy Little Accidents | TTT 205 first appeared on Jupiter Broadcasting.

]]>

Freshly back from LinuxCon we update you on the stories of the day, the big players pushing Flash out the door & how forgetful scientists accidentally quadruple lithium-ion battery lifespan.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

]]>
Oracle’s EULAgy #oraclefanfic | TechSNAP 227 https://original.jupiterbroadcasting.net/86507/oracles-eulagy-oraclefanfic-techsnap-227/ Thu, 13 Aug 2015 14:44:17 +0000 https://original.jupiterbroadcasting.net/?p=86507 Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain. A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile […]

The post Oracle's EULAgy #oraclefanfic | TechSNAP 227 first appeared on Jupiter Broadcasting.

]]>

Oracle really doesn’t want you to reverse engineer their products but they may have just released the Kraken, we’ll explain.

A massive drop of 35 fixes in one day, great feedback and follow up, a rockin roundup & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Oracle doesn’t think you should try to reverse engineer their products

  • “Oracle, never the most researcher-friendly software vendor, has taken its antagonism to another level after publishing a blog post by CSO Mary Ann Davidson that rails against reverse engineering and saying that the company has no need for researchers to look at Oracle’s code for vulnerabilities because “it’s our job to do that, we are pretty good at it””
  • The blog post has since been taken down
  • Archive.org copy of Oracle Blog post
  • Google Cache of Oracle Blog post
  • “Davidson, who has been at Oracle for more than 25 years, said in the post that reverse engineering violates Oracle’s license agreement and that the company regularly sends letters to customers and consultants who it believes have violated the EULA. She also said that even when researchers try to report a security vulnerability in an Oracle product, the company often takes issue with how the bug was found and won’t credit researchers.”
  • This is where I take the most extreme exception
  • First, I don’t imagine that it is most average Oracle customers who are reverse engineering Oracle software looking for bugs
  • Often, security research companies will look for bugs in major bits of software (be it Flash, Windows, Firefox, Chrome, Java, etc.) with the goal of publishing their research once the bugs they find are fixed, in order to build a reputation, to get security consulting customers
  • This system depends on A) Vendors actually accepting and acting upon bug reports, and B) Vendors crediting the people who discover the flaws in the security advisory / patch notes
  • When a researcher is helping you better your software, for free, the least you can do is give them credit where it is due
  • If Oracle doesn’t want to have a bug bounty program, that is their decision, but they cannot expect the entire security community to just pretend Oracle doesn’t exist, and isn’t an attack surface
  • ““I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time,” Davidson said in the post.”
  • So at least they are going to fix it, eventually …
  • ““However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’””
  • But credit? Nope. Ohh, and we might decide to try to engage in litigation against you
  • Of course, if you actually read the EULA, Oracle’s software is not warranted for any use whatsoever. The EULA basically spells out that using any of the software in production is at your own risk, and you probably shouldn’t do that. Of course, that is what every EULA says.
  • ““Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers,” Davidson said in the post.”
  • Of course, Oracle’s Legal department backpedaled, hard:
  • A statement sent by Oracle PR said that the company removed the post because it didn’t fit with the company’s relationship with customers.
  • “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers,” said Edward Screven, Executive Vice President and Chief Corporate Architect, at Oracle.
  • Twitter reacted quickly
  • A new trend has emerged around the hashtag #OracleFanFic

Why not insider trade on EVERY company?

  • This Bloomberg View article starts with a typical description of how insider trading works, and how people get away with it
  • It then starts to dig into how a group of Ukrainian malactors did it against a huge number of companies, and illegally profited over $100 million.
  • The group broke into the systems of Marketwired, PR Newswire, and Business Wire, and lifted the press releases before they became public
  • Then, rather than acting on this information themselves, which might have been obvious, they sold the information to various different people, in exchange for a flat fee, or a stake in the action
  • They created an entire industry around the information, eventually growing a support infrastructure, and even taking ‘requests’ for releases from specific companies
  • “They ran this like a business. They provided customer support: The hackers allegedly set up servers for their customers to access their information, and “created a video tutorial on how to access and use one of the servers they used to share the Stolen Releases.””
  • “The defendants allegedly stole approximately 150,000 confidential press releases from the servers of the newswire companies,”
  • “The size and professionalization of the business, though, shouldn’t be confused with sophistication. There are some signs that these guys actually weren’t all that sophisticated. For one thing, the traders seem to have gotten caught in the usual way. “The investigation began when prosecutors in Brooklyn and the FBI received a referral from the SEC about a pattern of suspicious trading by some of the defendants,”
  • “The other place where the hackers may not have been that sophisticated was in the actual hacking. The hackers “gained unauthorized access to press releases on the networks of Marketwired using a series of SQL Injection Attacks.” They gained access to Business Wire after “the login credentials of approximately fifteen Business Wire employees had been ‘bruted.’”
  • The author of the article makes an interesting point: “But I feel like part of it has to be that the people in charge of those databases, like me until today, had a disenchanted view of the financial world. These systems didn’t hold the nuclear launch codes. They held press releases — documents that, by definition, would be released publicly within a few days at most. Speed, convenience and reliability were what mattered, not top-notch security. How important could it be to keep press releases secure? What were the odds that a crack team of criminals would be downloading tens of thousands of press releases before they became public, in order to sell them to further teams of criminals who would trade on them? It just sounds so crazy. You’d have to be paranoid to even think of it. But — allegedly! — it’s exactly what happened.”
  • Additional Coverage – Bloomberg
  • Additional Coverage – Threat Post
  • Justice Department Press Release
  • New Jersey Federal Criminal Complaint
  • Brooklyn Federal Criminal Complaint
  • SEC Press Release
  • SEC Civil Complaint

Adobe issues huge patch that fixes 35 vulnerabilities in Flash and AIR

  • “The vulnerabilities Adobe patched Tuesday include a number of type confusion flaws, use-after-free vulnerabilities, buffer overflows, and memory corruption vulnerabilities. Many of the vulnerabilities can be used to take complete control of vulnerable machines”
  • Make sure your Flash version is 18.0.0.232 or newer
  • The fixed flaws include:
    • 16 use-after-frees
    • 8 memory corruptions
    • 5 type confusions
    • 5 buffer overflow and heap buffer overflow bugs
    • 1 integer overflow flaw
  • “These updates include further hardening to a mitigation introduced in version 18.0.0.209 to defend against vector length corruptions (CVE-2015-5125).”
  • In an interesting turn of events, “On Monday, researchers from Kaspersky Lab disclosed that attackers behind the Darkhotel APT campaign have been using one of the patched Flash bugs developed by Hacking Team in its attacks”
  • “Darkhotel seems to have burned through a pile of Flash zero-day and half-day exploits over the past few years, and it may have stockpiled more to perform precise attacks on high-level individuals globally,” Kaspersky Lab principal security researcher Kurt Baumgartner said
  • “Note: Beginning August 11, 2015, Adobe will update the version of the “Extended Support Release” from Flash Player 13 to Flash Player 18 for Macintosh and Windows. To stay current with all available security updates, users must install version 18 of the Flash Player Extended Support Release or update to the most recent available version. For full details, please see this blog post”
  • Official Adobe Advisory
  • The advisory issues thanks to a number of researchers and companies that found the vulnerabilities including:
    • Google Project Zero
    • FortiGuard Labs
    • Alibaba Security Research Team
    • Chromium Vulnerability Rewards Program
    • 360 Vulcan Team
  • Additional Coverage

Feedback:


Round Up:


]]>
Solving the Flash Plague | TechSNAP 226 https://original.jupiterbroadcasting.net/86237/solving-the-flash-plague-techsnap-226/ Fri, 07 Aug 2015 07:33:08 +0000 https://original.jupiterbroadcasting.net/?p=86237 Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang. Plus a great batch of questions, the roundup & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | […]

The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.

]]>

Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang.

Plus a great batch of questions, the roundup & more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

0day exploits against Flash will be harder thanks to new mitigations

  • Three new exploit mitigations are being added to Adobe’s Flash player in an effort to prevent future exploits
  • The mitigations were developed in a collaboration between Adobe and Google’s Project Zero
  • The mitigations are:
    • “buffer heap partitioning” – Specific types of objects have been moved to an entirely separate heap (the OS Heap instead of the Flash Heap), preventing an overflow in the Flash Heap from ever being able to corrupt those objects. “It’s worth noting that this defense is much more powerful in a 64-bit build of Flash, because of address space limitations of 32-bit processes. This mitigation is now available in the Chrome version of Flash, and is expected to come to all other browsers sometime in August. Now is a good time to upgrade to a 64-bit browser and Flash.”
    • “stronger randomization for the Flash heap” – The Flash heap is no longer stored in a predictable location, so it is harder to exploit. In addition, especially on 64-bit platforms, large allocations are further randomized. An older exploit developed by Project Zero used up to a 1GB allocation in order to hit a predictable location. With the large 64-bit address space to play with, these allocations can be so far apart that it will be very difficult for an attacker to overflow the Flash heap to run into the binary sections.
    • “Vector.<*> length validation secret” – Many of the recent and previous exploits have worked by overwriting the length of the Vector objects, to make them overflow into other areas of memory. The previous two mitigations make it harder to do this, but Adobe have developed a validation technique to detect when the length has been altered unexpectedly. The Adobe mitigation works by storing a “validation secret”, a hash of the correct length and a secret value. The attacker doesn’t know the secret value, so cannot write the correct hash, and Flash will exit with a runtime error. This mitigation is available in all Flash builds as of 18.0.0.209.
  • “Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities”
  • Hopefully these will propagate quickly and reduce the frequency of Flash 0-days
  • Google Project Zero Blog Post

1.4M Vehicle Recall After Bug in Chrysler UConnect System

  • Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
  • The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
  • This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
  • Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
  • It’s not a Sprint issue but they have been “working with Chrysler to help them further secure their vehicles”.
  • Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
  • Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
  • The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements.
  • Chrysler Recalls
  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
  • Fiat Chrysler Automobiles (FCA) Uconnect Vulnerability
  • FCA Uconnect Vulnerability | ICS-CERT

Inside the “Business Club” crime gang

  • Krebs profiles the “Business Club” crime gang, which apparently managed to steal more than $100 million from European banks and businesses
  • The story centers on the “Gameover ZeuS” trojan and botnet. The commercial ZeuS malware had been popular for years for stealing banking credentials, but this was a closely held private version built for himself by the original author
  • “Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.””
  • “That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.”
  • “The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Oceans 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.”
  • “Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.””
  • “The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.”
  • “Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.”
  • The botnet was also used against Turkey
  • “The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”
  • “The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”
  • The full Fox-IT report is available as a PDF here

Feedback:


Round Up:


The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.

Lousy Lollipop Adoption | TTT 202 https://original.jupiterbroadcasting.net/86047/lousy-lollipop-adoption-ttt-202/ Wed, 05 Aug 2015 10:27:09 +0000

The post Lousy Lollipop Adoption | TTT 202 first appeared on Jupiter Broadcasting.


A fresh version of LibreOffice hits the web, another Flash attack in the wild, this one uses “malvertising”. What the heck is malvertising? We discuss.

Plus what the state of Android looks like in 2015, another OS X bug & more!

Get Going with X2Go | LAS 374 https://original.jupiterbroadcasting.net/85377/get-going-with-x2go-las-374/ Sun, 19 Jul 2015 14:32:00 +0000

The post Get Going with X2Go | LAS 374 first appeared on Jupiter Broadcasting.


The best remote desktop experience has never been easier, we’ll show you the power of X2Go with the security of SSH!

Plus the push to kill flash picks up, Firefox OS fork “H5OS” gets a $100 million boost, how to watch Amazon Prime video under Linux & more!

Thanks to:


DigitalOcean


Ting


— Show Notes: —

Install X2Go

    # X2Go server, from the x2go/stable PPA
    sudo apt-get update
    sudo apt-get install python-software-properties
    sudo add-apt-repository ppa:x2go/stable
    sudo apt-get update
    sudo apt-get install x2goserver x2goserver-xsession

    # MATE desktop, from the ubuntu-mate-dev PPAs
    sudo apt-add-repository ppa:ubuntu-mate-dev/ppa
    sudo apt-add-repository ppa:ubuntu-mate-dev/trusty-mate
    sudo apt-get update && sudo apt-get upgrade
    sudo apt-get install --no-install-recommends ubuntu-mate-core ubuntu-mate-desktop

    # X2Go client
    sudo apt-get update
    sudo apt-get install x2goclient


OSCON

Brought to you by: O’REILLY OSCON

— PICKS —

Runs Linux

Desktop App Pick

Aegisub is a free, cross-platform open source tool for creating and modifying subtitles. Aegisub makes it quick and easy to time subtitles to audio, and features many powerful tools for styling them, including a built-in real-time video preview.

Weekly Spotlight


— NEWS —

Ubuntu PC maker System76 abandons Flash, says it’s too dangerous | Ars Technica

Ubuntu PC maker System76 will stop installing Adobe Flash on its laptops and desktops, saying the software is too dangerous and is no longer necessary. “In 2007 System76 was granted a license from Adobe to pre-install Flash on all our laptops and desktops,” the company said in a blog post yesterday. “In terms of making a great first impression with our customers, especially those new to Ubuntu, this was an important detail.”

FSF and SFC work with Canonical on an “intellectual property” policy update [LWN.net]

The Free Software Foundation (FSF) and Software Freedom Conservancy (SFC) have both put out statements about a change to the Canonical, Ltd. “intellectual property” policy that was negotiated over the last two years (FSF statement and SFC statement). Effectively, Canonical has added a “trump clause” that clarifies that the licenses of the individual packages override the Canonical policy when there is a conflict. T

Firefox OS fork “H5OS” gets a $100 million boost

Acadine, founded by former Mozilla execs, has received a $100 million investment from China’s Tsinghua Unigroup, to launch a Firefox OS fork called “H5OS.”

Feedback:

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com


Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:
