Show Notes: linuxunplugged.com/464

The post Git Happens | LINUX Unplugged 464 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/463

The post You Git What You Pay For | Coder Radio 463 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/406

The post Functional Sadism | Coder Radio 406 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/379

The post Favorite Linux Tweaks | LINUX Unplugged 379 first appeared on Jupiter Broadcasting.

Show Notes: selfhosted.show/26

The post The Trouble with Docker | Self-Hosted 26 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/349

The post Arm: A New Hope | LINUX Unplugged 349 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/69

The post Pagure a GitLab Alternative: Neal Gompa | Jupiter Extras 69 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/61

The post Brunch with Brent: Nuritzi Sanchez | Jupiter Extras 61 first appeared on Jupiter Broadcasting.

Show Notes: linuxactionnews.com/133

The post Linux Action News 133 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/348

The post Dependency Dangers | Coder Radio 348 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/392

The post Keeping up with Kubernetes | TechSNAP 392 first appeared on Jupiter Broadcasting.

Show Notes/Links: linuxunplugged.com/255

The post Fedora to the Core | LINUX Unplugged 255 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/313

The post GitLab’s CEO | CR 313 first appeared on Jupiter Broadcasting.

Show Notes: podcast.asknoahshow.com/68

The post Microsft Buys GitHub | Ask Noah Show 68 first appeared on Jupiter Broadcasting.

Show Notes/Links: linuxunplugged.com/252

The post Github Hubbub | LINUX Unplugged 252 first appeared on Jupiter Broadcasting.

Show Notes:

coder.show/312

The post Git with Microsoft | Coder Radio 312 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

House Passes Long-Sought Email Privacy Bill

• The U.S. House of Representatives on Monday approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails.

• This is a very short piece of legislation. You can read it quickly, but it is an amendment. Basically, it’s copy/cut/pasting into the existing act, so you have to read it in context of the OLD act.

• Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent without the approval of a judge.

• Based on a 1986 law created in the days when cell phones did not contain email. Back then, the standard was store and forward, not the central storage so common today. There was no cloud.

• EFF’s Surveillance Self-Defense guide.

• This is very important. What is also important is protecting privacy when crossing borders. Your rights must be preserved when crossing borders. Trouble is, it seems we have no rights when doing so.

Here’s What Transport for London Learned From Tracking Your Phone On the Tube

• Advertising? I can see how this is useful for more than just advertising. Traffic flow. Knowing about time from A to B. Mention EZPass and monitoring of badges to determine flow.

• Signs announced trial, opt out by disabling wifi.

• The documents also seem to suggest that if TfL switched on tracking full time it could offer real time crowding information to passengers – so we could see a CityMapper of the not-too-distant future telling us which stations to avoid.

• That sounds simlar to how Waze and Google Maps collect real-time data on traffic congestion.

• Collecting information is one thing. Controlling access to that information is vital. As we’ve seen so many times in the past, it is the use of that data for unintended purposes which is of most concern.

• Rainbow tables

GitLab Postmortem of database outage of January 31

• This came from Shawn. We covered this incident in eposide 305.

• I want to make it clear from the start, we are not mocking GitLab. There is no joy to be taken here.

• On January 31st 2017, we experienced a major service outage for one of our products, the online service GitLab.com. The outage was caused by an accidental removal of data from our primary database server.

• What a horrible feeling that engineer then had. Imagine, for a moment. Production has just been wiped out… OMG.

• Backups could not be found, nor could they be used. It was all gone.

• I can imagine lots and lots of waiting for stuff to finish. Very stressful. Much hope, but very stressful.

• Wow, could not access their own projects. Ouch. Almost want their own repo offline, but then accusations of not dog fooding, etc.

• Prometheus monitorin

• Some places take the approach of making staging the hot backup for production. Exactly the same. Move production onto staging hardware if required.

• “I don’t remember where I saw it (probably hackernews), but someone proposed to constantly recreate staging from production’s backup. This way we would have an up-to-date staging version and frequently tested backup recovery process.”

Feedback:

• Should I convert to FreeNAS

• Follow Up Bacula

• possible malware distributor

Round Up:

• No more ransom – from Alejandro

• Semi-Critical Intel Atom C2000 SoC Flaw Discovered, Hardware Fix Required – from Shawn

• Ticketbleed – from Shawn

• Yahoo, MSN Struck by Advanced Malvertising Campaign

• Factory That Made Exploding Galaxy Note 7 Batteries Catches Fire

• US Judge Ordered Google to Hand Over Emails Stored On Foreign Servers to FBI

• Vizio settles with FTC, will pay $2.2 million and delete user data

• WordPress Kept Users And Hackers In The Dark While Secretly Fixing Critical Zero-Day

• Diehard Coders Just Rescued NASA’s Earth Science Data

• University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices

• Bored with ho-hum cloud backups? Use Usenet (yes, Usenet!) instead

• Unpacking the rack-mount chassis – YouTube

• Moving tower system into rack mount chassis – YouTube

• Yes, an APC AR3100 rack can fit into a Subaru Outback

• APC AR3100 rack assembly – YouTube

• Moving the rack into place – YouTube

The post Metadata Matters | TechSNAP 306 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

• In this case, it was the accountants who noticed something was wrong.

• What? No centralised real-time monitoring?

• IN EARLY JUNE 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

• Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

• He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

• On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

• By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

• Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the supect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

• By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

• Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

• But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

• Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

• On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

• The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

• The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

• So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

• This came to our attention from Shawn
• For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewall, and general stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The issue, long standing, is updates. When vulnerabilities are found, the code needs to be patched. With these devices, that issues can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks, this isn’t so much as an issue, if the updates are made available to us
• We patch our own systems already, patching the firmware on a device… we can do that too.
• The vast majority of router users are unaware that they require an update. They sit there waiting, and sometimes they are found. When they are found to have a vulnerability, they can become part of a bot-net, a huge collection of devices ready to do the bidding of those with ill-intent. These bot-nets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
• This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

• This also came from Shawn

• Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

• On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

• Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

• That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

• So some solace there for users because not all is lost. But the document concludes with the following:

• So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

• The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

  • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

  • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

  • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

  • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

  • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

  • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

  • Our backups to S3 apparently don’t work either: the bucket is empty

• Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

• See also GitLab.com Database Incident

• see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

• example of why making sure your backup solution is solid as hell is extremely important

• The guy is completly honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

• For context, myth-weavers is a website that handles things like the creation/managing and sharaing of D&D (and other tabletop RPG) character sheets online ( https://www.myth-weavers.com/sheetindex.php ), they lost about 6 months of data.

• Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

• The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

• Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

• Not exactly mission-critical data, but still very important data for the audience they cater too. Handcrafted, imagination-related kinda stuff

• This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

• Dataloss at GitLab

• Thoughts On Gitlab Data Incident

• Blameless PostMortems and a Just Culture

Feedback:

• Mesos and software that is impossible to back up

• Windows backup to FreeNAS

• FreeNAS Transmission Permissions

Round Up:

• AT&T and Verizon just got a free pass from the FCC to divide up the internet

• These 10 cities have the worst malware infection rates in the US

• Anonymous Hacks and Takes Down 10,613 Dark Web Portals

• We don’t want to alarm you, but PostScript makes your printer an attack vector – From Shawn

• A Hacker Just Pwned Over 150,000 Printers Left Exposed Online

• Dark net markets moving to adopt bug bounty programs

• FOSDEM video recordings

• 70% of D.C. CCTV cameras infected with Ransomware 8-days before presidential inauguration

• iOS Cracking Tools Allegedly Stolen from Cellebrite Get Dumped Online by Hackers

• Microsoft’s DRM can expose Windows-on-Tor users’ IP address

• Got an OpenBSD Web server? Better patch it

• LibTLS: Rethinking the TLS/SSL API

The post Gambling with Code | TechSNAP 305 first appeared on Jupiter Broadcasting.

We peer into the past of the show to pull out the amazing clips you guys suggested to us and fondly remember how funny it is to listen to Chris get trolled. Sit back, relax & enjoy the fun in this look back at best of Coder Radio!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

A look back on 2014:

Clips are listed in the order they’re show. Repeat links are because multiple clips were used from the same episde.

• Episode 123 – The Trolling Begins
• Episode 129 – Discussions about community negativity
• Episode 123 – Chris is on trial!
• Episode 106 – Is the Nexus 5 a developer device?
• Episode 84 – Sysadmins vs Developers
• Episode 84 – Are Developers no longer Engineers & Computer Scientists?
• Episode 126 – Where’s our cloud configs!?
• Episode 123 – Michael Dominick reveals his mater plan
• Episode 126 – Chris is SICK of HTML5!
• Episode 105 – A valid alternative to github?
• Episode 106 – When will Google’s ideology change?
• Episode 123 – Michael Dominick gets a visit from his conscience
• Episode 123 – Everyone is ripping off everyone else & Chris uses the right tool for each job
• Episode 123 – Michael Dominick rests his case!

The post Best Of Coder Radio 2014 | CR 133 first appeared on Jupiter Broadcasting.

Has Docker’s wild success caused it grow too big & too corporate? In light of the CoreOS project’s announcement of Rocket we’ll reflect on the big problem both projects needs to solve.

Plus our plans to involve community around building an API for Jupiter Broadcasting, your feedback & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Feedback / Follow Up:

• Best of Coder Radio

Content needed for the Best of Moments:

• Episode Title:
• Link to Episode:
• Timecode:
• What was the topic:

submit the content on the following form, https://goo.gl/forms/pK0zNG4F3i

• IndyTechTrekkie comments on Get Back to the ’50s | Coder Radio 130

• Thoughts on JB 2015 from an app developer

• Ghost for markdown static site generation

• End-to-end encryption for the rest of us

• I.CX: Secure messaging for the rest of us.

Dev Hoopla:

GUI building

At 4 minutes in you get to see an old interface designer in action, which seems very simple and better than many even now! Nice to see a glimpse of Xcode’s history.

• NeXT vs Sun – YouTube

Ewww, You Use PHP? | MailChimp Email Marketing Blog

Lately here at MailChimp we’ve been trying to bring in more developers to help us keep the innovation coming fast and furious as the application grows in scope and scale. It’s always been difficult for us to hire really good developers, just because of where we are. Our office is here in Atlanta GA, not exactly a hotbed of cool startups in the last few years. On top of that we’re fundamentally an email company, which is far from a sexy problem for geeks to sink their teeth into. But the biggest negative reaction we get when hiring new developers is when we mention the programming language we use.

Ewww, you use PHP? I thought you were cool!

Yes, I’m afraid we have to come clean. We use PHP here at MailChimp.

The post Dock Your Rocket | CR 131 first appeared on Jupiter Broadcasting.