GPG – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Wed, 10 Feb 2021 02:52:46 +0000

Dad’s Deployments | LINUX Unplugged 392
https://original.jupiterbroadcasting.net/144187/dads-deployments-linux-unplugged-392/
Tue, 09 Feb 2021 18:30:00 +0000

Show Notes: linuxunplugged.com/392

The post Dad's Deployments | LINUX Unplugged 392 first appeared on Jupiter Broadcasting.

Linus’ Filesystem Fluster | LINUX Unplugged 336
https://original.jupiterbroadcasting.net/138527/linus-filesystem-fluster-linux-unplugged-336/
Tue, 14 Jan 2020 19:30:00 +0000

Show Notes: linuxunplugged.com/336

Pain the APT | LINUX Unplugged 285
https://original.jupiterbroadcasting.net/128971/pain-the-apt-linux-unplugged-285/
Wed, 23 Jan 2019 05:35:16 +0000

Show Notes/Links: linuxunplugged.com/285

Patch Your S3it | TechSNAP 338
https://original.jupiterbroadcasting.net/118531/patch-your-s3it-techsnap-338/
Tue, 26 Sep 2017 23:40:04 +0000

Show Notes:

Distrustful U.S. allies force spy agency to back down in encryption fight

  • Some ISO delegates said much of their skepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard.

  • In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world.

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

  • Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.

  • “The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today.

  • The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Equifax sends customers to wrong website, not theirs, for help

  • The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.

  • After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.

  • On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.

FinFisher government spy tool found hiding as WhatsApp and Skype

  • This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISP level – packaging real downloads with spyware.

  • When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

  • When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.


Feedback

  • Hey Dan. What is a good and inexpensive tape backup drive for LTO tapes? What works for you best? Thx!


Round Up:

Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

One Key to Rule Them All | TechSNAP 263
https://original.jupiterbroadcasting.net/98991/one-key-to-rule-them-all-techsnap-263/
Thu, 21 Apr 2016 10:41:52 +0000

This week, the FBI says APT6 has pwned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Show Notes:

FBI says APT6 has been pwning the government for the last 5 years

  • The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard.
  • The official advisory is available on the Open Threat Exchange website
  • The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
  • In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
  • “Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”
  • “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
  • Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is “likely a nation-state sponsored group based in China,” according to FireEye, which “has been dormant for the past several years.”
  • Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

  • After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
  • A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
  • The investigation centres on a Monaco company called Unaoil.
  • Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
  • The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
  • Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now known as MAN Diesel & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
  • The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
  • The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ exposé, that claim is demolished.
  • It is the Monaco company that almost perfected the art of corruption.
  • It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
  • How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
  • Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
  • On a semi-related note, another big story for you to go read:
  • How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

  • No, not that kind of Visa, the other one.
  • Systems run by the US State Department that issue the travel visas required for visitors from most countries to be admitted to the US.
  • This has very important security considerations, as the application process for getting a visa is when most security checks are done.
  • Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter – though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
  • Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added.
  • After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database – the government’s so-called “backbone” for vetting travelers to and from the United States – was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
  • As one of the world’s largest biometric databases – covering almost anyone who has applied for a U.S. passport or visa in the past two decades – the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
  • “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
  • Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
  • State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
  • “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Apollo Has Landed | LINUX Unplugged 133
https://original.jupiterbroadcasting.net/96711/apollo-has-landed-lup-133/
Tue, 23 Feb 2016 18:20:40 +0000

Entroware’s Apollo laptop has arrived, and we share our first hands-on impressions of their ultra Linux laptop, how it compares to the Purism, and a quick chat with Entroware’s co-founder.

Plus we discuss the Mint hack, and solutions we could create as a community to solve the bigger problems, updates from some of our favorite open source projects, and chat about Beep Beep Yarr, and more!


Show Notes:

Follow Up / Catch Up

Beep Beep Yarr! by Linux Voice

Silk Guardian is an anti-forensic kill-switch

Silk Guardian is an anti-forensic LKM kill-switch that waits for a change on your USB ports and then wipes your RAM and turns off your computer.

MUTINY! — Ubuntu MATE 16.04 Adds Unity-Style Desktop Layout

“There’s a Mutiny coming!,” the Ubuntu MATE team teases. “Yes, that is a top menu. Yes, this is Ubuntu MATE. See you Thursday for the Beta 1 release!”.

Cnchi v0.14 Moves Into Stable Branch

The most notable change in Cnchi 0.14 is beta support for ZFS (in Automatic Installation Mode). It is now possible to install Antergos with ZFS as your chosen filesystem. You simply tell Cnchi which drive to use and it will take care of formatting the drive and configuring ZFS for you.

The most powerful Ubuntu phone is still not good enough

The Meizu Pro 5 has the Galaxy S6’s processor, but not its performance

100,000,000 Monthly Active Users

Now Telegram has more than 100,000,000 monthly active users. 350,000 new users sign up each day. We’re delivering 15 billion messages daily.

“The Mint Hack”

Hacker explains how he put “backdoor” in hundreds of Linux Mint downloads | ZDNet

The hacker responsible, who goes by the name “Peace,” told me in an encrypted chat on Sunday that a “few hundred” Linux Mint installs were under their control — a significant portion of the thousand-plus downloads during the day.

Backdoored Linux Mint, and the Perils of Checksums

But it’s also important to note that comparing the checksum of a file you downloaded with what you see on the website you downloaded it from isn’t secure either, even if you are using SHA256. If a hacker can hack the website to modify the download link, they can modify the checksum at the same time to match their malicious download.

The only solution to this problem is to use public key cryptography.

Apollo by Entroware

Passing On LastPass | LAS 387
https://original.jupiterbroadcasting.net/89366/passing-on-lastpass-las-387/
Sun, 18 Oct 2015 10:12:49 +0000

Our best open source alternatives to LastPass. We run down the easy, the straightforward & the totally custom solutions to rolling your own password management. All our picks are totally open source, auditable & ready to use today.

Plus the first reviews of the Steam Machines hit the web, Red Hat’s big buy, GIMP in your browser & more!

— Show Notes: —

LastPass Killers

It’s Yahoo Mail‘s 18th birthday this month and to mark the occasion, Yahoo is pulling out all the stops with three major announcements: a brand new mobile app for Android and iOS, the support for multiple third-party email accounts and, perhaps most significantly, the introduction of a completely password-free sign-in experience called Yahoo Account Key.

LastPass Joins the LogMeIn Family

It’s a big day here at LastPass. We’re thrilled to announce that we’re joining LogMeIn. As one of the world’s leading SaaS companies, we can’t imagine a better team to align with our values and product-driven mission. With their experience in growing successful brands like join.me, we’re excited to join LogMeIn in delivering the next generation of identity and access management for individuals, teams and companies, with LastPass at the forefront.

KeePass

KeePassC is a password manager fully compatible with KeePass v.1.x and KeePassX. That is, your password database is fully encrypted with AES.

KeePassC is written in Python 3 and comes with a curses interface. It is completely controlled with the keyboard (vim-like keys are supported).

Some features are:

  • AES encryption of the database with password and/or keyfile
  • Included customizable password generator
  • KeePassX and KeePass v.1.x compatible (KeePass v2.x planned)
  • Database entries are sorted in alphabetically sorted groups
  • Subgroups of groups
  • Entries are identified by a title
  • Search entries by this title and show matches in an own group
  • Set expiration dates to remind you that a new password is needed
  • Unicode support
  • Copy username and password to clipboard
  • Auto-locking workspace and self-deleting clipboard with adjustable delays
  • Options to remember last database and last keyfile
  • Open URLs directly in your standard browser
  • Optional use of vim/ranger-like keys
  • Simple command line interface
  • Network functionality including multiuser support
  • The last can be used to omit password entering, too

kpcli – A command line interface for KeePass

A command line interface (interactive shell) to work with KeePass 1.x or 2.x database files. This program was inspired by my use of the CLI of the Ked Password Manager (“kedpm -c”) combined with my need to migrate to KeePass.

Pass

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

How Active is Pass Development?

To free password data from the clutches of other (bloated) password managers, various users have come up with different password store organizations that work best for them.

Using Git to Sync Pass

First install and then set up git:

    $ git config --global user.name  "John Doe"
    $ git config --global user.email "johndoe@foobar.com"
    $ pass git init

QtPass GUI for pass, the standard UNIX password manager

  • Using pass or git and gpg2 directly
  • Cross platform: Linux, BSD, OS X and Windows
  • Reading pass password stores
  • Decrypting and displaying the password and related info
  • Editing and adding of passwords and information
  • Updating to and from a git repository
  • Per-folder user selection for multi recipient encryption
  • Configuration options for backends and executable/folder locations
  • Copying password to clipboard
  • Configurable shoulder surfing protection options
  • Experimental WebDAV support

Planned features

  • Re-encryption after users-change (optional of course).
  • Plugins based on key, format is same as password file.
  • Colour coding folders (possibly disabling folders you can’t decrypt).
  • WebDAV (configuration) support.
  • Optional table view of decrypted folder contents.
  • Opening of (basic auth) urls in default browser? Possibly with helper plugin for filling out forms?
  • Some other form of remote storage that allows for accountability / auditing (web API to retrieve the .gpg files)?

GPG – How to trust an imported key

Encryptr – Powered by Crypton

Encryptr is simple and easy to use. It stores your sensitive data like passwords, credit card data, PINs, or access codes, in the cloud. However, because it was built on the zero-knowledge Crypton framework, Encryptr ensures that only the user has the ability to access or read the confidential information. Not the app’s developers, cloud storage provider, or any third party.

Encryptr only ever encrypts or decrypts your data locally on your device. No plain text is ever sent to the server, not even your passphrase. This is what zero-knowledge means.

You don’t even need to hand over any personal data to register. Not your name, and not your email address. The app only requires a username and a passphrase.

Encryptr is free, and completely open source. This includes Crypton.

Firefox Password Manager

If you use the same simple password for everything you will be more susceptible to identity theft. The Create secure passwords to keep your identity safe article shows you an easy method for creating secure passwords and using the Password Manager, as described above, will help you remember them all.

Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them. The Use a Master Password to protect stored logins and passwords article shows you how to prevent this and keep you protected in the event your computer is lost or stolen.

When paired with Firefox’s Sync feature this effectively emulates LastPass, without YubiKey support and without the password generation feature.

— PICKS —

Runs Linux

Etch-a-sketch RUNS LINUX!

Over on YouTube user devnulling has uploaded a video showing his “Etch-A-SDR” project. This project involved creating an all-in-one SDR device out of an Odroid C1, Teensy 3.1 and an RTL-SDR dongle. The Odroid C1 is an embedded computer, similar to the Raspberry Pi 2 and the Teensy 3.1 is a microcontroller development board. The “Etch-A-SDR” is named as such because of its resemblance to an Etch-A-Sketch toy. It has two knobs that can be used for tuning and several side buttons for changing demodulation modes etc.

Upon boot the Etch-A-SDR opens GQRX and is ready for tuning within seconds of turning it on. In addition to using it as a portable SDR with GQRX the Etch-A-SDR can also be booted into normal Linux mode and into Etch-A-Sketch mode, where it operates as a normal Etch-A-Sketch toy.

The code can be downloaded from https://github.com/devnulling/etch-a-sdr.

Desktop App Pick

FreeMind Mind Mapping Tool

FreeMind is a premier free mind-mapping software written in Java. The recent development has hopefully turned it into high productivity tool. We are proud that the operation and navigation of FreeMind is faster than that of MindManager because of one-click “fold / unfold” and “follow link” operations.

  • Keeping Track of Projects
  • Project workplace
  • Workplace for Internet Research
  • Essay Writing and Brainstorming
  • Small Database with structure
  • Commented Internet Favorites or Bookmarks

Weekly Spotlight

Hangups

hangups is the first third-party instant messaging client for Google Hangouts. It includes both a Python library and a reference client with a text-based user interface.

Unlike its predecessor Google Talk, Hangouts uses a proprietary, non-interoperable protocol. hangups is implemented by reverse-engineering this protocol, which allows it to support features like group messaging that aren’t available in clients that connect via XMPP.

hangups is still in an early stage of development. The reference client is usable for basic chatting, but the API is undocumented and subject to change. Bug reports and pull requests are welcome!


— NEWS —

GIMP Online – rollApp

Run GIMP and other X11 apps in your web browser.

Red Hat is buying Ansible for more than $100M

Buying Ansible — one of four major providers of at least partly open-source devops tools — makes sense, because it can add to Red Hat’s line of offerings. Plus, Ansible already integrates with Red Hat’s OpenShift, OpenStack, and Red Hat Enterprise Linux software.

As part of the deal, about 50 Ansible employees will join Red Hat.

Red Hat today also provided a brief update to its earnings as part of the news. It says the acquisition is expected to have no material impact to Red Hat’s revenue for the third and fourth quarters of its fiscal year. Non-GAAP operating expenses for fiscal 2016 will be increased by $2 million, or ($0.01) per share, in Q3 and $4.0 million, or ($0.02) per share, in Q4 as a result of the transaction.

Proxmox VE 4.0 is OUT

This video highlights the new features in Proxmox VE 4.0:

  • Debian Jessie 8.2 and 4.2 Linux kernel
  • Linux Containers (LXC)
  • IPv6 support
  • Bash completion
  • New Proxmox VE HA Manager

View all updates: https://pve.proxmox.com/wiki/Roadmap

The Alienware Steam Machine: finally, a gaming PC for the living room

I used to laugh when I saw Linux users scramble to build compatibility layers to play “real” PC games. I chuckled when Valve CEO Gabe Newell lambasted Windows 8 as a “catastrophe for everyone,” proffering Linux and SteamOS as a viable alternative. It seemed so far-fetched, so silly. Truth be told, I’m still laughing — but now it’s because I’m enjoying myself. The Alienware Steam Machine has some growing pains, but it’s fun. Lots of fun.

It’s all very smooth, overall, but there were a few sticking points that seemed a little rough compared to other game consoles. While the system hasn’t frozen on us during a game yet, there have been a handful of times where the whole OS hung when we were closing or opening a title, requiring a system reboot that took 30 to 60 seconds. We ran into occasional problems with webpage scrolling, the on-screen keyboard, and Wi-Fi recognition as well, all of which disappeared with a reboot.

We also found a few SteamOS games that still include an intermediate “launcher” screen that asks players to confirm resolution and other settings. That’s only an annoyance because these screens can’t be navigated with the Steam Controller; you need to plug in a mouse and keyboard to get through to the actual game in these cases. While the SteamOS interface includes large warnings that these games require extra hardware, and Valve isn’t directly responsible for third-party developers’ unfriendly decisions, it still seems like an oversight to have such games be unplayable out of the box.

Feedback:

  • https://slexy.org/view/s2Y836bi9B
  • https://slexy.org/view/s2sQ9ZkWTx
  • https://slexy.org/view/s2VwIphEzi
  • https://www.indiegogo.com/projects/open-foss-training#/

Rover Log Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Friday:

The post Passing On LastPass | LAS 387 first appeared on Jupiter Broadcasting.

Open Source Kollaboration | LINUX Unplugged 91 https://original.jupiterbroadcasting.net/81522/open-source-kollaboration-lup-91/ Tue, 05 May 2015 17:28:23 +0000 https://original.jupiterbroadcasting.net/?p=81522 Aaron Seigo joins us to discuss the Kolab project, open source’s genuine answer to Microsoft Exchange and other groupware solutions. We also discuss the Roundcube project’s fundraiser & possible integration with Kolab. Plus our Virtual LUG reviews Ubuntu 15.04, and we discuss what’s so desktop focused about Ubuntu 15.10 & much, much more! Thanks to: […]


Aaron Seigo joins us to discuss the Kolab project, open source’s genuine answer to Microsoft Exchange and other groupware solutions. We also discuss the Roundcube project’s fundraiser & possible integration with Kolab.

Plus our Virtual LUG reviews Ubuntu 15.04, and we discuss what’s so desktop focused about Ubuntu 15.10 & much, much more!

Thanks to:

  • Ting
  • DigitalOcean
  • Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:


Show Notes:

Pre-Show:

Retired pastor James Anderson, age 84, has never worked in IT or had any formal computer training, but over the past two years he has rebuilt more than a hundred IBM ThinkPad laptops and sent them to schools and nonprofits in Africa — all running Linux.

Catch Up:


Linux Academy

We are releasing our first set of ArchAssault shirts in preparation for SouthEast LinuxFest which is at the beginning of June 2015!


DigitalOcean

Roundcube Next | Indiegogo

Roundcube is the world’s most popular open source webmail application. It is used by millions of people to access to their email (and much more) on their own terms every single day.

But we can’t sit still. The web has evolved a lot in the last decade, and we want Roundcube to take full advantage of the best web technologies available. Doing so will let us evolve Roundcube into being a fluid single-page web app which you can use on all of your devices: desktop, laptop, tablet and smartphone.

Roundcube is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.

TING

Relax, it’s just Ubuntu 15.04. AARGH! IT’S FULL OF SYSTEMD!!!

Review: Systemd is here. It’s arrived in Vivid Vervet, the latest, just-released distro of Ubuntu — 15.04.

Most users will notice very little overall difference in this latest Ubuntu release, but it’s this change that packs the biggest punch.

Wily Werewolf is the name of Ubuntu 15.10

“I think Ubuntu has come to represent the leanest, cleanest focus on free software and design for future experiences, and I think it’s time for us now to accelerate that lead. It’s really important for us to be sure that developers that are comfortable developing for GNOME or KDE know that their applications will absolutely be welcome in a converged Ubuntu world.”

“I would like to announce that we are going to ship a device this year, with a manufacturer, that will fit in your pocket, and be a phone, and will give you a desktop experience. That PC pocket experience is real on Ubuntu.”

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

The post Open Source Kollaboration | LINUX Unplugged 91 first appeared on Jupiter Broadcasting.

Is VR Bust? | Tech Talk Today 129 https://original.jupiterbroadcasting.net/76927/is-vr-bust-tech-talk-today-129/ Fri, 06 Feb 2015 11:10:04 +0000 https://original.jupiterbroadcasting.net/?p=76927 The hype around Virtual Reality has been building steadily, hitting new highs this week after Facebook’s earnings report. We’ll take a look back at the previous VR boom of the early 90s & ask if history is repeating itself. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]


The hype around Virtual Reality has been building steadily, hitting new highs this week after Facebook’s earnings report. We’ll take a look back at the previous VR boom of the early 90s & ask if history is repeating itself.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

The World’s Email Encryption Software Relies on One Guy, Who is Going Broke – ProPublica

The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.

Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.


Update, Feb. 5, 2015, 8:10 p.m.: After this article appeared, Werner Koch informed us that last week he was awarded a one-time grant of $60,000 from Linux Foundation’s Core Infrastructure Initiative. Werner told us he only received permission to disclose it after our article published. Meanwhile, since our story was posted, donations flooded Werner’s website donation page and he reached his funding goal of $137,000. In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project.

Late last year, Keurig announced a new machine, the 2.0, calling it the “future of brewing” and touting its ability to make both small cups and large carafes. But another, less-publicized feature has been getting most of the attention: the brewer’s advanced scanning system that locks out any coffee pods not bearing a special mark. It’s essentially a digital rights management system, but for coffee, and it’s proving to be the brewer’s downfall.

On an earnings call Wednesday the company announced that brewer sales fell 12 percent last quarter, the first full quarter for which the 2.0 was on sale. “Quite simply our 2.0 launch got off to a slower start than we planned,” said CEO Brian Kelley. He said the company had been too slow to get 2.0-compatible cups onto retail shelves and cited “confusion among consumers as to whether the 2.0 would still brew all of their favorite brands.”

2 New Samsung Gear VR Ads Introduce VR to the Masses (video)

The ad uses actual content from the Gear VR headset which is a smart choice, though, curiously, no games are featured. Instead, the ad focuses on 360 video—clips from a helicopter over a city, elephants roaming in their natural habitat, a CGI Pacific Rim experience, and a moment from Cirque du Soleil.

What Facebook’s Oculus Rift movies means for ads | The Drum

Facebook is out to prove that virtual reality is more real than its detractors think, erecting an in-house studio to create fully immersive films on its Oculus Rift platform. If the medium is to be widely accepted by advertisers then the social network needs to show how the learnings can convey a more tangible form of the brand experience.

Virtual Reality : Free Download & Streaming : Internet Archive

Virtual reality started out as a science fiction concept in the early 1950s. Now, VR has become a kind of holy grail – lots of promises and claims, few results delivered. This program looks at the state of virtual reality. Demonstrations include the Talking Glove, AutoDesk’s Cyberspace project, the Virtual Hand, GestureGlove, CyberGlove, CyberCAD, Virtus Corporation’s WalkThrough. Also a visit to the Virtual Reality Showcase at the Software Development Conference in Santa Clara, California. Originally broadcast in 1992.

The post Is VR Bust? | Tech Talk Today 129 first appeared on Jupiter Broadcasting.

Demilitarized Tone | TechSNAP 166 https://original.jupiterbroadcasting.net/59832/demilitarized-tone-techsnap-166/ Thu, 12 Jun 2014 16:57:23 +0000 https://original.jupiterbroadcasting.net/?p=59832 Researchers develop an ultrasonic mesh network to extract data from computer networks, Feedly and Evernote get attacked, and something is amiss with Windows 7. Then it’s a great batch of your feedback, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube […]


Researchers develop an ultrasonic mesh network to extract data from computer networks, Feedly and Evernote get attacked, and something is amiss with Windows 7.

Then it’s a great batch of your feedback, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Exfiltrating data using an ultrasonic mesh network

  • Researchers at the Fraunhofer Institute in Germany have developed a protocol, based on an underwater communications protocol, to pass messages between laptops using their speakers
  • The Fraunhofer Institute is famous for having invented the MP3 audio codec and for being a significant contributor to the H.264/MPEG-4 AVC video codec
  • The paper describes a ‘covert channel’ that can be used to circumvent firewalls and intrusion detection systems
  • The system uses ultrasonic sound, emitted by laptop speakers and received by laptop microphones
  • The range is about 20 meters and it provides about 20 bits/second of bandwidth
  • The general principle is to create a mesh network of laptops in order to exfiltrate data from a protected network or location
  • The proof of concept was created by installing a keylogger on a laptop, which would then send the data back to the attacker by emitting ultrasonic (inaudible to the human ear) sounds, which would then be picked up by another infected machine and repeated, extending the transmission range
  • Eventually the signal may reach a machine outside of the protected area or network, and be received by the attacker, or re-transmitted by regular means
  • As a countermeasure, they suggest possibly disabling the speakers/microphone entirely
  • As a more useful countermeasure, they suggest a low-pass filter that would either remove the ultrasonic frequencies from the output, or shift them down into the audible range so they can be detected by humans
  • The paper also discusses a host-based intrusion detection system that analyzes audio input and output for suspect signals
  • Full PDF
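The host-based detection idea in the last bullets boils down to asking, per audio frame, how much of the signal's energy sits in the band a human cannot hear. The following is an added illustration of that check, not code from the Fraunhofer paper or the show: it uses the Goertzel algorithm to measure energy in an assumed 18–22 kHz band at an assumed 48 kHz capture rate, and flags a frame when more than 5% of its energy is there. The frames, tone frequencies and the threshold are constructed for the demo; a real monitor would read frames from the capture device and tune the threshold against its own microphone noise floor.

```c
#include <stddef.h>

#ifndef M_PI
#define M_PI 3.14159265358979323846
#endif

#define SAMPLE_RATE      48000.0   /* Hz; assumed capture rate */
#define FRAME_LEN        4800      /* 100 ms frames -> 10 Hz bin spacing */
#define BAND_LO_HZ       18000.0   /* "ultrasonic" band watched by this detector */
#define BAND_HI_HZ       22000.0
#define SUSPECT_FRACTION 0.05      /* flag when >5% of frame energy lies in the band */

/* cos() without libm so the example builds with a bare C compiler:
 * reduce to [-pi, pi], then a 16-term Taylor series (error far below 1e-12). */
static double my_cos(double x)
{
    const double two_pi = 2.0 * M_PI;
    x -= (double)(long)(x / two_pi) * two_pi;      /* now |x| < 2*pi */
    if (x > M_PI)  x -= two_pi;
    if (x < -M_PI) x += two_pi;
    double term = 1.0, sum = 1.0, x2 = x * x;
    for (int i = 1; i <= 16; i++) {
        term *= -x2 / (double)((2 * i - 1) * (2 * i));
        sum += term;
    }
    return sum;
}

/* Goertzel: |X(k)|^2 of the n-sample frame at DFT bin k, without a full FFT. */
static double goertzel_power(const double *x, size_t n, size_t k)
{
    double coeff = 2.0 * my_cos(2.0 * M_PI * (double)k / (double)n);
    double s1 = 0.0, s2 = 0.0;
    for (size_t i = 0; i < n; i++) {
        double s0 = x[i] + coeff * s1 - s2;
        s2 = s1;
        s1 = s0;
    }
    return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

/* Fraction of the frame's energy in [lo_hz, hi_hz]. For a sinusoid of amplitude A
 * sitting on bin k, |X(k)|^2 = (A*n/2)^2 and sum(x^2) = A^2*n/2, so
 * 2*|X(k)|^2 / (n * sum(x^2)) is 1.0; summing the band's bins generalises this. */
double band_energy_fraction(const double *x, size_t n, double lo_hz, double hi_hz)
{
    double total = 0.0;
    for (size_t i = 0; i < n; i++) total += x[i] * x[i];
    if (total <= 0.0) return 0.0;                  /* silent frame */
    size_t k_lo = (size_t)(lo_hz * (double)n / SAMPLE_RATE);
    size_t k_hi = (size_t)(hi_hz * (double)n / SAMPLE_RATE);
    if (k_hi > n / 2) k_hi = n / 2;                /* stay below Nyquist */
    double band = 0.0;
    for (size_t k = k_lo; k <= k_hi; k++) band += goertzel_power(x, n, k);
    return 2.0 * band / ((double)n * total);
}

/* 1 = frame carries suspicious ultrasonic energy, 0 = looks like ordinary audio. */
int frame_is_suspect(const double *x, size_t n)
{
    return band_energy_fraction(x, n, BAND_LO_HZ, BAND_HI_HZ) > SUSPECT_FRACTION;
}

/* Mix a tone into buf (constructed test input, not a real capture). */
static void add_tone(double *buf, size_t n, double freq_hz, double amp)
{
    for (size_t i = 0; i < n; i++)
        buf[i] += amp * my_cos(2.0 * M_PI * freq_hz * (double)i / SAMPLE_RATE);
}

/* Demo frame: a 1 kHz "audible" tone, optionally with a weak 20 kHz carrier
 * hidden under it. With the carrier, about 8% of the energy is in band, so the
 * frame is flagged; without it the band is empty and the frame passes. */
int demo_frame_suspect(int with_carrier)
{
    static double frame[FRAME_LEN];
    for (size_t i = 0; i < FRAME_LEN; i++) frame[i] = 0.0;
    add_tone(frame, FRAME_LEN, 1000.0, 1.0);
    if (with_carrier) add_tone(frame, FRAME_LEN, 20000.0, 0.3);
    return frame_is_suspect(frame, FRAME_LEN);
}
```

The same measurement applied to the playback path (what the host is about to send to the speaker) covers the emitting side, which is the other half of what the paper's host-based IDS inspects.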

Feedly And Evernote Go Down As Attackers Demand Ransom

  • After restoring its services after Wednesday’s attack, the Feedly team reported in a blog post Thursday morning that it had been hit by a second DoS attack. As of late Thursday morning, Feedly is down again.
  • On Thursday, June 12th, Feedly posted to their blog: “2:04am PST – Criminals are attacking feedly with a distributed denial of service attack (DDoS). The attacker is trying to extort us for money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.”
  • In Evernote’s case, the company noted yesterday evening that it was unavailable, and that it was working to neutralize a denial of service attack. A few hours later, a message on Evernote’s Twitter account said its service was restored – but it’s not out of the woods yet. “There may be a hiccup or two for the next 24 hours,” the tweet warned.
  • At least in Feedly’s case the attackers demanded a ransom to stop the attack.
  • It’s unknown as of now if the hackers are demanding ransom from Feedly on day two of the attack. The company has not responded to a request for comment.
  • Denial of service attack [Neutralized] – Feedly Blog
  • Feedly, Evernote And Others Become Latest Victims Of DDoS Attacks
  • BBC News – Feedly and Evernote struck by denial of service cyber-attacks
  • EuroBSDCon 2013 — Allan Jude — Mitigating DDoS Attacks at Layer 7

Microsoft patching flaws in Windows 8, but not Windows 7?

  • Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero-day vulnerabilities.
  • The missing safe functions were part of Microsoft’s dedicated libraries intsafe.h and strsafe.h, which help developers combat various attacks.
  • Researcher Moti Joseph and malware analyst Marion Marschalek (@pinkflawd) developed a capable diffing (comparison) tool dubbed DiffRay which compares Windows 8 with 7, and logs any safe functions absent in the older platform.
  • In a demonstration of DiffRay, the researchers found four missing safe functions in Windows 7 that were present in 8.
  • Including:
    • bcrypt.dll!ConvertRsaPrivateBlobToFullRsa
    • netlogon.dll!NlpAddResourceGroupsToSamInfo
    • twext.dll!EscapeField (possible unpatched integer overflow in Windows 7, fixed in 8)
  • Slides
  • Video – What happens in Windows 7, stays in Windows 7
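What the intsafe.h-style "safe functions" buy you is easiest to see on the kind of code the last bullet hints at: a routine that escapes a field must size its output buffer from the input length, and an unchecked `2*len+1` can wrap to a tiny allocation that the copy loop then overruns. The block below is an added, portable illustration written for this page; it is not Microsoft's intsafe.h, not the twext.dll function, and the `escape_field` routine and its escaping rule (backslash before `"` and `\`) are constructed for the example. It shows checked multiply and add helpers in the spirit of intsafe's SizeTMult/SizeTAdd and an allocation path that refuses rather than wraps.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Checked size_t arithmetic, a stand-in for intsafe.h's SizeTMult/SizeTAdd
 * (assumption: portable re-implementation, not Microsoft's code).
 * Return 0 on success, -1 when the result would wrap. */
int size_mult_checked(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

int size_add_checked(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a) return -1;
    *out = a + b;
    return 0;
}

/* Escape every '"' and '\' in `in` with a backslash (hypothetical format).
 * Worst case every byte doubles, so the output needs 2*len + 1 bytes.
 * The unchecked form `malloc(2 * len + 1)` silently wraps for huge len;
 * here the size computation fails closed and NULL is returned instead. */
char *escape_field(const char *in, size_t len)
{
    size_t doubled, need;
    if (size_mult_checked(len, 2, &doubled) != 0) return NULL;
    if (size_add_checked(doubled, 1, &need) != 0) return NULL;

    char *out = malloc(need);
    if (out == NULL) return NULL;

    size_t j = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == '"' || in[i] == '\\') out[j++] = '\\';
        out[j++] = in[i];
    }
    out[j] = '\0';                  /* j <= 2*len, so this stays inside `need` */
    return out;
}

/* 1 when a normal field is escaped as expected (constructed input). */
int demo_escape_ok(void)
{
    const char *in = "a\"b\\c";                         /* a"b\c */
    char *out = escape_field(in, strlen(in));
    int ok = out != NULL && strcmp(out, "a\\\"b\\\\c") == 0;   /* a\"b\\c */
    free(out);
    return ok;
}

/* 1 when an input length that would wrap 2*len is refused rather than
 * turned into an undersized allocation. */
int demo_overflow_refused(void)
{
    size_t huge = SIZE_MAX / 2 + 1;                    /* 2*huge wraps to 0 */
    return escape_field("x", huge) == NULL;
}
```

The point of a library like intsafe.h is that the refusal happens in one audited place; a binary whose escaping routine was never switched to the checked helpers is exactly what a tool like DiffRay is built to surface.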

Feedback:


Round Up:


The post Demilitarized Tone | TechSNAP 166 first appeared on Jupiter Broadcasting.

House of Credit Cards | TechSNAP 165 https://original.jupiterbroadcasting.net/59167/house-of-credit-cards-techsnap-165/ Thu, 05 Jun 2014 17:31:21 +0000 https://original.jupiterbroadcasting.net/?p=59167 Just when you thought openSSL was safe, we’ve got a whole new round of security flaws. Plus we’ll go inside a massive online carding shop. Then it’s your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent […]


Just when you thought openSSL was safe, we’ve got a whole new round of security flaws. Plus we’ll go inside a massive online carding shop.

Then it’s your questions, our answers, and much much more!

Thanks to:


\"DigitalOcean\"


\"Ting\"


\"iXsystems\"

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenSSL and GnuTLS flaws

  • A series of new vulnerabilities have been found in both SSL/TLS libraries
  • Latest versions:
    • OpenSSL 0.9.8za
    • OpenSSL 1.0.0m
    • OpenSSL 1.0.1h
  • CVE-2014-0224 — An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
  • CVE-2014-0221 — By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
  • CVE-2014-0195 — A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server are affected.
  • CVE-2014-0198 — A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2010-5298 — A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2014-3470 — OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
  • OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper “Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”. This issue was previously fixed in OpenSSL 1.0.1g.
  • GnuTLS releases update to fix flaws as well
  • CVE-2014-3466 — A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code. The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked not to exceed the incoming packet size, but is not checked to ensure it does not exceed the maximum session id length.
  • Deeper analysis of the GnuTLS flaw
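The GnuTLS bullet describes a length field that is validated against the wrong bound: the check protects the read (the value fits in the packet) but not the write (the value fits the fixed-size buffer it is copied into). The following is an added, simplified ServerHello body parser written for this page; it is not GnuTLS code and the struct layout, error codes and helper names are constructed. It applies both checks, in the order that mirrors the bug, so the constructed "long session id in a long enough packet" case passes the first check and is caught by the second. The 32-byte maximum is the TLS SessionID limit (opaque<0..32>).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define TLS_RANDOM_SIZE         32
#define TLS_MAX_SESSION_ID_SIZE 32     /* SessionID is opaque<0..32> in TLS */

enum { SH_OK = 0, SH_ERR_TRUNCATED = -1, SH_ERR_SESSION_ID_TOO_LONG = -2 };

/* Parsed ServerHello body. session_id is a fixed buffer, which is exactly
 * what an unchecked session_id_len would overrun. */
struct server_hello {
    uint8_t version[2];
    uint8_t random[TLS_RANDOM_SIZE];
    uint8_t session_id_len;
    uint8_t session_id[TLS_MAX_SESSION_ID_SIZE];
    uint8_t cipher_suite[2];
    uint8_t compression;
};

/* Parse: version(2) random(32) session_id_len(1) session_id(n) cipher(2) comp(1). */
int parse_server_hello(const uint8_t *pkt, size_t len, struct server_hello *out)
{
    size_t pos = 0;
    if (len < 2 + TLS_RANDOM_SIZE + 1) return SH_ERR_TRUNCATED;

    memcpy(out->version, pkt, 2);                 pos += 2;
    memcpy(out->random, pkt + pos, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;
    out->session_id_len = pkt[pos++];

    /* Check 1 (the one the vulnerable code had): never read past the packet. */
    if (out->session_id_len > len - pos) return SH_ERR_TRUNCATED;
    /* Check 2 (the one CVE-2014-3466 lacked): never write past the buffer. */
    if (out->session_id_len > TLS_MAX_SESSION_ID_SIZE) return SH_ERR_SESSION_ID_TOO_LONG;

    memcpy(out->session_id, pkt + pos, out->session_id_len);
    pos += out->session_id_len;

    if (len - pos < 3) return SH_ERR_TRUNCATED;
    memcpy(out->cipher_suite, pkt + pos, 2);      pos += 2;
    out->compression = pkt[pos++];
    return SH_OK;
}

/* Build a constructed ServerHello body with the requested session id length.
 * Returns bytes written, or 0 if the caller's buffer is too small. */
size_t build_server_hello(uint8_t *buf, size_t cap, uint8_t sid_len)
{
    size_t need = 2 + TLS_RANDOM_SIZE + 1 + sid_len + 3;
    if (cap < need) return 0;
    size_t pos = 0;
    buf[pos++] = 0x03; buf[pos++] = 0x03;             /* TLS 1.2 */
    memset(buf + pos, 0xAB, TLS_RANDOM_SIZE); pos += TLS_RANDOM_SIZE;   /* fake random */
    buf[pos++] = sid_len;
    memset(buf + pos, 0x5D, sid_len); pos += sid_len; /* fake session id bytes */
    buf[pos++] = 0xC0; buf[pos++] = 0x2F;             /* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 */
    buf[pos++] = 0x00;                                /* null compression */
    return pos;
}

/* Build a message with sid_len, optionally cut it short, and parse it. */
int demo_parse(uint8_t sid_len, size_t truncate_to)
{
    uint8_t buf[512];
    struct server_hello sh;
    size_t n = build_server_hello(buf, sizeof buf, sid_len);
    if (truncate_to != 0 && truncate_to < n) n = truncate_to;
    return parse_server_hello(buf, n, &sh);
}
```

Usage: `demo_parse(32, 0)` and `demo_parse(0, 0)` return `SH_OK`; `demo_parse(200, 0)` is the CVE shape, a 200-byte session id inside a packet big enough to hold it, and returns `SH_ERR_SESSION_ID_TOO_LONG`; `demo_parse(32, 40)` cuts the packet after 40 bytes and returns `SH_ERR_TRUNCATED`.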

Inside a carding shop

  • Brian Krebs releases his exposé on the inner workings of a professional carding shop
  • This shop focused on ‘dumps’, full track data that can be written to blank cards, allowing the fraudster to take the card into a big-box store and buy big-ticket items that can easily be sold for cash
  • “The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013.”
  • “Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.”
  • Brian has a great slideshow that shows some of the regions and retailers that were compromised, and what the sets of cards sell for

Feedback:


Round Up:


The post House of Credit Cards | TechSNAP 165 first appeared on Jupiter Broadcasting.

Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.


We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:


\"GoDaddy\"


\"Ting\"


\"iXsystems\"

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 & 4 and cannot detect an attempted exploit
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application, attempting to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knowing exactly what legitimate traffic will look like
  • Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email; looking at the message in Outlook’s preview mode will trigger the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich-Text file), Outlook renders RTF files with MS Word by default
  • The Fix-It solution disables automatically opening emails with RTF content with MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April 8, 2014”
  • Additional Coverage – ThreatPost

Feedback:


Round Up:


The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.

Time Signatures | BSD Now 23 https://original.jupiterbroadcasting.net/51177/time-signatures-bsd-now-23/ Thu, 06 Feb 2014 22:08:15 +0000 https://original.jupiterbroadcasting.net/?p=51177 We'll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we've got a tutorial on how to run your own NTP server.


We’ll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we’ve got a tutorial on how to run your own NTP server. News, your feedback and even… the winner of our tutorial contest! It’s a big show, so stay tuned to BSD Now – the place to B.. SD.

Thanks to:


\"iXsystems\"

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD Foundation’s 2013 fundraising results

  • The FreeBSD Foundation finally counted all the money they made in 2013
  • $768,562 from 1659 donors
  • Nice little blog post from the team with a giant beastie picture
  • “We have already started our 2014 fundraising efforts. As of the end of January we are just under $40,000. Our goal is to raise $1,000,000. We are currently finalizing our 2014 budget. We plan to publish both our 2013 financial report and our 2014 budget soon.”
  • A special thanks to all the BSD Now listeners that contributed; the foundation was really glad that we sent some people their way (and they mentioned us on Facebook)

OpenSSH 6.5 released

  • We mentioned the CFT last week, and it’s finally here!
  • New key exchange using elliptic-curve Diffie-Hellman in Daniel Bernstein’s Curve25519 (now the default when both sides support it)
  • Ed25519 public keys are now available for host keys and user keys, considered more secure than DSA and ECDSA
  • Funny side effect: if you ONLY enable ed25519 host keys, all the compromised Linux boxes can’t even attempt to log in
  • New bcrypt private key type, 500,000,000 times harder to brute force
  • Chacha20-poly1305 transport cipher that builds an encrypted and authenticated stream in one
  • Portable version already in FreeBSD -CURRENT, and ports
  • Lots more bugfixes and features, see the full release note or our interview with Damien
  • Work has already started on 6.6, which can be used without OpenSSL!

Crazed Ferrets in a Berkeley Shower

  • In 2000, MWL wrote an essay for linux.com about why he uses the BSD license: “It’s actually stood up fairly well to the test of time, but it’s fourteen years old now.”
  • This is basically an updated version about why he uses the BSD license, in response to recent idiocy from Richard Stallman
  • Very nice post that gives some history about Berkeley, the basics of the BSD-style licenses and their contrast to the GNU GPL
  • Check out the full post if you’re one of those people that gets into license arguments
  • The takeaway is “BSD is about making the world a better place. For everyone.”

OpenBSD on BeagleBone Black

  • BeagleBone Blacks are cheap little ARM devices similar to a Raspberry Pi
  • A blog post about installing OpenBSD on a BBB from… our guest for today!
  • He describes it as “everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black”
  • It goes through the whole process, details different storage options and some workarounds
  • Could be a really fun weekend project if you’re interested in small or embedded devices

This episode was brought to you by

\"iXsystems


Interview – Ted Unangst – tedu@openbsd.org / @tedunangst

OpenBSD’s signify infrastructure


Tutorial

Running an NTP server


News Roundup

Getting started with FreeBSD

  • A new video and blog series about starting out with FreeBSD
  • The author has been a fan since the 90s and has installed it on every server he’s worked with
  • He mentioned some of the advantages of BSD over Linux and how to approach explaining them to new users
  • The first video is the installation, then he goes on to packages and other topics – 4 videos so far

More OpenBSD hackathon reports

  • As a followup to last week, this time Kenneth Westerback writes about his NZ hackathon experience
  • He arrived with two goals: disklabel fixes for drives with 4k sectors and some dhclient work
  • This summary goes into detail about all the stuff he got done there

X11 in a jail

  • We’ve gotten at least one feedback email about running X in a jail. Well, with this commit, looks like now you can!
  • A new tunable option will let jails access /dev/kmem and similar device nodes
  • Along with a change to DRM, this allows full X11 in a jail
  • Be sure to check out our jail tutorial and jailed VNC tutorial for ideas
  • Ongoing Discussion

PCBSD weekly digest


Feedback/Questions

  • Justin writes in: https://slexy.org/view/s21VnbKZsH
  • Daniel writes in: https://slexy.org/view/s2nD7RF6bo
  • Martin writes in: https://slexy.org/view/s2jwRrj7UV
  • Alex writes in: https://slexy.org/view/s201koMD2c
    + unofficial FreeBSD RPI Images
  • James writes in: https://slexy.org/view/s2AntZmtRU
  • John writes in: https://slexy.org/view/s20bGjMsIQ

  • All the tutorials are posted in their entirety at bsdnow.tv
  • The ssh tutorial has been updated with some new 6.5 stuff
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Reminder: if you’re on FreeBSD 8.3 for some reason, upgrade soon – it’s reaching EOL
  • Reminder: if you’re using pkgng, be sure to update to 1.2.6 for a security issue
  • The winner of the tutorial contest is… Dusko! We didn’t get as many submissions as we wanted, but his Nagios monitoring tutorial was extremely well-done. It’ll be featured in a future episode. Congrats! Send us a picture when it arrives.
  • Allan got his pillow in the mail as well, it’s super awesome

The post Time Signatures | BSD Now 23 first appeared on Jupiter Broadcasting.

Ubuntu Beyond the Edge | LAS s28e05 https://original.jupiterbroadcasting.net/42097/ubuntu-beyond-the-edge-las-s28e05/ Sun, 25 Aug 2013 14:48:08 +0000 https://original.jupiterbroadcasting.net/?p=42097 Ubuntu Edge failed to reach its funding, there are many theories why, we'll break them all down and debate if the touch trend has come to an end.


Ubuntu Edge failed to reach its funding, there are many theories why, we’ll break them all down and debate if the touch trend has come to an end.

Plus: A walkthrough of Bitmessage and the recent “hack” attempt this week, a new self hosted email project…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux249 to score .COM for just $2.49!

For new orders save 32% with our code go32off2


Visit las.ting.com to save $25 off your device or service credits.


Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Was Ubuntu Edge a Sign?


System76

Brought to you by: System76

The number came out of doing some homework on what would be needed to bring the phone to market. And ultimately bringing a phone like this to market requires a lot of industrial design work, electrical design, testing, etc. We could have gone for a lower total number, but with a much higher per-unit cost. So, we tried to find something that was a good compromise.

“We thought we could take a leap forward two or three years in terms of the capabilities of today’s phone through the Edge,”

– ::snip:: –

“It certainly raised eyebrows in the phone industry in a good way. Folks feel there’s a hunger for something new and it sent a signal as to what that something new might look like,” said Shuttleworth.

“I think the full Ubuntu convergence experience will not be in the first round of Ubuntu phones, which we’re targeting for the first quarter 2014,” Silber told CNET. “Just phones, not a full converged plug-into-your-monitor device,” she added, stressing, “I think convergence is the future. It may take many forms.”

  • Canonical CEO Jane Silber

– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:

Git your hands all over our STUFF:


— NEWS —

— /etc: Bitmessage —


Untangle

Brought to you by: Untangle

A modern, fast web-mail client with user-friendly encryption and privacy features. 100% Free and Open Source software

– Feedback: –

BM-GuJRSMgViBNXnafzuRQL3tpHHFSJQ5Wm

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Little Phish Big Breach | TechSNAP 124 https://original.jupiterbroadcasting.net/42032/little-phish-big-breach-techsnap-124/ Thu, 22 Aug 2013 16:39:18 +0000 https://original.jupiterbroadcasting.net/?p=42032 It all started with a simple phishing attack, we’ll share the story about a small bank that had a major compromise, plus the Washington Post gets hacked…

The post Little Phish Big Breach | TechSNAP 124 first appeared on Jupiter Broadcasting.


It all started with a simple phishing attack, we’ll share the story about a small bank that had a major compromise, plus the Washington Post gets hacked…

A great batch of questions, our answers, and much much more!

Thanks to:

Use our code techsnap249 to get a .COM for $2.49.


Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.


Visit techsnap.ting.com to save $25 off your device or service credits.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Attackers use DDoS attack on banks as cover to conduct APT attack on wire transfer switches, stealing millions of dollars

  • Rather than the attacks we have previously discussed, where the fraudsters targeted individuals and companies with malware and then drained their bank accounts, this newer series of attacks has targeted the banks and credit unions directly
  • Many of these attacks have been against smaller banks and credit unions because of their more limited IT security infrastructure
  • It is unclear exactly how the attackers infiltrated the banks’ networks, but attacks similar to those against The Washington Post and The Onion, i.e. fairly well executed spear phishing, are likely
  • Once the computer of someone inside the bank has been compromised, it can be loaded up with keyloggers, remote administration trojans and other malware
  • The attacker can then use the ‘trusted’ computer to escalate their privileges, either directly, or by impersonating the person whose PC has been compromised and sending more phishing emails internally
  • Once a computer with access to the ‘wire transfer switch’ (usually an application) is compromised, the attacker can initiate a wire transfer from any account
  • Individual bank accounts and bank employees often have limits on the amount they can transfer; however, with escalated privileges, the attackers were able to increase or remove these limits in some cases
  • Some banks have instituted anti-fraud systems that require a second employee to authorize any large wire transfer; however, the attackers had managed to compromise multiple employee accounts inside the bank, and were able to provide the secondary approval of their own fraudulent transfers
  • “In at least one instance, actors browsed through multiple accounts, apparently selecting the accounts with the largest balance”
  • Then, to cover their tracks, the attackers launch a Distributed Denial of Service attack against the bank’s website and/or online banking portal. This disruption is designed to keep the IT staff at the bank busy and keep the attention of other bank employees away from the wire transfer system
  • If successful, the DDoS attack distracts the bank long enough to prevent them from clawing back the wire transfer. The bank has a much better chance of getting the money back if they can report the transfer as fraudulent within the first few minutes
  • “The service portal is down, the bank is losing money and reliability, and the security team is juggling the priorities of what to fix first. That’s when the switch attack – which is very rare because those systems are not easily compromised [and require] high-privilege level in a more advanced persistent threat style case – takes place.”
  • Internet Crime Complaint Center (IC3) issued a warning in Sept 2012
  • Gartner Report
  • Dell SecureWorks Report

Washington Post hacked by Syrian Electronic Army

  • The attackers managed to modify specific pages of the Washington Post website to redirect traffic to the attackers’ own site for about 30 minutes
  • The Syrian Electronic Army (SEA) is a pro-Assad group known for hacking many Twitter accounts, as well as other newspapers including The Financial Post, The Onion and the Associated Press
  • SEA originally hacked an employee’s Twitter account and used it to spread their message
  • Some time after that, pages on the website started being redirected
  • It is unclear if the employee’s credentials were used to execute the redirect attack
  • The method of attack was exactly the same as that used against the Financial Post and The Onion: phishing emails appearing to come from other employees inside the same company, which redirected users to a fake email login page that captured their credentials. It is unclear if WP uses Gmail as the FP and The Onion did
  • In a tweet, SEA claimed they had compromised ‘Outbrain’, a business partner of the newspaper that provides ‘content discovery’ mechanisms
  • The tweet also claimed that this compromise gave them access to not only the WP, but also CNN and TIME Magazine
  • The newspaper promptly disabled the Outbrain module and enacted other defensive measures
  • Outbrain acknowledged the problem last Thursday. “We are aware that Outbrain was hacked earlier today. In an effort to protect our publishers and readers, we took down service as soon as it was apparent. The breach now seems to be secured and the hackers blocked out, but we are keeping the service down for a little longer until we can be sure it’s safe to turn it back on securely. We are working hard to prevent future attacks of this nature.”
  • This type of attack is especially dangerous. If the SEA had redirected users to a site containing malware, rather than just their own site featuring a political message in Arabic, the results could have been much worse, and it could have gone on much longer before it was noticed
  • This is the most dangerous type of attack: it is like a watering hole attack, except that it targets a mass audience instead of a small one
  • Additional Coverage

Feedback:

Send us a Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

Round-Up:

Cost of Encryption | TechSNAP 122 https://original.jupiterbroadcasting.net/41332/cost-of-encryption-techsnap-122/ Thu, 08 Aug 2013 11:53:41 +0000 https://original.jupiterbroadcasting.net/?p=41332 We’ll have a frank discussion about the encryption arms race underway, the side-channel attack against GPG that researchers have found, headlines from Black Hat...

The post Cost of Encryption | TechSNAP 122 first appeared on Jupiter Broadcasting.


We’ll have a frank discussion about the encryption arms race underway, the side-channel attack against GPG that researchers have found, headlines from Black Hat…

And then an epic batch of your questions, our answers!


— Show Notes —

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5


Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Researchers have found a side-channel attack which could possibly be used to steal your GnuPG keys

  • Researchers Yuval Yarom and Katrina Falkner from The University of Adelaide presented their paper at Black Hat
  • The Flush+Reload attack is a cache side-channel attack that can extract up to 98% of the private key
  • The attack is based on the L3 cache, so it works across all cores, unlike previous attacks where the attacker had to be on the same CPU core as the victim
  • This attack works across VMs, so an attacker in one VM could extract the GnuPG private key from another VM, even if it is executing on a different CPU core
  • Research Paper

More Encryption Is Not the Solution

  • Poul-Henning Kamp (PHK) wrote an article for ACM Queue about how encryption is not the answer to the spying problems
  • Inconvenient Facts about Privacy
  • Politics Trumps Cryptography – Nation-states have police forces with guns. Cryptographers and the IETF (Internet Engineering Task Force) do not.
  • Not Everybody Has a Right to Privacy – Prisoners are allowed private communication only with their designated lawyers
  • Encryption Will Be Broken, If Need Be – Microsoft refactors Skype to allow wiretapping
  • Politics, Not Encryption, Is the Answer
  • “There will also always be a role for encryption, for human-rights activists, diplomats, spies, and other professionals. But for Mr. and Mrs. Smith, the solution can only come from politics that respect a basic human right to privacy—an encryption arms race will not work”
  • PHK postulates that a government could approach a cloud service and say “on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide”, and then hide it in the Cookie header

Interview with Brendan Gregg


Feedback:

Correction Section

Echoes from the Hall of Shame

Round Up:

Ethically Hacked | TechSNAP 120 https://original.jupiterbroadcasting.net/40802/ethically-hacked-techsnap-120/ Thu, 25 Jul 2013 19:17:35 +0000 https://original.jupiterbroadcasting.net/?p=40802 A huge number of SIM cards are susceptible to an over-the-air attack, Apple’s hacker outs himself, and the trouble with the Ubuntu forums!

The post Ethically Hacked | TechSNAP 120 first appeared on Jupiter Broadcasting.


A huge number of SIM cards are susceptible to an over-the-air attack, Allan’s got the details, Apple’s hacker outs himself, and the trouble with the Ubuntu forums!

Plus a batch of your questions, and much much more!

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5


Visit techsnap.ting.com to save $25 off your device or service credits.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Security Researcher Claims Apple Developer Website Hack

  • Apple’s Developer Center first went offline last Thursday, and on Sunday Apple revealed that it had been taken down as a precaution after a security breach. It is unclear who was responsible for the hacking, but a security researcher, Ibrahim Balic, has suggested that he might be to blame for the outage.
  • The company added that critical developer data had not been compromised and that they were working day and night to fix the vulnerability and bring the site back online.
  • 9to5Mac adds that, “In an email… Balic … is persistent in stating he did this for security research purposes and does not plan to use the information in any malicious manner.”
  • The comment comes from independent security researcher Ibrahim Balic, who claims that his effort was not intended to be malicious and that he reported his findings to Apple just hours before the developer site was taken down by the company.
  • Balic, who has reported 13 different bugs to Apple, originally discovered an iAd Workbench vulnerability on June 18 that allowed a request sent to the server to be manipulated. This security hole could be used to acquire the names and email addresses of iTunes users (even non-developers).
  • After finding the loophole, Balic wrote a Python script to harvest data from the vulnerability and then displayed it in a YouTube video, which may have put him on Apple’s radar.
  • In addition to the iAd Workbench bug, Balic also discovered and submitted a report on a bug that caused the Dev Center site to be vulnerable to a stored XSS attack. While Balic says that it was possible to access user data by exploiting the Dev Center issue, he claims that he did not do so.
  • New Details Emerge on Security Researcher Potentially Responsible for Dev Center Outage
  • Apple Outlines Plan for Bringing Developer Center Back Online
    + Additional Coverage

Ubuntu Forums compromised

  • The forums were defaced and the database compromised
  • There were approximately 1.82 million registered accounts in the forum database
  • Attackers have access to each of these users’ username, password and email address
  • The passwords were salted hashes, but by which algorithm was not made clear. Were these proper cryptographic password hashes, or just md5(salt+md5(password)) or similar, like some forum software uses?
  • If you were a registered user and reused that password anywhere else, you are likely going to have a bad time
  • “Ubuntu One, Launchpad and other Ubuntu/Canonical services are NOT affected by the breach”
  • Timeline:
    + 2013-07-20 2011 UTC: Reports of defacement
    + 2013-07-20 2015 UTC: Site taken down, this splash page put in place while investigation continues.
    + 2013-07-21: we believe the root cause of the breach has been identified. We are currently reinstalling the forums software from scratch. No data (posts, private messages etc.) will be lost as part of this process.
    + 2013-07-22: work on reinstalling the forums continues.

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ

The enterprise-class Open Source LDAP server for Linux. It is hardened by real-world use, is full-featured, supports multi-master replication, and already handles many of the largest LDAP deployments in the world. The 389 Directory Server can be downloaded for free and set up in less than an hour using the graphical console.

Round Up:


Privacy Under Linux | LAS s27e04 https://original.jupiterbroadcasting.net/38491/privacy-under-linux-las-s27e04/ Sun, 09 Jun 2013 14:02:25 +0000 https://original.jupiterbroadcasting.net/?p=38491 We demo tools for Linux to protect your privacy. And we’ll highlight Bitmessage, an open source project designed to kill email, and encrypt your communications.

The post Privacy Under Linux | LAS s27e04 first appeared on Jupiter Broadcasting.


We demo tools for Linux to protect your privacy. And we’ll highlight Bitmessage, an up and coming open source project designed to kill email, and encrypt your communications from the start.

Plus: The big plans for Cinnamon, Firefox OS gets a big boost, the conclusion to our Let’s Play giveaway…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux249 to score .COM for just $2.49!

35% off your ENTIRE first order just use our code 35off2 until the end of the month!


Visit las.ting.com to save $25 off your device or service credits.


Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Privacy Under Linux:


System76

Brought to you by: System76


– Picks –

Runs Linux:

Android Pick:

Desktop App Pick:

Search our past picks:

This Tumblr contains the app picks from the Linux Action Show, both the Linux apps and the Android apps.

Git your hands all over our STUFF:


— NEWS —

— /etc: Let’s Play —


Untangle

Brought to you by: Untangle

I promise, I only cut out one part where I freaked out really bad, and only then because it was during the footage I cut out because I wasn’t sure where to go. I may or may not have been scared by my lantern running out of oil and suddenly turning off.

– Feedback: –

Garry’s Mod Comes to Linux… Sells 7 Copies… What say you?

  • https://twitter.com/garrynewman/status/343127745317986304

  • https://twitter.com/garrynewman/status/343128562745892865

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Don’t Copy That Floppy | TechSNAP 79 https://original.jupiterbroadcasting.net/25876/dont-copy-that-floppy-techsnap-79/ Thu, 11 Oct 2012 16:04:46 +0000 https://original.jupiterbroadcasting.net/?p=25876 How a Russian Spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage. Plus GPG explained!

The post Don't Copy That Floppy | TechSNAP 79 first appeared on Jupiter Broadcasting.


How a Russian spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage, and why the US Congress is saying no to Chinese telco manufacturers.

Plus a big batch of your questions, and our answers.

All that and much more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

How Backblaze dealt with the hard drive shortage

  • During the hard drive shortage that started a year ago, Backblaze found itself in a rather tight spot: in order to continue offering unlimited storage for $5/month, they needed more drives
  • The price of a 3TB internal drive shot up from $129 to $349 overnight
  • However, external drives were priced around $169, at least $100 cheaper than their internal counterparts (mostly because HP, Dell and Apple had bought up most of the supply of internal drives)
  • Backblaze fills about 50TB worth of drives per day, so they need a continuous supply of new drives
  • Between November 2011 and February 2012, Backblaze farmed 5.5 Petabytes worth of hard drives from retailers, mostly consisting of external drives that needed to be removed from their enclosures
  • The external drives incurred other costs: shucking the drives out of the enclosures, and recycling the leftover shells afterwards
  • Many stores had ‘limit 2 per customer’ (I remember this well with my own drive buying), and Backblaze employees employed many devious tactics to try to squeeze more out of each store, including pretending to be a grandmother buying drives for each of her grandchildren for Christmas
  • Backblaze employees were banned from a number of Costco and Best Buy stores, or asked to leave empty handed
  • On Christmas Eve, the CEO of Backblaze stopped at a friend’s house to pick up 80 3TB drives his friend had acquired from an online site that forgot to limit the quantity he could order. It had taken the FedEx driver more than 30 minutes to unload all of the drives into the apartment. While loading them into his car, the Backblaze CEO reflected that the drives were worth more than the car
  • Backblaze still buys external drives when the price is right, ~$30 cheaper than internal drives, to cover the additional cost of preparing the drives
  • The ‘shucked’ drives can usually not be returned for warranty replacement
  • Additional Coverage
  • Additional Coverage
  • The Backblaze Storage Pod 2.0

Russian spy ring relied on Notepad and floppy disks

  • Sub-Lt. Jeffrey Delisle pled guilty today to charges of breach of trust and two counts of communicating safeguarded information to a foreign entity
  • The maximum sentence for ‘communicating safeguarded information to a foreign entity’ is life in prison
  • Delisle was an analyst at HMCS Trinity, an intelligence facility at the naval base in Halifax, Nova Scotia, that tracks vessels entering and exiting Canadian waters via satellites, drones and underwater devices
  • He would search for and copy sensitive materials from a secure computer at the base
  • He would copy and paste the data into Notepad, then save it to a floppy disk
  • The floppy was then moved to a regular non-secure computer, where the data was transferred to a USB drive
  • After taking the USB drive home, he would access a webmail account and draft an email, but never send it
  • His Russian handlers had the username and password to the email account, and would access it and retrieve the stolen intelligence
  • The emails were never sent, lessening the chance that they might be intercepted
  • Delisle walked into the Russian Embassy in Ottawa in 2007 and asked to speak to someone from the GRU (Russian military intelligence), offering to sell the secrets he had access to
  • He was paid $3000/month in prepaid credit cards
  • The RCMP (Royal Canadian Mounted Police, equivalent to the FBI in Canada) started investigating him after CBSA (Canada Border Services Agency) officers alerted the military when Delisle returned from a short trip to Brazil with a large amount of cash
  • Additional CBC Coverage

SEC hands out first ever fine for ‘failure to protect customer data’

  • In the spring of 2005, network traffic at the Florida offices of GunnAllen Financial had slowed to a crawl
  • The company had outsourced its entire IT department to The Revere Group
  • GunnAllen’s acting CIO, a partner at Revere Group, asked the manager of the IT team to investigate
  • A senior network engineer had disabled the WatchGuard firewalls and routed all of the broker-dealer’s IP traffic, including trades and VoIP calls, through his home cable modem
  • As a result, none of the company’s trades, emails, or phone calls were being archived, in violation of Securities and Exchange Commission regulations
  • However, this did not appear in the final report from the SEC about the settlement with GunnAllen Financial, which was actually about other breaches of security and policy
  • Some of the data that was routed through the engineer’s home connection included: bank routing information, account balances, account numbers, social security numbers, customers’ home addresses and driver’s license numbers
  • “He’d purposefully break things, then come in in the morning and be the hero. I ended up key-logging all the servers, and I logged him logging in from home at 2:30 in the morning, logging on to BlackBerry servers and breaking them.”
  • Although required by the SEC to keep copies of all emails for 7 years, “There was a point in time for probably two months where no one’s email was logged. I brought it up in a meeting once and was told to shut up [by the acting CIO]”
  • In 2008 FINRA (Financial Industry Regulatory Authority) fined GunnAllen $750,000 for a “trade allocation scheme” conducted by a former head trader, in which profitable stock trades were allocated to his wife’s personal account instead of to the accounts of firm customers
  • Employees at The Revere Group were afraid to report issues because other employees had been fired

Bug in Facebook mobile app could expose your phone number

  • A feature of the Facebook mobile app allows you to compare your mobile contacts list against Facebook, and find any people you have in your phone but not on Facebook
  • A researcher exploited this feature by adding random phone numbers to his phone’s contact list, and was able to determine many users’ mobile phone numbers despite their privacy settings
  • Facebook originally denied that this was an issue when he reported it to them; they claimed that rate limiting and privacy settings prevented the exploit
  • The researcher posted proof, in the form of hundreds of phone numbers (random digits blocked out to protect the innocent) with the corresponding person’s name
  • Facebook has since tightened up the rate limiting
  • TheNextWeb has an article on how to protect your phone number on Facebook

TechSNAP viewer discovers IE flaw

  • IE8 and IE9 in compatibility mode will sometimes mistakenly render plain text content as HTML
  • This means that the ‘raw’ view of a pastebin of some JavaScript source code could cause the browser to execute it, rather than display it
  • A proof of concept is provided for you to test your browser

US congressional report says Huawei and ZTE are a security threat

  • A draft of a report by the House Intelligence Committee said Huawei and another Chinese telecom, ZTE, “cannot be trusted” to be free of influence from Beijing and could be used to undermine US security
  • The report recommends that the Chinese hardware manufacturers should be barred from US contracts and acquisitions, due to the security implications of Chinese-controlled devices in sensitive US installations
  • US set to reject UN ITU proposals for changes to global telecom systems, citing danger of increased foreign espionage
  • The US fears nations like China and Russia will gain too much control and impose tracking and monitoring, and assert control over content and user information
  • The US says that ITU regulations are “not an appropriate or useful venue to address cybersecurity”

Feedback

  • More Info on digi-pass
  • Could you provide some insight into GPG keys?
    + Packages are signed by the GPG key of the person or group who created them
    + Your package manager maintains a list of the GPG keys you trust (the default is usually to trust official packages from your distro)
    + If you use 3rd party packages, you will get a warning
    + You must decide if you trust the 3rd party that signed the package not to include an exploit in the package
    + If you trust the 3rd party, you can add their key to your allow list, and you will not receive the warning
    + It is unsafe to ignore the warning if you do not trust the source of the packages, especially if you are trying to install an official package
  • Switching to Publicly Signed SSL?
    + Wildcard SSL certificates cover *.domain.com (something.domain.com, otherthing.domain.com)
    + This does not include *.something.domain.com
    + Covers future sub domains that you might create
    + There are also ‘UCC’ (Unified Communications Certificate) certificates, which allow you to enumerate many domains to be covered by a single certificate. Adding or removing a domain requires the certificate to be reissued
    + UCC certificates are expensive, but are popular for Exchange servers that must cover multiple domains
  • Securing Cookies
  • Darwin writes in with a note that in addition to limiting the length of your password, ‘Microsoft Account’ also prevents you using some special characters, including ‘space’

Round-Up

Simulated Cyber War | TechSNAP 36 https://original.jupiterbroadcasting.net/14956/simulated-cyber-war-techsnap-36/ Thu, 15 Dec 2011 20:35:34 +0000 https://original.jupiterbroadcasting.net/?p=14956 Find out how the 2012 Olympics are preparing for cyber war, we’ll answer a great batch of questions. And Allan’s embarrassing tech war story!

The post Simulated Cyber War | TechSNAP 36 first appeared on Jupiter Broadcasting.

Find out how the 2012 Olympics are preparing for cyber war, we’ll answer a great batch of questions.

And Allan’s embarrassing tech war story!

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Free Private Registration

GoDaddy Offer Code: techsnap17
Link: https://www.godaddy.com/domainaddon/private-registration.aspx?isc=techsnap17

$1.99 hosting for the first 3 months

GoDaddy Offer Code: techsnap11

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Big Oil the next big target for cyber attacks?

  • The IT Manager for Royal Dutch Shell told the World Petroleum Conference that their company has been receiving an ever increasing number of cyber attacks against its infrastructure.
  • The attacks are said to be motivated by commercial interest, as well as political and criminal interests.
  • If attackers managed to gain access to critical control systems, they would be able to manipulate valves and pumps, and cause unimaginable physical, monetary and environmental damage.
  • British Petroleum said they had seen a large increase in cyber attacks after the US Gulf oil spill disaster.
  • This is only further evidence that industrial control systems need to be completely isolated from the internet, not protected by just a firewall, but entirely isolated. Even then, threats such as Stuxnet or Duqu can be introduced by portable media such as USB flash drives. Physical and system security needs to be taken much more seriously.

    Olympic Control Center prepares for simulated Cyber Attacks

    • The new Olympic Control Center in Canary Wharf, which will provide support and management for the IT infrastructure of the 2012 Olympics in London, is preparing for a variety of simulated cyber attacks in order to improve its preparedness for the games.
    • The simulated attacks will include a denial-of-service attack, which they plan to mitigate by using a distributed website, as well as viruses and other malware getting into the organizers’ computers.
    • The computer network is used to store and record scores from the games and feed information to the public and the media.
    • The operations center has a staff of 180 permanent employees.
    • “Another key principle is to keep mission-critical games systems quite isolated from anything web-facing. So very much partitioned and separated, thus making it hard for an external attack to succeed.”
    • The company running the operations center is Atos, a very large multinational IT services company. However, Atos has had issues of its own.
    • In the autumn of 2008, Atos Origin was the subject of a government inquiry after a memory stick with passwords and user names for an important government computer system was found in a car park. BBC Coverage

    War Story

    Allan’s rm -rf / war story (Sovereign)

    When I was in high school and college, I ran an IRC shell provider. It started out as one little home-brew server on a 128kbit colocation, and grew to its peak of 9 dedicated servers in 4 data centers. As you can imagine, there were plenty of times where people tried to attack, hack or root my servers. It always made me laugh when they tried the latest Red Hat exploit against my FreeBSD 4.x machine.

    One such exploit involved a symbolic link to / with an obfuscated name (if I recall correctly, it was dot, space, space and then some unicode characters). As part of the cleanup, I went to remove the offending symlink. Because of the special characters etc. in the name, I used the shell’s tab-complete feature. Out of admittedly bad habit I used rm -rf rather than just rm, and either the shell or I put a trailing / on the symlink, so rather than removing the symlink, the shell resolved the symlink and started to execute the equivalent of rm -rf /. I knew something was wrong after a second or two when the command prompt did not return, and before I could figure out what was going on, I saw error messages about how /bin/tcsh could not be removed because it was in use, and that the kernel would not be deleted because it was flagged ‘system immutable’. I felt the blood drain out of my face and I quickly broke out in a cold sweat. I immediately hit Ctrl+C to prevent any further damage, but things were pretty far gone. /etc and /bin were gone, save for my shell because it was in use. So, without even ls, it was a little difficult to even tell what was left. This server had about 100 customers on it, and a decent uptime (175 days or so if I recall correctly).

    Luckily, because of proper disaster planning on my part, daily Bacula backups of that server existed on our central backup server. A few commands to the bacula console and I was restoring /etc, /boot and /bin. Then I did a verify/compare operation to determine what other files may have been deleted, and restored them as well. Amazingly, all of this was pulled off without a reboot, and without a single complaint from a customer. Total time from disaster to recovery was less than 1 hour, and I managed to maintain the uptime.
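    The mechanism behind the war story above is POSIX path resolution: a trailing slash forces the kernel to follow the final symlink, so any check of the form "is this a symlink?" on `link/` answers for the target directory, not the link. The following is an added example (not Allan's script or anything from the episode) that builds a throwaway directory with an odd-named symlink, shows the two answers `lstat` gives with and without the slash, and removes the path with a helper that strips separators before deciding whether to recurse. The directory layout, file names and helper names are constructed for the demo.

    ```python
    """Added example: why 'rm -rf link/' behaves like 'rm -rf target/' and how to
    avoid it. Everything below (paths, names, helper) is constructed for the demo
    and is not code from the show or from any real server."""
    import os
    import shutil
    import tempfile


    def remove_path_safely(path: str) -> str:
        """Remove `path` without ever descending through a symlink.

        Trailing separators are stripped *before* the symlink check, because
        os.lstat('link/') resolves the link and reports the target directory.
        Returns what was done so a caller (or a test) can verify the decision.
        """
        stripped = path.rstrip(os.sep) or path  # keep a bare '/' intact
        if os.path.islink(stripped):            # lstat on the link itself
            os.unlink(stripped)
            return "unlinked-symlink"
        if os.path.isdir(stripped):
            shutil.rmtree(stripped)
            return "removed-tree"
        os.unlink(stripped)
        return "unlinked-file"


    def demo() -> dict:
        """Create tmp/real/important and tmp/'.  <unicode>' -> real, then clean up
        using the dangerous spelling with a trailing slash."""
        base = tempfile.mkdtemp()
        target = os.path.join(base, "real")
        os.mkdir(target)
        with open(os.path.join(target, "important"), "w") as f:
            f.write("customer data\n")
        # Obfuscated-looking link name in the spirit of the story: dot, two spaces,
        # then a non-ASCII character. Constructed for the demo.
        link = os.path.join(base, ".  \u0430")
        os.symlink(target, link)

        result = {
            # Without the slash, lstat sees the link.
            "islink_no_slash": os.path.islink(link),
            # With the slash, the kernel follows the link first: it is "not a link".
            "islink_with_slash": os.path.islink(link + "/"),
            "isdir_with_slash": os.path.isdir(link + "/"),
        }
        # A naive 'if isdir: recurse' on link + "/" would walk into `target`.
        result["action"] = remove_path_safely(link + "/")
        result["target_survived"] = os.path.exists(os.path.join(target, "important"))
        result["link_gone"] = not os.path.lexists(link)
        shutil.rmtree(base)
        return result


    if __name__ == "__main__":
        for key, value in demo().items():
            print(f"{key}: {value}")
    ```

    The same trailing-slash rule applies to `rm` itself and to tab completion, which appends the slash precisely because the shell stats the path and sees a directory; the habit that avoids the whole class of accident is `rm` (no `-r`) on a symlink, and `unlink` where the platform has it.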


    Feedback

    Q: (Matt) I listened to TechSnap – 28 and 34 about the ZFS Server Build. Now I’m a little confused, How is Allan’s ZFS server configured? If ZFS will do all the RAID stuff and he’s using RAID Z2 for the RAID–6 option then why are his drives on an Adaptec RAID controller and how is the Adaptec configured? Are you using a big RAID–0?

    A: We’ve gotten this question quite a bit, because using a RAID controller is contrary to what I said during the TechSNAP 28 ZFS episode. In this case, I did not have a choice: I needed a controller that was supported under BSD, so I went with the Adaptec. The motherboard’s onboard Intel controller only has 6 ports, and 2 of those are used for the dedicated OS drives, which are mirrored in FreeBSD software using GEOM. The Adaptec had the added advantage of their unique solution for battery backup. I have configured the Adaptec to pass-thru each drive directly to ZFS without any RAID, and then ZFS deals with the drives individually, making the RAID-Z2 array. As I said during the initial episode, you don’t want to back your ZFS with a RAID device, because you lose control and some ZFS features, like the ability to swap a device out. If I had done a big RAID-0 device exposed to ZFS, I could not have created the RAID-Z2 array, because it requires at least 3 devices. Also, if one drive in a RAID-0 dies, the entire array is lost, so that would not be very good either.

    Q: (Graham) I am looking to do a Raid set up but I would like to know if need two hard drives to be the same make or model or can they be two hard drives of the same size?

    A: While the two drives do not have to be the same model, size, or even manufacturer, it is best if they are. When you are striping or mirroring, the performance is mostly dictated by the slower of the two drives, so identical drives means that one drive is not constantly waiting for the other. There can also be issues with timing when the drives have drastically different performance. However, depending on your configuration, sometimes it is possible to make use of the additional performance of one of the drives. The FreeBSD software RAID driver GEOM’s mirroring mode supports different balancing methods, including: load, prefer, round-robin and split.

    Q: (Bill) Currently I am designing/developing a client/server communications platform. I would love to make the project open source when I start developing the code, but I am concerned about potential security implications. The plan is to use a user auth system so users can easily contact each other. This is making my security senses tingle, because if you have the code for the auth system you could break it down easily. I would love to hear your opinions about this, as there are ways it could be done, but they could kill ease of use.

    A: If you rely on nothing more than the fact that no one knows how your security system works (called security through obscurity), then it is not really security at all. Rather than writing your own authentication system, it might be best to use an existing library, depending on what exactly you are trying to authenticate against. There are standard, well-reviewed implementations of cryptographic algorithms like AES, SHA and Blowfish, and of authentication and transport protocols like GPG and SSL/TLS. In the end, being open source allows other developers to spot any mistakes you make, and either notify you about them or contribute patches to resolve them.
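    To make the point of the answer concrete: an authentication store whose algorithm, iteration count and per-user salt are all public, so publishing the source costs nothing, because the only secret is the password itself. This is an added example written for these notes, not code from the episode or from Bill's project; it uses only the Python standard library (`hashlib.pbkdf2_hmac`, `hmac.compare_digest`), and the record format, iteration count and the two constructed user accounts are this example's own choices rather than any standard.

    ```python
    """Added example: a password verifier that stays secure with its source public.
    Record format 'algo$iterations$salt$hash', the iteration count and the sample
    users are constructed for this demo, not a standard or the episode's code."""
    import base64
    import hashlib
    import hmac
    import os
    from typing import Optional

    ALGO = "pbkdf2-sha256"
    ITERATIONS = 200_000   # tune so one verification costs ~100 ms on your hardware
    SALT_BYTES = 16


    def _b64(raw: bytes) -> str:
        return base64.b64encode(raw).decode("ascii")


    def _unb64(text: str) -> bytes:
        return base64.b64decode(text, validate=True)


    def make_record(password: str, salt: Optional[bytes] = None,
                    iterations: int = ITERATIONS) -> str:
        """Derive a stored credential. Every field except the password is public;
        the per-user random salt stops precomputed tables and hides shared passwords."""
        salt = os.urandom(SALT_BYTES) if salt is None else salt
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return "$".join([ALGO, str(iterations), _b64(salt), _b64(digest)])


    def verify(password: str, record: str) -> bool:
        """Recompute from the public parameters in the record and compare in
        constant time, so response timing leaks nothing about the stored hash."""
        try:
            algo, iters, salt_b64, hash_b64 = record.split("$")
            if algo != ALGO:
                return False
            iterations = int(iters)
            salt, expected = _unb64(salt_b64), _unb64(hash_b64)
        except (ValueError, TypeError):
            return False          # malformed record: never fall through to accept
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
        return hmac.compare_digest(actual, expected)


    def user_db_demo() -> dict:
        """Two constructed accounts and the checks a reviewer would run on the design."""
        db = {
            "alice": make_record("correct horse battery staple"),
            "bob": make_record("hunter2"),
        }
        return {
            "alice_ok": verify("correct horse battery staple", db["alice"]),
            "alice_wrong": verify("correct horse battery stapl", db["alice"]),
            "bob_pw_against_alice": verify("hunter2", db["alice"]),
            # Same password, fresh salt: the stored records differ.
            "same_pw_differs": make_record("hunter2") != db["bob"],
            "malformed": verify("x", "not-a-record"),
        }


    if __name__ == "__main__":
        for key, value in user_db_demo().items():
            print(f"{key}: {value}")
    ```

    Note what an attacker who has both the source and the database still has to do: run the published derivation once per guess per user. Raising `ITERATIONS` raises that cost for them and for you in equal measure, which is the trade-off the answer alludes to with "they could kill ease of use"; the secrecy of the code never enters into it.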

    Round-Up:

    Holiday Reading:

  • ISBN 0307269930
  • ISBN 0765323117

  • Audible Audio Book Version
