How Groupon made the switch to FreeBSD & why. Researches extract keys from a hardware module & Intel’s new CPU backed malware protection.

Plus your questions, a great roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Researchers manage to exfiltrate keys from an HSM

• “The Gemalto SafeNet Luna HSM allows remote authenticated users to bypass intended key-export restrictions by leveraging (1) crypto-user or (2) crypto-officer access to an HSM partition.”
• An HSM (hardware security module) is a dedicated device that is meant to safely store private encryption keys. They usually also provide crypto processing
• Rather than allowing a user to have access to a secret key, the user instead passes the file, message, certificate or whatever to the HSM, and it then signs or encrypts the payload and returns it to the user
• The idea is that the user never has access to the keys this way
• This is how all Certificate Authorities work
• “HSMs may possess controls that provide tamper evidence such as logging and alerting and tamper resistance such as deleting keys upon tamper detection.”
• Researchers found a flaw in the SafeNet HSMs
• “PKCS#11 is a very complex standard with dozens of APIs and wide-range of cryptographic operations, called “mechanisms” for everything from encryption to random number generation. Safenet vulnerability involves the key derivation mechanisms. These are used to create a cryptographic key as a function of another key”
• “For example BIP-32 for Bitcoin proposes the notion of hierarchical-deterministic wallets where a family of Bitcoin addresses are derived from a single “seed” secret. Designed properly, key-derivation provides such an amplification effect while protecting the primary secret. Even if a derived key is compromised, the damage is limited. One can not work their way back to the seed. But when designed improperly, the derived key has a simple relationship to the original secret and leaks information about it.”
• “Related-key cryptanalysis is the specific branch specializing in these attacks. It turns out that for Safenet HSMs, we do not need to dig very deep into cryptanalytic results. There are at least two mechanisms that are easy to exploit and work generically against a wide-class of algorithms: extract-key-from-key and XOR-base-and-data.”
• “Extract-key-from-key is defined in section 6.27.7 of PKCS#11 standard version 2.30. It may as well have been renamed “extract-substring” as the analog of standard operation on strings. This derivation scheme creates a new key by taking a contiguous sequence of bits at desired offset and length from an existing key.”
• So, with access to the HSM, you can define a new key, as a sub-string of the secret key. In the case of the example here, they used the first 2 bytes of the AES256 key as a new key
• They then used that key in a SHA256-HMAC to encrypt a chosen plaintext
• They were then able to take that plaintext, and brute force the key offline (knowing that it was only 2 bytes)
• Repeat this 16 times, for all 32 bytes, and you have now recovered the entire AES256 key
• “Surprisingly this works not only against symmetric keys such as AES or generic HMAC secrets but also against elliptic-curve private keys (RSA, plain DSA and Diffie-Hellman were not affected.) This is an implementation quirk: these mechanisms are typically intended for symmetric-keys only. For elliptic-curve keys, the byte array being truncated is the secret scalar part of the key. For example the “secret” component for a Bitcoin ECDSA key is a discrete logarithm in secp256k1. Internally that discrete logarithms is just stored as 32-byte scalar value, and extract-key-from-key can be used to successively reveal chunks of that scalar value.”
• “XOR-base-and-data suffers from a very similar problem. This operation derives a new key by XORing user-chosen data with original secret key. While there are cryptographic attacks exploiting that against specific algorithms such as 3DES, a design choice made by Safenet leads to simpler key recovery attack that works identically against any algorithm: when the size of data is less than size of the key, result is truncated to data size. XORing 256-bit AES key with one-byte data results in one-byte output. That provides another avenue for recovering a key incrementally: we derive new HMAC key by XORing with successively longer sequences of zero bytes, with only the last segment of new key left to brute-force at each step.”
• “Regardless of the authentication mode, the client must have a logged in session with HSM to use existing keys. It is enough then for an attacker to compromise the client machine in order to extract keys. That may sound like a high barrier or even tautological- “if your machine is compromised, then your keys are also compromised.” But protecting against that outcome is precisely the reason for using cryptographic hardware in the first place. We offload key management to special-purpose, tamper-resistant HSMs because we do not trust our off-the-shelf PC to sufficiently resist attacks. The assumption is that even if the plain PC were compromised, attackers only have a limited window for using HSM keys and only as long as they retain persistence on the box, where they risk detection. They can not exfiltrate keys to continue using them after their access has been cut off. That property both limits damage and gives defenders time to detect/respond. A key extraction vulnerability such as this breaks that model. With a vulnerable HSM, temporary control over client (or HSM credentials, for that matter) allows permanent access to key outside the HSM.”
• “The vulnerability applies to all symmetric keys, along with elliptic curve private-keys. There is one additional criteria required for exploitation: the key we are trying to extract must permit key-derivation operations. PKCS#11 defines a set of boolean attributes associated with stored objects that describe usage restrictions. In particular CKA_DERIVE determines whether a key can be used for derivation. A meta-attribute CKA_MODIFIABLE determines whether other attributes (but not all of them) can be modified. Accordingly an object that has CKA_DERIVE true or CKA_MODIFIABLE true— which allows arbitrarily changing the former attribute— is vulnerable.”
• “Latest firmware update from Safenet addresses the vulnerability by removing weak key-derivation schemes. This is the more cautious approach. It is preferable to incremental tweaks such as attempting to set a minimum key-length, which would not be effective.”
• Very interesting research, there is much more detail in the blog post

Operations at Group On, dealing with bit rot

• In this free sample article from the latest edition of the “FreeBSD Journal”, Sean Chittenden of GroupOn tells the story of how the company dealt with switching from Linux to FreeBSD to have ZFS protect their important databases backed by SSDs
• It turns out, if your organization is already supporting more than one flavour of Linux, supporting FreeBSD is not any more work
• FreeBSD brought a lot of new things to the table, not just ZFS, but DTrace, easy custom kernels, fast custom package sets with poudriere, but also, never having to fsck again.
• “now it’s one of the bigger items that no one missed or even talks about anymore. Imagine running a fsck(1) on a near line backup server with 288TB of storage.”
• “One of the challenges of organizational change: personal anxiety from either learning something new, or trusting something new in production”
• GroupOn used a number of 30 minute video call sessions to ease their database team into FreeBSD, with short demonstrations and open Q&A sessions
• They filled in the missing bits by hiring external trainers to come in and give a one week crash course on FreeBSD to the entire operations team
• In the end, the article is a good guide to adopting any technical change at a moderately sized organization, and talks about both the technical and personal challenges of such a change
• Video from BayLISA on same topic

CheckPoint unveils new CPU-level malware protection called SandBlast

• “The new software monitors CPU activity looking for anomalies that indicate that attackers are using sophisticated methods that would go unnoticed with traditional sandboxing technology”
• “Traditional sandboxes, including Check Point’s, determine whether files are legitimate by opening them in a virtual environment to see what they do. To get past the sandboxes attackers have devised evasion techniques, such as delaying execution until the sandbox has given up or lying dormant until the machine it’s trying to infect reboots”
• “SandBlast thwarts the evasion technique called Return Oriented Programming (ROP), which enables running malicious executable code on top of data files despite protection offered by Data Execution Prevention (DEP), a widespread operating system feature whose function is to block executable code from being added to data files.”
• “ROP does this by grabbing legitimate pieces of code called gadgets and running them to force the file to create new memory page where malicious shell code can be uploaded to gain execution privileges. This process has the CPU responding to calls that return to addresses different from where they started.”
• “SandBlast has a CPU-level detection engine that picks up on this anomaly and blocks the activity. The engine is available either on an appliance in customers’ data centers or as a cloud service running out of Check Point’s cloud. The engine relies on features of Intel’s Haswell CPU architecture”
• It is interesting to see this new processor feature being used to detect attacks, but I wonder if it can also be used the other way around, to monitor a system for regular activity
• “Check Point is also introducing a feature called Threat Extraction which makes it safe to open documents quickly before they can be run through the sandbox. It converts Word documents do PDF files, which neutralizes malware they may contain. It can convert PDF files to PDF files as well to reach the same end.”
• A way to ‘cleanse’ common over-featured file formats of unwanted features like macros, embedded javascript, etc seems like a very useful way to combat malicious files

Feedback

• letsencrypt.org Launches Q4 2015

• GPG sign email without passphrase

Round Up:

• Inspired by TV Show, engineers from Dropbox develop BSD licensed losslessh264 codec that can compress video and jpeg images losslessly. “22% reduction in file size for JPEG images without any notable loss in image quality”
• China Forces Developers Of Great Wall Circumvention Tools To Delete Their Software
• Municipal ISP created 5 years ago, now offers 10gbps connections in Salisbury, North Carolina for only $400/month, and 50/50 for just $45/month
• Save WiFi/Individual Comments
• Clean Application Compartmentalization with SOAAP [PDF]
• Wikipedia discovers scammers are charging to ‘protect’ profiles
• Goofy phishing attack forgets what it was actually advertising
• Inside Malvertising digs into the issue and looks at why it is so hard to fix
• OpenSSL Security – A year in review
• Want some database passwords? Easy

The post Hardware Insecurity Module | TechSNAP 232 first appeared on Jupiter Broadcasting.

This time on the show, we’ll be talking some ZFS with Sean Chittenden. He’s been using it on FreeBSD at Groupon, and has some interesting stories about how it’s saved his data. Answers to your emails and all of this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

More BSDCan 2015 videos

• Almost as if we said it would happen last week, more BSD-related presentation videos have been uploaded
• Alexander Motin, Feature-rich and fast SCSI target with CTL and ZFS
• Daichi Goto, FreeBSD for High Density Servers
• Ken Moore, Lumina-DE
• Kevin Bowling, FreeBSD Operations at Limelight Networks
• Maciej Pasternacki, Jetpack, a container runtime for FreeBSD
• Ray Percival, Networking with OpenBSD in a virtualized environment
• Reyk Floeter, Introducing OpenBSD’s new httpd
• Still more to come, hopefully

OpenBSD httpd rewrite support

• One of the most-requested features of OpenBSD’s new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
• There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
• Instead, Reyk ported over an implementation of lua pattern matching while on the flight back from BSDCan, turning it into a C API without the lua bindings
• In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you’d like to give it a try now
• It’s since been committed to -current, so you can try it out with a snapshot too

SSH 2FA on FreeBSD

• We’ve discussed different ways to lock down SSH access to your BSD boxes before – use keys instead of passwords, whitelist IPs, or even use two-factor authentication
• This article serves as a sort of “roundup” on different methods to set up two-factor authentication on FreeBSD
• It touches on key pairs with a server-side password, google authenticator and a few other variations
• While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
• OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems

NetBSD 7.0-RC1 released

• NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
• Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
• They’re looking for as much testing as possible, so give it a try and report your findings to the release engineering team

Interview – Sean Chittenden – seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS

News Roundup

OpenSMTPD and Dovecot

• We’ve covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
• This blog post about it has something not mentioned before: virtual domains and virtual users
• This means you can easily have “user1@domain.com” and “user2@otherdomain.com” both go to a local user on the box (or a different third address)
• It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
• Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we’ll cover in more detail when it’s released…

OctoPkg, a QT frontend to pkgng

• A PC-BSD user has begun porting over a graphical package management utility from Arch linux called Octopi
• Obviously, it needed to be rewritten to use FreeBSD’s pkg system instead of pacman
• There are some basic instructions on how to get it built and running on the github page
• After some testing, it’ll likely make its way to the FreeBSD ports tree
• Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over

AFL vs. mandoc, a quantitative analysis

• Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
• It’s meant to be accompanying material to his BSDCan talk, which already covered nine topics
• mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
• The article breaks down the 45 different bugs that were found, based on their root cause
• If you’re interested in secure coding practices, this’ll be a great one to read

OpenZFS conference video

• Videos from the second OpenZFS conference have just started to show up
• The first talk is by, you guessed it, Matt Ahrens
• In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
• There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS

Feedback/Questions

• Bryson writes in
• Kevin writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Bitrot Group Therapy | BSD Now 95 first appeared on Jupiter Broadcasting.

Liz Abinante began her journey at the age of 12 and is now a software engineer at New Relic! She also funded her way through school by selling knitting patterns!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Art Craft Code
• Art Craft Code Github
• Feministy
• Groupon

Full transcription of previous episodes can be found at heywtr.tumblr.com

The post OMG the Internet! | WTR 20 first appeared on Jupiter Broadcasting.

The Rosetta Mission has landed, Groupon plays nice with Gnome, a catastrophic Windows bug gets patched, the medical tricorder of today, YouTube’s music service, a quick note on open source .Net, our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

#CometLanding

• xkcd 1446

Groupon decides to leave ‘Gnome’ trademark alone | PCWorld

Groupon has dropped trademark applications that sought to use the “Gnome” name for a point-of-sale tablet it released in May, clashing with the open-source software group of the same name.

The nonprofit Gnome Foundation, which is behind the Gnome desktop for GNU/Linux and BSD, has held a registered trademark for the name since 2006.

Potentially catastrophic bug bites all versions of Windows. Patch now | Ars Technica

Microsoft has disclosed a potentially catastrophic vulnerability in virtually all versions of Windows. People operating Windows systems, particularly those who run websites, should immediately install a patch Microsoft released Tuesday morning.

The vulnerability resides in the Microsoft secure channel (schannel) security component that implements the secure sockets layer and transport layer security (TLS) protocols, according to a Microsoft advisory. A failure to properly filter specially formed packets makes it possible for attackers to execute attack code of their choosing by sending malicious traffic to a Windows-based server.

While the advisory makes reference to vulnerabilities targeting Windows servers, the vulnerability is rated critical for client and server versions of Windows alike, an indication the remote-code bug may threaten Windows desktops and laptop users as well. Amol Sarwate, director of engineering at Qualys, told Ars the flaw leaves client machines open if users run software that monitors Internet ports and accepts encrypted connections.

“If they install software that listens on port, then that machine would be vulnerable,” he said. An example would be “if they run Windows 7 but install an FTP server on it that accepts connections from outside, or a Web server on a client.”

Tuesday’s disclosure means that every major TLS stack—including Apple SecureTransport, GNUTLS, OpenSSL, NSS, and now Microsoft SChannel—has had a severe vulnerability this year.

This Device Diagnoses Hundreds of Diseases Using a Single Drop of Blood | WIRED

Called the rHEALTH

One small drop of blood is dropped into a small receptacle, where nanostrips and reagents react to the blood’s contents. The whole cocktail then goes through a spiral micro-mixer and is streamed past lasers that use variations in light intensity and scattering to come up with a diagnosis, from flu to a more serious illness such as pneumonia—or even Ebola—within a few minutes. There’s also a vitals patch that users can wear to get continuous health readings—EKG, heart rate, body temperature—delivered to their smartphone or the rHEALTH device itself via a Bluetooth link. An app called CHAS (Comprehensive Health Assessment Unit) can walk the user through the process of self-diagnosis.

The real innovation of rHEALTH, according to Chan, is in getting all the diagnostics technologies packed together into one handheld device. By shrinking its components so much compared to traditional devices, Chan says, patients will need to give 1,500 times less blood than they would for regular tests. Since it was originally developed for NASA, the device has even been tested in simulated lunar and zero gravity. “It’s a symphony of innovations, but we’ve pushed all of them individually to create the device,” Chan says.

YouTube’s music service launches in ‘weeks’ following indie deal

After a long (and frequently contentious) negotiation process, YouTube’s long hinted-at music service appears to be close to launch. Sources for the Financial Times claim that YouTube has finally signed a deal with Merlin, the rights group that represents about 20,000 indie music labels. The move gives the ad-free streaming option a well-stocked catalog ahead of its launch, which is reportedly due within “weeks.” It’s not clear just what broke the deadlock, but a tipster says that the new terms are “substantially more favorable” than what YouTube offered in June

DRIVE: Safe Messaging and Driving by RISE Devices — Kickstarter

The post From Space With Love | Tech Talk Today 90 first appeared on Jupiter Broadcasting.

The crew took the Firefox challenge & we follow up, we reflect on 10 years of Firefox, their early Linux support & the growing competition from Webkit.

Gnome raised money to defend it’s Trademark from Groupon, which has quickly raised the white flag. Is this instant groundswell of support the dawn of a new community attitude towards Gnome?

Plus an exciting first live on the show, tons of great feedback & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• Amazon Echo Parody – YouTube

FU:

• How to fix the vsync issues with Nvidia cards

• Cheap Linux USB Headphones?

• Most persuasive features for potential switchers?

• Fedora Next – delayed but awesome.

Firefox Challange Follow Up

• I’m taking the Firefox Challenge, and I crash too

Celebrating 10 Years of Firefox | The Mozilla Blog

10 years ago we built Firefox to give you a choice. The Web was a monoculture and the only way in was through the company that controlled your operating system. We believed then, and so did many of you, that the Web deserved an independent alternative. Today hundreds of millions of people trust Firefox because they understand that we’re different; that our independence lets us put you first.

Mozilla Introduces ‘Forget Button’ for Firefox and Dev Edition Browser

With a huge developer user base, Mozilla’s new Firefox Developer Edition browser looks to provide an all-in-one debugging toolset for professi

While it’s loosely based around the previous Firefox Aurora builds, it’s not a straight-forward rebrand — it’s closer to the nightly builds, but built for a developer user base with different needs. It also removes a lot of the safeguards that are vital in the consumer browser but that can frustrate developers.

Chromium:

• The Google-authored portion of Chromium is released under the BSD license,[18] with other parts being subject to a variety of different open-source licenses, including the MIT License, the LGPL, the Ms-PL and an MPL/GPL/LGPL tri-license

• Chromium (web browser) – Wikipedia, the free encyclopedia
  

  Differences from Google Chrome

Chromium is the name given to the open-source project and the browser source code released and maintained by the Chromium Project.[7] It is possible to download the source code and build it manually on many platforms. To create Chrome from Chromium, Google takes this source code and adds:[8]

• A restriction blocking the installation of extensions from anywhere other than the Chrome Web Store[9]
• Integrated Flash Player[10] (proprietary license and code)
• Built-in print preview and print system
• The Google and Google Chrome names (both trademarked)[11][12][13]
• An auto-update system called GoogleUpdate (some, such as the Debian or Ubuntu community builds of chromium, rely on the package management system of the OS as an alternative)
• An opt-in option for users to send Google their usage statistics and crash reports
• RLZ tracking when Chrome is downloaded as part of marketing promotions and distribution partnerships. This transmits information in encoded form to Google, including both when—and from where—Chrome was downloaded. In June 2010, Google confirmed that the RLZ tracking token is not present in versions of Chrome downloaded from the Google website directly, nor in any version of Chromium. The RLZ source code was also made open source at the same time (previously it was proprietary—and although the source is now open the feature was not migrated to Chromium) so that developers can confirm what it is and how it works.[14]

By default, Chromium only supports Vorbis, Theora and WebM codecs for the HTML5 audio and video tags. Google Chrome supports these as well as the patent-encumbered AAC and MP3 codecs. On 11 January 2011, the Chrome Product manager, Mike Jazayeri, announced that Chrome would no longer support the H.264 video format for its HTML5 player.[15] In October 2013 Cisco announced that it was open-sourcing its H.264 codecs and will cover all fees required.[16] As of December 2013, Chrome still supports H.264. Linux distributions that distribute Chromium may add support for other codecs to their customized versions of Chromium.

Gnome Vs Groupon

• Help the GNOME Foundation defend the GNOME trademark

Recently Groupon announced a product with the same product name as GNOME. Groupon’s product is a tablet based point of sale “operating system for merchants to run their entire operation.” The GNOME community was shocked that Groupon would use our mark for a product so closely related to the GNOME desktop and technology. It was almost inconceivable to us that Groupon, with over $2.5 billion in annual revenue, a full legal team and a huge engineering staff would not have heard of the GNOME project, found our trademark registration using a casual search, or even found our website, but we nevertheless got in touch with them and asked them to pick another name. Not only did Groupon refuse, but it has now filed even more trademark applications (the full list of applications they filed can be found here, here and here). To use the GNOME name for a proprietary software product that is antithetical to the fundamental ideas of the GNOME community, the free software community and the GNU project is outrageous. Please help us fight this huge company as they try to trade on our goodwill and hard earned reputation.

• Groupon respond to ‘Defend GNOME’ critisism

• Sri Viswanath the Senior Vice President of Engineering and Operations at Groupon just posted

MATE 14.04 is OUT!

• Ubuntu MATE | Ubuntu MATE

• More Ubuntu MATE coverage for our German members.

• Ubuntu MATE 14.04 Live Release at 1:01:15.

Runs Linux from the people:

• Send in a pic/video of your runs Linux.
• Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

• Tech Talk Today Today | Jupiter Broadcasting

Support Jupiter Broadcasting on Patreon

Post-Show:

• Ubuntu Online Summit Starts in Just Two Days

The post Firefox gets Unplugged | LINUX Unplugged 66 first appeared on Jupiter Broadcasting.

A major flaw in iOS allows any Enterprise signed Ad-Hoc app to silently replace any non-system iOS app and steal user data, Google now owns a NASA airfield, Gnome battles for its trademark & China hacks the US Postal service.

Plus Mozilla beefs up TOR & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Masque Attack: All Your iOS Apps Belong to Us | FireEye Blog

In July 2014, FireEye mobile security researchers have discovered that an iOS app installed using enterprise/ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier. This in-house app may display an arbitrary title (like “New Flappy Bird”) that lures the user to install it, but the app can replace another genuine app after installation. All apps can be replaced except iOS preinstalled apps, such as Mobile Safari. This vulnerability exists because iOS doesn’t enforce matching certificates for apps with the same bundle identifier. We verified this vulnerability on iOS 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta, for both jailbroken and non-jailbroken devices. An attacker can leverage this vulnerability both through wireless networks and USB. We named this attack “Masque Attack”.

China suspected of breaching U.S. Postal Service computer networks

Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees — including the postmaster general’s.

The intrusion was discovered in mid-September, said officials, who declined to comment on who was thought to be responsible. The FBI is leading the investigation into the hack.

The news, announced by U.S. Postal Service, came as President Obama arrived Monday in Beijing for high-level talks with his counterpart, President Xi Jinping, as well as for an economic summit.

Mozilla will start hosting Tor relays as part of Polaris privacy push

Mozilla will give the Tor Project a capacity boost as part of the Firefox maker’s new strategic privacy initiative, Polaris, which it unveiled on Monday as part of its tenth anniversary celebrations.

The Polaris initiative will see Mozilla work alongside partners such as the Tor Project and the Center for Democracy & Technology (CDT) to promote online privacy, largely through the inclusion of new features in Firefox. In a Monday blog post, Mozilla said it wants to “accelerate pragmatic and user-focused advances in privacy technology for the web,” which appears to denote a focus on user-friendliness.

Also on Monday, Mozilla added the privacy-focused DuckDuckGo search engine as a pre-installed option for Firefox users across Windows, Mac, Linux and Android. There’s also a new Firefox feature called Forget, which gives users a simple way to clear out all tracking information covering the last five minutes, two hours or 24 hours – as opposed to going through a relatively technically-phrased list asking whether users want to clear cookies, history and so on.

Google now runs an airfield after signing a 60-year NASA lease

It’s official: following months of negotiations, Google now has an airfield to call its own. The company’s Planetary Ventures wing has signed a lease with NASA that lets it manage Moffett Federal Airfield, including three hangars, two runways and even a golf course. The 60-year (!) deal will have the internet giant shell out $6.3 million per year in upkeep, and a total of $1.16 billion in rent.

Open-Source Vs Groupon: GNOME Battle To Protect Their Trademark – OMG! Ubuntu!

Groupon, famed for its ‘deal-of-the-day’ website, recently unveiled a “tablet-based platform” called ‘GNOME’, and has filed requisite trademark filings — 10 so far — seeking ownership of the name.

Naturally, this has the GNOME Foundation ‘concerned’. GNOME is a registered trademark of the foundation, and has been since 2006. This mark was issued under a number of sections, including ‘operating system’ — which the Chicago-based Groupon is also claiming against.

Could it just be that they’ve never heard of GNOME before?

Help the GNOME Foundation defend the GNOME trademark

The post All Your iOS Belong to Us | Tech Talk Today 89 first appeared on Jupiter Broadcasting.

How many times have your credentials been leaked online? Think your safe? Chris thought he was. In today’s episode he’ll find out how many times his information has been leaked online, and we tell you how you check for your self.

Plus we’ll cover how to build your own layered spam defense, and why you probably want to leave that USB thumb drive, on the ground!