hacked – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Thu, 09 Nov 2017 04:00:30 +0000

Donna’s Closet | Unfilter 258
https://original.jupiterbroadcasting.net/119756/donnas-closet-unfilter-258/
Wed, 08 Nov 2017 20:00:30 +0000

Links: Donna Brazile: Hillary’s Campaign Bigs Were ‘Condescending and Dismissive’ | Mediaite; Donna Brazile wasn’t even allowed to swear in front of Clinton’s people | New York Post; WATCH: Podesta Group Linked to […]

The post Donna's Closet | Unfilter 258 first appeared on Jupiter Broadcasting.

RSS Feeds:

Video Feed | MP3 Feed | HD Torrent | iTunes

Become an Unfilter supporter on Patreon:

Patreon

— Show Notes —

Links:


Pulsed Gun Control | Unfilter 192
https://original.jupiterbroadcasting.net/100486/pulsed-gun-control-unfilter-192/
Wed, 15 Jun 2016 23:05:18 +0000

The post Pulsed Gun Control | Unfilter 192 first appeared on Jupiter Broadcasting.


From the Orlando shooting, secret drone emails, to the Brexit this episode of Unfilter covers a lot of ground. We share our thoughts & questions about the shooting, discuss the DNC hack & the latest scandals in the 2016 race.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon:

Patreon

— Show Notes —

Episode Links

My Kingdom for a VLAN | TechSNAP 267
https://original.jupiterbroadcasting.net/99871/my-kingdom-for-a-vlan-techsnap-267/
Thu, 19 May 2016 17:38:11 +0000

The post My Kingdom for a VLAN | TechSNAP 267 first appeared on Jupiter Broadcasting.


A typo stops a billion dollar bank hack, a vulnerability in 7zip that might surprise you & the best solutions for secure remote network access.

Your great questions, our answers, a packed round up & more!

Thanks to:

DigitalOcean | Ting | iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Attackers compromise banks and steal millions

  • Attackers compromised the credentials of Bangladesh Bank (the country’s central bank) and used those credentials to make SWIFT wire transfers
  • “Cyber criminals broke into Bangladesh Bank’s system and in early February tried to make fraudulent transfers totaling $951 million from its account at the Federal Reserve Bank of New York.”
  • Using the credentials, they started a wave of transfers. The first four went through, transferring a total of more than $81 million, the largest bank heist in history
  • The fifth was stopped only because of a typo
  • “a transfer for $20 million, to a Sri Lankan non-profit organization was held up because the hackers misspelled the name of the NGO, Shalika Foundation. Hackers misspelled “foundation” in the NGO’s name as “fandation”, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction”
  • “The details of how the hacking came to light and was stopped before it did more damage have not been previously reported. Bangladesh Bank has billions of dollars in a current account with the Fed, which it uses for international settlements.”
  • “The transactions that were stopped totaled $850-$870 million, one of the officials said”
  • So if it wasn’t for the typo, the hackers may have made off with almost $1 billion
  • “Bangladesh Bank has said it has recovered some of the money that was stolen, and is working with anti-money laundering authorities in the Philippines to try to recover the rest.”
  • “More than a month after the attack, Bangladeshi officials are scrambling to trace the money, shore up security and identify weaknesses in their systems. They said there is little hope of ever catching the hackers, and it could take months before the money is recovered, if at all.”
  • Additional Coverage
  • “Bangladesh’s central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 switches to network computers connected to the SWIFT global payment network”
  • “The shortcomings made it easier for hackers to break into the Bangladesh Bank system earlier this year and attempt to siphon off nearly $1 billion using the bank’s SWIFT credentials, said Mohammad Shah Alam, head of the Forensic Training Institute of the Bangladesh police’s criminal investigation department.”
  • Experts in bank security said that the findings described by Alam were disturbing. “You are talking about an organization that has access to billions of dollars and they are not taking even the most basic security precautions”
  • “Two (SWIFT) engineers came and visited the bank after the heist and suggested to upgrade the system”
  • “Bangladesh police said earlier this week they had identified 20 foreigners involved in the heist but they appear to be people who received some of the payments, rather than those who initially stole the money.”
  • “The SWIFT room is roughly 12 feet by 8 feet, a window-less office located on the eighth floor of the bank’s annex building in Dhaka. There are four servers and four monitors in the room”
  • “The SWIFT facility should have been walled off from the rest of the network. That could have been done if the bank had used the more expensive, “managed” switches, which allow engineers to create separate networks, said Alam, whose institute includes a cyber-crime division.”
  • My kingdom for a VLAN…
  • Last week, a second bank was hit
  • Additional Coverage
  • “The second case targeted a commercial bank, Swift spokeswoman Natasha de Teran said, without naming it. It was not immediately clear how much money, if any, was stolen in the second attack.”
  • Swift said in a statement that the attackers exhibited a “deep and sophisticated knowledge of specific operational controls” at targeted banks and may have been aided by “malicious insiders or cyber attacks, or a combination of both”.
  • “News of a second case comes as law enforcement authorities in Bangladesh and elsewhere investigate the February cyber theft from the Bangladesh central bank account at the New York Federal Reserve Bank. Swift has acknowledged that that scheme involved altering Swift software to hide evidence of fraudulent transfers, but that its core messaging system was not harmed.”
  • “In the second case SWIFT said attackers had also used a kind of malware called a “Trojan PDF reader” to manipulate PDF reports confirming the messages in order to hide their tracks.”
  • That sounds a lot more sophisticated than the first attack. Of course, it could just be that sophisticated attackers hit an unsophisticated bank, and so did not need to use such techniques, or that they just went undetected, because of the lax security at the first bank
  • SWIFT network issues security advisory about malware targeting banks
  • “In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT. The attackers have been able to bypass whatever primary risk controls the victims have in place, thereby being able to initiate the irrevocable funds transfer process. In a second step, they have found ways to tamper with the statements and confirmations that banks would sometimes use as secondary controls, thereby delaying the victims’ ability to recognise the fraud.”

Cisco TALOS finds vulnerability in 7zip

  • “Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These types of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries. This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”
  • For example, a number of virus and malware scanners use the 7-Zip library to scan inside various archive formats
  • This means an attacker could send you a file which would automatically be scanned by your virus scanner, and the scan itself would trigger the exploit
  • The Talos article includes a link to a Google search for the 7-Zip license, which you can find embedded in a huge number of open and closed source applications
  • “An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format (UDF) files. The UDF file system was meant to replace the ISO-9660 file format, and was eventually adopted as the official file system for DVD-Video and DVD-Audio.”
  • “Central to 7-Zip’s processing of UDF files is the CInArchive::ReadFileItem method. Because volumes can have more than one partition map, their objects are kept in an object vector. To start looking for an item, this method tries to reference the proper object using the partition map’s object vector and the “PartitionRef” field from the Long Allocation Descriptor. Lack of checking whether the “PartitionRef” field is bigger than the available amount of partition map objects causes a read out-of-bounds and can lead, in some circumstances, to arbitrary code execution.”
  • “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip. In the HFS+ file system, files can be stored in compressed form using zlib. There are three different ways of keeping data in that form depending on the size of the data. Data from files whose compressed size is bigger than 3800 bytes is stored in a resource fork, split into blocks.”
  • “Block size information and their offsets are kept in a table just after the resource fork header. Prior to decompression, the ExtractZlibFile method reads the block size and its offset from the file. After that, it reads block data into static size buffer “buf”. There is no check whether the size of the block is bigger than size of the buffer “buf”, which can result in a malformed block size which exceeds the mentioned “buf” size. This will cause a buffer overflow and subsequent heap corruption.”
  • “Sadly, many security vulnerabilities arise from applications which fail to properly validate their input data. Both of these 7-Zip vulnerabilities resulted from flawed input validation. Because data can come from a potentially untrusted source, data input validation is of critical importance to all applications’ security. Talos has worked with 7-Zip to responsibly disclose, and then patch these vulnerabilities. Users are urged to update their vulnerable versions of 7-Zip to the latest revision, version 16.00, as soon as possible.”
  • 2016-03-03 – Vendor Notification
  • 2016-05-10 – Public Disclosure

Two large middle eastern banks hit by hackers

  • “A massive collection of documents from Qatar National Bank, based in Doha, was leaked and posted online to the whistleblower site Cryptome on April 26. The leaked data, which totals 1.4 GBs, apparently includes internal corporate files and sensitive financial data for QNB’s customers.”
  • “Cryptome reports that the leak comprises 15,460 files, containing details, including passwords, PINs and payment card data, for hundreds of thousands of the bank customers’ accounts. Multiple experts have also examined the data, and likewise report that it appears to be legitimate. But Cryptome offered no insights into how the data was obtained, for example, if it was via an external hack attack, or an inside job.”
  • “Multiple sources who have reviewed the data dump have also confirmed to ISMG that the data appears to be genuine. One researcher, speaking on condition of anonymity, also confirmed that he had successfully used leaked customer internet banking credentials from the data dump to begin logging in to the customer’s account, purely for research purposes. But he said the bank’s systems then sent a one-time password to the customer’s registered mobile number, which would serve as a defense against any criminals who might now attempt to use the leaked data to commit fraud.”
  • Additional Coverage: IBTimes
  • “Although analysis of the leaked data remains ongoing, there are reports that it contains additional, unusual information. U.K.-based digital media news site IBTimes, for example, reports that in addition to consumer data, the leaked information also includes documents with information on Qatar’s Al-Thani royal family as well as the broadcaster Al Jazeera, which is partly funded by the same family.”
  • “In addition, some leaked folders are marked “Spy” and contain what appear to be intelligence dossiers on individuals, according to IBTimes. Some files contained in the dump are labeled as “MI6” – in apparent reference to the British intelligence agency – with others naming Qatar’s state security bureau, known as the Mukhabarat, as well as French and Polish intelligence agencies, IBTimes reports.”
  • “Interestingly, there is also additional data about mainly foreign bank account holders, which includes information such as their Facebook and LinkedIn profiles, along with ‘friends’ associated through those social networks. This data doesn’t appear to have come directly from the bank itself, rather the perpetrator used the data held by the bank to then build up profiles of further targets.”
  • A second breach occurred at InvestBank, in the UAE
  • Additional Coverage
  • “A massive tranche of nearly 10GB of files alleged to be from Sharjah, UAE-based InvestBank appears to have been dumped online by the hacking group “Bozkurtlar” – Turkish for “Gray Wolves” – on May 7. The zip archive released by the attackers appears to contain internal files and sensitive financial documents, including InvestBank customers’ data.”
  • “The Bozkurtlar hacker or hacking group appears to have Turkish ties, and also claimed credit for a similar data dump on April 26, involving Doha-based Qatar National Bank. In that case, leaked customer data for QNB was quickly posted online by the Cryptome.org whistleblower site”
  • “The dumped data appears to include a massive amount of information tied to InvestBank’s systems, including SQL databases and some backup folders. Speaking on condition of anonymity, one expert who’s reviewed the data says it appears to date from 2011 to September 2015.”
  • “Customer data included in the leak includes copies of ID documents, photographs of individuals, documents relating to land purchases – such as stamp papers and financials, as well as bank statements and nearly 100,000 credit card numbers, including expiry dates in clear text. Security researchers, however, note that customer credentials such as account passwords and PINs appear to be encrypted.”
  • “The dump also contains comprehensive details on InvestBank’s IT setup, including clear-text credentials for its production systems, switches, routers, virtual machines and Windows servers – many of which appear to have been using easily guessable vendor default passwords. Screenshots of server settings and diagrams of server and data center layouts have also been found in the dump, in addition to details of VPN setups with the bank’s branch offices.”
  • “The dump also appears to contain complete details of InvestBank’s Oracle FLEXCUBE core banking solution implementation, including costs, deliverables, scope of work, licensing information and the entire database pertaining to InvestBank’s FLEXCUBE implementation.”
  • “In December 2015, a hacker broke into InvestBank’s systems and released records for thousands of customers, after the bank refused to pay the $3 million bitcoin ransom demanded by the attacker”
  • InvestBank claims this is not a new hack, but just the old data being fully released
  • It is possible the original attacker gave up on trying to ransom or sell the data, and just released it publicly

Feedback:


Round Up:


The High Price of Purism | LAS 405
https://original.jupiterbroadcasting.net/96641/the-high-price-of-purism-las-405/
Sun, 21 Feb 2016 19:30:25 +0000

The post The High Price of Purism | LAS 405 first appeared on Jupiter Broadcasting.


Is the Librem 15 the ultimate Linux laptop? We review Purism’s Librem 15 laptop, crowd funded and pitched as “the first high-end laptop in the world that ships without mystery software in the kernel, operating system, or any software applications.” Does it live up to the promise? Have we found the true Linux powered MacBook killer?

Plus Linux Mint gets attacked, Ubuntu Touch on hardware you really want, why real ZFS support on Linux is near….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

DigitalOcean | Ting | Linux Academy

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —


System76

Brought to you by: Linux Academy

Librem 15 Review

Chris announces his backing of the Librem 15
Todd from Purism Interviewed: Perfect Linux Laptop | LUP 69

The founder of Purism, maker of the Librem 15, a laptop that promises to respect your freedom and be the perfect Linux machine, joins us to discuss the hardware, software & goals of the project & how he hopes to encourage manufacturers to free the entire stack. But are the goals of this project too ambitious? We’ll ask!

Purism Claims Three Months Ago Orders are Shipping Better Built than MacBook

Original Specs

Librem 15 Specs

  • Librem 15: A Laptop That Respects Your Rights | Crowd Supply
  • 15.6″ diagonal LED backlit 1920×1080 FHD (Full High Definition) pixel display
  • 4 Core (8 Threads) 2.3GHz Intel i7-4712MQ
  • Intel 4600 HD Graphics, and
  • nVidia GT840M Graphics
  • 375mm x 244mm x 22mm, 2.0Kg
  • 14″ x 9.6″ x 0.86″, 4.4lbs
  • 4GB memory (up to 8GB)
  • 500GB HD (up to 1TB HD or 250GB SSD)
  • CD/DVD ROM Drive
  • 48 Wh lithium polymer battery
  • 65W power adapter
  • Up to 8 hours usage
  • Three USB ports
  • One HDMI port
  • One Pop-Down RJ45 Network port
  • 802.11n WiFi
  • 720p camera
  • Full-size backlit keyboard
  • SDXC card slot
  • Purism 64bit GNU/Linux Operating System (Trisquel based)

Upgrades I added

Librem 15 as Specced

Librem Laptop – Earliest Bird

  • Memory: 8GB +$100
  • Storage: 500GB SSD +$275
  • Drive Bay: CD/DVD ROM
  • Screen: Full HD (1920×1080)
  • Keyboard: English (US)
  • AC Adapter Power Plug: US

Crowdfunding pledge, expected to ship April 2015

Qty 1 $1,824.00 ea.

Backed on Nov 22, 2014
Shipped on Feb 10, 2016
Shipped 286 days late! Originally expected to ship in April 2015

What I Got (different from what I ordered)

  • CPU Core i7-5557U CPU (2 Core, not 4 Core, but Broadwell instead of Haswell. Should be Skylake by now)
  • GPU Intel Iris 6100 (Not an Nvidia GPU)
  • No “Pop-Down RJ45 Network port”

The Fan Noise

Bottom of Librem with Case Off

Enemy #1: the Librem 15 is really loud. Too loud to use when on mic, and too loud to focus when working. It had to be solved.

Things attempted:

  1. Power management under PureOS
  2. Reload the system with Ubuntu 16.04 and check for drivers/firmware
  3. On a suggestion from IRC, installed Windows 10
  4. Installed Arch, tried messing with the intel_pstate controller
  5. Unplugged the fan!

No Ethernet

No Ethernet Port on Librem

Media production sucks over WiFi. For me, a high-end laptop needs to have Ethernet; my workflow basically requires it. So I compensated by buying a USB-C adapter.

Anker USB-C to 3-Port USB 3.0 Hub with Ethernet Adapter

Pros

  • It is well built, compares with any other well built PC laptop very well.
  • When plugged in, speed feels very responsive.
  • Easy to hold, feels good in the hand.
  • LG screen is high-end, has some side address challenges.
  • USB-C is kinda cool, want to play with that more.
  • Very easy to nuke and pave. Did not have trouble loading any distro, or even Windows.
  • It is undeniably unique, and rare. That’s sorta special, and feels a bit like a kit car at the same time.
  • More Pictures

— PICKS —

Runs Linux

Endless PCs

Desktop App Pick

Osmo Screenshot

Osmo is a handy personal organizer, which includes calendar, task manager, address book and notes modules. It was designed to be a small, easy to use and good looking PIM tool to help manage personal information. In its current state the organizer is quite convenient to use – for example, the user can perform nearly all operations using the keyboard. Also, a lot of parameters are configurable to meet the user’s preferences. On the technical side, Osmo is a GTK+ based tool which uses a plain XML database to store all personal data.

Weekly Spotlight

Log.io Screenshot

Harvesters watch log files for changes, send new log messages to the server, which broadcasts to web clients. Log messages are tagged with stream, node, and log level information based on user configuration.


— NEWS —

MINT Hacked: Beware of hacked ISOs. Reset Forum Passwords

Linux Mint Hacked Site Source Screenshot

We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.

Check your ISO

Once in the live session, if there is a file at /var/lib/man.cy, then this is an infected ISO.

  • Bad version of linuxmint-17.3-cinnamon-64bit.iso (MD5 / SHA-1): 7d590864618866c225ede058f1ba61f0 / CD6DEF080EC08BC0D6159A7168F2F85800EB93C1
  • Clean version of linuxmint-17.3-cinnamon-64bit.iso (MD5 / SHA-1): E71A2AAD8B58605E906DBEA444DC4983 / EA7C906066D2D8E63FC6C0175482196F13AEF8DE
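The check described above, as an added example that is not part of the Linux Mint announcement or the show notes: it streams an ISO through MD5 and SHA-1 and classifies the result against the two digest pairs quoted in the post, and it tests for the /var/lib/man.cy marker from a live session. Both digests have to agree before a file is called backdoored or clean, so a single-algorithm match is flagged separately. The function names (`digests`, `classify`, `check_iso`, `live_session_infected`) are this example's own.

```python
import hashlib
import os

# Digest pairs for linuxmint-17.3-cinnamon-64bit.iso as quoted in the
# Linux Mint announcement above (MD5 / SHA-1), normalised to lowercase.
BAD_MD5 = "7d590864618866c225ede058f1ba61f0"
BAD_SHA1 = "cd6def080ec08bc0d6159a7168f2f85800eb93c1"
CLEAN_MD5 = "e71a2aad8b58605e906dbea444dc4983"
CLEAN_SHA1 = "ea7c906066d2d8e63fc6c0175482196f13aef8de"

# Marker file the announcement says is present in a backdoored live session.
MARKER_PATH = "/var/lib/man.cy"


def _hash_stream(chunks):
    """Feed an iterable of byte chunks through MD5 and SHA-1 in one pass."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def digests_of_bytes(data):
    """(md5, sha1) hex digests of an in-memory byte string."""
    return _hash_stream([data])


def digests(path, chunk_size=1 << 20):
    """(md5, sha1) hex digests of a file, streamed so a multi-GB ISO never sits in memory."""
    with open(path, "rb") as fh:
        return _hash_stream(iter(lambda: fh.read(chunk_size), b""))


def classify(md5, sha1):
    """Return 'backdoored', 'clean', 'mismatch' or 'unknown' for a digest pair.

    'mismatch' means only one of the two digests matched a known pair, which
    should be treated as suspicious rather than as a clean or bad verdict.
    """
    md5, sha1 = md5.lower(), sha1.lower()
    bad = (md5 == BAD_MD5, sha1 == BAD_SHA1)
    clean = (md5 == CLEAN_MD5, sha1 == CLEAN_SHA1)
    if all(bad):
        return "backdoored"
    if all(clean):
        return "clean"
    if any(bad) or any(clean):
        return "mismatch"
    return "unknown"


def check_iso(path):
    """Hash an ISO on disk and classify it against the published digests."""
    return classify(*digests(path))


def live_session_infected(root="/"):
    """In-session indicator from the announcement: the marker file under /var/lib.

    `root` lets the check run against a mounted image instead of the live system.
    """
    return os.path.exists(os.path.join(root, MARKER_PATH.lstrip("/")))


if __name__ == "__main__":
    import sys

    # Usage: python check_mint_iso.py path/to/linuxmint-17.3-cinnamon-64bit.iso
    for iso in sys.argv[1:]:
        print(iso, check_iso(iso))
    if live_session_infected():
        print("marker file present:", MARKER_PATH)
```

An `unknown` result for a 17.3 Cinnamon 64-bit ISO is also worth acting on: it means the download matches neither the published clean digest nor the known-bad one, so it should be re-downloaded from the official mirror and re-checked rather than installed.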

This case is actually the same old flaw’s story: it looks like the system was exploited via web admin panel abuse over HTTP access (sorry, I cannot tell you which web panel right now) using tools that can send rapid fetch/wget requests (later on we learned that the malware discussed here also has that function); root privilege was gained via the crontab UID (root, indeed), and practically the overall server’s security was compromised from that hole. And the bad guys were compiling a nasty downloader/IRC bot backdoor (previously known as TSUNAMI), deleting all related source traces and logs, then running and hiding its service using a fake bash process (ever seen a BSD system with a bash shell process before? *smile*).

man.cy from malicious Linux Mint iso


All forums users should change their passwords.

It was confirmed that the forums database was compromised during the attack led against us yesterday and that the attackers acquired a copy of it. If you have an account on forums.linuxmint.com, please change your password on all sensitive websites as soon as possible.

The database contains the following sensitive information:

  • Your forums username
  • An encrypted copy of your forums password
  • Your email address
  • Any personal information you might have put in your signature/profile/etc…
  • Any personal information you might written on the forums (including private topics and private messages)

ZFS filesystem will be built into Ubuntu 16.04 LTS by default

ZFS for Ubuntu

A new long-term support (LTS) version of Ubuntu is coming out in April, and Canonical just announced a major addition that will please anyone interested in file storage. Ubuntu 16.04 will include the ZFS filesystem module by default, and the OpenZFS-based implementation will get official support from Canonical.

You’ll find zfs.ko automatically built and installed on your Ubuntu systems. No more DKMS-built modules!

Canonical Presents Sony Xperia Z1 and OnePlus One as Ubuntu Phones

OnePlus and Xperia

“Today, we’re celebrating the arrival of two new Ubuntu phone community ports! If you’re the lucky owner of a Sony Xperia Z1, you will soon be able to download an image to turn it into an Ubuntu phone and PC! Alternatively, if you’re the owner of a OnePlus One you will be able to flash and use Ubuntu on your phone,” Thibaut Rouffineau explained.

We owe a big thanks to the Ubuntu community for porting Ubuntu to these devices and especially Marius Gripsgard for his work on the OnePlus One! More widely, this is a meeting of the minds with phone vendors who have been pushing open source in their devices and their developer community for a while. The Sony open source efforts in particular have been essential to this work. Similarly OnePlus’ commitment to open source has helped tremendously towards this port becoming available.

Getting Started | Mimic by Mycroft and VocaliD

Mimic is a fast, lightweight Text-to-speech engine developed by Mycroft A.I. and VocaliD, based on Carnegie Mellon University’s FLITE software. Mimic takes in text and reads it out loud to create a high quality voice. Mimic’s low-latency, small resource footprint, and good quality voices set it apart from other open source text-to-speech projects.

Mimic is a lightweight run-time speech synthesis engine, based on Flite (Festival-Lite). The Flite project website can be found here: https://www.festvox.org/flite/ – further information can be found in the ACKNOWLEDGEMENTS file in the Mimic repo.

Microsoft Brings Red Hat Enterprise Linux To Azure

Red Hat Azure Cake

Microsoft is now selling Red Hat Enterprise Linux licenses. Starting today, you will be able to deploy Red Hat Enterprise Linux (RHEL) from the Azure Marketplace and get support for your deployments from both Microsoft and Red Hat.

Being recognized as a Red Hat CCSP means Microsoft Azure is a trusted destination for customers to move their Red Hat subscriptions, as part of the Red Hat Cloud Access program. Red Hat products enabled for Cloud Access include Red Hat Enterprise Linux 6.7 and above and 7.1 and above, Red Hat JBoss Middleware, OpenShift Enterprise by Red Hat and Red Hat Gluster Storage.

In the announcement made on February 17, 2016, Microsoft brags about the fact that it loves Linux and that more than 60 percent of its Azure cloud images are based on Linux.

Feedback:


Brought to you by: System76

Mail Bag

  • https://stikked.luisaranguren.com/view/451a2533
  • https://stikked.luisaranguren.com/view/1b6f898c
  • https://stikked.luisaranguren.com/view/d3135cc8

Call Box

  • [Chris’ call out for the community to help him with his background for the Linux Action ](https://www.reddit.com/r/LinuxActionShow/comments/40cw9x/chris_call_out_for_the_comm

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Clickity Clack Content Crap | TTT 216
https://original.jupiterbroadcasting.net/88806/clickity-clack-content-crap-ttt-216/
Thu, 08 Oct 2015 09:45:11 +0000

The post Clickity Clack Content Crap | TTT 216 first appeared on Jupiter Broadcasting.


The state of the tech press is downright embarrassing, today we call out some examples of “click bait journalism” that plagues the tech news.

Amazon has a snailmail solution to your “big” data, LoopPay gets hacked, Lyft and Uber have a public spat & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

— Episode Links —

LostPass | Tech Talk Today 183
https://original.jupiterbroadcasting.net/83752/lostpass-tech-talk-today-183/
Tue, 16 Jun 2015 11:05:56 +0000

The post LostPass | Tech Talk Today 183 first appeared on Jupiter Broadcasting.


LastPass discloses it’s been compromised, we discuss the scope of the hack & what our best and worst options are moving forward.

Plus a recap of the most interesting things from E3 so far & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

Google’s Tech Tease | Tech Talk Today 176
https://original.jupiterbroadcasting.net/82837/googles-tech-tease-tech-talk-today-176/
Wed, 27 May 2015 10:37:35 +0000

The post Google's Tech Tease | Tech Talk Today 176 first appeared on Jupiter Broadcasting.


There is some major smoke around the Google I/O fire, we dig into an in depth discussion about the big Google Picture. Plus Vox buys up Re/Code in a move that consolidates tech news & OnePlus teases us with a new device!


Show Notes:

Vox Media Adds ReCode to Its Stable of Websites – NYTimes.com

One reason for the renewed discussions may be Comcast’s role in encouraging Vox Media’s acquisition of Recode, the technology news site with a small audience but growing events business. Sources say Comcast, which owns minority stakes in both companies, gave its blessing to the deal several months ago. David Zilberman, a managing director of Comcast Ventures, its venture capital arm, sits on Vox Media’s board. He didn’t reply to a message seeking comment.

APNewsBreak: IRS says thieves stole tax info from 100,000

The thieves accessed a system called “Get Transcript,” where taxpayers can get tax returns and other filings from previous years. In order to access the information, the thieves cleared a security screen that required knowledge about the taxpayer, including Social Security number, date of birth, tax filing status and street address, the IRS said.

Microsoft partners with LG, Sony, other OEMs to sell Android tablets featuring Office, OneDrive, Skype

In total, Microsoft has now partnered with 31 global and local OEMs (11 in March and 20 today) to preinstall its apps onto Android devices throughout this year. Only time will tell if Microsoft’s apps end up actually being used more because of these deals.

OnePlus teases next smartphone announcement on Twitter

OnePlus says it is “Time to change” in its latest tweet, teasing a possible smartphone announcement for June 1. Chinese smartphone maker, OnePlus, relies heavily on Twitter for making announcements and promoting products and now the company would like to shake things up according to its latest tweet.

Update on Extension Signing and New Developer Agreement

Next week, we will activate two new features on AMO: signing of new add-on versions after they are reviewed, and add-on submission for developers who wish to have their add-ons signed but don’t want them listed on AMO. We will post another update once this happens. When this is done, all extension developers will be able to have their extensions signed, with enough time to update their users before signing becomes a requirement in release versions of Firefox.

Google I/O 2015 Preview: We’re doubling down on Android M, Chrome, Wear and more

Obviously Android M(arshmallow?), Wear updates including the next Moto 360 are at the top of the list. I’ve been hearing whispers that the new 360 is smaller, uses more modern/efficient SoC and a better OLED display. I’m praying to the robot dog overlords at Google that they have these as developer demo units (read: presents) at I/O. Use on iOS as has been found in code would also be nice for us who use both platforms. I’ve heard Samsung might have something round for us to feast on soon, and who knows, maybe we’ll see a $1,400 Tag Heuer Watch somehow with Intel Inside.

Home Depot Credit Repo | TechSNAP 178 https://original.jupiterbroadcasting.net/65977/home-depot-credit-repo-techsnap-178/ Thu, 04 Sep 2014 18:57:14 +0000 https://original.jupiterbroadcasting.net/?p=65977 Home Depot is breached, and the scale could be much larger than the recent Target hack; we discuss the explosion of fake cell towers in the US, and what's behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken. Plus a great batch of […]

The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.


Home Depot is breached, and the scale could be much larger than the recent Target hack; we discuss the explosion of fake cell towers in the US, and what's behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken.

Plus a great batch of your questions, our answers & much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Krebs: Banks report breach at Home Depot. Update: Almost all home depot stores hit

  • Sources from multiple banks have reported to Brian Krebs that the common retailer in a series of stolen credit cards appears to be Home Depot
  • Home Depot's spokesperson Paula Drake says: “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate,” Drake said, reading from a prepared statement. “Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
  • “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period”
  • “The breach appears to extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico”
  • Zip-code analysis shows a 99.4% overlap between stolen cards and Home Depot store locations
  • This is important, as the fraud detection system at many banks is based on proximity
  • If a card is used far away from where the card holder normally shops, that can trigger the card being frozen by the bank
  • By knowing the zip code of the store the cards were stolen from, the criminal who buys the stolen card data to make counterfeit cards can use cards from the same region they intend to target, increasing their chance of successfully buying gift cards or high-value items that they can later turn into cash
  • The credit card numbers are for sale on the same site that sold the Target, Sally Beauty, and P.F. Chang’s cards
  • “How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.”
  • Some retailers, including Urban Outfitters, say they do not plan to notify customers, vendors or the authorities if their systems are compromised

Fake cell towers found operating in the US

  • Seventeen mysterious cellphone towers have been found in America which look (to your phone) like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose. Source: Popular Science
  • Mobile handsets are supposed to warn the user when the tower does not support encryption, since all legitimate towers do; the most likely reason a tower lacks encryption is that it is a rogue tower trying to trick your phone into sending calls and data unencrypted, so they can be eavesdropped upon
  • The rogue towers were discovered by users of the CryptoPhone 500, a Samsung SIII running a modified Android that reports suspicious activity, like towers without encryption, or data communications over the baseband chip without corresponding activity from the OS (suggesting the tower might be trying to install spyware on your phone)
  • “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one near the South Point Casino in Las Vegas.”
  • “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
  • Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
  • The Oakland Police Department, the nearby Fremont Police Department, and the Alameda County District Attorney jointly applied for a grant from the Department of Homeland Security to “obtain a state-of-the-art cell phone tracking system,” the records show.
  • Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
  • According to Harris’ annual report, which was filed with the Securities and Exchange Commission last week, the company profited over $534 million in its latest fiscal year, the most since 2011.
  • Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
  • Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
  • According to the newly released documents, the entire upgrade will cost $460,000—including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD). Neither the OPD nor the mayor’s office immediately responded to requests for comment.
  • One of the primary ways that stingrays operate is by taking advantage of a design feature in any phone available today. When 3G or 4G networks are unavailable, the handset will drop down to the older 2G network. While normally that works as a nice last-resort backup to provide service, 2G networks are notoriously insecure.
  • Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
  • Cities scramble to upgrade “stingray” tracking as end of 2G network looms

The Nude Celebrity Photo Leak Was Made Possible By Law Enforcement Software That Anyone Can Get

  • Elcomsoft Phone Password Breaker requires the iCloud username and password, but once you have it you can impersonate the phone of the valid user, and have access to all of their iCloud information, not just photos
  • “If a hacker can obtain a user’s iCloud username and password, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
  • “It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol that Apple uses for communicating between iCloud and iOS devices. This has been done before —Wired specifically refers to two other computer forensic firms called Oxygen and Cellebrite that have done the same thing — but EPPB seems to be a hacker’s weapon of choice. As long as it is so readily accessible, it’s sure to remain that way”
  • All of this still requires the attacker to know the celebrity's username and password
  • This is where iBrute came in
  • A simple tool that takes advantage of the fact that when Apple built the ‘Find My iPhone’ service, they failed to implement login rate limiting
  • An attacker can sit and brute force the passwords at high speed, with no limitations
  • The API should block an IP address after too many failed attempts. This has now been fixed
  • Another way to deal with this type of attack is to lockout an account after too many failed attempts, to ensure a distributed botnet cannot do something like try just 3 passwords each from 1000s of different IP addresses
  • When it becomes obvious that an account is under attack, lock it so that no one can gain access until the true owner of the account can be verified and steps can be taken to secure the account (change the username?)
  • The issue with this approach is that Apple Support has proven to be a weak link in regards to security in the past. See TechSNAP Episode 70 .
  • Obviously, the iPhone-to-iCloud protocol should not depend on obscurity to provide security either. We have seen a number of different attacks against the iPhone based on reverse engineering the “secret” Apple protocols
  • Security is often a trade-off against ease-of-use, and Apple keeps coming down on the wrong side of the scale
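To make the two mitigations in the bullets above concrete (blocking a source IP after too many failed attempts, and locking the account itself so that a botnet spreading three guesses over thousands of addresses still trips a limit), here is an added Python illustration. It is not Apple's code and not iBrute; the thresholds, the verdict strings, the lockout period and the sample IP addresses are assumptions made for this example.

```python
import time
from collections import Counter, defaultdict, deque


class LoginGuard:
    """Failed-login throttle with a per-IP sliding window and a per-account lockout.

    Thresholds, window and lockout length are illustrative assumptions.
    """

    def __init__(self, ip_limit=10, ip_window=60, account_limit=10,
                 lockout_seconds=900, clock=None):
        self.ip_limit = ip_limit              # failures allowed per IP per window
        self.ip_window = ip_window            # sliding window length, seconds
        self.account_limit = account_limit    # total failures before account lock
        self.lockout_seconds = lockout_seconds
        self.clock = clock or time.monotonic  # injectable for deterministic runs
        self.ip_failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.account_failures = defaultdict(int)
        self.locked_until = {}                # username -> unlock time

    def _prune(self, dq, now):
        # Drop failure timestamps that have aged out of the sliding window.
        while dq and dq[0] <= now - self.ip_window:
            dq.popleft()

    def check(self, username, ip):
        """Decide whether an attempt may even reach password verification."""
        now = self.clock()
        unlock_at = self.locked_until.get(username)
        if unlock_at is not None:
            if unlock_at > now:
                return "account_locked"
            # Lock expired: clear it and start the account counter fresh.
            del self.locked_until[username]
            self.account_failures.pop(username, None)
        dq = self.ip_failures[ip]
        self._prune(dq, now)
        if len(dq) >= self.ip_limit:
            return "ip_throttled"
        return "allow"

    def record_failure(self, username, ip):
        now = self.clock()
        dq = self.ip_failures[ip]
        self._prune(dq, now)
        dq.append(now)
        # The account counter ignores which IPs produced the failures, so
        # spreading a few guesses across many addresses still trips it.
        self.account_failures[username] += 1
        if self.account_failures[username] >= self.account_limit:
            self.locked_until[username] = now + self.lockout_seconds

    def record_success(self, username):
        self.account_failures.pop(username, None)

    def attempt(self, username, ip, password, verify):
        """Gate, verify, then update counters. Returns a verdict string."""
        verdict = self.check(username, ip)
        if verdict != "allow":
            return verdict
        if verify(username, password):
            self.record_success(username)
            return "success"
        self.record_failure(username, ip)
        return "denied"


class FakeClock:
    """Deterministic clock so the scenario below is reproducible offline."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def constructed_verify(username, password):
    # Constructed stand-in for a real credential check.
    return password == "correct-horse-battery-staple"


def simulate_distributed_guess(num_ips=1000, guesses_per_ip=3):
    """Constructed scenario from the notes: many IPs, 3 guesses each, one account.

    Returns a count of verdicts: the per-IP limit never fires, the lockout does.
    """
    clock = FakeClock()
    guard = LoginGuard(clock=clock)
    outcomes = Counter()
    for i in range(num_ips):
        ip = f"10.0.{i // 256}.{i % 256}"  # constructed private-range addresses
        for j in range(guesses_per_ip):
            verdict = guard.attempt("victim", ip, f"guess-{i}-{j}", constructed_verify)
            outcomes[verdict] += 1
            clock.advance(0.01)
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate_distributed_guess())  # → {'denied': 10, 'account_locked': 2990}
```

With the constructed scenario of 1000 addresses sending three guesses each, only the first ten attempts are evaluated at all; every later one is refused because the account, not the IP, is locked. That is also the trade-off the last bullet describes: once locked, the guard refuses even the correct password until the lock expires or the owner is verified, so the unlock path (support desk, recovery questions) becomes the part an attacker will probe next and must be at least as strong as the login itself.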

Heartbleed Hospital | TechSNAP 176 https://original.jupiterbroadcasting.net/65167/heartbleed-hospital-techsnap-176/ Thu, 21 Aug 2014 17:43:06 +0000 https://original.jupiterbroadcasting.net/?p=65167 You won’t believe how terrifyingly simple it is to control traffic lights and cameras, Cisco gets the boot and the hospital hack enabled by Heartbleed, plus a great batch of your emails, our answers and much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | […]

The post Heartbleed Hospital | TechSNAP 176 first appeared on Jupiter Broadcasting.


You won’t believe how terrifyingly simple it is to control traffic lights and cameras, Cisco gets the boot and the hospital hack enabled by Heartbleed, plus a great batch of your emails, our answers and much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Researchers find startling lack of security in traffic management systems

  • Researchers started investigating the traffic management system (that controls the traffic lights at intersections) in an unnamed city in Michigan
  • They found that the system uses IP traffic transmitted over two different wireless protocols, a 5.8 GHz line-of-sight protocol (which turns out to be very similar to 802.11n) and an over-the-horizon 900 MHz protocol
  • Traffic over the wireless links is unencrypted, and has no authentication
  • While it would have been possible to reverse engineer the custom wireless protocols, to save time the researchers managed to get ahold of one of the radios used by the system instead
  • They found that the management system uses VxWorks 5.5, a proprietary RTOS for embedded devices from the 90s
  • VxWorks is usually built from source so it can be customized. The vendor, as many do, left the debugging options enabled; this includes an open TCP port that can be used to read and write memory locations, kill running tasks, restart the OS and more
  • By using this debugging feature, and capturing network traffic, the researchers were able to reverse engineer the protocol that the controller used to communicate with the traffic signals
  • Each command is essentially the same with only the last bit or two being different
  • There is no encryption, so anyone can see the commands being sent
  • There is no authentication, so the devices will accept commands from anyone, not just the controller
  • There are no firewalls, so a malicious actor on the network can completely take over
  • An attacker can trip the failsafe mode, where the traffic lights revert to flashing red in every direction and have to be physically reset by a technician
  • An attacker could perform a type of denial of service attack by tripping the traffic lights into this mode at random, faster than crews could repair the lights
  • The biggest problem is the 5.8 GHz network, since almost all laptops and mobile devices have a built-in radio capable of communicating on that band. Someone will undoubtedly take the time to reverse engineer the radio protocol and gain access to the network
  • Both the 5.8 GHz network (WPA2) and the 900 MHz network (WEP or WPA) support encryption, but it is not used
  • The traffic management system supports username and password authentication, but the default credentials are used
  • The paper was presented at USENIX: WOOT (Workshop on Offensive Technologies)
  • PDF: Green Lights Forever: Analyzing the Security of Traffic Infrastructure
  • The researchers point out an alarming quote they got from the vendor that sells the traffic management system: The vendor “has followed the accepted industry standard and it is that standard which does not include security.”

Secret Language, or Unlikely Bug?

  • “Imagine discovering a secret language spoken only online by a knowledgeable and learned few”
  • A researcher who wishes to be identified only as “Kraeh3n” was proofreading a document for a colleague
  • The opening part of the document had standard lorem ipsum filler text
  • When the document was pasted into Google Translate, it was auto-detected as Latin, and the translation to English was startling; key words included China, NATO, Internet, Business and “the Company” (a euphemism for the CIA)
  • Kraeh3n immediately shared the revelation with Michael Shoukry, a researcher at FireEye
  • This was later shared with Lance James, head of Cyber Intelligence at Deloitte, who then shared it with Brian Krebs
  • Brian’s blog contains a number of screenshots showing different translations
  • While Google Translate uses machine learning, and could be tricked by brute force into creating false translations like this, the fact that capitalization affects the translation suggests something more may be at work here
  • Brian Krebs then started adding other Latin words, specifically from the work by Cicero that spawned Lorem Ipsum in the first place
  • Now he had “Russia may be suffering” and “The main focus of China”
  • “Translate [is] designed to be able to evolve and to learn from crowd-sourced input to reflect adaptations in language use over time,” Kraeh3n said. “Someone out there learned to game that ability and use an obscure piece of text no one in their right mind would ever type in to create totally random alternate meanings that could, potentially, be used to transmit messages covertly.”
  • However, not all of it makes that much sense, none of the translations constructed full sentences
  • Sadly, around midnight on August 16th, Google Translate abruptly stopped translating the word “lorem” into anything.
  • Google Translate still produces amusing and peculiar results when translating Latin to English in general.
  • “A spokesman for Google said the change was made to fix a bug with the Translate algorithm (aligning ‘lorem ipsum’ Latin boilerplate with unrelated English text) rather than a security vulnerability”
  • Inside Google Translate
  • It is also possible that all of these keywords just came from recent news articles Google had been translating, as much of the current news is about China and the Internet, and Russia and NATO

Computers of Nuclear Regulatory Commission hacked 3 times in 3 years

  • According to an inspector general report, two different foreign nationals, and one unidentified individual, have compromised the computer systems of the NRC over the course of last 3 years
  • One of the attacks was a phishing attempt, sent from a compromised computer inside the NRC to 215 NRC employees asking them to verify their username and password
  • A dozen NRC employees fell for the scam and delivered their login credentials to a Google spreadsheet
  • The IG’s office was able to track the Google account and found that it belonged to a foreigner
  • In another spear phishing attack, emails were sent from outside to specific employees, linking them to malware hosted on Microsoft SkyDrive that would take over their machine
  • “In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee’s contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment”
  • Despite the sensationalism of the headline, it does not appear that any type of APT (Advanced Persistent Threat) was detected, but these techniques are how an attacker gets a foothold in the network to set up such an attack
  • Infographic: 70% of the world's critical utilities have been breached

Not So Smart Watches | Tech Talk Today 30 https://original.jupiterbroadcasting.net/62837/not-so-smart-watches-tech-talk-today-30/ Tue, 22 Jul 2014 08:01:26 +0000 https://original.jupiterbroadcasting.net/?p=62837 Are you excited about Smart Watches? Or does the current crop fall too far below expectations to be a serious item? Plus a look at how hackers remotely owned a Tesla, and the broader ramifications as computer systems are further integrated into our cars. Plus the interesting secret buried in Google’s quarterly results & more! […]

The post Not So Smart Watches | Tech Talk Today 30 first appeared on Jupiter Broadcasting.


Are you excited about Smart Watches? Or does the current crop fall too far below expectations to be a serious item? Plus a look at how hackers remotely owned a Tesla, and the broader ramifications as computer systems are further integrated into our cars.

Plus the interesting secret buried in Google’s quarterly results & more!


Show Notes:

Tesla Model S hack reportedly controls locks, horn, headlights while in motion | Ars Technica

The hacks were carried out at the Syscan 360 security conference in Beijing, an article published by Bloomberg News reported. The report cited a brief post on Chinese social media site Weibo from a representative of China-based Qihoo 360 Technology Co., which said the experiment was carried out by members of the company’s information technology department.

Tesla Motors officials vowed to investigate reports that its Model S sedan is susceptible to hacks that can remotely control the car’s locks, horn, headlights, and skylight while the car is in motion, according to a published report.

Google beats Q2 2014 revenue estimates with $15.96 billion, misses on EPS | Ars Technica

Google announced its earnings for Q2 2014 today. The company reported $15.96 billion in revenue, a 22 percent increase over last quarter, and earnings of $6.08 per share. This is a mixed bag compared to what Wall Street was expecting, which was a net revenue of about $15.62 billion and earnings of $6.25 a share.

Selling hardware and apps on the Play Store now makes up 10 percent of Google’s revenues, up 53 percent over last year for 1.60 billion in revenue.

CPC was down 7 percent in the quarter, but for network sites it was down almost twice as much at 13 percent. The growth of mobile usage has been a big part of this decline, since mobile ads tend to cost less.

Continued erosion of the CPC number (down 2% Q2Q, 6% y/y); for those who haven’t been following this like I have, here are the last fourteen quarters:

Quarter   Paid clicks (% change)   Cost per click (% change)   Paid distribution
          Q-2-Q      Y-A-Q         Q-2-Q      Y-A-Q            (in $M)
2011Q1      18          4             8         -1                337
2011Q2      18         -2             6         12                355
2011Q3      13         28            -5          5                383
2011Q4      17         34            -8         -8                442
2012Q1       7         39            -6        -12                468
2012Q2       1         42             1        -16                507
2012Q3       6         33            -3        -15                556
2012Q4       9         24            -2         -6                634
2013Q1       3         20            -4         -4                680
2013Q2       4         23            -2         -6                706
2013Q3       8         26            -4         -8                755
2013Q4      13         31            -2        -11                824
2014Q1       1         26             0         -9                845
2014Q2       2         25            -2         -6                893

(Q-2-Q: change versus the previous quarter; Y-A-Q: change versus the year-ago quarter.)

Cost per click is the money that Google gets per click; it keeps going down, which suggests to me that the “value” of this advertising is going down.


Google’s quarterly infrastructure spending has been skyrocketing for several quarters now, and the past three months were no exception. Google spent nearly $2.65 billion on data centers during the second quarter — more than $1 billion over last year’s second quarter and more than triple what it spent two years ago.

Does Anyone Even Want a Smartwatch?

Fewer than half of the respondents to a recent Accenture survey said they would consider buying a smartwatch, and even the most optimistic experts predict only 20 million smartwatch sales this year, a pittance compared with phone and tablet sales.

To understand the smartwatch hype, it helps to know that the consumer-tech world is going through an identity crisis. Smartphones and their affiliated apps have powered Silicon Valley’s profit engines for years, but growth in the phone market is slowing as more people make do with the devices they already have. (Research firm IDC expects smartphone growth to fall to single digits by 2018.)

Since at the moment smartwatches need to be tethered to your phone’s data connection in order to work properly, they actually don’t allow you to streamline at all. And while it was convenient not to have to reach into my pocket every time I got a Facebook message, Twitter reply, or email, the constant buzzing raised my stress level considerably. Then there’s the matter of having a $300 gadget strapped to my wrist, which creates anxiety of its own.

Android Wear Review: Putting the Smartphone on Your Wrist – YouTube

WSJ Personal Tech columnist Joanna Stern reviews the first truly “smart” watches.

CIA vs Senate | Unfilter 89 https://original.jupiterbroadcasting.net/53282/cia-vs-senate-unfilter-89/ Wed, 12 Mar 2014 21:18:30 +0000 https://original.jupiterbroadcasting.net/?p=53282 After five years the Senate’s investigation into the Central Intelligence Agency’s torture programs has burst into the light as a massive fight went public.

The post CIA vs Senate | Unfilter 89 first appeared on Jupiter Broadcasting.


After five years the Senate’s investigation into the Central Intelligence Agency’s torture programs has burst into the light, as a massive fight between top Senate officials and the CIA went public in a big way.

Taking to the floor, the Senate Intelligence Committee chair, traditionally an intelligence agency apologist, blasted the CIA; we’ll break it all down.

Plus Snowden makes his first public appearance, Greenwald reveals how the NSA spreads malware, your feedback, and much much more.


— Show Notes —


NSA is Crazy

Snowden rocks SXSW: FULL SPEECH

Speaking remotely from Russia on Monday, former National Security Agency contractor Edward Snowden told attendees at the SXSW Interactive conference in Austin, Texas that encryption is still a powerful deterrent against government surveillance.

The surprising thing was how much time Snowden spent on technical details like the mechanics of end-to-end encryption or the importance of solid encryption standards, rather than the political problems of NSA reform. “They are setting fire to the future of the internet,” he told the crowd, in what seemed designed to be the standout quote of the talk. “And the people in the room now, you guys are the firefighters.”

“Giving Hypocrisy a Bad Name”: NSA-Backing Senate Intel Chair Blasts CIA for Spying on Torture Probe

How the NSA Plans to Infect ‘Millions’ of Computers with Malware – The Intercept

The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.”



The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.

In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware.

Documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”

The agency’s solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that enables “industrial-scale exploitation.”

TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in one secret document from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”

In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.

Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, said: “When they deploy malware on systems, they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”

The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)

Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.

The TURBINE implants system does not operate in isolation.

It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has installed at locations across the world.

The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.

The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.

When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis.

The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.

The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”

In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.

The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”

Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.

The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.
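As an added example (not from The Intercept’s reporting or any NSA document), here is what “unencrypted RTP” means in practice: the header is a fixed layout defined in RFC 3550, and the payload is the raw codec frames, so anything that can see the packets can reassemble the audio. The parser below follows that layout; the sample capture, SSRC and payload bytes are constructed for the demonstration.

```python
"""Recognise plain RTP (RFC 3550) and reassemble one stream's audio payload.

Added example, not from The Intercept's reporting or any NSA document. The
packets, SSRC and payload bytes below are constructed for the demonstration.
"""
import struct
from dataclasses import dataclass


@dataclass
class RtpPacket:
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    payload: bytes


def parse_rtp(datagram: bytes) -> RtpPacket:
    """Decode the 12-byte fixed header, CSRC list, header extension and padding."""
    if len(datagram) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding, extension, csrc_count = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    offset = 12 + 4 * csrc_count
    if extension:
        # Extension header: 16-bit profile id, then its length in 32-bit words.
        if offset + 4 > len(datagram):
            raise ValueError("truncated extension header")
        _profile, ext_words = struct.unpack("!HH", datagram[offset:offset + 4])
        offset += 4 + 4 * ext_words
    end = len(datagram)
    if padding:
        end -= datagram[-1]     # last byte counts the padding bytes, itself included
    if offset > end:
        raise ValueError("header lengths exceed datagram")
    return RtpPacket(bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc, datagram[offset:end])


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes,
              payload_type: int = 0, marker: bool = False) -> bytes:
    """Minimal RTP packet (V=2, no CSRC, no extension, no padding) for the demo."""
    b1 = (0x80 if marker else 0) | (payload_type & 0x7F)
    return struct.pack("!BBHII", 2 << 6, b1, seq & 0xFFFF, ts, ssrc) + payload


def reassemble_stream(datagrams, ssrc: int) -> bytes:
    """Concatenate one SSRC's payloads in sequence order, dropping duplicates.

    Sequence numbers are 16 bits and wrap, so ordering is relative to the first
    packet of that SSRC seen in the capture.
    """
    frames, first = {}, None
    for d in datagrams:
        try:
            p = parse_rtp(d)
        except ValueError:          # not RTP: skip
            continue
        if p.ssrc != ssrc:
            continue
        if first is None:
            first = p.sequence
        frames.setdefault((p.sequence - first) & 0xFFFF, p.payload)
    return b"".join(frames[k] for k in sorted(frames))


# Constructed capture: PCMU (payload type 0) frames of one call, out of order,
# with a duplicate, a wrapped sequence number, another stream and non-RTP noise.
SAMPLE_SSRC = 0xDEADBEEF
SAMPLE_PACKETS = [
    build_rtp(65535, 0, SAMPLE_SSRC, b"AAAA", marker=True),   # first frame of a talkspurt
    build_rtp(1, 320, SAMPLE_SSRC, b"CCCC"),
    build_rtp(0, 160, SAMPLE_SSRC, b"BBBB"),
    build_rtp(0, 160, SAMPLE_SSRC, b"BBBB"),                  # retransmitted duplicate
    build_rtp(7, 0, 0x12345678, b"XXXX"),                     # a different stream
    b"\x00\x01",                                              # too short to be RTP
    b"\x40" + b"\x00" * 11,                                   # version 1, not RTP
]
```

`reassemble_stream(SAMPLE_PACKETS, SAMPLE_SSRC)` yields the three frames in order with the duplicate dropped; with SRTP the same header is visible but the payload is ciphertext, which is the difference the paragraph above turns on.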

But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads.

Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.

What’s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.

Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance – the United Kingdom, Canada, New Zealand, and Australia.


:– William P
:– Robert T
:– Jonathan H
:– Oscar C
:– Martin S
:– Austin J
:– John G
:– Carl M

– Thanks for Supporting Unfilter –

  • Thanks to our 362 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

  • Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

  • Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.


CIA vs the Senate

Behind Clash Between C.I.A. and Congress, a Secret Report on Interrogations

What the C.I.A. did next opened a new and even more rancorous chapter in the struggle over how the history of the interrogation program will be written. Agency officials began scouring the digital logs of the computer network used by the Senate staff members to try to learn how and where they got the report. Their search not only raised constitutional questions about the propriety of an intelligence agency investigating its congressional overseers, but has also resulted in two parallel inquiries by the Justice Department — one into the C.I.A. and one into the committee.

A deal was struck between Leon E. Panetta, the director of the C.I.A., and Senator Dianne Feinstein of California, the intelligence committee’s Democratic chairwoman, to make millions of documents available to the committee at a C.I.A. facility near the agency’s headquarters in Langley, Va. The documents covered roughly five years: from the inception of the program until September 2006, when all of the C.I.A.’s prisoners were transferred to the American military prison at Guantánamo Bay, Cuba.

At the same time, Mr. Panetta ordered the C.I.A. to conduct its own review of the documents, a move designed to help the agency better understand the volumes of the material it had agreed to hand over to its congressional overseers.

Some people who have read the review memos said that parts of them were particularly scorching in their analysis of extreme interrogation methods like waterboarding, which the memos described as providing little intelligence of any value.

According to a recent court filing in a Freedom of Information Act lawsuit, the C.I.A. created a “network share drive” segregated from the main agency network, a provision intended to allow the committee to work in private.

It is unclear how or when committee investigators obtained parts of the Panetta review. One official said that they had penetrated a firewall inside the C.I.A. computer system that had been set up to separate the committee’s work area from other agency digital files, but exactly what happened will not be known until the Justice Department completes its inquiry.

Senator Mark Udall of Colorado disclosed the existence of the review during an open hearing on Dec. 17.

C.I.A. officials had come to suspect that committee investigators working at the Virginia facility had seen at least a version of the internal review. Senior officials at the agency ordered a search of several years’ worth of digital audit logs that the C.I.A. uses to monitor its computer systems.

In January, the C.I.A. presented the results of its search to the intelligence committee in a tense meeting that ignited the most recent confrontation. The day after the meeting, Senator Feinstein wrote a letter to Mr. Brennan demanding answers for why the C.I.A. carried out the search, which she suggested had violated the constitutional separation of powers and undermined the committee’s oversight role.

Dianne Feinstein launches scathing attack on CIA over alleged cover-up

  • Intelligence committee chair accuses CIA of smear campaign
  • Feinstein alleges CIA broke law and violated constitution
  • CIA director John Brennan denies thwarting investigation
  • Dianne Feinstein statement – full text

Feinstein: CIA searched Intelligence Committee computers

Feinstein described the escalating conflict as a “defining moment” for Congress’s role in overseeing the nation’s intelligence agencies and cited “grave concerns” that the CIA had “violated the separation-of-powers principles embodied in the United States Constitution.”

The CIA: the double life of Dianne Feinstein

The senator’s contradictory nature was on show for all to see on Tuesday, when she delivered an extraordinary speech from the Senate floor. It amounted to the biggest and most public rift between Congress and the spy community since the 9/11 attacks. Ms Feinstein, who chairs the Senate intelligence committee, which has oversight of America’s myriad spy agencies, accused the CIA of breaking into the committee’s computers. It is an extremely serious charge: a breach of the constitution, the executive branch tampering with the elected branch. She described it as “a defining moment for the oversight of our intelligence community”.

The day after Edward Snowden revealed himself as a whistleblower last June, she was among the first to brand him a traitor. In the face of revelation after revelation, she praised the professionalism of the NSA. She defended mass data collection as a necessity, arguing that the NSA had to have access to the whole “haystack” to find the one needle, the terrorist.

Panetta Review

The Panetta Review was a secret internal review conducted by Leon Panetta, then the Director of the United States Central Intelligence Agency, of enhanced interrogation techniques previously used by the CIA during the administration of George W. Bush. The review led to a series of memoranda that, as of March 2014, remained classified. According to The New York Times, the memoranda “cast a particularly harsh light” on the Bush-era interrogation program, and people who have read them have said parts of the memos are “particularly scorching” of techniques such as waterboarding, which the memos describe as providing little valuable intelligence.

Legacy of Ashes: The History of the CIA

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow Us:

The post CIA vs Senate | Unfilter 89 first appeared on Jupiter Broadcasting.

Ideal ZFS Configurations | TechSNAP 135 https://original.jupiterbroadcasting.net/46032/ideal-zfs-configurations-techsnap-135/ Thu, 07 Nov 2013 17:30:31 +0000 https://original.jupiterbroadcasting.net/?p=46032 Striking a balance between performance and reliability can be a challenge. Also details on Adobe storing your private data in reversible encryption.

The post Ideal ZFS Configurations | TechSNAP 135 first appeared on Jupiter Broadcasting.


Striking a balance between performance and reliability can be a challenge; we’ll share our thoughts. A researcher figures out how to take over any Twitter account he wants, while Adobe turns out to have stored your passwords with reversible encryption.

Plus your questions, our answers, and much much more.

Thanks to:

GoDaddy

Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Adobe encrypted passwords, rather than cryptographically hashing them

  • This is a detail reporters often get wrong, saying that passwords were ‘encrypted’ when they meant ‘hashed’
  • Turns out, Adobe actually did it WRONG
  • The Adobe breach gave the attackers access to a 9.3 GB database containing 130 million user accounts and their passwords
  • The problem is that the passwords are stored using ‘reversible’ encryption (standard symmetric encryption, normally used on files), rather than cryptographic hashes (one-way functions, from which the password cannot be recovered)
  • This means that if the attacker manages to obtain or brute force the single symmetric key that was used to encrypt the passwords, they would be able to decrypt EVERY password, in one go
  • Many of the accounts in the Adobe database belong to government organizations including the FBI, as well as many large corporations
  • The passwords were encrypted using 3DES (Triple DES)
  • DES was originally introduced in 1977, and 3DES in 1998 because the 56 bit keys in DES were no longer strong enough
  • Adobe also used ECB (Electronic Code Book) mode, which is known to leak information: each 8-byte block of plaintext is encrypted independently, so two users with the same password (or the same first 8 characters) get identical ciphertext blocks, and the plain text password hints stored alongside let the most common passwords be worked out without the key
  • 3DES was superseded in 2001 by AES
  • Unlike with a cryptographic hashing algorithm, where the server does not know each user’s password, upgrading from 3DES to AES would have been easy: just decrypt all passwords and encrypt them with the new algorithm
  • Or better yet, decrypt all passwords, properly cryptographically hash them and then throw away the plain text
  • “For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.”
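An added example, not Adobe’s code, showing both halves of the list above: reversible ECB-mode storage under one site-wide key beside the salted, iterated SHA-256 the Adobe quote describes. Python’s standard library has no 3DES, so a stand-in 64-bit block cipher (a 4-round Feistel network with an HMAC-SHA256 round function) plays the role of 3DES; the leak shown depends only on ECB mode, not on which cipher is underneath. The user table, key and passwords are constructed for the demonstration.

```python
"""Reversible ECB-mode password storage beside a salted, iterated hash.

Added example, not Adobe's code. The 64-bit Feistel cipher is a stand-in for
3DES (Python's stdlib has none); ECB's block-collision leak is cipher-agnostic.
"""
import hashlib
import hmac
import os

BLOCK = 8      # 64-bit blocks, as in DES/3DES
ROUNDS = 4


def _f(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function: 4 bytes from the round index and one half-block."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _f(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, i, left)), left
    return left + right


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal blocks collide."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    return b"".join(block_encrypt(key, padded[i:i + BLOCK])
                    for i in range(0, len(padded), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    plain = b"".join(block_decrypt(key, data[i:i + BLOCK])
                     for i in range(0, len(data), BLOCK))
    return plain.rstrip(b"\x00")


def store_hashed(password: str, salt: bytes = b"") -> tuple:
    """Salted SHA-256 iterated 1000 times (PBKDF2-HMAC), as the quote describes."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def shared_prefix_blocks(a: bytes, b: bytes) -> int:
    """Leading 8-byte ciphertext blocks two records have in common."""
    n = 0
    for i in range(0, min(len(a), len(b)), BLOCK):
        if a[i:i + BLOCK] != b[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed user table; one site-wide key, as with the breached backup system.
SITE_KEY = b"one-key-for-every-user!!"    # 24 bytes, the length of a 3DES key
USERS = {
    "alice": "password",
    "bob": "password",
    "carol": "password123",   # shares its first 8 characters with alice/bob
    "dave": "hunter2",
}


def encrypted_table(users=USERS, key=SITE_KEY) -> dict:
    return {name: ecb_encrypt(key, pw.encode()) for name, pw in users.items()}


def ecb_duplicates(users=USERS, key=SITE_KEY) -> dict:
    """Users whose whole ciphertext is identical, i.e. who share a password."""
    groups = {}
    for name, ct in encrypted_table(users, key).items():
        groups.setdefault(ct.hex(), []).append(name)
    return {ct: names for ct, names in groups.items() if len(names) > 1}


def decrypt_all(key=SITE_KEY, table=None) -> dict:
    """With the one key, every password in the table falls at once."""
    table = table if table is not None else encrypted_table()
    return {name: ecb_decrypt(key, ct).decode() for name, ct in table.items()}


def hashed_duplicates(users=USERS) -> dict:
    """Per-user salts: the same password digests differently for each user."""
    groups = {}
    for name, pw in users.items():
        groups.setdefault(store_hashed(pw)[1].hex(), []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}
```

`ecb_duplicates()` groups alice and bob without any key, `shared_prefix_blocks` shows carol’s first block matching theirs, and `decrypt_all()` is the one-key-recovers-everything failure; `hashed_duplicates()` returns nothing because each user has their own salt.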

Hackers Take Limo Service Firm for a Ride

  • A break in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
  • The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc.
  • Suggesting that the same attacker(s) may have been involved in all three compromises.
  • The name on the file archive reads “CorporateCarOnline.”
  • That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
  • Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses.
  • More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts.
  • Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion.

Researcher finds way to take over ANY Twitter account

  • Security researcher Henry Hoggard discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature
  • Using this, he was able to read any user’s tweets and DMs
  • A victim that visited a malicious page would, without knowing it, authorize a new device to access their Twitter account
  • This should have been prevented by Twitter’s verification step, except that Twitter was not actually checking the value: an attacker could authorize their mobile device on your account by entering any value in place of the verification code
  • Twitter fixed the issue within 24 hours of it being reported
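An added example, not Twitter’s code (Hoggard’s report did not publish the server internals): the “add a mobile device” request as two stand-in handlers working on plain dicts. The vulnerable one has no anti-CSRF token and tests the verification code only for presence, which is the bug described above; the hardened one checks the Origin header, a per-session synchronizer token and the actual single-use code with a constant-time comparison. The session and form field names, the site origin and the attacker’s page are all assumptions.

```python
"""The 'add a mobile device' flaw as two stand-in request handlers.

Added example, not Twitter's code. Session/form field names and SITE_ORIGIN
are assumptions; csrf_attack() plays the malicious page.
"""
import secrets

SITE_ORIGIN = "https://example.invalid"      # assumed site origin


def _equal(a: str, b: str) -> bool:
    return secrets.compare_digest(a.encode(), b.encode())


def vulnerable_add_device(session: dict, form: dict, origin: str) -> bool:
    """No anti-CSRF token, and the code is checked for presence, not value."""
    if not session.get("user"):
        return False
    if not form.get("code"):                 # any non-empty string passes
        return False
    session.setdefault("devices", []).append(form["phone"])
    return True


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token: stored in the session, echoed back in the form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def start_device_enrolment(session: dict) -> str:
    """The code the server sends to the phone; a cross-site page never sees it."""
    session["pending_code"] = f"{secrets.randbelow(10**6):06d}"
    return session["pending_code"]


def hardened_add_device(session: dict, form: dict, origin: str) -> bool:
    """Origin check, synchronizer token, and a real single-use code comparison."""
    if not session.get("user") or origin != SITE_ORIGIN:
        return False
    token = session.get("csrf_token")
    if not token or not _equal(token, form.get("csrf_token", "")):
        return False
    expected = session.pop("pending_code", None)   # one attempt per code
    if not expected or not _equal(expected, form.get("code", "")):
        return False
    session.setdefault("devices", []).append(form["phone"])
    return True


def csrf_attack(handler) -> bool:
    """A page on attacker.invalid auto-submits the form; the victim's cookie rides along."""
    victim = {"user": "victim"}
    start_device_enrolment(victim)           # the real code went to the victim's phone
    forged = {"phone": "+15555550100", "code": "000000"}   # attacker's phone, guessed code
    return handler(victim, forged, origin="https://attacker.invalid")
```

`csrf_attack(vulnerable_add_device)` succeeds with a guessed code; `csrf_attack(hardened_add_device)` fails at the origin check and would also fail on the token and the code. Any one of the three checks stops this particular attack; the code comparison is the one Twitter was missing.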

Feedback:


Round Up:

Adobe’s Leaky Source | TechSNAP 131 https://original.jupiterbroadcasting.net/44442/adobes-leaky-source-techsnap-131/ Thu, 10 Oct 2013 16:22:06 +0000 https://original.jupiterbroadcasting.net/?p=44442 Adobe blows it. A treasure trove of customer information and source code has been found, we’ll share the details.

The post Adobe's Leaky Source | TechSNAP 131 first appeared on Jupiter Broadcasting.


Adobe blows it. A treasure trove of customer information and source code has been found, we’ll share the details.

The DNS hijacking hijinks continue, after several big sites are brought offline. Then it’s a huge batch of your questions, our answers, and much much more!

Thanks to:

GoDaddy

Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Adobe hacked, 3 million customer records leaked

  • Adobe’s servers were compromised sometime between July 31 and Aug. 15, but the attack was not discovered until Sept. 17
  • The source code for “numerous” products was stolen, including Adobe Acrobat, Publisher, ColdFusion, and ColdFusion Builder
  • Access to the source code could allow the attackers to find and weaponize 0-day vulnerabilities in Adobe products much more easily, producing exploits for which no patch yet exists
  • Sensitive information on people with Adobe accounts was also taken, including names, encrypted credit card numbers, expiration dates, order history and more
  • “At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems” said Adobe chief security officer Brad Arkin
  • “Krebs also saw a list of 1.2 million potential .org domains running ColdFusion that the attackers could use as targets stored among the stolen data”
  • “Holden and Krebs discovered a 40 GB file of stolen data, Krebs reported yesterday, on the same server hosting data stolen from brokers LexisNexis, Dun & Bradstreet and Kroll.”
  • Additional companies were also compromised
  • Additional Coverage – Threatpost
  • Additional Coverage – ZDNet
  • Adobe Blog – Illegal Access to Adobe Source Code
  • Adobe – Important Customer Security Announcement
  • Adobe – Customer Security Alert

WhatsApp, AVG, Avira, Alexa websites hacked in apparent DNS hijack

  • Network Solutions is investigating an attack by a pro-Palestinian hacking group that redirected websites belonging to several companies.
  • A group calling itself the KDMS Team claimed responsibility on Twitter.
  • KDMS posted several screenshots on Twitter, including one that affected WhatsApp’s domain.
  • The message asserted that the region known as Palestine has been stolen, and that prisoners should be released from Israeli jails.
  • The websites affected included those of the security companies AVG and Avira; the messaging platform WhatsApp; a pornography site, RedTube; and Web metrics company Alexa.
  • Nobody broke into the web servers: the attackers got the registrar account and changed the DNS records, so the sites’ own hardening was irrelevant. Stated on Avira’s blog:
    > “It appears that our account used to manage the DNS records registered at Network Solutions has received a fake password-reset request which was honored by the provider.”
    > “Using the new credentials, the cybercriminals have been able to change the entries to point to their DNS servers.”
  • Additional Coverage:

Feedback:

vBSDCon Oct 25-27



Round Up:


NSA SSLeaze | TechSNAP 127 https://original.jupiterbroadcasting.net/43067/nsa-ssleaze-techsnap-127/ Thu, 12 Sep 2013 16:59:20 +0000 https://original.jupiterbroadcasting.net/?p=43067 We discuss the NSA induced crisis of trust we now collectively share, plus, a mobile provider is hacked, and it's looking like an inside job.

The post NSA SSLeaze | TechSNAP 127 first appeared on Jupiter Broadcasting.


A mobile provider is hacked, customer records are breached, and the authorities suspect it was an inside job, we’ll share the details.

Then we’ll discuss the NSA induced crisis of trust we now collectively share, plus your questions, our answers, and much much more!

On this week’s TechSNAP!

Thanks to:

GoDaddy

Ting

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Vodafone Germany breached, possibly by insiders

  • The internal servers of Vodafone Germany were compromised, and data for over 2 million customers was stolen
  • The breach only disclosed information on German customers, who will be notified by mail
  • The way the attackers managed to compromise the servers suggests they had help from an insider
  • Vodafone turned their evidence over to German police: “An individual has been identified by the police and their assets have been seized.”
  • Compromised data:
    • customer names
    • address
    • gender
    • birth date
    • bank account numbers and bank sort codes
  • Other data including phone numbers, credit card numbers and passwords are currently thought to be safe. “No personal call information or browsing data was accessed by the attacker”
  • The attack was originally discovered on September 5th; however, police asked the company to withhold the notification while they carried out their investigation and made arrests and seizures
  • “German news agency DPA reported that the suspect had worked for a contractor of the company and was not a Vodafone employee”
  • Additional Coverage
  • Vodafone is advising customers to be on the lookout for targeted phishing scams that might use the personal information gained from this attack to mount convincing attacks against the victims and their banking and credit card accounts
  • EU data breach notification law

Trust


A two-letter domain name like IG.com sells for $4.7 million, or you can buy your .com from GoDaddy for $1.99

Feedback

Round Up:

Sour Apple | CR 59 https://original.jupiterbroadcasting.net/40672/sour-apple-cr-59/ Mon, 22 Jul 2013 12:17:14 +0000 https://original.jupiterbroadcasting.net/?p=40672 A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

The post Sour Apple | CR 59 first appeared on Jupiter Broadcasting.


A compromise at Apple turns Mike’s week upside down. Reeling from the setback we dig into Mike’s concerns with Canonical’s crowd sourced Ubuntu Edge phone.

Why we’re a bit dismayed at Firefox OS’ attempts to kill the app store…

And we answer your hard questions.

Thanks to:

Use our code coder249 to get a .COM for $2.49.

 

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Feedback

Dev World Hoopla

In an email to developers today, Apple revealed that its Developer Center website was breached by unknown hackers and was taken offline last Thursday as a precaution.

“This is definitely not an hack attack. I have reported all the bugs I have found to the company and waited for approval. I am being accused of hacking but I have not given any harm to the system and i did notwanted to damage [sic],” writes the user Ibrahim Baliç.

He has since told the Guardian, “My intention was not attacking. In total I found 13 bugs and reported [them] directly one by one to Apple straight away. Just after my reporting [the] dev center got closed. I have not heard anything from them, and they announced that they got attacked. My aim was to report bugs and collect the datas [sic] for the purpose of seeing how deep I can go with it.”

“In essence, with Firefox OS, we made app discovery as easy as browsing the web, and we give you a very good reason to brush up the mobile optimised web sites you already have on the web,” writes Mozillan Chris Heilmann on the company blog.

In the car industry, Formula 1 provides a commercial testbed for cutting-edge technologies. The Ubuntu Edge project aims to do the same for the mobile phone industry — to provide a low-volume, high-technology platform, crowdfunded by enthusiasts and mobile computing professionals.

Tool of the Week


Hard Drives for Jupiter:

Follow the show

Universal Exploit n’ Play | TechSNAP 95 https://original.jupiterbroadcasting.net/31076/universal-exploit-n-play-techsnap-95/ Thu, 31 Jan 2013 17:53:30 +0000 https://original.jupiterbroadcasting.net/?p=31076 It’s way past time to turn off Universal Plug and Play, we’ll give you the details on the exploit that only requires a single network packet.

The post Universal Exploit n’ Play | TechSNAP 95 first appeared on Jupiter Broadcasting.


It’s way past time to turn off Universal Plug and Play, we’ll give you the details on the exploit that only requires a single network packet.

Plus how we’ve built our VM storage setup, our favorite network monitoring tools, and much much more! In this week’s episode of TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go28off2 to save 28% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

   

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Many consumer devices exposed via new UPnP exploits

  • Universal Plug’n’Play (UPnP) is a networking protocol that allows your consumer devices (routers, printers, media servers, IP cameras, SmartTVs, home automation systems and network storage devices) to discover each other and communicate
  • Most consumer devices come with UPnP enabled by default, and many devices lack a way to turn the feature off
  • As with many consumer devices, a large portion of these do not include any update facilities and cannot be updated or patched
  • Rapid7 security researcher HD Moore conducted a survey of all Internet-addressable IPv4 addresses and found many more devices than expected
  • He also found more than 10 different vulnerabilities across the various devices and implementations
  • His survey found over 6900 unique products from 1500 manufacturers
  • 81 million unique IP addresses responded to UPnP discovery queries (2.2% of the internet, more IP addresses than are assigned to the entire country of Canada)
  • Over 20% (17 million) of those devices exposed the UPnP SOAP API to the Internet
  • 73% of the devices were built on the 4 most popular SDKs, meaning that an exploit for one device is likely to affect a large portion of all devices, even from different manufacturers
  • 332 unique products use MiniUPnPd 1.0, which is remotely exploitable
  • 69% of all devices using MiniUPnPd were version 1.0 or older
  • 23 million devices use a vulnerable version of libupnp that allows remote code execution
  • UPnP is a 12 year old protocol, and has had security problems from the start; while it contains some mechanisms for authentication, they are rarely implemented
  • The main issue seems to be that many manufacturers are using older versions of the SDK, or not updating their code base when developing newer devices, as well as not including update mechanisms in the products to allow them to be patched as vulnerabilities like these are found
  • HD Moore commented that he was unable to find any previous CVEs mentioning any of the UPnP SDKs that he found exploits for, meaning they have not been extensively tested, or that vulnerabilities were attributed to individual devices when they actually apply to all devices based on the same SDK
  • Full Paper
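An added example (not from HD Moore’s paper or Rapid7’s scanner): the single M-SEARCH datagram that makes a UPnP device answer, a parser for the HTTPU replies, and a triage that flags the SERVER strings the survey above calls out. MiniUPnPd 1.0 or older is flagged per the figures above; libupnp builds below 1.6.18 are flagged on the assumption that 1.6.18 is the fixed release Rapid7 named, and everything else is reported as unknown rather than safe. The replies are constructed for the demonstration (RFC 5737 addresses); nothing is sent on the network.

```python
"""SSDP discovery (the one-packet UPnP probe) and offline triage of replies.

Added example, not from HD Moore's paper. The libupnp 1.6.18 threshold is an
assumption; MiniUPnPd <= 1.0 follows the survey figures. Replies are constructed.
"""
import re

SSDP_ADDR = ("239.255.255.250", 1900)


def build_msearch(target: str = "ssdp:all", mx: int = 2) -> bytes:
    """M-SEARCH is an HTTP-shaped request carried in a single UDP datagram."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {target}",
        "", "",
    ]
    return "\r\n".join(lines).encode()


def parse_ssdp_response(datagram: bytes) -> dict:
    """Header name (upper-cased) -> value from an HTTPU '200 OK' reply."""
    text = datagram.decode("latin-1")
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def _version_tuple(v: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", v))


def classify_server(server: str) -> str:
    """'vulnerable', 'not flagged' or 'unknown' for one SERVER header value."""
    m = re.search(r"MiniUPnPd/(\d+(?:\.\d+)*)", server, re.I)
    if m:
        return "vulnerable" if _version_tuple(m.group(1)) <= (1, 0) else "not flagged"
    m = re.search(r"(?:libupnp|Portable SDK for UPnP devices)[ /](\d+(?:\.\d+)*)", server, re.I)
    if m:  # 1.6.18 as the fixed release is an assumption, see lead-in
        return "vulnerable" if _version_tuple(m.group(1)) < (1, 6, 18) else "not flagged"
    return "unknown"


def triage(datagrams) -> dict:
    """LOCATION -> (SERVER, verdict) for every well-formed reply in a batch."""
    results = {}
    for d in datagrams:
        try:
            h = parse_ssdp_response(d)
        except (ValueError, UnicodeDecodeError):
            continue
        server = h.get("SERVER", "")
        results[h.get("LOCATION", "?")] = (server, classify_server(server))
    return results


def _reply(server: str, location: str) -> bytes:
    return ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\nST: upnp:rootdevice\r\n"
            f"SERVER: {server}\r\nLOCATION: {location}\r\n"
            "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n\r\n").encode()


# Constructed replies, modelled on real SERVER header formats.
SAMPLE_REPLIES = [
    _reply("Linux/2.6, UPnP/1.0, MiniUPnPd/1.0", "http://192.0.2.1:5000/rootDesc.xml"),
    _reply("Linux/2.6, UPnP/1.0, MiniUPnPd/1.8", "http://192.0.2.2:5000/rootDesc.xml"),
    _reply("Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6", "http://192.0.2.3:49152/desc.xml"),
    _reply("Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18", "http://192.0.2.4:49152/desc.xml"),
    _reply("Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0", "http://192.0.2.5:2869/upnphost/udhisapi.dll"),
    b"NOTIFY * HTTP/1.1\r\nNT: ssdp:alive\r\n\r\n",    # an announcement, not a search reply
]
```

To use it live you would send `build_msearch()` to `SSDP_ADDR` from a UDP socket and feed the datagrams you receive to `triage`; the SERVER header is self-reported, so a verdict of “not flagged” is evidence, not proof, and the SOAP control URL in the LOCATION document is the part that should never be reachable from the Internet.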

New York Times hacked by Chinese

  • The New York Times reports that for the last 4 months it has been under attack by Chinese hackers
  • Using custom APT (Advanced Persistent Threat) malware, the attackers managed to steal passwords for reporters and other employees of the newspaper
  • The attacks apparently started after the Times posted an investigation that found that relatives of Chinese Premier Wen Jiabao had amassed a fortune worth over a billion dollars from various business dealings
  • The Chinese attackers routed their attacks through computers they had compromised at various US universities, in an attempt to mask the source of the attack and evade detection
  • Investigators were not able to determine how the attackers initially broke into the systems, but they suspect a spear-phishing attack was used to compromise an individual computer, then island-hop from there
  • Investigators identified 45 unique pieces of malware, all of which appeared to be custom and only 1 of which was detected by the Symantec anti-virus system used at the Times
  • “Security experts found evidence that the hackers stole the corporate passwords for every Times employee and used those to gain access to the personal computers of 53 employees”
  • The official Chinese response was “Chinese laws prohibit any action including hacking that damages Internet security.”
  • “damages Internet security” is sufficiently vague that it could mean anything from an individual user using a weak password to a security researcher disclosing a vulnerability
  • Technically, targeted attacks do not necessarily “damage the security of the Internet”
  • Consultants hired by the New York Times claim that no customer data was exposed
  • This is not the first attack against the US media that appears to have come from the Chinese government
  • Bloomberg News reported being attacked in a similar fashion in June after posting an article about relatives of Xi Jinping (General Secretary of the Communist Party, expected to become President in March 2013)
  • New York Times Hack Started With A Simple Email Scam

Feedback:

Chris is not sure if we should keep submitting plain text password offenders. While it is shameful, it’s also so common that if we put every organization guilty of this that we find out about in the Hall of Shame it will be huge. I think the Hall of Shame should be reserved for especially bad, unique and large in scope security blunders.

Limited TechSNAP 100 T-Shirt

Round-Up:

Check Your Password | STOked 121 https://original.jupiterbroadcasting.net/19162/check-your-password-stoked-121/ Mon, 30 Apr 2012 20:26:30 +0000 https://original.jupiterbroadcasting.net/?p=19162 Chris stops by with a quick note about a recent security warning released by Cryptic studios, and teases an upcoming segment on STOked!

The post Check Your Password | STOked 121 first appeared on Jupiter Broadcasting.


Chris stops by with a quick note about a recent security warning released by Cryptic studios, and teases an upcoming segment on STOked!

Direct Download Links

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Support the Show:

Answers for Everyone | TechSNAP 42 https://original.jupiterbroadcasting.net/16331/answers-for-everyone-techsnap-42/ Thu, 26 Jan 2012 20:40:12 +0000 https://original.jupiterbroadcasting.net/?p=16331 We’ve got the answer to life the universe and everything, plus why you need to get upset about ACTA, and patch your Linux Kernel. In this Q&A PACKED edition!

The post Answers for Everyone | TechSNAP 42 first appeared on Jupiter Broadcasting.


We’ve got the answer to life the universe and everything, plus why you need to get upset about ACTA, and patch your Linux Kernel!

All that and more, in this Q&A PACKED edition of TechSNAP!

Thanks to:
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
DOTCO9: .co domain for $17.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

       

    Direct Download Links:

       

    HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

     

    Subscribe via RSS and iTunes:

    Show Notes:

    DreamHost gets hacked, resets all customers’ passwords, has scale issues

    • On January 19th, DreamHost.com detected unauthorized activity in one of their databases
    • It is unclear which databases were compromised: DreamHost’s own databases of customer data, or customers’ site databases
    • DreamHost uses separate passwords for its main web control panel and for individual user SSH and FTP accounts
    • DreamHost ran into scale issues, where the centralized web control panel could not handle the volume of users logging in and attempting to change their shell passwords
    • The fast forced password reset by DreamHost appears to have promptly ended the malicious activity
    • The urgency of the reset suggests that DreamHost stores users’ passwords in plain text in one or more databases
    • This assertion is further supported by the fact that they print passwords on confirmation screens and in emails
    • DreamHost also reset the passwords for all of their VPS customers

    Linux root exploit – when the fix makes it worse

    • Linux kernel versions newer than 2.6.39 are susceptible to a root exploit that allows writing to protected memory
    • Prior to version 2.6.39, write access was prevented by an #ifdef; however, this was deemed too weak and was replaced by newer code
    • The new security code, which was meant to ensure that writes were only possible with the correct permissions, turned out to be inadequate and easily fooled
    • Ubuntu has confirmed that an update for 11.10 has been released; users are advised to upgrade
    • This issue does not affect Red Hat Enterprise Linux 4 or 5, because this change was not backported. A new kernel package for RHEL 6 is now available
    • Analysis
    • Proof of Concept
    • Proof of Concept for Android

    Feedback

    Q: Tzvi asks, how best to monitor employee Internet usage?

    A: There are a number of ways to monitor and restrict Internet access through a connection you control. A common suggestion is a proxy server. The issue with this is that it requires configuration on each client machine, and sometimes even on each client application. This is a lot of work and is not 100% successful. However, there is an option known as a ‘transparent proxy’. Here the router/firewall, or some other machine that all traffic to the Internet must pass through, analyzes the traffic and routes outbound connections for port 80 or 443 (HTTP and HTTPS respectively, plus optional additional ports) through the proxy server, without any configuration required on the individual clients. Then, you can use the firewall to deny all outbound traffic that does not go via the proxy.

    This is relatively easy to set up, so much so that as part of the final exam in my Unix Security class, students had 2 hours to set up their machine as follows:

    • Configure TCP/IP stack
    • Download GPG and Class GPG Key
    • Decrypt Exam Instructions
    • Install Lynx w/ SSL support
    • Install a class self-signed SSL certificate and the root certificate bundle to be trusted
    • Install and configure Squid to block facebook with a custom error page
    • Configure Lynx to use Squid
    • Create a default deny firewall that only allows HTTP via squid and FTP to the class FTP server
    • Access the college website and facebook (or rather the custom error page when attempting to access facebook)

    While they had a little practice, and didn’t have to configure a transparent proxy, it is still a fairly straightforward procedure.

    Instead of rolling your own, you can just drop in pfSense and follow these directions.
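    The following is an added example, not code from the show or from the pfSense guide: a small POSIX shell script that emits the two pieces of the setup described above, a Squid ACL that denies a domain with a custom error page, and a default-deny iptables ruleset that redirects LAN port-80 traffic into Squid's intercept port and otherwise only permits FTP to one server. The interface name eth1, the LAN range 10.0.0.0/24, the intercept port 3129, the Squid account name proxy and the FTP server address are assumptions for the example, not values from the show; adjust them to your network. The rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the show notes): generate the Squid ACL and firewall
# rules for a transparent proxy with a default-deny egress policy.
# Assumed values for the example, not facts from the show:
LAN_IF="${LAN_IF:-eth1}"                   # interface the clients sit behind
LAN_NET="${LAN_NET:-10.0.0.0/24}"          # client network
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"   # Squid's transparent listener
SQUID_USER="${SQUID_USER:-proxy}"          # account Squid runs as (Debian default)
FTP_SERVER="${FTP_SERVER:-10.0.0.2}"       # the one FTP host clients may reach

# squid_block_domain DOMAIN ERRORPAGE
# Emit Squid directives that deny DOMAIN (and its subdomains) and answer with the
# custom error template ERRORPAGE from Squid's errors directory.
squid_block_domain() {
    cat <<EOF
http_port 3128
http_port ${INTERCEPT_PORT} intercept
acl lan src ${LAN_NET}
acl blocked_site dstdomain .$1
deny_info $2 blocked_site
http_access deny blocked_site
http_access allow lan
http_access deny all
EOF
}

# fw_rules: default-deny forwarding and output; HTTP only via Squid, FTP only to
# FTP_SERVER.  Printed, not executed, so the ruleset can be reviewed before use.
fw_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections the gateway or the proxy opened
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# client HTTP is silently redirected into Squid's intercept port
iptables -t nat -A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${INTERCEPT_PORT}
# only the proxy process may open HTTP/HTTPS and DNS to the Internet
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner ${SQUID_USER} -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner ${SQUID_USER} -j ACCEPT
# the only other permitted egress for clients: FTP control channel to the class server
iptables -A FORWARD -i ${LAN_IF} -p tcp -d ${FTP_SERVER} --dport 21 -j ACCEPT
EOF
}

# Print both for review
squid_block_domain facebook.com ERR_BLOCKED_SITE
fw_rules
```

    Two caveats a practitioner should know before applying this: the rules only redirect port 80, because intercepting HTTPS additionally requires every client to trust the proxy's CA certificate (which is why the exam above had students install a class self-signed certificate), and the FTP data channel will only be matched as RELATED if the kernel's FTP connection-tracking helper is loaded.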


    Q: Brett asks, what do you do after a compromise?

    A: The very first thing you do after a compromise is take a forensic image of the drive: a bit-by-bit copy, made without ever writing to or changing the disk in any way. You then pull that disk out and put it away for safe keeping. Do all of your analysis and forensics on copies of that first image (but do not modify the image either; you don’t want to have to make another copy from the original). This way, as you work on it and things get modified or trashed, you do not disturb the original copy. You may need the original unmodified copy for legal proceedings, as the evidentiary value is lost if it is modified or tampered with in any way.

    So your best bet is to boot off of a live CD (not just any live CD: many try to be helpful and auto-mount every partition they find; use a forensics live CD that will not take any action without you requesting it). Then use a tool like dd to image the drive to a file or another drive. You can then work off copies of that. This can also work for damaged disks, using dd switches such as conv=noerror,sync. Also, using a block size of 1 MB or so will speed up the process greatly.
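    As an added example (not from the show), here is a POSIX shell version of the procedure just described, run against a constructed file standing in for the disk: dd with conv=noerror,sync and a 1 MB block size, a SHA-256 of the source and of the image recorded next to the image, the master image made read-only, and analysis done on a separate working copy. On a real case the first argument would be the block device (for example /dev/sdb) opened from a forensic live CD, and the device's size would come from blockdev --getsize64 rather than wc -c.

```shell
#!/bin/sh
# Added example, not the show's own script: forensic imaging workflow with dd.
# The "disk" is a constructed file; on a real case SOURCE is a block device.

# sha256_of [FILE]: SHA-256 hex digest of FILE (or of stdin when no FILE),
# using whichever tool the live CD provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi \
        | cut -d' ' -f1
}

# image_disk SOURCE IMAGE
# conv=noerror keeps dd going past unreadable sectors; conv=sync pads the failed
# (or final partial) block with zeros so offsets in the image still line up with
# the original.  bs=1M is the block size the answer recommends for speed.  SOURCE
# is only ever opened for reading.
image_disk() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=1M conv=noerror,sync 2>/dev/null || return 1
    # record the source size and hash: conv=sync pads the image to a multiple of
    # bs, so the source comparison below is done over the first SIZE bytes only
    wc -c < "$src" | tr -d ' ' > "$img.src.size"
    sha256_of "$src" > "$img.src.sha256"
    # hash of the master image itself: the chain-of-custody value to re-check later
    sha256_of "$img" > "$img.sha256"
    chmod 0444 "$img"          # nothing writes to the master image again
}

# image_intact IMAGE -> 0 if the master image still matches its recorded hash
image_intact() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# image_matches_source IMAGE -> 0 if the unpadded image equals the source as read
# (on a damaged disk this will fail: zero-filled blocks replace unreadable ones)
image_matches_source() {
    size=$(cat "$1.src.size")
    [ "$(head -c "$size" "$1" | sha256_of)" = "$(cat "$1.src.sha256")" ]
}

# working_copy IMAGE COPY: analysts modify COPY, never IMAGE
working_copy() {
    cp "$1" "$2" && chmod 0644 "$2"
}

# Stand-alone demo on a constructed 3 MiB + 11 byte "disk" (size deliberately
# not a multiple of bs, to show the padding is handled): ./image.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    { dd if=/dev/zero bs=1M count=3 2>/dev/null | tr '\000' 'A'; printf 'end-of-disk'; } > "$d/disk"
    image_disk "$d/disk" "$d/disk.img" && image_intact "$d/disk.img" \
        && image_matches_source "$d/disk.img" \
        && echo "image verified: $(cat "$d/disk.img.sha256")"
fi
```

    The recorded image hash is what you hand over with the evidence; re-running image_intact on the stored master at any later date shows it has not been touched, while every analyst edit lands in a working copy whose hash will differ.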

    You asked about Tripwire and the like. The problem with Tripwire is that you need to have been running it since before the incident, so that it has a fingerprint database of what the files should look like and can detect what has changed. If you did not have Tripwire set up and running before, while it may be possible to create a fingerprint database from a backup, it is not that useful.
    The freebsd-update command includes an ‘IDS’ command that compares all of the system files against the central fingerprint database used to update the OS. This provides quick and powerful protection against the modification of system files, but it does not check any files installed by users or packages. The advantage of the freebsd-update IDS over Tripwire is that it uses the FreeBSD Security Officer’s fingerprint database, rather than a locally maintained one that may have been modified as part of the system compromise. In college I wrote a paper on using Bacula as a network IDS; I’ll see if I can find it and post it on my blog at appfail.com.


    Q: Jono asks, VirtualBox vs. bare-metal VMs?

    • Xen, KVM and VirtualBox are not bare metal; they require a full Linux host
    • XenServer is similar to VMware ESXi in that it is bare metal. It uses a very stripped-down version of CentOS and therefore far fewer resources than a full host. However, XenServer is a commercial product (though there is a free version)
      + The advantage of XenServer over VMware ESXi (both are commercial but free) is that XenServer is supported by more open source management tools, such as OpenStack

    Q: Gene asks, IT control is out of control, what can we users do?


    Q: Crshbndct asks, Remote SSH for Mum



    Cyber Bank Heist | TechSNAP 41 https://original.jupiterbroadcasting.net/16006/cyber-bank-heist-techsnap-41/ Thu, 19 Jan 2012 19:34:30 +0000 https://original.jupiterbroadcasting.net/?p=16006 Hackers rob nearly $6 million over the Internet, the Zappos security breach, the fall of the Koobface botnet, and what happened to Megaupload.

    The post Cyber Bank Heist | TechSNAP 41 first appeared on Jupiter Broadcasting.


    Find out how hackers robbed a bank for nearly $6 million over the Internet, the Zappos security breach, the fall of the Koobface botnet, and what happened to Megaupload.

    Plus we look back at the web’s SOPA protest this week, and see where things stand.

    All that, and much more, on this week’s episode of TechSNAP!


    Show Notes:

    Cyber Bank Heist Nets 5.3 Million Dollars

    • During the first three days of the new year, while the bank was closed for the holiday, thieves accessed a compromised computer at the South African Postbank and used it to transfer large sums of money into accounts they had opened over the past few months
    • They then used the compromised computer, and the credentials of a teller and a call center employee, to raise the withdrawal limits on their accounts
    • By 9 am on January 1st, numerous money mules started making trips to ATMs in Gauteng, KwaZulu-Natal and the Free State, unhindered by withdrawal limits
    • Withdrawals stopped around 6 am on January 3rd, before the bank reopened and the compromise was detected
    • In total, approximately 42 million South African rand were stolen (approximately 5.3 million USD, although some news stories reported the figure as 6.7 million USD). This appears to be around 1% of the entire holdings of the government-operated bank
    • The National Intelligence Agency (NIA) is investigating, as Postbank is a government institution
    • Sources report that the bank’s fraud detection system failed to detect the extremely large withdrawals, and the fraud was not discovered until employees returned to the bank after the New Year’s holiday
    • Observers question why such low-level employees (teller, call center agent) had the access required to raise the withdrawal limits
    • Investigators have not yet determined whether the computers and passwords were compromised without the employees’ knowledge, or whether the employees were involved in the heist
    • Local Coverage

    Koobface operators go underground as researchers disclose their identities

    • The Koobface malware mostly targeted Facebook users, prompting them to download a newer version of Flash in order to watch a non-existent video. Rather than the expected Flash update, the users would be infected with malware
    • The malware operators made large sums of money by using the botnet of infected computers to perpetrate click fraud against pay-per-click advertising networks. “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud”
    • Facebook and some researchers they had been working with released their findings, including the identities, social media accounts and other information they had gathered on those behind the malware
    • Within days of that disclosure, the attackers had shut down their C&C servers and rapidly began destroying the evidence against them. They also appear to have gone into hiding (likely to avoid prosecution or extradition)
    • With the shutdown of the C&C servers and the disappearance of the operators, new infections of Koobface have dropped to near zero
    • Researchers question whether exposing the operators was the right thing to do
    • Canadian researchers released a paper on Koobface in 2010. Rather than releasing the identities of the attackers, Infowar Monitor handed the information over to Canadian law enforcement
    • Additional Coverage

    Shoe Retailer Zappos Hacked, 24 million customers compromised

    • Zappos, an online shoe retailer owned by Amazon, was compromised last week
    • Attackers gained access to the customer database after compromising a Zappos server in Kentucky and using it to island-hop into the internal network
    • The Zappos customer database contained names, email addresses, scrambled passwords, billing and shipping addresses, phone numbers and the last four digits of credit card numbers
    • It is unclear what is meant by ‘scrambled’ passwords; hopefully it means secure hashing
    • Zappos states rather clearly, and repeatedly, that their secure payment processing servers were not compromised, and that credit card and transaction data remain secure
    • Hopefully this means that Zappos takes their PCI-DSS compliance seriously, and the payment servers are isolated from the internal network that was invaded via the compromised server
    • Even without the full credit card data, the information from this compromise could be used quite successfully in spear phishing attacks
    • Zappos has reset and expired all customers’ passwords, forcing customers to choose new ones
    • Zappos has disabled its phone systems in anticipation of an extremely high volume of support inquiries
    • Zappos Announcement

    Researcher reveals that Stuxnet did not use a vulnerability in SCADA

    • Researcher Ralph Langner presented his findings at the S4 Conference on SCADA systems
    • In his presentation, he revealed that the Stuxnet worm, while possessing many 0-day exploits to gain access to the protected computer systems, used a design flaw in the SCADA system, rather than an exploit, to perform the attack
    • Langner postulates that the design of the Stuxnet worm was not to destroy the centrifuges, but to undetectably disrupt the process, making production impossible
    • The Stuxnet worm takes advantage of the fact that the input process image of the PLC is read/write rather than read-only, so the worm simply plays back the results of a known-good test to the controller, while actually feeding the centrifuge bad instructions, producing unexplained, undesired results
    • Langner used his analysis to criticize both Siemens and the U.S. Department of Homeland Security for failing to take the security issues more seriously


    Stuffed War Stories | TechSNAP 33 https://original.jupiterbroadcasting.net/14267/stuffed-war-stories-techsnap-33/ Thu, 24 Nov 2011 22:57:28 +0000 https://original.jupiterbroadcasting.net/?p=14267 Microsoft’s flawed code signing infrastructure puts your machine at risk, plus a batch of great audience-submitted questions, and we share a few IT war stories!

    The post Stuffed War Stories | TechSNAP 33 first appeared on Jupiter Broadcasting.


    Microsoft’s flawed code signing infrastructure puts your machine at risk, find out how.

    A batch of great audience submitted questions, and we share a few IT war stories!

    All that and more, on this week’s TechSNAP!


    Show Notes:

    AT&T customer data targeted in attack

    • The attackers used automated scripts to attempt to determine whether phone numbers were linked to AT&T online accounts
    • Attempts were made against approximately 1 million of AT&T’s 100 million customers
    • The attackers appeared to already have a database of usernames and passwords, and were attempting to use brute force to link those credentials to phone numbers in order to gain access to the accounts
    • AT&T appears to lack any type of intrusion detection system, or automated defences that block an IP address after many failed login attempts. The millions of attempts were likely not launched from a single IP address, but they still should have been blocked well before 1 million accounts had attempts made against them
    • AT&T does not believe attackers were able to gain access to any accounts, but they are still investigating

    South Korea blocks young gamers after midnight

    • The so-called Cinderella law blocks users under the age of 16 from accessing online games after midnight
    • The articles are unclear about exactly how this is accomplished, but it appears to be enforced by the online gaming sites themselves, and teens using accounts created with their parents’ identities are not blocked
    • In South Korea, most websites require you to enter your national ID card number. Comments on sites cannot be left anonymously (previously covered on TechSNAP 23)
    • Is this a sign of the level of censorship we can look forward to in the future?

    RSA 512-bit SSL certificates abused in the wild

    • SSL certificates signed by a few authorities (which have since had their trust revoked) have had their private keys factored
    • Once you possess the private key for an SSL certificate, you can use it to pretend to be that site, and use any other capabilities that the certificate has
    • It was originally thought that the private keys were merely stolen by malware, but it seems that factoring RSA 512 has become somewhat trivial, taking only a matter of days or weeks with a reasonable cluster of modern machines. With malware authors having access to large botnets, or cloud computing platforms like Amazon EC2, these certificates can no longer be considered safe
    • A number of other vulnerable certificates were identified, many coming from DigiNotar, the certificate authority that was compromised by attackers and has since had its trust revoked and gone out of business
    • Almost all SSL certificate authorities require at least a 2048-bit RSA key for new certificates
    • A normal HTTPS SSL certificate only has the ability to sign outbound messages, encipher symmetric keys, and verify its identity as a TLS client or server
    • The problem with the certificates issued by the Digisign Server ID CA is that they lacked the basic key usage definitions and constraints. This allowed the certificates to be used for any purpose, including signing software. The certificates also lacked a properly defined CRL (Certificate Revocation List), so they could not be revoked
    • The factored certificates were used to code-sign malware to remove or lessen the warnings given by Windows when the code is executed
    • The compromised certificates have been used as far back as March 2010, and Microsoft did not act until recently, revoking trust in the CA. Microsoft will still accept 512-bit certificates without proper use definitions or constraints
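    To make the last three points concrete, here is an added example (not from the show) that audits a PEM certificate with the openssl command line for exactly the properties the notes call out: an RSA modulus below 2048 bits, a missing keyUsage or extendedKeyUsage, and no CRL distribution point. The sample certificates it builds are constructed, self-signed stand-ins (a 1024-bit one with no constraints to mimic the problem certificates, and a 2048-bit one with the constraints a TLS server certificate should carry); the host names and CRL URL are placeholders. It needs OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example, not from the show: audit an X.509 certificate for the three
# weaknesses described in the Digisign Server ID certificates: a short RSA
# modulus, missing key-usage / extended-key-usage constraints, and no CRL
# distribution point.  Requires the openssl CLI.
MIN_RSA_BITS=2048   # the floor public CAs require for new certificates

# cert_audit CERT.pem -> prints one finding per line; exit status = number of
# findings (255 if openssl could not parse the file)
cert_audit() {
    text=$(openssl x509 -in "$1" -noout -text) || return 255
    n=0
    # "RSA Public-Key: (1024 bit)" on 1.1.1, "Public-Key: (1024 bit)" on 3.x
    bits=$(printf '%s\n' "$text" | sed -n -E 's/.*Public-Key: \(([0-9]+) bit\).*/\1/p' | head -n1)
    if [ -n "$bits" ] && [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "weak key: ${bits}-bit RSA (minimum ${MIN_RSA_BITS})"; n=$((n+1))
    fi
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage:' \
        || { echo "no keyUsage extension: certificate usable for any purpose"; n=$((n+1)); }
    printf '%s\n' "$text" | grep -q 'X509v3 Extended Key Usage:' \
        || { echo "no extendedKeyUsage: not restricted to TLS server/client auth"; n=$((n+1)); }
    printf '%s\n' "$text" | grep -q 'X509v3 CRL Distribution Points:' \
        || { echo "no CRL distribution point: cannot be revoked via CRL"; n=$((n+1)); }
    return "$n"
}

# make_sample_certs DIR: constructed self-signed samples for trying the audit.
# weak.pem mimics the problem certificates (1024-bit, no constraints, no CRL);
# ok.pem carries what a properly issued TLS server certificate should.
make_sample_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 1 -subj '/CN=weak.example.test' \
        -keyout "$dir/weak.key" -out "$dir/weak.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=ok.example.test' \
        -addext 'keyUsage=critical,digitalSignature,keyEncipherment' \
        -addext 'extendedKeyUsage=serverAuth' \
        -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl' \
        -keyout "$dir/ok.key" -out "$dir/ok.pem" 2>/dev/null
}

# Usage: cert_audit /path/to/site.pem ; echo "findings: $?"
```

    Run cert_audit over a trust store or a fleet's deployed certificates and anything that reports a finding is a certificate that, if its key were factored or stolen, could be reused for purposes its CA never intended and could not be pulled back by revocation.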

    Feedback:

    Q: Do you guys trust Internet aggregator services?
    A: It depends on the level of security they employ. Most of these sites are not very forthcoming with details on how they secure your data, or even how they work. A better solution would be something like OAuth, to allow you to grant only certain permissions to each specific site, and to easily revoke a site’s access to your accounts.

    Q: SSH on port 2222?
    A: Using a different port does reduce the number of attacks from automated bots, but it will not stop anyone targeting you specifically. The solution is always to use a protection system such as DenyHosts, SSHGuard or Fail2Ban. Also, if it makes sense in your setup, disable password authentication entirely and only use SSH keys. Note: you should still use DenyHosts to prevent an aggressive botnet from bogging down your SSH server so that legitimate users cannot log in. This used to happen to one of my servers that had 250 IP addresses; the bots would attack each IP at the same time, creating 1000 SSH connections at once.
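    An added example, not from the show, of the two things this answer and the AT&T item above come down to: an audit of sshd_config for key-only authentication, and the per-source failed-login counting that DenyHosts, SSHGuard and Fail2Ban automate (and that AT&T's login endpoint apparently lacked). The config files and auth.log lines are constructed samples using documentation-range IP addresses; the config reader is a simplification that ignores Match blocks and takes the first value of a keyword, as sshd does, and the PermitRootLogin check is an assumed hardening baseline rather than sshd's default.

```shell
#!/bin/sh
# Added example (not from the show): audit sshd_config for the settings the
# answer recommends, and count failed logins per source IP the way a brute-force
# blocker does.  Sample config and log lines below are constructed.

# sshd_setting FILE KEYWORD -> first uncommented value for KEYWORD (sshd keeps
# the first one it reads; Match blocks are ignored in this simplified reader)
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key && !seen { print $2; seen = 1 }' "$1"
}

# audit_sshd FILE -> prints one finding per line; exit status = number of findings
audit_sshd() {
    n=0
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no': passwords still accepted (sshd default is yes)"; n=$((n+1)); }
    [ "$(sshd_setting "$1" PubkeyAuthentication)" != "no" ] \
        || { echo "PubkeyAuthentication is disabled"; n=$((n+1)); }
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no' (assumed hardening baseline)"; n=$((n+1)); }
    port=$(sshd_setting "$1" Port)
    echo "info: sshd listens on port ${port:-22}; a non-default port cuts bot noise but is not a control"
    return "$n"
}

# failed_logins_over LOG THRESHOLD -> "count ip" for each source IP with at
# least THRESHOLD failed password attempts (what DenyHosts/Fail2Ban act on)
failed_logins_over() {
    grep -E 'sshd\[[0-9]+\]: Failed password for' "$1" \
        | sed -E 's/.* from ([0-9.]+) port [0-9]+ .*/\1/' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# Constructed samples (not real configs or logs)
sample_weak_config() {
    cat <<'EOF'
Port 22
#PasswordAuthentication no
PermitRootLogin yes
EOF
}
sample_hardened_config() {
    cat <<'EOF'
Port 2222
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
ChallengeResponseAuthentication no
EOF
}
sample_auth_log() {
    cat <<'EOF'
Jan 26 03:14:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 26 03:14:03 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 26 03:14:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan 26 03:14:07 host sshd[1203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan 26 03:15:10 host sshd[1210]: Failed password for alice from 203.0.113.5 port 51234 ssh2
Jan 26 03:15:20 host sshd[1211]: Accepted publickey for alice from 203.0.113.5 port 51240 ssh2: ED25519 SHA256:constructed
EOF
}
```

    The counting here is over the whole file; the real tools add a time window and an unban timer, which is what keeps a single mistyped password from locking out a legitimate user while still catching the 1000-connections-at-once pattern the answer describes.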

    Q: Why not just one boot loader to rule them all?

    Q: How do I get started in Tech Support?

    War Story

    Administering a Windows Server with your eyes closed

    When ScaleEngine first started, we were in a much smaller local data center. One of the disadvantages of this data center was that they did not provide KVM carts; in order to work on a server, you had to remove it from the rack and take it over to a little desk in the corner with a monitor and keyboard, but no network connection. At our new data center, we have KVM carts we can take over to our rack to work on servers without disconnecting them. If we need to disassemble the server, they provide a nice large quiet work area with ample power, ethernet drops and free coffee.

    I had just built two new Windows 2008 R2 servers for one of our clients, and had installed them in the rack. I got them up and running, and they were serving their websites fine. However, I was not able to connect via Remote Desktop. How had I forgotten to enable Remote Desktop…

    I really did not feel like waiting for the server to shut down (Windows servers take an extremely long time to shut down, partly because they overwrite the entire swap file for security reasons), then removing the server from the rack again, waiting for it to boot up, changing the settings, shutting down, etc.

    So, I grabbed our spare USB keyboard and connected it to the server in the rack, balancing the keyboard on my left hand while typing with only my right, with no monitor. I waited 30 seconds for Windows to detect the keyboard, and then entered Control+Alt+Delete to open the login prompt. I heard the drive start ticking as it loaded the desktop, so I gave it a few minutes. Once I was logged in, I pressed Windows+R to open the run prompt and started cmd.exe. Then I issued the following commands, which I had arduously looked up on my old cell phone’s very limited browser:

    netsh firewall set service remoteadmin enable
    netsh firewall set service remotedesktop enable
    netsh firewall add portopening TCP 3389 RDesktop enable any

    I issued each command twice, in case I might have made a typo, even though I was typing as carefully and slowly as I could, doing it with one hand on an unsteady keyboard. Then, to test it, I used PocketPuTTY on my cell phone to SSH into one of my servers and used netcat to see if port 3389 was open. It was. So I repeated the same procedure on the second Windows server and again verified it via my cell phone before packing up and leaving the data center.

    And that is how I administered a pair of Windows servers with my eyes closed.
