Show Notes: techsnap.systems/421

The post Firewall Fun | TechSNAP 421 first appeared on Jupiter Broadcasting.

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• Zoneminder – Open Source Security Cameras
• Home Assistant – Open Source Home Automation
• NMap – Open Source Network Scanning
• Metasploit – Open Source Exploit Scanner
• Tripwire – Open Source Intrusion Detection System
• VoxTeleSys

Vote for your favorite Distro

• Vote For Your Distro!

Join us for the AMA Episode

• Ask Noah anything you want about any topic personal or tech!
• Call In 1-855-450-NOAH
• Monday, December 25th
• Listen Live
• Watch Live

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Hacking on Linux | Ask Noah 40 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Imgur’s blog post Re: notice of data breach

• Imgur Confirms 2014 Breach Of 1.7 Million User Accounts

• Troy Hunt praised Imgur’s “exemplary handling” of the incident

• Firefox to collaborate with HaveIBeenPwned to alert users on data breach

• What’s the correct date? 2013 or 2014?

Contrast Imgur’s breach handling wth that of DJI

• developers had left the private keys for both the “wildcard” certificate for all the company’s Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub

• Findings of developer: Why I walked away from
  $30,000 of DJI bounty money – PDF

• But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA).

• “At one point… DJI even offered to hire me directly to consult with them on their security,” Finisterre wrote.

• Ultimately, Finisterre received an e-mail containing an agreement contract that he said “did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech.” It seemed clear to Finisterre that “the entire ‘Bug Bounty’ program was rushed based on this alone,” he wrote.

how can I prevent myself from getting hacked?

• not everyone agrees with Motherboard so see also Basic security precautions for non-profits and journalists in the United States, mid-2017. but to be fair, Bruce say’s it’s pretty good

• see also other Motherboard guides

• Do you want to stop criminals from getting into your Gmail or Facebook account? Are you worried about the cops spying on you? We have all the answers on how to protect yourself.

• The Electronic Frontier Foundation guide to Assessing Your Risks

• … if you come away with one lesson from this guide is: update, update, update, or patch, patch, patch.

• Use a password manager

• Two factor authentication: You should, if the website allows it, use another 2FA option that isn’t SMS-based, such as an authentication app on your smartphone (for example, Google Authenticator, DUO Mobile, or Authy), or a physical token. If that option is available to you, it’s great idea to use it.

• use an ad blocker (e.g. uBlock Origin). Why? A great deal of malware comes through ads.

• Get an iPhone and don’t jailbreak it

• Use Signal instead of WhatsApp

• Even if you keep your privacy settings on lockdown, social media companies are subject to subpoenas, court orders, and data requests for your information. And often times, they’ll fork over the information without ever notifying the user that it’s happening. For the purposes of social media, assume that everything you post is public. This doesn’t mean you should stop using social media, it just means you have to be mindful of how you use it.

Feedback

• Tape Drives and Jails – FreeNAS jails

• From Samir, based on question from Episode 346 : Linux Containers vs Virtual Machines

• Jonathan Davis mentioned Schrodingers Backup Mug

• I will Miss you Mr. Dan

• Reverse SSH as Poor-Man’s VPN

Round Up:

• Potential impact of the Intel ME vulnerability

• Mostly for ZFS: Policy-driven snapshot management and replication tools. & see also zfstools : OpenSolaris-compatible auto snapshotting for ZFS

• The strongest KASLR, ever?

• Better Random Number Generation for OpenSSL, libc, and Linux Mainline – But what’s really exciting for us is that, in the course of working on libc, we were also able to get traction on another important change, in Linux itself. Last year, we suggested a new madvise() option for the Linux kernel. Based on OpenBSD’s MINHERIT_ZERO, the option marks memory regions as WIPEONFORK, which means that those regions are zeroed in a child process immediately after a fork() call.

• How a single PostgreSQL config change improved slow query performance by 50x

• Troy Hunt testifies before Congress and you should be able to watch it live here

• A minimalist guide to tmux

• Top SSL Issuers

The post A Farewell to Dan | TechSNAP 347 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

The Ethics of Running a Data Breach Search Service

• HIBP – have i been pwned?

Is the NSA Doing More Harm Than Good in Not Disclosing Exploits?

Post a boarding pass on Facebook, get your account stolen

How Israel Caught Russian Hackers Scouring the World for U.S. Secrets

• See also Israel hacked Kaspersky, then tipped the NSA that its tools had been breached

Feedback

• CERN using tapes

• New to FreeBSD – rc scripts see also Practical rc.d scripting in BSD & man rc.subr & man periodic & daemontools

• Steam Reporting Zero Free Space on ZFS disk

• SSH Reverse Tunnel Gateway Port

• Tapes – beware of Maxell

Round Up:

• On Oct 5 High Sierra update fixes bug which exposed the passwords of encrypted Apple File System See also the original post from Sep 27

• When you turn something off, it really should be off

• disqus.com – Security Alert: User Info Breach

• U.S. lawmakers want to restrict internet surveillance on Americans

• Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs

The post Spy Tapes | TechSNAP 340 first appeared on Jupiter Broadcasting.

Video Feed | MP3 Feed | HD Torrent | iTunes

Become an Unfilter supporter on Patreon:

— Show Notes —

• The biggest scandal you’ve never heard of
• New conflicts threaten Syria after Islamic State defeat | Reuters
• Democrats lay foundation to remove Trump on mental grounds | Daily Mail Online
• Legal marijuana sales begin in Nevada – Las Vegas Review-Journal
• Podesta: ‘It’s on the FBI’ That DNC Servers Weren’t Turned Over | Fox News Insider
• ‘Your worst nightmare: a successful Donald Trump presidency’ | US news | The Guardian
• House Dem Staffers Took Iraqi Politician’s Ca | The Daily Caller
• Busted Iran front group loaded Clinton Foundation with cash
• CNN ‘New Day’: CNN Promised Not To Identify Pro-Trump Reddit User If He Apologized; “A Nice Thing” | Video | RealClearPolitics
• EXCLUSIVE: Documents expose how Hollywood promotes war on behalf of the Pentagon, CIA and NSA
• Philip DeFranco on Twitter: “Is that normal? Is @CNN essentially threatening to dox him, or am I reading that wrong? https://t.co/7LMMqo1fK5”
• How CNN found the Reddit user behind the Trump wrestling GIF – CNNPolitics.com
• New York police officer fatally shot in ‘unprovoked attack’ – CNN.com
• Egyptian FM: Qatar’s response to demands ‘negative’ – CNN.com
• Trump’s long list of disagreements with G20 nations – CNNPolitics.com
• Vatican Police Find Drugs, Sex in Raid of Cardinal Secretary’s Apartment | National News | US News
• CNN Story About Source of Trump Wrestling Video Draws Backlash – The New York Times

The post Low Road Journalism | Unfilter 243 first appeared on Jupiter Broadcasting.

MP3 Feed | HD Video Feed | iTunes Feed

Become a supporter on Patreon:

— Show Notes: —

— The Cliff Notes —

• Tails 3.0 Security Distro

• Tails 3.0 is out

• Tails Version 3.0 Features

• Steam is Now on Flatpak

• Telegram Approached by US Intelligence

— Noobs Corner —

Check out the Ask Noah Dashboard

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —

• Noah – Kernellinux
• Ask Noah Show
• Altispeed Technologies
• Jupiter Broadcasting

The post Tails of Privacy | Ask Noah 13 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Yellow dots give you away

• How to remove the yellow dots

• List of Printers Which Do or Do Not Display Tracking Dots – no longer updated

• More on Steganography: in pornography

Hiding command and control in plain text

• The ESET report

libtrue

• HOME page

• GitHub page

• FreeBSD port

• Code of Conduct

• 34 watches on GitHub

• Libraries.io entry

• subreddit

Feedback

• Quadrupled photos

• Apple laptop repair place – Brickfence

• Low power pfSense & pfSense 2.5

Round Up:

• 8,000 Vulnerabilities Found in Pacemakers
  

• Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA

• Ex-Admin Deletes All Customer Data and Wipes Servers of Dutch Hosting Provider

• Microsoft Azure adds OpenBSD support

• Watch what government is looking at

The post Comment & Control | TechSNAP 323 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Who controls the internet?

Windows privacy not so private

zomato data breach – what happened?

• https://www.zomato.com/about

Feedback

• Can you please discuss capacity planning with ZFS and Snapshots?

• cheap but very good managed switch

• Btrfs and Net Neutrality

Round Up:

• How to improve uptime and integrity of operations

• Cloak & Dagger is a new class of potential attacks affecting Android devices

• ‘Major incident’ at Capita data centre: Multiple services still knackered : “I can’t say who I work for but let’s just say I did nothing for two days.”

• 83 percent of security staff waste time fixing other IT problems

The post #NotMyInternet | TechSNAP 322 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Bacula Deep Dive – as requested by Matt Yakel

• Bacula: Cross-Platform Client-Server Backups – from 2004, FYI only

• Sony SDT 10000 Tape Drive

• Bacula – Digital DLT MiniLibrary – TL891

• Integrating the Tape Library with an existing Bacula installation

Feedback

• Open Source remote monitoring and management recommendations

  • OCS Inventory NG use an agent which launch an inventory on the clients computers…

• FreeNAS 10 Corral

• File syncing

Round Up:

• How Discord Indexes Billions of Messages

• Using Let’s Encrypt for phishing

• Firefox gets complaint for labeling unencrypted login page insecure

• Man jailed indefinitely for refusing to decrypt hard drives loses appeal

• SHA-1 collision detection added to GitHub.com

• How I Store My 1’s and 0’s: ZFS + Bargain HP Microserver = JOY

• 300 models of switches it sells contain a critical vulnerability

• More on Alexsey Belan, the Yahoo hack

• Four Men Charged With Hacking 500M Yahoo Accounts

• What computer users see in security warning boxes

The post Check Yo Checksum | TechSNAP 311 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

• In this case, it was the accountants who noticed something was wrong.

• What? No centralised real-time monitoring?

• IN EARLY JUNE 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

• Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

• He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

• On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

• By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

• Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the supect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

• By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

• Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

• But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

• Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

• On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

• The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

• The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

• So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

• This came to our attention from Shawn
• For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewall, and general stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The issue, long standing, is updates. When vulnerabilities are found, the code needs to be patched. With these devices, that issues can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks, this isn’t so much as an issue, if the updates are made available to us
• We patch our own systems already, patching the firmware on a device… we can do that too.
• The vast majority of router users are unaware that they require an update. They sit there waiting, and sometimes they are found. When they are found to have a vulnerability, they can become part of a bot-net, a huge collection of devices ready to do the bidding of those with ill-intent. These bot-nets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
• This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

• This also came from Shawn

• Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

• On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

• Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

• That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

• So some solace there for users because not all is lost. But the document concludes with the following:

• So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

• The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

  • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

  • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

  • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

  • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

  • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

  • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

  • Our backups to S3 apparently don’t work either: the bucket is empty

• Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

• See also GitLab.com Database Incident

• see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

• example of why making sure your backup solution is solid as hell is extremely important

• The guy is completly honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

• For context, myth-weavers is a website that handles things like the creation/managing and sharaing of D&D (and other tabletop RPG) character sheets online ( https://www.myth-weavers.com/sheetindex.php ), they lost about 6 months of data.

• Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

• The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

• Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

• Not exactly mission-critical data, but still very important data for the audience they cater too. Handcrafted, imagination-related kinda stuff

• This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

• Dataloss at GitLab

• Thoughts On Gitlab Data Incident

• Blameless PostMortems and a Just Culture

Feedback:

• Mesos and software that is impossible to back up

• Windows backup to FreeNAS

• FreeNAS Transmission Permissions

Round Up:

• AT&T and Verizon just got a free pass from the FCC to divide up the internet

• These 10 cities have the worst malware infection rates in the US

• Anonymous Hacks and Takes Down 10,613 Dark Web Portals

• We don’t want to alarm you, but PostScript makes your printer an attack vector – From Shawn

• A Hacker Just Pwned Over 150,000 Printers Left Exposed Online

• Dark net markets moving to adopt bug bounty programs

• FOSDEM video recordings

• 70% of D.C. CCTV cameras infected with Ransomware 8-days before presidential inauguration

• iOS Cracking Tools Allegedly Stolen from Cellebrite Get Dumped Online by Hackers

• Microsoft’s DRM can expose Windows-on-Tor users’ IP address

• Got an OpenBSD Web server? Better patch it

• LibTLS: Rethinking the TLS/SSL API

The post Gambling with Code | TechSNAP 305 first appeared on Jupiter Broadcasting.

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon:

— Show Notes —

Episode Links and References

• NYPD: Hillary Clinton Was Wearing “Invisible” Earpiece To Receive Stealth Coaching During Live NBC TV Town Hall | True Pundit
• Gary Johnson Wants to Be President, Doesn’t Know What Aleppo Is – The Daily Beast
• Guccifer 2.0 angry about his DNC hack being blamed on Russians – WSJ — RT America
• I Am A Syrian Living in Syria: “It was Never a Revolution nor a Civil War. The Terrorists are sent by your Government” | Global Research – Centre for Research on Globalization
• Timeline suggests Team Clinton obstructed justice | Power Line
• Hillary Clinton refuses to explain what she told the FBI about her concussion | Daily Mail Online
• Google Program to Deradicalize Jihadis Will Be Used for Right-Wing American Extremists Next
• Clinton campaign warns media to tread carefully | TheHill
• 2 men arrested in the US for hacking e-mails of top officials, including CIA chief, United States News & Top Stories – The Straits Times
• SITE Cyber Security on Twitter: “Pro-#ISIS Caliphate Cyber Army advertised a forthcoming hack with image of #Obama & #DonaldTrump in orange jumpsuits https://t.co/Oavz7hSloY”
• Kerry announces US-Russia deal on Syrian ceasefire – CNNPolitics.com
• Hillary Clinton’s National Security Advisers Are a “Who’s Who” of the Warfare State
• Zdenek Gazda on Twitter: “Hillary Clinton 9/11 NYC https://t.co/q9YnsjTxss”
• USATODAY.com – Bush faints at White House, recovers quickly
• US election: Hillary Clinton diagnosed with pneumonia – BBC News
• David Shuster on Twitter: “Clarification from dem operatives @HillaryClinton pneumonia: Expect emergency DNC meeting to CONSIDER replacement. #HillarysHealth”
• The Clinton campaign’s bad damage control just made the health story even worse – The Washington Post
• toddstarnes on Twitter: “From NBC Pool Report: “We are told by the campaign that we are no longer allowed to shoot anything from the ceremony.””
• BOMBSHELL: AAA Safety Foundation Finds No Scientific Basis that THC in Blood Impairs Driving
• I Aver on Twitter: “.@smellyfed’s point annotated. That’s a neuro test, not 1 for heat exhaust’n or pneumonia, which’d be a stethoscope. https://t.co/RHrTm6yVm3”
• Secret Service followed atypical protocol with Clinton’s early departure from Sunday 9/11 event – The Washington Post
• Lisa R. Bardack, MD – Mount Kisco, NY – Internal Medicine | Lisa R. Bardack
• Trump Plans to Keep Quiet on Clinton’s Health Issues – Bloomberg Politics
• #HillarysDouble : POLITIC
• DeplorablePatriot on Twitter: “Pay attention to the nose! #HillarysBodyDouble https://t.co/uhnmTPwXlo”
• Deplorable Char on Twitter: “So, this is what Stronger Together meant. . When one falls, the other is tagged in. #HillarysBodyDouble https://t.co/RBbUlTEQrJ”
• Pneumonia my ass. This “squeeze my fingers” moment shown here is a neurological test. It has gotten to the point that I would be surprised if the Clinton campaign told the truth about anything anymore. : The_Donald
• Parkinson’s Disease | Swallowing and Parkinson’s Disease
• Mike Cernovich on Twitter: “Sick Hillary is trailed by her hypnotist/handler while a nurse monitors her pulse. #ClintonCollapse https://t.co/nRIEJBR7wa”
• Mike Cernovich on Twitter: “Is the mysterious woman dragging sick Hillary forward her doctor? #ClintonCollapse https://t.co/937cvbH3cg”
• CNN.com – Hillary Clinton faints during speech – Jan 31, 2005
• Clinton’s former CIA director advising Trump on national security – POLITICO
• Clinton team avoided ER to conceal details of her medical treatment | New York Post
• Chelsea Clinton to buy $10.5 million apartment – NY Daily News
• Voters doubt Clinton’s pneumonia explanation, poll shows | US news | The Guardian
• Hillary Clinton to release additional medical records
• Hillary Clinton Had Convulsions Then Collapsed: What Actually Happened on 9.11.2016 – Medium
• Hillary Clinton’s Pneumonia Bug Also Sickened Campaign Staff : People.com
• Hillary Clinton’s Illness Revealed – YouTube
• Is Iowa a Caucus or a Mental Health Problem?… | Scott Adams’ Blog
• Checking My Predictions About Clinton’s Health | Scott Adams’ Blog
• Bryan Pagliano defies subpoena to avoid testifying on Clinton emails – Washington Times
• Clinton Aides Complain About Double Standard, But Media Also Went After Bush Foundation
• This Is The Most CONVINCING Diagnosis Of Hillary Clinton I’ve Seen Yet
• John Cardillo on Twitter: “Most telling part is flawless calm choreography of her staff and detail. They do this often. #HillarysHealth https://t.co/UOCNH3YQHl”
• Former Secret Service Agent For The Clintons Reveals The ONE Detail Of Hillary’s ‘Medical Episode’ That Concerns Him The Most
• I Protected Hillary Clinton In The Secret Service – Here’s Why Her ‘Fainting’ Video Really Scares Me
• Exclusive: Chelsea Clinton’s NY Apartment Is The Listed Address For A Senior Citizen Care Facility, “Metrocare Home Services Inc.” : WikiLeaks
• CBS News Edits Out Embarrassing Verbal Slip in Bill Clinton Interview (UPDATED) | Mediaite
• After “September Disaster For Clinton”, Democrats Near “Full-On Panic Mode” | Zero Hedge
• IJR: “I Protected Hillary Clinton In The Secret Service – Here’s Why Her ‘Fainting’ Video Really Scares Me” | Zero Hedge
• Michigan marijuana vote kept off ballot with federal court ruling | MLive.com
• Bill to Scrap Dodd-Frank Advances Amid Wells Fargo Backlash – Bloomberg
• Hillary Clinton’s nurse appears to check pulse before her collapse at 9/11 memorial | Daily Mail Online
• Guccifer 2.0: New Clinton DNC Leaks Reveals Donor List. Big Donors Awarded Federal Positions After Their Donations. – MagaFeed
• Lee Fang on Twitter: “Also back in 2015, Leeds & Powell discussed Hillary’s health https://t.co/dm4G1WJvus”
• WikiLeaks – Search the DNC email database
• LEAKED: Take a peek inside the Clinton campaign’s “hospital on wheels” | Channel 7 News
• CBS “clarifies” editing Bill Clinton’s remarks on Hillary fainting – Hot Air Hot Air
• Most Blatant Pro-Hillary Lies Yet as MSM Cites Oppressive Weather, Pantsuit for Collapse | Truth Revolt
• Signs and symptoms of Parkinson’s disease – Wikipedia, the free encyclopedia
• Friends of Hillary say she has Parkinson’s
• WikiLeaks – Hillary Clinton Email Archive
• Do You Suffer From Decision Fatigue? – The New York Times
• Complete Timeline of Hillary’s Health #HillarysHealth
• So Shady! Hillary’s Glasses ‘Are For People With Neurological Problems,’ Says Top Doc – Radar Online
• Leaked Emails Show Colin Powell Was Worried About Hillary’s Health Over A Year Ago
• Theory On Metal Object That Dropped From Hillary’s Pant Leg – MagaFeed
• The Matt Lauer Flap
• As Russia reasserts itself, U.S. intelligence agencies focus anew on the Kremlin – The Washington Post
• Doctors Raise Concerns over Clinton’s Pneumonia Diagnosis and Treatment – Breitbart
• Colin Powell Mocks Clintons: Hillary ‘Greedy’ — Bill Home With ’Bimbos’ – Breitbart
• Hillary Clinton ‘HATES’ President Obama for defeating her in the 2008 election | Daily Mail Online
• Bill Clinton Mistakenly Claims That Hillary Clinton Has The Flu | Need To Know Network
• Sales of Hillary Clinton’s New Book Are Off to a Slow Start – The New York Times
• Snowden backers press Obama for pardon before presidency ends
• Trump’s Asheville North Carolina visit : unfilter
• Russian Hackers Leak Olympic Athletes’ Confidential Medical Data | Hacked
• Hillary Clinton Releases More Medical Information After Pneumonia Diagnosis – ABC News
• Hillary Clinton ‘healthy and fit’, says doctor – BBC News
• Clinton’s doctor declares her ‘fit to serve’ as president – POLITICO
• Powell in leaked email: ‘I didn’t tell Hillary to have a private server at home’ – POLITICO
• ‘We Misled You’: How the Saudis Are Coming Clean on Funding Terrorism – POLITICO Magazine
• Will Rahn on Twitter: “This is a good Colin Powell email https://t.co/66krJvciYL”
• Hillary Clinton could cost the Democrats the Senate – The Washington Post
• Powell in leaked email slams Bill Clinton on continuing affairs with ‘bimbos’ | TheHill
• ‘Edward Snowden did this country a great service. Let him come home’ | US news | The Guardian
• Leaked documents reveal secretive influence of corporate cash on politics | US news | The Guardian
• It’s laughable to blame scrutiny of Clinton’s health on gender | TheHill
• American trust in news media falls to lowest level in history: Gallup poll – Washington Times
• WikiLeaks drops latest Guccifer 2.0 data on Hillary Clinton, DNC, Democrats
• Alcohol Industry Bankrolls Fight Against Legal Pot in Battle of the Buzz
• STOCK PHOTO: Registered nurse Jacquelyn Maxton, left, listens to Claire Gordon’s… News Photo | Getty Images

The post Clinton Collapse | Unfilter 204 first appeared on Jupiter Broadcasting.

Noah’s back from Defcon! He shares his experience at this infamous conference, his Linux in the wild sightings & his surprising takeaway.

Plus Btrfs’ RAID 5/6 code has been found “unsafe”, the FossHub compromise, an Internet of Things failure that struck close to home & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Noah Visits Defcon

• Badges are more than the sum of their parts – Imgur

• Ham Radio Exams at DEF CON 24 brought to you by dc408

Hackers Fool Tesla S’s Autopilot to Hide and Spoof Obstacles

In a series of tests they plan to detail in a talk later this week at the Defcon hacker conference, they found that they could use off-the-shelf radio-, sound- and light-emitting tools to deceive Tesla’s autopilot sensors, in some cases causing the car’s computers to perceive an object where none existed, and in others to miss a real object in the Tesla’s path.

Hacking Hotel Keys and Point of Sale Systems at DEFCON

Hecker is scheduled to talk about his research at the DEFCON security conference in a talk where he will also reveal flaws in the magnetic stripe approach used in point-of-sale (POS) systems. In an interview ahead of the talk, Hecker detailed some of his key findings and the widespread risks.

— PICKS —

Runs Linux

This Sewer Camera that my plumber used, Runs Linux

Desktop App Pick

Lifeograph

Private offline journal, encrypted note taking.

Features

• Search and play audio/video from YouTube
• Search tracks of albums by album title
• Search and import YouTube playlists
• Create and save local playlists
• Download audio/video
• Convert to mp3 & other formats (requires ffmpeg or avconv)
• View video comments
• Works with Python 3.x
• Works with Windows, Linux and Mac OS X
• Requires mplayer or mpv
• This project is based on mps, a terminal based program to search, stream and download music. This implementation uses YouTube as a source of content and can play and download video as well as audio. The pafy library handles interfacing with YouTube.

Spotlight

Stellarium 0.15.0 has been released

New big features

• We introduce a major internal change with the StelProperty system.

• This allows simpler access to internal variables and therefore more ways of operation.

• Most notably this version introduces an alternative control option via RemoteControl, a new webserver interface plugin.

• We also introduce another milestone towards providing better astronomical accuracy for historical applications:

• experimental support of getting planetary positions from JPL DE430 and DE431 ephemerides. This feature is however not fully tested yet.

The major changes:

• Added StelProperty system
• Added new plugin for exhibitions and planetariums – Remote Control
• Added new skycultures: Macedonian, Ojibwe, Dakota/Lakota/Nakota,
  Kamilaroi/Euahlayi
• Updated code of plugins
• Added Bookmarks tool and updated AstroCalc tool
• Added new functions for Scripting Engine and new scripts
• Added Miller Cylindrical Projection
• Added updates and improvements in DSO and star catalogues (include initial
  support of The Washington Double Star Catalog)
• azimuth lines (also targeting geographic locations) in ArchaeoLines plugin
• Many fixes and improvements…

— NEWS —

• Ting data price drop
• Ting drops data prices to $10 GB beyond the first gig

PSA – Do not download Classic SHELL! read comments (MBR overwrite!!) mbr.rootkit

Classic Shell itself wasn’t compromised. FossHub was and some download links were replaced by another program, not signed, that do only one thing: overwrite the MBR. It’s not an infected version of Classic Shell, Audacity or whatever, it’s only a small program that targets your MBR. If at the end of the installation process nothing happens beside a short cmd window then you have downloaded the malware.

• Hacker Compromises Fosshub to Distribute MBR-Hijacking Malware

“In short, a network service with no authentication was exposed to the internet,” the hacker told Softpedia in an email. “We were able to grab data from this network service to obtain source code and passwords that led us further into the infrastructure of FOSSHub and eventually gain control of their production machines, backup and mirror locations, and FTP credentials for the caching service they use, as well as the Google Apps-hosted email.”

• FossHub serves up MBR-compromising versions of Audacity and Classic Shell

Corrupt .exe’s downloads of both Audacity and Classic Shell have been removed from FossHub.com after being found laden with a Master Boot Record-overwriting Trojan.

Never Trust a Found USB Drive, Black Hat Demo Shows Why

“Despite the dangers of hackers, viruses and other bad things, almost half of those who found one of our flash drives plugged it into a computer,” Bursztein said.

• What are malicious USB keys and how to create a realistic one?

Btrfs RAID 5/6 Code Found To Be Very Unsafe & Will Likely Require A Rewrite

“more or less fatally flawed, and a full scrap and rewrite to an entirely different raid56 mode on-disk format may be necessary to fix it. And what’s even clearer is that people /really/ shouldn’t be using raid56 mode for anything but testing with throw-away data, at this point. Anything else is simply irresponsible.”

@ahl I assume you actually tested it before shipping it though

— Allan Jude (@allanjude) August 6, 2016

• Re: [BUG] Btrfs scrub sometime recalculate wrong parity in raid5

Couldn't turn on my bedroom lights last night because there is no way to dismiss this dialog. Thank you @tweethue! pic.twitter.com/2EJUgujzLF

— Thomas Roth (@StackSmashing) July 30, 2016

• JB1 Studio Hit too

• Huemote App

• Amazon.com: CHAUVET SlimPAR 56: Musical Instruments

• Amazon.com: ADJ Products AC3PDMX25 25 ft 3 pin DMX Cable for lighting products: Musical Instruments
• Amazon.com: DMXking ultraDMX Micro USB DMX adapter/dongle: Musical Instruments

MeetBSD California 2016

• Any tips where I can park Lady Jupiter near the Clark Kerr Campus
• Meet up?

Mail Bag

• https://slexy.org/view/s2NuBRmc2H

• https://slexy.org/view/s2usaSqiSk

• https://slexy.org/view/s2vRzbEICz

• Audio Only for Live Show?

Call Box

• Chris’ call out for the community to help him with his background

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

The post Fear and Linux in Las Vegas | LAS 429 first appeared on Jupiter Broadcasting.

The “28 Pages” of the 9/11 report the media never talked about… Until they did. What’s in the 28 pages? Why is it getting so much attention now? We’ll reveal how the Obama administration is using vital information about 9/11 as leverage with the Saudis & why these 28 pages are getting so much attention now.

Plus details on how the FBI hacked the iPhone 5c, the Bern starts to fade & Trump takes the lead on the right.

Then we end it all on a high note & an epic Overtime segment!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon:

— Show Notes —

Episode Links

• Panama Papers data dump in May – Business Insider
• A Void in the History of September 11th – The New Yorker
• The Saudi arms deal: What we’ve learned so far, and what could happen next – The Globe and Mail
• Trump and Clinton share Delaware tax ‘loophole’ address with 285,000 firms | Business | The Guardian
• Bernie Sanders: Path to nomination is not easy – CNNPolitics.com
• Harry Reid Says Sanders Has No Path to the Nomination – ABC News
• Saudis warn of economic reprisals if Congress passes 9/11 bill – CNNPolitics.com
• Ted Cruz Names Carly Fiorina as His Running Mate, Seeking a Jolt – The New York Times
• Firefox and Thunderbird: A Fork in the Road – Mark Surman
• US Special Forces Are ‘Dropping Cyberbombs’ on ISIS
• Ted Cruz, John Kasich join forces to stop Donald Trump – CNNPolitics.com
• White House Set To Release Secret Pages From Sept 11 Report
• ‘No-Buzz’ Medical Pot Laws Prove Problematic for Patients, Lawmakers – NBC News
• ‘Groups sabotaging Syrian truce should be put on UN terrorist list’ – Lavrov — RT News
• You may hate Donald Trump. But do you want Facebook to rig the election against him? | Opinion | The Guardian
• Utah Declares Online Porn a “Public Health Crisis” — But It’s Got Much Bigger Problems
• Many Middle-Class Americans Are Living Paycheck to Paycheck – The Atlantic
• The FBI has gotten no new leads from the San Bernardino iPhone | The Verge
• How Hundreds of Superdelegates were “bought” by the Clinton Campaign.
• Obama Went From Condemning Saudis for Abuses to Arming Them to the Teeth
• IRS Urges Americans: Come Clean Now, Before We Read Panama Papers
• Obama under pressure to declassify secret 9/11 report amid worries of Saudi retaliation – CBS News
• UW study says Seattle’s $15 wage hasn’t raised prices – seattlepi.com
• Bin Laden Family Evacuated – CBS News
• The Time Ted Cruz Defended a Ban on Dildos | Mother Jones
• Report: CIA Has Drafted “Plan B” to Arm Syrian Rebels | Democracy Now!

The post The Saudi Connection | Unfilter 185 first appeared on Jupiter Broadcasting.

A common vulnerability is impacting Firefox, LibreOffice, and others, the 7 problems with ATM security, and the Enterprise grade protection defeated with a batch script.

Plus some great questions, our answers, a rockin roundup, and much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

The 7 problems with ATM security

• Kaspersky presents a list of the 7 reasons why ATMs are so easily compromised, based on a talk given at the SAS2016 conference
• “Automated teller machines (ATM) have always a been a big target for criminals. In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed. Nowadays culprits can ‘jackpot’ an ATM without such special effects.”

1. ATMs are basically just computers (PCs)
2. That PC is likely running an old operating system (in early 2014, 95% of all ATMs still ran Windows XP)
3. The software other than the OS is also likely vulnerable. Many ATMs still have the bundled version of flash that came with stock Windows XP, which now has 9000 known vulnerabilities
4. ATMs have no software integrity control, no antivirus solutions, no authentication of an app that sends commands to cash dispenser.
5. Weak physical security for the PC part of the ATM. While the deposit box and cash dispenser are armored against attack, the PC is usually only hidden behind some thin plastic. “There is no money in that part of the ATM”
6. ATM control PCs have standard interfaces, that are not secured. Let me just plug this USB stick into your ATM, now it is my ATM
7. ATMs are increasingly directly connected to the Internet. You can find ATMs on Shodan

• ATMs are not replaced very often, so upgrades to the physical protections of the PC component will likely not happen very soon
• When was the last time you saw an ATM down for software updates?
• Maybe if the criminals keep stealing large amounts of money, the banks will be more interested in replacing the ATMs
• This of course doesn’t cover the private ATMs you often see in convenience stores

FireEye Detection Evasion and Whitelisting of Arbitrary Malware

• Researchers at Blue Frost Security have developed a way to evade the dynamic analysis of the FireEye suite of security appliances
• The FireEye appliance works by starting untrusted binaries and applications in virtualization and observing what they do
• If the application is found to be malicious, it is blocked
• Only applications allowed by the FireEye device can be run on the protected computers
• “The analysis engine evasion allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the whitelist entry is wiped after a day”
• “FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.”
• “No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.”
• Let’s take the filename FOO%temp%BAR.exe which results in:
• copy malware.exe “%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe”
• The filename, directory name, or volume label syntax is incorrect.
• “The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
• “Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.”
• “Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after day.”
• The issue was reported to FireEye on September 14th, and responded quickly
• FireEye released updates for some of its products on October 5th and 15th
• On December 31st FireEye published their Q4 security advisory
• FireEye Security Advisory
• On January 14th, FireEye asked that BFS delay publication of the vulnerability for another 30 days, as too many clients had not yet installed the update

Libgraphite Vulnerabilities Impact Firefox, OpenOffice, and Others

• Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library
• Which is used for font processing in Linux, Firefox, OpenOffice, and other major applications.
• The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution.
• A second vulnerability is an exploitable heap overflow.
• Finally, the last two vulnerabilities result in denial of service situations.
• To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities.
• Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).
• Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors.
• Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions.
• The issues that Talos identified include the following:

• An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
• A specially crafted font can cause a buffer overflow resulting in potential code execution.
• An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.

• If a malicious font is provided then an arbitrary length buffer overflow can occur when handling context items.
• The first denial of service issue results from a NULL pointer dereference.

• The second denial of service issue results from an out of bounds read that can not only cause a DoS, but it can also cause a leak of information. When reading an invalid font where the local table size is set to 0, an out of bounds read will occur.

• Known Vulnerable Versions:

• Libgraphite 2-1.2.4

• Firefox 31-42
• Firefox ESR before 38.6.1

Feedback:

• Booting on ZFS

• Open Source Security Systems?

• openHAB

• OpenSSL vs OpenSSH

• pfSense Question

Make sure you patch your linux machines for the glibc vulnerability

• In-Depth Analysis
• Additional Coverage
• FreeBSD base unaffected, but update your linux emulation ports

Round Up:

• Why you should side with Apple, not the FBI, in the San Bernardino iPhone case
• Distribution packages considered insecure
• Google Cloud Platform Blog: Google and Red Hat announce cloud-based scalable file servers
• ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
• U.S. Hacked Into Iran’s Critical Civilian Infrastructure For Massive Cyberattack, New Film Claims
• IRS warns of a 400% increase in phishing and malware for this tax year
• Hospital paid hackers 40 bitcoins to get its network back
• “changing the date to May 1970 or earlier can prevent your iOS device from turning on after a restart” Public WiFi + Rouge NTP server = Bucket of bricked iPhones
• Bitcoin startup Butterfly Labs settles with FTC for $38.6M, but it can’t pay
• Mine 30% more bitcoins be allowing errors
• First tech expert on NSA Advisory board: Steve Bellovin, co-director of Columbia’s Cybersecurity and Privacy Center, and author of such papers as “Keys Under Doormats”, a spectacular broadside against government backdoors in crypto
• Ringo Starr’s twitter account hacked after email address of digital marketing manager compromised
• Cryptolocker-like malware found signed with real code-signing certificate, likely stolen
• Backblaze releases 2015Q4 study on hard drive reliability, and why they use Seagate drives

The post Weaponized Comic Sans | TechSNAP 254 first appeared on Jupiter Broadcasting.

The Hacking Team fallout continues with more zero day patches you need to install, a new attack against RC4 might finally kill it & how to save yourself from a DDoS attack.

Plus a great batch of your questions, our answers & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Hacking Team fallout includes more Flash patches

• After a number of flash 0-days were found in the data stolen from “Hacking Team”, there has been a mad dash to fix the vulnerabilities before they are actively exploited further
• This resulted in nearly back-to-back Adobe Flash updates, confusing some users who thought they had already patched for the vulnerabilities
• Additional Coverage: Krebs
• Adobe Bulletin – July 8th, released 18.0.0.203
• Adobe Advisory – July 10th, Upcoming patch
• Adobe Bulletin – July 14th, released 18.0.0.209
• This has started quite a few conversations about Flash
• Facebook CSO wants Adobe to announce an EOL date for flash ~18-24 months from now
• Mozilla has taken the unusual step of disabling flash by default requiring click to activate
• Additional Coverage: BBC

New attack against RC4 cipher might finally kill it

• RC4 is one of the oldest ciphers still used as part of HTTPS
• It was often selected for its lower CPU overhead, but as processors got faster and ssl terminators offloaded the work, this became less of a reason to use RC4
• It looked like RC4 would finally die, but then attacks against SSL/TLS that only affected block ciphers emerged: BEAST, Lucky 13, and POODLE
• This propelled RC4 back up the priority list
• RC4 is also the most compatible cipher, older systems that do not support stronger crypto, all have RC4
• RFC 7465 proposed by Microsoft and others, was approved by the IETF and requires that RC4 not be used
• Researchers have presented a new paper at the USENIX Security conference that details a new attack against RC4
• RC4 is still widely used for HTTPS and also for some types of WiFi
• The flaw allows the attacker to steal cookies and other encrypted information in your HTTPS session
• This might allow the attack to impersonate / login as you on the site. Posting to your Twitter account, or initiating a transfer from your PayPal account.
• “The research behind the attack will be presented at USENIX Security. Summarized, an attacker can decrypt a cookie within 75 hours. In contrast to previous attacks, this short execution time allows us to perform the attack in practice. When we tested the attack against real devices, it took merely 52 hours to successfully perform the attack”
• “When the victim visits an unencrypted website, the attacker inserts malicious JavaScript code inside the website. This code will induce the victim to transmit encrypted requests which contain the victim’s web cookie. By monitoring numerous of these encrypted requests, a list of likely cookie values can be recovered. All cookies in this list are tested until the correct one is found.”
• Attack Method:
  • Step 1: Attacker injects code into victims HTTP stream, causing them to make known requests to a secure site with their cookie
  • Step 2: Attacker captures the encrypted requests going to the site secured with RC4
  • Step 3: Attacker computes likely cookies and tries each one until they successfully guess the correct cookie
  • Step 4: Profit, empty the bank account
• “To successfully decrypt a 16-character cookie with a success probability of 94%, roughly 9⋅2^27 encryptions of the cookie need to be captured. Since we can make the client transmit 4450 requests per seconds, this amount can be collected in merely 75 hours. If the attacker has some luck, less encryptions need to be captured. In our demonstration 52 hours was enough to execute the attack, at which point 6.2⋅2^27 requests were captured. Generating these requests can even be spread out over time: they do not have to be captured all at once. During the final step of the attack, the captured requests are transformed into a list of 2^23 likely cookie values. All cookies in this list can be tested in less than 7 minutes.”
• “In the paper we not only present attacks against TLS/HTTPS, but also against WPA-TKIP. Our attack against WPA-TKIP takes only an hour to execute, and allows an attacker to inject and decrypt arbitrary packets.”
• How does this compare to previous attacks? “The first attack against RC4 as used in TLS was estimated to take more than 2000 hours”
• Paper: All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS

Feedback:

• Anybody got recommendation for a DDoS protection service?
  • EuroBSDCon 2013 – Mitigating DDoS Attacks at Layer 7

• Wi-fi security

• Internet routing

• Linux Compatible KVM Crash Cart Adapter

Round Up:

• Pawn Storm APT group using first new Java 0-day exploit in 2 years
• Pawn Storm APT group adds TrendMicro IPs as C&C servers, no one is sure why. Could be DDoS, to get IPs blacklisted, etc
• Facebook security lead wants Adobe to say when it’s killing Flash
• HD Moore interview on the Social Engineering podcast
• FBI used Hacking Team services to unmask Tor user
• Netflix: Tracking Down Villains, finding servers that have more errors than their peers
• Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable
• Defender’s Dilemma vs Intruder’s Dilemma

The post A Bias to Insecurity | TechSNAP 223 first appeared on Jupiter Broadcasting.

More details about the massive government breach show 21.5 million people impacted, Pluto’s big weekend is coming up & we share the historic goodies already beamed home.

Plus our Kickstarter of the week & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Hacking of Government Computers Exposed 21.5 Million People
• New Horizons space probe ready to make history at Pluto
• Pluto pictures from Nasa’s New Horizons spacecraft making scientists ‘drool’ – video
• Pluto and Charon: New Horizons’ Dynamic Duo | NASA
• trakkies. a multifunctional microcomputer for your things. by trakkies.

The post Remember Your Pluto | TTT 196 first appeared on Jupiter Broadcasting.

From hacking to hacked, hacking team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication.. Your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

• Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
• The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
• Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
• Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
• A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
• Adobe released a patch on July 7th 2015
• Researches also have found that the Adobe Flash zero-day has already been used in the wild.
• “In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
• The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
• In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
• Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
• Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
• Additional Coverage: Security Week
• Additional Coverage: CSO Online
• Additional Coverage: Net Security
• Additional Coverage: Daily Dot
• Additional Coverage: Threat Post — Update: Hacking Team to continue operations
• Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

• After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted 3 letter twitter handle, everyone raced to setup Two Factor Authentication for their Apple ID
• The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
• The hacker was able to reset the password for the Apple ID account by socially engineering the operation at Apple by using stolen information from public data, and from a hacked Amazon account
• In the aftermath, Apple promised to increase training of its support operators and improve security
• As part of this, when you enable two factor authentication, Apple issues you a recovery key. A short text string that you should print and store in a safe place
• Without it, you cannot recover your account if you lose the password
• This system is far more secure, but it has its drawbacks
• Journalist loses recovery key, and Apple ID
• If you, like Owen from the link above, lose your recovery ID, and your account is compromised or you lose your password, you have no way to get it back
• Apple has drawn a hard line in the sand, for the sake of security, they can’t recovery an account without that recovery key. You specifically asked to be protected from impersonation etc.
• In the wake of scandals such as “the fappening”, this strong stance on security makes sense
• However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
• But, can you blame them?
• “Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
• “Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
• Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not wide spread. All that hype for nothing

• “During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
• Impact: “An attacker could cause certain checks on untrusted certificates, such as the
  CA (certificate authority) flag, to be bypassed, which would enable them to
  use a valid leaf certificate to act as a CA and issue an invalid certificate.”
• If you installed the OpenSSL update from June 11th, which blocks DH parameters shorter than 768 bits, your system is affected
• This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
  • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
  • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
• Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
• This suggests further than OpenSSL needs to separate new features from bug and security fix releases
• Why are any new features being added to OpenSSL 1.0.1?
• Shouldn’t all new development happen only in the bleeding edge version?
• Why has a sane release model not been adopted yet?

Feedback:

• SSDs and ZFS

• storing your salty password hashes

• hp-ux, owncloud investigation?

Round Up:

• FBI’s James Comey: I Know All The Experts Insist Backdooring Encryption Is A Bad Idea, But Maybe It’s Because They Haven’t Really Tried
• 14 world renowned security experts including: Whitfield Diffie, Ronald L. Rivest, and Bruce Schneier have write a paper to the US and UK governments informing them that their ask for crypto backdoors are impossible and unsafe. Keys Under Doormats: Mandating insecurity by requiring government access to all data and communications
• The FBI Spent $775K on Hacking Team’s Spy Tools Since 2011
• Click-Fraud trojan helpfully updates your flash player so you don’t get exploited by ads
• All US United Airlines Flights Are Grounded Due to “Automation Issues”
• The story of a company changing their proprietary code to an open source license
• NPR and Panoply on the economics of podcasting
• Bitcoin miners running outdated software are generating invalid blocks. However the hashing power of the invalid miners is high enough that the block chain is building on those blocks
• Windows Server 2003 end of support
• Data centers dropped into war zones

The post ZFS does not prevent Stupidity | TechSNAP 222 first appeared on Jupiter Broadcasting.

Google’s datacenter secrets are finally being revealed & we’ll share the best bits. Why The US Government is in no position to teach anyone about Cyber Security, how you can still get hacked offline, A batch of great questions, a huge round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

After years of wondering, we can finally find out about Google’s Data Center Secrets

• “Google has long been a pioneer in distributed computing and data processing, from Google File System to MapReduce to Bigtable and to Borg. From the beginning, we’ve known that great computing infrastructure like this requires great datacenter networking technology.”
• “For the past decade, we have been building our own network hardware and software to connect all of the servers in our datacenters together, powering our distributed computing and storage systems. Now, we have opened up this powerful and transformative infrastructure for use by external developers through Google Cloud Platform.”
• ““We could not buy, for any price, a data-center network that would meet the requirements of our distributed systems,” Vahdat said. Managing 1,000 individual network boxes made Google’s operations more complex, and replacing a whole data center’s network was too disruptive. So the company started building its own networks using generic hardware, centrally controlled by software. It used a so-called Clos topology, a mesh architecture with multiple paths between devices, and equipment built with merchant silicon, the kinds of chips that generic white-box vendors use. The software stack that controls it is Google’s own but works through the open-source OpenFlow protocol.“
• “At the 2015 Open Network Summit, we are revealing for the first time the details of five generations of our in-house network technology.”
• “Our current generation — Jupiter fabrics — can deliver more than 1 Petabit/sec of total bisection bandwidth. To put this in perspective, such capacity would be enough for 100,000 servers to exchange information at 10Gb/s each, enough to read the entire scanned contents of the Library of Congress in less than 1/10th of a second.”
• “We use a centralized software control stack to manage thousands of switches within the data center, making them effectively act as one large fabric, arranged in a Clos topology”
• “We build our own software and hardware using silicon from vendors, relying less on standard Internet protocols and more on custom protocols tailored to the data center”
• “Putting all of this together, our datacenter networks deliver unprecedented speed at the scale of entire buildings. They are built for modularity, constantly upgraded to meet the insatiable bandwidth demands of the latest generation of our servers. They are managed for availability, meeting the uptime requirements of some of the most demanding Internet services and customers. Most importantly, our datacenter networks are shared infrastructure. This means that the same networks that power all of Google’s internal infrastructure and services also power Google Cloud Platform. We are most excited about opening this capability up to developers across the world so that the next great Internet service or platform can leverage world-class network infrastructure without having to invent it.”
• ““The amount of bandwidth that we have to deliver to our servers is outpacing even Moore’s Law,” Vahdat said. Over the past six years, it’s grown by a factor of 50. In addition to keeping up with computing power, the networks will need ever higher performance to take advantage of fast storage technologies using flash and non-volatile memory, he said.”
• “For full details you’ll have to wait for a paper we’ll publish at SIGCOMM 2015 in August”
• Official Google Cloud Platform Blog Post

The US Government is in no position to teach anyone about Cyber Security

• “Why should anyone trust what the US government says on cybersecurity when they can’t secure the systems they have full control over?”
• “IRS employees can use ‘password’ as a password? No wonder they get hacked”
• As I have long said, you have to assume the worst until you can prove otherwise: “The effects of the massive hack of the Office of Personnel Management (OPM) continue to ripple through Washington DC, as it seems every day we get more information about how the theft of millions of government workers’ most private information is somehow worse than it seemed the day before. (New rule: if you read about a hack of a government or corporate database that sounds pretty bad, you can guarantee it be followed shortly thereafter by another story detailing how the same hack was actually much, much “worse than previously admitted.”)”
• “It’d be one thing if this incompetence was exclusively an OPM problem, but despite the government trying to scare private citizens with warnings of a “cyber-Armageddon” or “cyber-Pearl Harbor” for years, they failed to take even the most basic steps to prevent massive data loss on their own systems. As OTI’s Robyn Greene writes, 80-90% of cyber-attacks could be prevented or mitigated with basic steps like “encrypting data, updating software and setting strong passwords.””
• Of course, using Multi-Factor Authentication would help a lot too
• “The agency that has been singled out for some of the worst criticism in recent years is the Department of Homeland Security, the agency that is supposedly in charge of securing all other government systems. The New York Times reported this weekend that the IRS’s systems still allow users to set their passwords to “password,” along with other hilariously terrible mistakes. “
• “Instead of addressing their own problems and writing a bill that would force the government to upgrade all its legacy systems, implement stronger encryption across federal agencies and implement basic cybersecurity best practices immediately, members of both parties have been pushing dangerous “info-sharing” legislation that will end with much more of citizens’ private data in the hands of the government. And the FBI wants tech companies to install “backdoors” that would give the government access to all encrypted communications – thereby leaving everyone more vulnerable to hackers, not less. Two “solutions” that won’t fix any of the glaring problems staring them in the face, and which may make things a lot worse for ordinary people.”
• There are plenty of examples of large networks that are fairly well secured, so it isn’t impossible to secure a large network. However, the number of insecure government and corporate networks suggests that more needs to be done.
• The solution isn’t something sold by a vendor, it is the same stuff security experts have been preaching for decades:
  • Need to know — Only those who actually need data should have access to it. Lets not just store everything in a giant shared network drive with everyone having read/write access to it
  • Patching — Software has flaws. These flaws get fixed and then become public (sometimes the other way around, the dreaded Zero-Day flaw). If you do not patch your software quickly, you increase the chance of the flaw being used against you
  • Strong Authentication — Password complexity requirements can be annoying, because they are often too vague. Requiring a number, a lower case letter, an upper case letter, and a symbol isn’t necessarily as secure as a passphrase which is longer. Worse, many systems do not securely store the passwords, making them less secure
  • Multi-Factor Authentication — Requiring more than one factor, to ensure that if an attacker does shoulder surf, key log, phish, or otherwise gain access to someones password, that they cannot access the secure data
  • Encryption — This one is hard, as many solutions turn out to not be good enough. “The harddrive on my laptop is encrypted”, this is fine, except if the attacker gets access while your machine is powered on and logged in. Sensitive data should be offlined when it is not in use, rather than being readily accessible in its decrypted form
  • Logging — Knowing who accessed what, and when is useful after-the-fact. Having an intelligence system that looks for anomalies in this data can help you detect a breach sooner, and maybe stop it before the baddies make off with your data
  • Auditing — A security appliance like the FUDO to only allow access to secure systems when such access is recorded. This way the actions of all contractors and administrators are recorded on video, and there is no way to access the protected systems except through the FUDO.
• As we discussed before in TechSNAP 214, there are other techniques that can be used to help safeguard systems, including whitelisting software, and only allowing approved applications on sensitive systems. The key is deciding which protections to use where, while generating the least amount of ‘user resistance’

Google Project Zero researcher discloses 15 new vulnerabilities

• Researcher Mateusz Jurczyk has disclosed 15 new remote code execution vulnerabilities
• The most interesting of these including a flaw in Adobe Reader and Windows that appears to get past all known exploit defenses.
• “The extremely powerful primitive provided by the vulnerability, together with the fact that it affected all supported versions of both Adobe Reader and Microsoft Windows (32-bit) – thus making it possible to create an exploit chain leading to a full system compromise with just a single bug – makes it one of the most interesting security issues I have discovered so far.”
• “Any of the 15 vulnerabilities Jurczyk pulled from this old but seemingly unexplored area could trigger remote code execution or privilege escalation in Adobe Reader or the Windows kernel.”
• Researcher Blog
• Video of Exploit
• PDF of Slides
• Project Zero has also published some other interesting vulnerabilities recently
• Owning Internet Printing — A Case Study in Modern Software Exploitation
• Microsoft’s MemoryProtector feature actually counters Microsoft’s new extended ASLR protections
• “It is possible to use a timing attack on MemoryProtector to reveal the offset used by High-Entropy Bottom-Up Randomization, thus completely bypassing it.”
• Analysis and Exploitation of an ESET Vulnerability — Do we understand the risk vs. benefit trade-offs of security software?
  
• In-Console-Able — Developing a sandbox escape chain for Chrome

Feedback:

• Somewhat nervous: how to mitigate Samsung SSD firmware + Linux major corruption risk?

• To delta sync or not to delta sync

• Changing domain registrars and want to maximize email up-time

• Keys

Round Up:

• Samsung deliberately disabling Windows Update
• Adobe issues out-of-band patch for Flash Player after zero-day exploit is discovered being used in the wild
• Google reveals that it was forced to hand over journalist’s data during wikileaks grand jury investigation
• As many as 1 in 3 servers in data centers are powered on but not doing anything
• Chinese may have had access to US Security Clearance data for over a year
• Bruce Schneier: China and Russia Almost Definitely Have the Snowden Docs
• Default Authorized SSH key found in many Cisco security appliances
• Richard Bejtlich: If you can’t keep hackers out, find and remove them faster
• Snowden leak shows NSA and GCHQ attacked security software vendors
• Stealing your GPG private key using a cell phone and an AM radio
• Secunia will block access to vulnerabilities less than 9 months old for non-members after they “frequently encounter organizations engaged in wrongful use of Secunia Advisories”
• Great tool for building regular expressions, better than most in that it supports lookbehind, which most basic javascript implementations do not
• Many Android apps do HTTPS wrong, or not at all
• US Navy Warfare Systems command paid $9.1 million to get security updates for 100,000 Windows XP and 2003 computers. Contract could be worth up to $30 million and extend to 2017
• Sony has killed off the Aibo robots, making replacement parts hard to come by. This raises questions about the next generation of robots. Softbank is soon to release a “Child” robot called Pepper. What will people do when spare parts for their child can only be gotten by cannibalizing other children?
• Google, Mozilla, Webkit, and Microsoft team up to launch ‘Webassembly’ a new binary format for web applications
• HP’s Adventures with the Zero-Day Initiative and bug bounties
• 5 intrusion vectors that cannot be spotted by going offline
• Cryptography jokes

The post Homeland Insecurity | TechSNAP 220 first appeared on Jupiter Broadcasting.

Samsung is actively disabling Windows Update on at least some computers, Car Hacking is ‘Distressingly Easy’, new iOS feature auto-deletes apps & Chromium follow up!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Samsung is actively disabling Windows Update on at least some computers | VentureBeat | Security | by Emil Protalinski
• Car Hacking is ‘Distressingly Easy’ – Slashdot
• From Russia with Love | Unfilter 56 | Jupiter Broadcasting
• Here’s the first official net neutrality complaint to the FCC – The Washington Post
• Google Play Music gets ad-supported radio stations in the US | Ars Technica
• Apple Music Signs Beggars Group, Merlin: Sources | Billboard
• iOS 9 Includes New Auto App Delete/Reinstall Feature for OS Updates on Devices With Insufficient Space – Mac Rumors
• Chromium Bugging Bug | Tech Talk Today 187 : techtalktoday

The post Agonizing over Adoption | Tech Talk Today 188 first appeared on Jupiter Broadcasting.

Preparing for a camping trip in the woods has never been more stressful, we debate how much tech to take. Plus the US suspects China breached about 4 million government records, Steam Machines get a ship date & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• U.S. Suspects Hackers in China Breached About 4 Million People’s Records, Officials Say – WSJ
• Meet Cinch!– The ultimate pop-up tent with solar power & LED by Jake Jackson — Kickstarter
• Apple Still Negotiating With Music Labels Over Streaming Terms Days Before WWDC Launch – Mac Rumors
• Review #Jolla #SailfishOS: [News] New Sailfish OS phone manufacturer confirmed
• Steam Machines, Steam Link, & Steam Controller Launching November 10th
• Spotify Client 1.x beta for Linux has been release… – The Spotify Community
• Skype for Web (Beta) in US and UK | Skype Blogs – – Skype Blogs
• Jupiter Broadcasting Meetup (Seattle, WA) – Meetup
• Support Tech Talk Today creating DAILY PODCASTS
• Portable Generators – Power Practical

The post Solar Freaking Tents! | Tech Talk Today 179 first appeared on Jupiter Broadcasting.