HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Ansible vulnerability

• “Ansible is an open-source automation engine that automates cloud provisioning, configuration management, and application deployment. Once installed on a control node, Ansible, which is an agentless architecture, connects to a managed node through the default OpenSSH connection type.”
• Similar tools are Puppet, Chef, SaltStack, cfEngine
• Summary: Command execution on Ansible controller from host
• Why is this important? First, if one of your ansible-controlled hosts is compromised, they can execute a command on your ansible controller.
• So what you might ask? Your ansible controller accesses all your systems….
• Computest notes: Not a full audit, might be other issues
• Affected versions: < 2.1.4, < 2.2.1
• A big threat to a configuration management system like Ansible, Puppet, SaltStack and others, is compromise of the central node. In Ansible terms this is called the Controller. If the Controller is compromised, an attacker has unfettered access to all hosts that are controlled by the Controller. As such, in any deployment, the central node receives extra attention in terms of security measures and isolation, and threats to this node are taken even more Seriously.
• Fortunately for team blue (team blue is the defense team), in the case of Ansible the attack surface of the Controller is pretty small. Since Ansible is agent-less and based on push, the
  Controller does not expose any services to hosts.
• A very interesting bit of attack surface though is in the Facts. When Ansible runs on a host, a JSON object with Facts is returned to the Controller. The Controller uses these facts for various housekeeping purposes. Some facts have special meaning, like the fact “ansible_python_interpreter” and “ansible_connection”. The former defines the command to be run when Ansible is looking for the python interpreter, and the second determines the host Ansible is running against. If an attacker is able to control the first fact he can execute an arbitrary command, and if he is able to control the second fact he is able to execute on an arbitrary (Ansible-controlled) host. This can be set to “local” to execute on the Controller itself.
• Because of this scenario, Ansible filters out certain facts when reading the facts that a host returns. However, we have found 6 ways to bypass this filter.
• Bypass #1: Adding a host – Ansible allows modules to add hosts or update the inventory. This can be very useful, for instance when the inventory needs to be retrieved from a IaaS platform like as the AWS module does. If we’re lucky, we can guess the inventory_hostname, in which case the host_vars are overwritten and they will be in effect at the next task. If host_name doesn’t match inventory_hostname, it might get executed in the play for the next hostgroup, also depending on the limits set on the commandline.
• Bypass #2: Conditionals – Ansible actions allow for conditionals. If we know the exact contents of a “when” clause, and we register it as a fact, a special case checks whether the
  “when” clause matches a variable. In that case it replaces it with its
  contents and evaluates them.
• Bypass #3: Template injection in stat module – The template module/action merges its results with those of the stat module.This allows us to bypass the stripping of magic variables from ansible_facts, because they’re at an unexpected location in the result tree.
• Bypass #4: Template injection by changing jinja syntax – Remote facts always get quoted. Set_fact unquotes them by evaluating them.
  UnsafeProxy was designed to defend against unquoting by transforming jinja
  syntax into jinja comments, effectively disabling injection.
• Bypass #5: Template injection in dict keys – Strings and lists are properly cleaned up, but dictionary keys are not.
• Bypass #6: Template injection using safe_eval – There’s a special case for evaluating strings that look like a list or dict. Strings that begin with “{” or “[” are evaluated by safe_eval [2]. This allows us to bypass the removal of jinja syntax: we use the whitelisted Python to re-create a bit of Jinja template that is interpreted.
• Computest is not aware of mitigations short of installing fixed versions of the
  software.
• Ansible has released new versions that fix the vulnerabilities described in this advisory: version 2.1.4 for the 2.1 branch and 2.2.1 for the 2.2 branch.
• The handling of Facts in Ansible suffers from too many special cases that allow for the bypassing of filtering. We found these issues in just hours of code review, which can be interpreted as a sign of very poor security. However, we don’t believe this is the case.
• The attack surface of the Controller is very small, as it consists mainly of the Facts. We believe that it is very well possible to solve the filtering and quoting of Facts in a sound way, and that when this has been done, the opportunity for attack in this threat model is very small.
• Furthermore, the Ansible security team has been understanding and professional in their communication around this issue, which is a good sign for the handling of future issues.

Who is Anna-Senpai, the Mirai Worm Author?

• Way too long to go into full detail, so I will only outline a few interesting bits
  +On September 22, 2016, this site was forced offline for nearly four days after it was hit with “Mirai,” a malware strain that enslaves poorly secured Internet of Things (IoT) devices like wireless routers and security cameras into a botnet for use in large cyberattacks. Roughly a week after that assault, the individual(s) who launched that attack — using the name “Anna-Senpai” — released the source code for Mirai, spawning dozens of copycat attack armies online.
• After months of digging, KrebsOnSecurity is now confident to have uncovered Anna-Senpai’s real-life identity, and the identity of at least one co-conspirator who helped to write and modify the malware.
  +Before we go further, a few disclosures are probably in order. First, this is easily the longest story I’ve ever written on this blog. It’s lengthy because I wanted to walk readers through my process of discovery, which has taken months to unravel. The details help in understanding the financial motivations behind Mirai and the botnet wars that preceded it. Also, I realize there are a great many names to keep track of as you read this post, so I’ve included a glossary.
• The story you’re reading now is the result of hundreds of hours of research. At times, I was desperately seeking the missing link between seemingly unrelated people and events; sometimes I was inundated with huge amounts of information — much of it intentionally false or misleading — and left to search for kernels of truth hidden among the dross. If you’ve ever wondered why it seems that so few Internet criminals are brought to justice, I can tell you that the sheer amount of persistence and investigative resources required to piece together who’s done what to whom (and why) in the online era is tremendous.
• As noted in previous KrebsOnSecurity articles, botnets like Mirai are used to knock individuals, businesses, governmental agencies, and non-profits offline on a daily basis. These so-called “distributed denial-of-service (DDoS) attacks are digital sieges in which an attacker causes thousands of hacked systems to hit a target with so much junk traffic that it falls over and remains unreachable by legitimate visitors. While DDoS attacks typically target a single Web site or Internet host, they often result in widespread collateral Internet disruption.
• A great deal of DDoS activity on the Internet originates from so-called ‘booter/stresser’ services, which are essentially DDoS-for-hire services which allow even unsophisticated users to launch high-impact attacks. And as we will see, the incessant competition for profits in the blatantly illegal DDoS-for-hire industry can lead those involved down some very strange paths, indeed.
• Talks about the variants of the IoT botnet, mentions Minecraft webservers were a frequent target.
• Goes into a lot of detail of DDoS protection services, how Minecraft customers would come under attack, and how a competing DDoS protection company made threats directly preceding attacks
• Discusses how the attacks where are way to boost business by not attacking your own customers, but by attacker customers of other DDoS proection services.
• Boils down to the classic: nice business you have here, it’d be a shame if anything happened to it.

TechSNAP Career Challenge

• I was at the [Grace Hopper Celebration(https://ghc.anitaborg.org/) of Women in Computing is the world’s largest gathering of women technologists. It is huge. I met people from many different technology areas (medicine, robotics, software design, someone who built a chip for the iPhone).
• I was there on behalf of The FreeBSD Foundation to give a talk about how to contribute to open source.
• Many were students and often were not sure of what part of technology they wanted to pursue.
• I’ve seen many people go for years in their careers then suddenly discover a passion they previously didn’t know about and their life completely changes.
• This point was mentioned to me by a Google Employee who gave me this list of steps which I then incorporated into my talk, then I wrote a blog post about it.
• Seeing the eyes light up made me think we need to send this wider.
• Allan Jude suggested I include this into the show
• Here is what you do
• Here is what I challeng our listeners to do:
• Take this challenge
• Blog about it
• Then send us your blog URL and tell us what you got out of the challenge

Feedback:

• Bareos/bacula for which I suggest my jail snapshot script
• Malware in the browser

Round Up:

• Dan’s t-shirt challenge
• straight stick, curved slot – tweet by Amanda Rousseau
• Google Infrastructure Security Design Overview
• Criminal cases, public and police safety put at risk by IT failures, RCMP documents say – Politics
• The 32-Bit Dog Ate 16 Million Kids’ CS Homework
• Oren Jacob’s answer to Did Pixar accidentally delete Toy Story 2 during production? – Quora
• Heartbleed Report (2017-01)
• Already on probation, Symantec issues more illegit HTTPS certificates

The post DDos Mafia | TechSNAP 303 first appeared on Jupiter Broadcasting.

It’s a special holiday edition of the Linux Action Show & we get thankful for some super important, innovative, and critically necessary open source projects. We throw out the format and cover many projects listed in our notes & off the tops of our heads.

Plus some really unique weekly picks, through providing feedback…

AND A FEW SURPRISES!

All this week on, the Linux Action Show!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: System76

Projects we are Thankful For

View post on imgur.com

SimpleScreenRecorder

SimpleScreenRecorder is ‘simple’ in the sense that it’s easier to use than ffmpeg/avconv or VLC, because it has a straightforward user interface.

The input selection page:

Features

• Graphical user interface (Qt-based).
• Faster than VLC and ffmpeg/avconv.
• Records the entire screen or part of it, or records OpenGL applications directly (similar to Fraps on Windows).
• Synchronizes audio and video properly (a common issue with VLC and ffmpeg/avconv).
• Reduces the video frame rate if your computer is too slow (rather than using up all your RAM like VLC does).
• Fully multithreaded: small delays in any of the components will never block the other components, resulting is smoother video and better performance on computers with multiple processors.
• Pause and resume recording at any time (either by clicking a button or by pressing a hotkey).
• Shows statistics during recording (file size, bit rate, total recording time, actual frame rate, …).
• Can show a preview during recording, so you don’t waste time recording something only to figure out afterwards that some setting was wrong.
• Uses libav/ffmpeg libraries for encoding, so it supports many different codecs and file formats (adding more is trivial).
• Can also do live streaming (experimental).
• Sensible default settings: no need to change anything if you don’t want to.
• Tooltips for almost everything: no need to read the documentation to find out what something does.

Why Chris’ Thankful:

*This is a first class screen capture app. Multithreaded is critical for me (my rig is constantly busy during pre-production). It does a fantastic job at capturing audio playing from video, and multiple ways to select the area I want to capture. This is my secret weapon to capture those un-capturable broadcasts for Unfilter *

Mumble, the open source VoIP solution

Mumble is an open source, low-latency, high quality voice chat software primarily intended for use while gaming.

Why Chris’ Thankful:

I might think it has its quirks, but there are tons of reasons to love Mumble. It sounds good, offers great organizational abilities, allows for recording, and we use it every single LINUX Unplugged for our Virtual LUG and Tech Talk Today for insights into the news

Why Noah is Thankful:

• An alternative to TeamSpeak that even many TeamSpeak people like better.
• Easy to spin up your own server
• Has allowed me to develop a group of friends outside the IRC

FFmpeg

Projects using FFmpeg

FFmpeg is used by software such as VLC media player, xine, HandBrake, Plex, Blender, YouTube,[47] and MPC-HC;[48] it handles video and audio playback in Google Chrome,[48] and Linux version of Firefox.[49] Graphical user interface front-ends for FFmpeg have been developed, including Avanti,[50] and XMedia Recode. JavaCV, a Java wrapper for OpenCV, includes a supplementary Java wrapper for FFmpeg.[51]

FFmpeg is used by ffdshow, LAV Filters, GStreamer FFmpeg plug-in, Perian and OpenMAX IL to expand the encoding and decoding capabilities of their respective multimedia platform.

Why Chris’ Thankful:

Not only does it power tons of tools we all love, but it’s one of the most critical piece of machinery in the Jupiter Broadcasting factory. We encode every episode with ffmpeg. It powers critical tools that many JB staffers use every day

Why Noah is Thankful:

• Was the first tool I ever used to send a remote video feed to JB
• Seems to be limited only by creativity
• One of the tools that exemplifies how FOSS tools can far exceed anything proprietary.

youtube-dl

youtube-dl is a small command-line program to download videos from YouTube.com and a few more sites. It requires the Python interpreter (2.6, 2.7, or 3.2+), and it is not platform specific.

• youtube-dl options

Why Chris’ Thankful:

*Meet one of my new best friends. This is one of the best tools of the year, with support for WAY more sites that YouTube, it makes it possible for JB to grab clips from a WIDE range of sources, store them off-line for immediate playback while on air, and convert/transcode them on the fly into a format suitable for us. Updates are quick, and fix issues with reliability. *

Why Noah is Thankful:

• Use it daily to download YouTube clips that are bound to be taken off of youtube.
• Because it’s CLI and not a browser extension it’s invisible until I need it
• Because it’s CLI I can run it in the background and continue work in the browser, or even close the browser without any real consequences.

Avidemux

Avidemux is a free video editor designed for simple cutting, filtering and encoding tasks.

Why Chris’ Thankful:

*When working with any kind of long clip, an interview, news report, an episode outtake, Avidemux makes it crazy simple to select JUST the area of the video I want, and copy it out without any quality loss/transcoding. Or I can choose to transcode (say from h.264 video, with mp3 audio in an flv, to vp8, with opus audio, in a webm container) just the portion of the video I want. Another option would be just grabbing an audio portion of a clip, saving it as an MP3, and making an easy ringtone. *

Why Noah’s Thankful:

• Allows Chris to edit under Linux.
• Any alternative video editor on Linux provides competition to all improve.
• No video editor is perfect and so anyone could be “the” video editor under LInux in the near future.

Open Broadcaster Software

What is OBS?

Open Broadcaster Software is free and open source software for video recording and live streaming. Supported features include:

• Encoding using H264 (x264) and AAC.
• Support for Intel Quick Sync Video (QSV) and NVENC.
• Unlimited number of scenes and sources.
• Live RTMP streaming to Twitch, YouTube, DailyMotion, Hitbox and more.
• File output to MP4 or FLV.
• GPU-based game capture for high performance game streaming.
• DirectShow capture device support (webcams, capture cards, etc).
• Windows 8 high speed monitor capture support.
• Bilinear or lanczos3 resampling.

Why Chris’ Thankful:

*While I’m not sure it’s quite there yet, this promises to free us from one huge proprietary monster *

Why Noah is Thankful:

• One of the big road blocks for JB going all Linux.
• Can be installed on practically any machine making remote broadcasting much simpler to plan
• Can be used to build appliance like devices
• Shortcomings not withstanding it’s usable today

Core Infrastructure Initiative

View post on imgur.com

The stakes have never been higher for open-source software security. With millions of people around the world relying on open source software — and vulnerabilities like Heartbleed putting everyone at risk — it’s time to change the way we support, protect, and fortify open software.

Why Chris’ Thankful:

HeartBleed reminds us that those core infastrucutre projects are vitally important and need funding just as much as the flashy front end facing projects

Why Noah is Thankful:

*A great start to streamline open source software in a way that will allow it to compete at scale with it’s proprietary alternatives.

Wayland Support is REALLY Taking Off

Toolkit support

Toolkits supporting Wayland include the following:

• Clutter has complete Wayland support.[64]
• EFL has complete Wayland support, except for selection.[65]
• GTK+ 3.10 has complete Wayland 1.2 support.[66]
• Qt 5 has complete Wayland support.
• SDL support for Wayland debuts with the 2.0.2 release, but as experimental and disabled by default.[67]
• GLFW 3.1 will have experimental unadvertised Wayland support.[68]
• FreeGLUT has initial Wayland support[69]

Desktop environments supporting Wayland include the following:

• KDE support:
  • KWin: is in the process of becoming a Wayland compositor, but support is incomplete;[70] support for OpenGL ES output was added in 2010,[71] in version 4.7.[72] In January 2013 KWin’s main developer Martin Grässlin started working for Blue Systems with one of the goals being a complete Wayland port.[73] Experimental Wayland support is now working in current KWin 4.11.[74]
  • KDE Frameworks 5: it is possible to run most applications built on top of Frameworks 5 under a Wayland compositor, without X11 as X11-dependent codepaths have become optional.[70]
  • KDE Plasma 5: is based on Frameworks 5, but as e.g. interfaces between the workspace shell, the compositor (KWin) and the display server are not yet well-defined or implemented up-stream, support is incomplete.[70]
  • Calligra Suite already has an unofficial but working port to Wayland.[75]
• Glx-Dock has been ported to Wayland.[76]
• The Hawaii desktop environment exclusively supports Wayland.
• GNOME: In March 2013 GNOME developers announced plans for a complete Wayland port within a year.[77] GNOME 3.10 includes initial support that “will enable the project to fully adopt the next generation display and input technology in the future”.[78][79] The current roadmap targets GNOME 3.18 as the first version to be fully ported to Wayland.[80][81]
• MATE: Wayland support is on MATE’s roadmap for “when MATE will become GTK+3 only”.[82]

Other software

Other software supporting Wayland includes the following:

• Intelligent Input Bus is working on Wayland support, it could be ready for Fedora 22[83]
• RealVNC published a Wayland developer preview in July 2014[54][84][85]
• Maliit: Maliit, an input method framework, runs under Wayland.[86][87][88]
• kmscon supports Wayland with wlterm[89]
• Mesa: Mesa, to which AMD and Intel directly contribute to support their graphics processors, has Wayland support integrated.[90] Within the Mesa projects, drivers for Qualcomm Snapdragon (freedreno)[91][92] and Nvidia GPUs (nouveau)[93][94] are being developed by Red Hat and community contributors.[95][96]
• Eclipse was made to run on Wayland during a GSoC-Project in 2014.[97]

Mobile and embedded hardware

Mobile and embedded hardware supporting Wayland includes the following:

• GENIVI Alliance: The GENIVI automotive industry consortium for in-vehicle infotainment (IVI) supports Wayland.[98]
• Tizen: Tizen up to 2.x supports Wayland in in-vehicle infotainment (IVI) setups[99] and from 3.0 onward defaults to Wayland.[100]
• Raspberry Pi: The Raspberry Pi Foundation in collaboration with Collabora released Maynard and work on improving performance and memory consumption, but do not expect to be able to replace X11 as the default display server until later in 2013[101][102]
• Sailfish OS: Smartphones from Jolla use Wayland as standard. It is also used as standard when Linux Sailfish OS is used with hardware from other vendors or when it is installed into Android devices by users.[103][104][105]

Wayland Protocols v1.0 Released

The Wayland Protocols 1.0 release includes support for Fullscreen Shell, Input Method, Linux DMA-BUF, Pointer Gestures, Presentation Timing, Text Input, and XDG Shell. All of these protocols are considered unstable for the v1.0 release with no protocols being declared stable yet in this repository.

Why Chris’ Thankful:

*The path to Wayland has been long, and sometimes treacherous. As a long time Linux user it warms my holiday heart to see so much wide spread support, and so much collaboration in moving to Wayland and the future of the Linux graphics stack (also something, something, Mir) *

— PICKS —

Runs Linux

This Wheat Farm, Runs Linux

Here’s some videos of Mathew Reimer, a canadian wheat/canola grower using a drone software/hardware to autonomously pilot his tractor. You can see him in his combine harvester running mavproxy drone software on an ubuntubox.

• Awesome shot of driverless tractor controlled via Ubuntu Tablet:

Desktop App Pick

Atraci

Atraci is an application for Windows, Mac and Linux that lets you listen instantly to more than 60 million songs (way more than iTunes’s 26 million). It requires no sign up, displays no ads and is 100% safe.

Weekly Spotlight

Sandstorm.io

Install apps to create documents, spreadsheets, blogs, git repos,
task lists, and more as easily as you’d install apps on your phone.

• Designed for Humans – It’s as easy as your phone. No command lines, no config files, no database provisioning.
• Secure By Default = Sandstorm’s unparalleled security measures keep you safe even when apps are buggy.
• Freedom – Run any app you want — even write your own. Don’t get locked into walled gardens.

Sandstorm is open source and can be installed anywhere.

Sent in by Andrew F

LAS Jacket Returns!

• LAS Jacket Returns! | US

Celebrate your new year with Linux on your mind and on your body!

• LAS Jacket in the EU!

We are excited to offer this LAS zip up hooded jacket that will ship from the
EU!

— NEWS —

0 A.D. | A free, open-source game of ancient warfare

Wildfire Games, an international group of volunteer game developers, proudly announces the release of “0 A.D. Alpha 19 Syllepsis”, the nineteenth alpha version of 0 A.D., a free, open-source game of ancient warfare. This alpha features building and siege engine capture, a new pathfinder, visual replay and more!

# Why Chris’ Thankful:

*0 AD here is becoming a true blue serious game. Better than commercial stuff.

And it does not get enough attention. I’m thankful this team sticks to their guns, and keeps releasing a better and better product. They are becoming a shining example of what an open source project can be, let alone a game.*

Software Freedom Conservancy

Conservancy needs 750 Supporters to continue its basic community services &
2,500 to avoid hibernating its enforcement efforts! The next 48 supporters who sign up before next Friday will count twice thanks to an anonymous match donor!

• Black Friday Deal for Software Freedom! – Software Freedom Conservancy

One of our Supporters has generously come forward to offer an anonymous match donation. We have one week to sign up 83 Supporters and have their donations count twice (making it a match of $10,000 for Conservancy). If you sign up as a Supporter now, we’ll add you as a Supporter on the left of our status bar, but on the right you’ll also see the match decrease our goal by one. So, during the match, you’ll be counted both as a Supporter and to reduce the overall target from the other direction!

Help us take advantage of this opportunity and reach our goal of 2500 Supporters to save enforcement! Sign up as a Supporter now!.

Conservancy Announces Funding for GPL Compliance Lawsuit

Software Freedom Conservancy announces today Christoph Hellwig’s lawsuit
against VMware in the district court of Hamburg in Hamburg, Germany.
This is the regretful but necessary next step in both
Hellwig and Conservancy’s ongoing effort to convince VMware to comply
properly with the terms of the GNU General Public License version 2 (GPLv2), the license of Linux and many other
Open Source and Free Software included in VMware’s ESXi products.

Hellwig, a key Linux kernel developer and one of the earliest members of
Conservancy’s GPL Compliance Project for Linux Developers, has
publicly denounced VMware’s misuse of GPL-licensed code since 2007. In 2011, Conservancy discovered that VMware had failed to provide nor offer any source
code for the version of BusyBox included in VMware’s ESXi products (as
required by BusyBox’s license, GPLv2). Conservancy began in early 2012
negotiations with VMware to seek compliance on all GPL’d components in the
ESXi project. Progress was slow through 2012 and 2013.

• ​VMware sued for failure to comply with Linux license | ZDNet

Why Chris’ Thankful:

Hellwig’s lawsuit against VMware to enforce the GPL license of BusyBox, and the Conservancy’s support of it could be have long term ramfications for future ablity to encofce the GPL.

Red Hat Enterprise Linux 7.2 – A major desktop milestone

So many of you have probably seen that RHEL 7.2 is out today. There are many important updates in this release, some of them detailed in the official RHEL 7.2 press release.

One thing however which you would only discover if you start digging into the 7.2 update is that its the first time in RHEL history that we are doing a full scale desktop update in a point release. We shipped RHEL 7.0 with GNOME 3.8 and in RHEL 7.2 we are updating it to GNOME 3.14. This brings in a lot of new major features into RHEL, like the work we did on improved HiDPI support, improved touch and gesture support, it brings GNOME Software to RHEL, the improved system status area and so on. We plan on updating the desktop further in later RHEL 7.x point releases.

RedHat / Fedora

About RedHat

Red Hat, the world’s leading provider of open source solutions, today announced that it has signed a definitive agreement to acquire Ansible, Inc., a provider of powerful IT automation solutions designed to help enterprises move toward frictionless IT. Ansible’s automation capabilities, together with Red Hat’s existing management portfolio, will help users drive down the cost and complexity of deploying and managing both cloud-native and traditional applications across hybrid cloud environments. With today’s announcement, Red Hat expands its leadership in hybrid cloud management, OpenStack and containers.

Why Noah is Thankful:

• One of the largest open source companies that has not let it’s profits get in the way of it’s commitment to free and open source software
• Saved me from Windows, and made me believe there was hope for Linux as a desktop
• A core group of people that are doing every day what many companies fractions of their size say isn’t possible for “big companies”
• Maker of Fedora

Feedback:

• https://slexy.org/view/s21BuQOWGM

• https://slexy.org/view/s2UViBINOo

Thank you to our sponsors, and our audience support!

Trine 3 Stream Giveaway next Friday’s live show

Rover Log Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

• Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

Catch the show LIVE Friday:

• https://jblive.tv
• Network Calendar

The post Thankfully It's Open Source | LAS 393 first appeared on Jupiter Broadcasting.

Have we gone too far with Docker? We channel our inner curmudgeon & discuss the Heartbleed sized elephant hanging out in Docker’s room. Plus why all the bad press around SteamOS might be missing the mark & our virtual LUG shares their hands on experiences with openSUSE LEAP!

Plus some important follow up, a few surprises & a dead UPS!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• pusto.org: The alpha is here

Mailur aims to become the future open source replacement for Gmail.

It is already usable as an alternative Gmail interface with a set of unique features.

• Google And ASUS Launch The $85 Chromebit, A Chrome OS Desktop On An HDMI Stick

The $85 Chromebit is a 75 gram (or 2.6 ounces) stick that you can plug into any HDMI port — whether that’s a regular computer screen or that large TV in your living room. It comes with 16GB of onboard storage (in the form of relatively cheap and slow eMMC storage) and 2GB of RAM.

• UUMATE Is a Respin of Ubuntu MATE 15.10 That Aims to Be Better

Highlights of UUMATE include the Google Chrome web browser, Kdenlive video editor, PeerGuardian privacy-oriented firewall application, Steam for Linux, Syncthing file sync utility, TeamViewer remote control software, Wine 1.7, Compiz for beautiful desktop effects, as well as numerous sound events enabled by default.

Follow Up / Catch Up

• Noah VS Dr Emma: Switching people to Linux competition rules

Linux Academy

• Linux Academy | Linux and AWS Online Training

Have we gone too far with containers?

Engineers are now coming up with crazy solutions to a typical problem. Vulnerable software that’s spreading around the web in containers.

CoreOS says over 80 percent of Docker images stored in its Quay service are still vulnerable to the infamous Heartbleed bug, for example.

Clair can scan containers for known vulnerabilities and then alert developers of potential issues. CoreOS is getting this data from the vulnerability databases of Red Hat, Ubuntu and Debian.

• Docker Doubles Down on Security With Nautilus, Hardware Encryption

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

SteamOS Getting off to a rocky start…

SteamOS gaming performs significantly worse than Windows, Ars analysis shows

Cross-platform 3D games face 21- to 58-percent frame rate dip on same hardware.

Why one PC maker decided not to ship a Steam Machine this year

Watch out for the old school shill: Dean Takahashi has authored very Microsoft focused books, and writes a lot about MS, such as – Opening the Xbox: Inside Microsoft’s Plan to Unleash an Entertainment Revolution

“We met with Valve about our reservations concerning the limitations of SteamOS with high-end PC builds, and they agreed they were not issues that could be overcome in time for us to launch a Steam Machine this year,” said Kelt Reeves, president of Falcon Northwest in Medford, Oregon. “But they were genuinely interested in working to address them in future SteamOS builds. So the option for us to produce a Steam Machine is still open, and our Tiki PCs have been in production for years as Windows systems and are always ready. But for now, we’ve put our plans to offer a Steam Machine on hold.”

Fedora/gstreamer dev comments on the importance of gaming on Linux and SteamOS

Time to get a Steam Machine – https://t.co/O7owod66BT

— Christian Schaller (@Uraeus2) November 11, 2015

TING

• Ting – mobile that makes sense

Leap / Tumbleweed Users — Check in!

Just checked out the latest episode of Linux Unplugged and was stoked to see it had a segment on my distro of choice.

Support Jupiter Broadcasting on Patreon

The post What’s Up Docker? | LINUX Unplugged 119 first appeared on Jupiter Broadcasting.

We’ll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He’s been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this weeks news and answers to your questions, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon 2015 call for papers

• The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
• According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
• If giving a full talk isn’t your thing, there’s also a call for tutorials – if you’re comfortable teaching other people about something BSD-related, this could be a great thing too
• You’re not limited to one proposal – several speakers gave multiple in 2014 – so don’t hesitate if you’ve got more than one thing you’d like to talk about
• We’d like to see a more balanced conference schedule than BSDCan’s having this year, but that requires effort on both sides – if you’re doing anything cool with any BSD, we’d encourage you submit a proposal (or two)
• Check the announcement for all the specific details and requirements
• If your talk gets accepted, the conference even pays for your travel expenses

Making security sausage

• Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
• “Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!”
• The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
• It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
• Following that, it leads to the topic of FreeType – and a much more complicated problem with backporting patches between versions
• The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
• Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release – it had to be redone at the last minute
• It was because of this that FreeBSD actually had to release a security update to their security update
• He concludes with “My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note ‘oh, and some security too’ creates downstream mayhem.”

Running FreeBSD on the server, a sysadmin speaks

• More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
• ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
• They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
• It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
• If you’ve been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you

NetBSD ported to Hardkernel ODROID-C1

• In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
• This one features a quad-core ARMv7 CPU at 1.5GHz, has a gig of ram and gigabit ethernet… all for just $35
• There’s a special kernel config file for this board’s hardware, available in both -current and the upcoming 7.0
• More info can be found on their wiki page
• After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device

Interview – Bernard Spil – spil.oss@gmail.com / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem

News Roundup

Monitoring pf logs with Gource

• If you’re using pf on any of the BSDs, maybe you’ve gotten bored of grepping logs and want to do something more fancy
• This article will show you how to get set up with Gource for a cinematic-like experience
• If you’ve never heard of Gource, it’s “an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories”
• When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
• One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend’s phone had been compromised – graphical representations of traffic could be useful for detecting suspicious network activity

pkgng 1.5.0 alpha1 released

• The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
• This update introduces support for provides/requires, something that we’ve been wanting for a long time
• It will also now print which package is the reason for direct dependency change
• Another interesting addition is the “pkg -r” switch, allowing cross installation of packages
• Remember this isn’t the stable version, so maybe don’t upgrade to it just yet on any production systems
• DragonFly will also likely pick up this update once it’s marked stable

Welcome to OpenBSD

• We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
• The slides from that talk are now online, and they’ve been generating quite a bit of discussion online
• It’s simply titled “Welcome to OpenBSD” and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
• Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
• As you may know, NetBSD has almost 60 supported platforms and their slogan is “of course it runs NetBSD” – Brian says, with 17 platforms over 13 CPU architectures, “it probably runs OpenBSD”
• No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
• Try to guess which font he used…

BSDTalk episode 252

• And somehow Brian has snuck himself into another news item this week
• He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
• If that sounds familiar, it’s probably because we did the same thing, albeit with a different member of their team
• In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
• They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself

Feedback/Questions

• Christian writes in
• Stefan writes in
• Possnfiffer writes in
• Ruudsch writes in
• Shane writes in

Mailing List Gold

• Accidental support
• Larry’s tears
• The boy who sailed with BSD

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – don’t be afraid to write about your experiences and send them to us, we’d love to read about what you guys are doing with BSD
• If you’re interested in OpenZFS discussion, they’re looking to start up the office hours series again on April 2nd (with Justin Gibbs)
• There’s a new BSD users group starting up in the Vancouver, British Columbia area – VanBUG will be holding an event on April 8th

The post SSL in the Wild | BSD Now 82 first appeared on Jupiter Broadcasting.

We look back at this year in TechSNAP. Allan shares his war stories, TrueCrypt shuts down, Heartbleed happens & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Episode List

• Episode 5 – Allan Goes to War
• Episode 176 – Heartbleed Hospital
• Episode 164 – Tales from the TrueCrypt
• Episode 191 – Celebrity Bugs
• Episode 166 – Demilitarized Tone
• Episode 149 – Island Hopping Explained
• Episode 100 – 100% Uptime

The post Best Of TechSNAP 2014 | TechSNAP 194 first appeared on Jupiter Broadcasting.

2014 has been the year of the celebrity bugs, we take a look at the new trend of giving security vulnerabilities names & logos & ask who it truly benefits.

Plus practical way to protect yourself from ATM Skimmers, how they work & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

• Are you a BSD User? The first question we ask in every interview is “How did you get started with BSD?” Send your video clip or writeup before December 17th for our Christmas Episode

• Spam Nation: The Inside Story of Organized Cybercrim

• Brian Krebs’s “Spam Nation”

• Best of JB Submission Form

Wiretapping ATMs

• “Banks in Europe are warning about the emergence of a rare, virtually invisible form of ATM skimmer involving a so-called “wiretapping” device that is inserted through a tiny hole cut in the cash machine’s front. The hole is covered up by a fake decal, and the thieves then use custom-made equipment to attach the device to ATM’s internal card reader.”
• “The criminals cut a hole in the fascia around the card reader where the decal is situated,” EAST described in a recent, non-public report. “A device is then inserted and connected internally onto the card reader, and the hole covered with a fake decal”
• “It’s where a tap is attached to the pre-read head or read head of the card reader,” Lachlan said. “The card data is then read through the tap. We still classify it as skimming, but technically the magnetic stripe [on the customer/victim’s card] is not directly skimmed as the data is intercepted.”
• So, they attach to the REAL card reader, and siphon off a copy of the data as the card is read
• That makes this form of skimming pretty much undetectable (except possibly by the fake decal used to cover the hole cut in the front of the ATM)
• The Krebs article also talks about new “insert transmitter skimmers”, that use a small battery and transmit the skimmed data a short distance, meaning the attacker does not have to return to the scene of the crime to collect the stolen data, decreasing their risk of getting caught
• “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another ATM. Use only machines in public, well-lit areas, and avoid ATMs in secluded spots”
• “Last, but certainly not least, cover the PIN pad with your hand when entering your PIN: That way, if even if the thieves somehow skim your card, there is less chance that they will be able to snag your PIN as well. You’d be amazed at how many people fail to take this basic precaution. Yes, there is still a chance that thieves could use a PIN-pad overlay device to capture your PIN, but in my experience these are far less common than hidden cameras (and quite a bit more costly for thieves who aren’t making their own skimmers).”

Bug naming and shaming

• This article discusses the advantages and disadvantages to having named and branded bugs like Heartbleed, as well as some behind the scenes info on that exploit, and the people behind the naming of various other vulnerabilities since then
• “If the bug is dangerous enough, it gets a name. Heartbleed’s branding changed the way we talk about security, but did giving a bug a logo make it frivolous… or is this the evolution of infosec?”
• Heartbleed was discovered some time before Friday, March 21, 2014 by a Google security researcher. It was later shared with Open SSL, Red Hat, CloudFlare, Facebook, and Akamia
• Finnish security company Codenomicon separately discovered Heartbleed on April 3, and informing the National Cyber Security Centre Finland the next day”
• They then immediately went to work on a marketing plan. This discovery was going to launch their small firm into super stardom. They had a logo and website designed, and prepared for the public disclosure of the bug
• The original public disclosure was supposed to be made on April 9th. However, after details started to leak, and the OpenSSL team decided that if more than 1 group had already discovered the bug, more would quickly follow, they released the details early, on April 7th
• “Half an hour after OpenSSL published a security advisory the morning of April 7, CloudFlare bragged in a blog post and a tweet that it was first to protect its customers, and how CloudFlare was enacting an example for “responsible disclosure.”
• “An hour after CloudFlare’s little surprise, Codenomicon tweeted to announce the bug, now named Heartbleed, linking to a fully prepared website, with a logo, and an alternate SVG file of the logo made available for download.”
• “Heartbleed — birth name CVE-2014-0160 — became a household term overnight, even though average households still don’t actually understand what it is.”
• “The media mostly didn’t understand what Heartbleed was either, but its logo was featured on every major news site in the world, and the news spread quickly. Which was good, because for the organizations who needed to remediate Heartbleed, it was critical to move fast.”
• In the end, it seems Heartbleed was a success, most systems were patched quite quickly, although many systems did not follow the full procedure, and that has had some fallout that we have covered
• In justifying the name given to a Russian hacking group, iSight Partners said: “Without naming these teams, it would be impossible for a network defender to keep track of them all. We think that’s essential, because intimately understanding these teams is the first step to mounting an effective defense. Giving a name to a team — as we have done with Sandworm — helps practitioners and researchers track and attribute tactics, techniques, procedures and ongoing campaigns back to the team. By assigning identities, It helps to bring these actors out of the shadows and into the light.“
• Other vulnerabilities, like POODLE, had alarmingly bad reporting that may have done more harm than good
• ShellShock was the anti-case. It didn’t have a logo, or an official website. ShellShock timeline
• It was actually originally dubbed BashDoor by its creator, but when it was leaked to the press by someone else, they provided the name ShellShock
• Further, because the initial fix for the ShellShock vulnerability did not entirely solve the problem, there was much confusion, where people thought they had already patched, but didn’t have the “latest” patch
• Then, there were a number of follow-on vulnerabilities in bash, that didn’t have names, but were lumped in with ShellShock, which lead to even more confusion
• Closing Quote: “The researchers didn’t tell their closest biz-buddies in a game of telephone, one in which Heartbleed became an arms race of egos, insider information trading, and opportunism”
• Who gets to decide what bugs are bad enough to get a name instead of just a CVE number? Should MITRE start tracking names along with the CVE numbers?
• Who gains more for naming bugs, the end users who might become more aware of the issue and be able to protect themselves, or the PR powered firms that exploit it for their own good?

Feedback:

• Why is md5 not secure?

• Md5crypt Password scrambler is no longer considered safe by author — PHKs Bikeshed

• VMware’s page-sharing woes

• Brute Force, How Do They Know They Got It?

• Thank you – seriously

• BSDCan 2015 Call for Papers — Due by Jan 19th

Round Up:

• NSA spies on carriers to break call encryption, report suggests
• Government sites remain hacked 2 weeks later — The problem with not disclosing security breaches
• U.S. Intelligence Agency Aims to Develop Superconducting Computer
• The Cost of HTTPS everywhere
• Google Can Now Tell You’re Not a Robot With Just One Click
• Samsung announces 3.2TB PCI-E SSD, Intel/Micron announce 3D NAND, hard drives stuck at 7200rpm (or lower)
• “Its signed, must be legit” — Lessons in Interface Design
• ExplainShell.com — Explain what that code is actually doing, a quick way to learn to read shell scripts
• Prosecutors charge “hacker” with 44 felonies in typical scare tactics (10 year max on each, resulting in a total sentence that would be multiple lifetimes), final charges: a single misdemeanor with a $10,000 fine
• Crash CentOS6 init by touching a bunch of files
• Judge rules that IP addresses should not be exempt from a public records request because of “security”
• Nuclear weapons use fluctuating radiation fields to generate their own one-time passwords to restrict their use
• Your new 500GB external hard drive, guaranteed to be quieter than any other external hard drive

The post Celebrity Bugs | TechSNAP 191 first appeared on Jupiter Broadcasting.

A major flaw in the Bash shell has been discovered, and the Internet is losing its collective mind over it. We discuss the possible far reaching ramifications of the flaw, and the comparisons to Heartbleed.

Plus some solid rumors on the next Nexus device, major iOS 8 update issues, and India’s historical tech event from this week.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Exclusive: This is ‘Shamu,’ Motorola’s upcoming Nexus 6/X

Google’s upcoming “Nexus 6″ (some claim it will be called “Nexus X”) has long been rumored, and there have been many leaked specifications and details rolling out for quite some time now.

Notably, a report from last month based on specifications leaked via GFXBench seemingly all but confirmed a variety of facts about the device: a 2.6GHz quad-core Snapdragon 805 processor, 3GB of RAM, 32GB of internal storage, a 13-megapixel rear-facing camera, a 2-megapixel front-facing shooter and Android L (surprise, surprise).

The biggest unknown is the screen, but 9to5Google reports 5.92-inch screen, with QHD resolution of 2560 x 1440. This dense screen according to our calculations comes out to be 498 PPI—a fairly impressive number for any smartphone. As such, it’s going to have a battery that is equally impressive, packing 3,200 mAh to power all of those pixels.

Previous reports suggested a 5.2-inch screen instead of the currently rumored 5.92-inch

As for the overall appearance of the device, it’s basically going to be a scaled up 2nd generation Moto X with some minor tweaks to make the larger size easier to use.

Bug in Bash shell creates big security hole on anything with *nix in it | Ars Technica

The bug, discovered by Stephane Schazelas, is related to how Bash processes environmental variables passed by the operating system or by a program calling a Bash-based script. If Bash has been configured as the default system shell, it can be used by network–based attackers against servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

While Bash is often thought of just as a local shell, it is also frequently used by Apache servers to execute CGI scripts for dynamic content (through mod_cgi and mod_cgid). A crafted web request targeting a vulnerable CGI application could launch code on the server. Similar attacks are possible via OpenSSH, which could allow even restricted secure shell sessions to bypass controls and execute code on the server.

Errata Security: Bash bug as big as Heartbleed

Today’s bash bug is as big a deal as Heartbleed. That’s for many reasons.

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things

For the record, cygwin is vulnerable, as well as bash-3.1 from 2005 pic.twitter.com/yYtVnPlTAJ

— Robert Graham (@ErrataRob) September 25, 2014

First attacks using ‘shellshock’ Bash bug discovered

AusCERT earlier yesterday also claimed to have received reports the bug was being exploited in the wild.

Meanwhile, security researcher Robert Graham claims to have found at least 3,000 systems vulnerable to the bug. However Graham’s scan only looked at systems on port 80; the researcher noted embedded webservers on odd ports are the real danger and a scan for these “would give a couple times more results”.

Check our self:

There is an easy test to determine if a Linux or Unix system is vulnerable. To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable
 this is a test

An unaffected (or patched) system will output:

 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

Jupiter Broadcasting at Ohio LinuxFest

Going to Ohio LinuxFest? Join our Google+ event for future meetup plans!

iOS 8.0.1 Causing No Service, Touch ID Issues on iPhone 6/6 Plus, Apple Support Recommends iTunes Restore – Mac Rumors

Following the release of iOS 8.0.1 this morning, numerous of users found that their cellular service was disabled, reporting “No Service” messages after updating. Affected users also appear to be experiencing problems with Touch ID, which seems to be completely non-functional.

It appears that the issue is limited to users who have an iPhone 6 or an iPhone 6 Plus, but affected devices span several carriers.

Apple support has also recommended restoring iOS 8.0.1 via iTunes to fix the problem.

OS 8.0.1 is no longer available via an over-the-air download.

Apple says that it is actively investigating reports of problems and has pulled iOS 8.0.1 in the meantime. The company also says that it will provide information as quickly as it can.

Upcoming price increase for NEW Plex Pass subscriptions – Plex Blog : Plex Blog

So on September 29, 2014 we’ll be making some changes to our Plex Pass subscription rates for new subscribers:

• Monthly Plex Pass subscriptions will increase from $3.99 to $4.99 per month.
• Annual Plex Pass subscriptions will increase from $29.99 to $39.99 per year.
• Lifetime Plex Passes will increase from $74.99 to $149.99.

India’s Mars mission could be a giant leap | Priyamvada Gopal | Comment is free | The Guardian

After a journey of 300 days and 420 million miles, an Indian satellite has arrived in orbit around Mars. To have done so on an economy ticket — at $74m “the cheapest interplanetary mission ever to be undertaken by the world”, according to the mission’s leader

The post The Bourne Shellshock | Tech Talk Today 65 first appeared on Jupiter Broadcasting.

You won’t believe how terrifying simple it is to control traffic lights and cameras, Cisco gets the boot and the hospital hack enabled by Heartbleed, plus a great batch of your emails, our answers and much, more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Researchers find startling lack of security in traffic management systems

• Researchers started investigating the traffic management system (that controls the traffic lights at intersections) in an unnamed city in Michigan
• They found that the system uses IP traffic transmitted over two different wireless protocols, a 5.8ghz line-of-sight protocol (turns out to be very similar to 802.11n) and an over-the-horizon 900mhz protocol
• Traffic over the wireless links is unencrypted, and has no authentication
• While it would have been possible to reverse engineer the custom wireless protocols, to save time the researchers managed to get ahold of one of the radios used by the system instead
• They found that the management system uses VxWorks 5.5, a proprietary RTOS for embedded devices from the 90s
• VxWorks is usually built from source so it can be customized. The vendor, as many do, left the debugging options enabled, this includes an open TCP port that can be used to read and write memory locations, kill running tasks, restart the OS and more
• By using this debugging feature, and capturing network traffic, the researchers were able to reverse engineer the protocol that the controller used to communicate with the traffic signals
• Each command is essentially the same with only the last bit or two being different
• There is no encryption, so anyone can see the commands being sent
• There is no authentication, so the devices will accept commands from anyone, not just the controller
• There are no firewalls, so a malactor on the network can completely take over
• An attacker can trip the failsafe mode, where the traffic lights revert to flashing red in every direction and have to be physically reset by a technician
• An attacker could before a type of denial of service attack, by tripping the traffic lights into this mode at random, and faster than crews could repair the lights
• The biggest problem is the 5.8ghz network, since most all laptops and mobile devices have a radio capable of communicating on that band built in. Someone will undoubtedly take the time to reverse engineer the radio protocol and gain access to the network
• Both the 5.8ghz network (WPA2) and the 900mhz network (WEP or WPA) support encryption, but it is not used
• The traffic management system supports username and password authentication, but the default credentials are used
• The paper was presented at USENIX: WOOT (Workshop on Offensive Technologies)
• PDF: Green Lights Forever: Analyzing the Security of Traffic Infrastructure
• The researchers point out an alarming quote they got from the vendor that sells the traffic management system: The vendor “has followed the accepted industry standard and it is that standard which does not include security.”

Secret Language, or Unlikely Bug?

• “Imagine discovering a secret language spoken only online by a knowledgeable and learned few”
• A researcher who wishes to be identified only as “Kraeh3n” was proofreading a document for a colleague
• The opening part of the document had standard lorem ipsum filler text
• Then the document was pasted into Google Translate, it was auto-detected as latin, and the translation to english was startling, key words included China, NATO, Internet, Business and “the Company” (a euphemism for the CIA)
• Kraeh3n immediately shared the revelation with Michael Shoukry, a researcher as FireEye
• This was later shared with Lance James, head of Cyber Intelligence at Deloitte, who then shared it with Brian Krebs
• Brian’s blog contains a number of screenshots showing different translations
• While Google Translate uses machine learning, and could be tricked by brute force into creating false translations like this, the fact that capitalization affects the translation suggests something more may be at work here
• Brian Krebs then started adding other latin words, specifically from a work by Cicero that spawned Lorem Ipsum in the first place
• Now he had “Russia may be suffering” and “The main focus of China”
• “Translate [is] designed to be able to evolve and to learn from crowd-sourced input to reflect adaptations in language use over time,” Kraeh3n said. “Someone out there learned to game that ability and use an obscure piece of text no one in their right mind would ever type in to create totally random alternate meanings that could, potentially, be used to transmit messages covertly.”
• However, not all of it makes that much sense, none of the translations constructed full sentences
• Sadly, around midnight on August 16th, Google Translate abruptly stopped translating the word “lorem” into anything.
• Google Translate still produces amusing and peculiar results when translating Latin to English in general.
• “A spokesman for Google said the change was made to fix a bug with the Translate algorithm (aligning ‘lorem ipsum’ Latin boilerplate with unrelated English text) rather than a security vulnerability”
• Inside Google Translate
• It is also possible that all of these keywords just came from recent news articles Google had been translating, as much of the current news is about China and the Internet, and Russia and NATO

Computers of Nuclear Regulatory Commission hacked 3 times in 3 years

• According to an inspector general report, two different foreign nationals, and one unidentified individual, have compromised the computer systems of the NRC over the course of last 3 years
• One of the attacks was a phishing attempt, sent from a compromised computer inside the NRC to 215 NRC employees asking them to verify their username and password
• A dozen NRC employees fell for the scam, and delivered their login credentials to a google spreadsheet
• The IG’s office was able to track the google account and found out it belonged to a foreigner
• In another spear phishing attack, emails were sent from outside to specific employees linking them to malware hosted on Microsoft skydrive, that would take over their machine
• “In another case, intruders broke into the personal email account of an NRC employee and sent malware to 16 other personnel in the employee’s contact list. A PDF attachment in the email contained a JavaScript security vulnerability. One of the employees who received the message became infected by opening the attachment”
• Despite the sensationalism of the headline, it does not appear that any type of APT (Advanced Persistent Threat) was detected, but these techniques are how an attacker gets a foothold in the network to set up such an attack
• Infographic: 70% of the worlds critical utilities have been breached

Feedback:

• How do you know for sure the country of origin of hackers?

• Websites that email your password to you in plaintext

• co-lo with lots of IPs.

• Question

• Server Watchdog?

Round-Up:

• Community Health hospitals hacked; 4.5M patient records stolen – because of heartbleed – Health records usually worth between $50 and $250 each, more than credit cards
• Krebs: How secure is your security badge?
• UPS says 51 stores infected with credit card stealing malware
• Hardened, tuned, reliable operating system still important in the world of containerization
• Microsoft Supports Scam Artists By Not Pulling Bogus Apps For Two Years
• Krebs: Why are there so many credit card breaches?
• New Research Blames iMessage for 30% of Mobile Spam Messages
• Inventor appologizes for creating popup ads
• Why does my Cisco switch keep resetting? Because you plugged a cable into it
• The “Chinese Menu” of what the GCHQ can do to your computer

The post Heartbleed Hospital | TechSNAP 176 first appeared on Jupiter Broadcasting.

The rumors of the death of the Nexus line may be exaggerated, we look at some leaked specs of a new 9 inch Nexus tablet. Plus Heartbleed goes on, Linux app updates, Bitcoin’s weekend boost and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

— Headlines —

This Is Volantis, HTC’s Nine-Inch Nexus Tablet

According to our information, the tablet is internally referred to as the Nexus 9, though this name could change before it comes to market. Here’s what we’ve heard so far in the specs department:

• 8.9″ Display at 2048×1440 (281ppi)
• NVIDIA Logan 64-bit processor (Tegra K1)
• 2GB RAM
• 16/32GB internal storage
• 8MP OIS main camera, 3MP front facing camera
• Aluminum zero-gap construction
• Stereo front-facing speakers
• 8.91″x5.98″x0.31″ body (that’s 22.63×15.19×0.79cm)
• 418g (or 427g with LTE) (that’s 14.74/15.1 ounces)

Errata Security: 300k vulnerable to Heartbleed two months later

When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven’t check other ports.

This indicates people have stopped even trying to patch.

Linux Note-taking App ‘Springseed’ 2.0 Refreshes

The open-source app is currently only available on Linux, offering users a minimalistic UI for writing, storing and categorising notes, thoughts, code snippets, and more. Notes can be synced between computers using the built-in Dropbox sync, though this isn’t required to use the app.

Version 2.0, the first stable update since February, refreshed the application’s UI with a darker, angular new look. The light colour scheme and custom window frames of version 1.1 have been replaced by a dark sidebar with large typography, native window borders and a boxier, flatter design with colourful accents in the edit window and high contrast icons.

Opera is back on Linux

As the Opera team said in a Monday blog post:

Many of us at Opera use Linux as our primary platform. It’s great to be able to try out the newest developments of Opera on Linux once again. Adding Linux to our browser line fulfils an important part of Opera’s vision to shape an open, connected world. We want everyone to have fast and safe access to the web. Adding Linux opens up that possibility to more machines running the open-source operating system.

Bitcoin is moving from its Deceptive phase to a very Disruptive phase.

A Greek-American engineer, physician, and entrepreneur best known for being the founder and chairman of the X PRIZE Foundation, the co-founder and chairman of Singularity University and the co-author of the New York Times bestseller Abundance: The Future Is Better Than You Think. He is also the former CEO and co-founder of the Zero-Gravity Corporation, the co-founder and vice chairman of Space Adventures Ltd., the founder and chairman of the Rocket Racing League, the co-founder of the International Space University, the co-founder of Planetary Resources, founder of Students for the Exploration and Development of Space, and vice-chairman & co-founder of Human Longevity, Inc.

Bitcoin is moving from its Deceptive phase to a very Disruptive phase. This Blog is going to explain why, and what you may want to do.

I’ve been tracking Bitcoin since its inception, and my confidence has grown to the point where I’m now trading in a portion of my gold holdings for bitcoin, buying it and accepting bitcoin for the Abundance 360 CEO Summit.

If you’ve followed my work, or participated in my Abundance 360 Summit, you understand that I teach and track exponential technologies using my “6 D’s” approach, looking for “user interface moments.”

Bitcoin is following the 6Ds and is on a path to go from deceptive to disruptive over the next 1 – 3 years.

Why Bitcoin is following the 6 D’s

1. DIGITIZED: Bitcoin is digitized money — it is a global, purely digital currency. Every bitcoin is traded, earned, sold, exchanged and bought in cyberspace. For this reason, it is living on Moore’s law and hopping on the exponential curve.

2. DECEPTIVE: Bitcoin software was released to the public in 2009 and for the first few years has been growing in its deceptive phase. Few heard about it, few used it and accepted it. In addition, the currency has been hard to use; therefore, it hasn’t had its “User Interface Moment” (the key transition from deceptive to disruptive). More soon.

3. DISRUPTIVE: As described below by my friend Barry Silbert (founder of Second Market), Bitcoin is about to enter its disruptive phase where its rate of acceptance and use will explode, as will its value. See below.

4. DEMATERIALIZING: Bitcoin is eliminating or dematerializing the use of physical money (bills and coins), even credit cards. But more than that, it is also dematerializing (read: eliminating) the need for central banks, lawyers and currency exchanges.

5. DEMONETIZING: Bitcoin eliminates middlemen (banks, lawyers, exchanges) and demonetizes the cost of transactions. No fees. It makes it cheaper to use, spread and share money.

6. DEMOCRATIZING: Bitcoin makes access to capital available to everyone, where there are no banks, no ATMs and no credit card suppliers. Ultimately, as we move (over the next 6 years) to a world of 7 billion digitally connected humans, Bitcoin makes currency available to anyone with a connection to the internet.

Bitcoin’s Evolution – Why it will be Disruptive Soon

My friend Barry Silbert (founder of Second Market) recently spoke as my guest at Singularity University’s Exponential Finance conference about Bitcoin. He provided an excellent overview of its near-term trajectory, summarized below. His input has also put me on the lookout for the “User Interface Moment” – that moment in time when an entrepreneur designs a piece of interface software (think Marc Andreessen and Mosaic) that makes it so easy to use bitcoin.

I’ll be reporting on those user interfaces, investing in those startups and helping to promote them.

Okay, now back to Barry Silbert’s insights. Barry outlined five phases for this digital currency that help explain where it’s been and where it’s going.

Phase 1: The period 2009 to 2011 was the early ‘experimentation phase’ for bitcoin (i.e. deceptive). Here the software is released to public and most technologists and hackers started playing with the code. During this phase, there was no apparent value to currency yet; mining bitcoin was easy and could be done by a single person on a MacBook or PC.

Phase 2: 2011 marked the beginning of the ‘early adopter’ phase (still deceptive). There was a lot of early hype and press around Silk Road (where you could buy drugs). The value went from less than $1 to over $30, then crashed. This spurs the first generation of bitcoin companies to build basic infrastructure: wallets, merchant processors, mining operations, exchanges, etc. – i.e. the early user interfaces.

Phase 3: 2012 thru mid-2014 marked the beginning of the ‘Venture Capital Phase.’ Folks like Marc Andreessen, Google Ventures, Benchmark and others have begun investing in Generation 2 Bitcoin companies. We are right in the middle of Phase 3 right now. Thousands of bitcoin companies are getting funding. Many of these are trying to create the “User-Interface Moment.”

Phase 4: Fall 2014 thru 2015 will like see the start of the Wall Street Phase. Here we will begin to see institutional money acknowledging digital currencies as an asset class, and they will begin trading it, investing it and creating products around it. This marks the start of the disruptive phase.

Phase 5: Finally will come the ‘Mass Global Consumer Adoption’ phase — this is where bitcoin becomes a major player in the global economy. When consumers feel it is easy, safe and secure to use bitcoin. It won’t be possible until after the “User Interface Moment” materializes, but I believe, as does Barry, that this is only 1-2 years out.

• XPRIZE Foundation Founder Peter Diamandis: Bitcoin Moving to a Very Disruptive Phase

Support Tech Talk Today creating DAILY PODCASTS

Chris:

• Twitter ChrisLAS
• Google+ +ChrisFisher

The post Return of the Nexus? | Tech Talk Today 13 first appeared on Jupiter Broadcasting.

With Bedrock Linux you are longer restricted to any single Linux distro’s userland. Mix CentOS, Arch, Debian, Ubuntu and more all on the same installation! You can have your cake and eat it too! Want X11 from Debian and Chromium from Arch? No problem! We’ll show you how Bedrock Linux makes it all possible.

Plus: A new round of SSL vulnerabilities strike Linux, the FSF helps you encrypt your emails and a quick steam roundup…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Bedrock Linux:

Brought to you by: System76

Bedrock Linux

• Bedrock Linux 1.0alpha4 Flopsie

Bedrock Linux is a Linux distribution created with the aim of making most of the (often seemingly mutually-exclusive) benefits of various other Linux distributions available simultaneously and transparently.

If one would like a rock-solid stable base (for example, from Debian or a RHEL clone) yet still have easy access to cutting-edge packages (from, say, Arch Linux), automate compiling packages with Gentoo\’s portage, and ensure that software aimed only for the ever popular Ubuntu will run smoothly – all at the same time, in the same distribution – Bedrock Linux will provide a means to achieve this.

Bedrock Linux: Introduction

brc (\”BedRock Chroot\”)

_brc__provides the ability to run commands in clients, properly chrooting to
avoid conflicts. Once Bedrock Linux is properly set up, it will allow the user
to transparently run commands other__wise not available in a given client. For
example, if _firefox__is installed in a Arch client but not in a Debian client,
and a program from the Debian client tries to execute __firefox_, the Arch
_firefox__will be executed as though it were installed locally in Debian.

If __firefox__is installed in multiple clients (such as Arch and Fedora), and
the user would like to specify which is to run (rather than allowing Bedrock
Linux to chose the default), one can explicitly call __brc_, like so: _brc
fedora firefox_._

If no command is given, brc will attempt to use the user\’s current $SHELL.
If the value of $SHELL is not available in the client it will fail.

Bedrock Linux presentation at Ohio Linuxfest 2012 – YouTube

The audio from the Bedrock Linux presentation at the Ohio Linuxfest 2012 was recorded; however, the video was not. For convenience this is played over the slides here. Sadly, no demos are visible here.

— Picks —

Runs Linux

OPI – Reclaim Your Digital Life

OPI is your private cloud with no third party eyes on your information. Still OPI will also allow you to share information with others, on your conditions.

• Private file and mail server gizmo runs Ubuntu

Desktop App Pick

Otter Browser

Otter Browser, project aiming to recreate classic Opera (12.x) UI using Qt5.

Weekly Spotlight

Tech Talk Today

HowTo Linux

Minimum Workspaces – GNOME Shell Extensions

— NEWS —

A New Round Of OpenSSL Vulnerabilities Discovered

• Heartbleed 2: OpenSSL Shows More Security Flaws

The latest flaw is less of a risk than Heartbleed, because it would require hackers to locate themselves between computers communicating, such as over a public Wi-Fi network.

• Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered | Threat Level | WIRED

The new attack does have other limitations: It can only be used when both ends of a connection are running OpenSSL. Most browsers use other SSL implementations and so aren’t affected, says Ivan Ristic, director of engineering at the security firm Qualys, though he adds that Android web clients likely do use the vulnerable code. Among servers, only those using more recent versions of SSL are affected–about 24 percent of the 150,000 servers that Qualys has scanned. He also warns that many VPNs may use OpenSSL and thus be vulnerable. “VPNs are a very juicy target,” Ristic says. “People who really care about security use them, and there’s likely to be sensitive data there.”

GnuTLS Flaw Leaves Many Linux Users Open To Attacks

A new flaw has been discovered in the GnuTLS cryptographic library that ships with several popular Linux distributions and hundreds of software implementations. According to the bug report, \”A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code.\” A patch is currently available, but it will take time for all of the software maintainers to implement it.
A lengthy technical analysis is available. \”There don\’t appear to be any obvious signs that an attack is under way, making it possible to exploit the vulnerability in surreptitious \”drive-by\” attacks. There are no reports that the vulnerability is actively being exploited in the wild.\”

Reset the Net with our email self-defense guide

Google Online Security Blog: Making end-to-end encryption easier to use

Today, we’re adding to that list the alpha version of a new tool. It’s called End-to-End and it’s a Chrome extension intended for users who need additional security

• end-to-end – End-To-End – Google Project Hosting

ChromeBrew: 3rd party package manager for Chrome OS.

Chromebooks with Chrome OS run a linux kernel – the only missing piece to use them as full-featured linux distro was gcc and make with their dependencies. Well, the piece isn\’t missing anymore. Say hello to chromebrew!

Steam Hits The Big 500 For Linux Games

• Steam Reached 500 Linux Games

That is one heck of a milestone isn\’t it? 500 Linux compatible games are now on Steam which is a pretty great number to point anyone at. No longer will people keep stating \”but Linux has no games\”

— Feedback —

• Texas Linux Fest 2014 JB Check-In

• South East Linux Fest 2014 JB Check-in

• June 13-14th
• q5sys will be giving away two RPi.
• Check in on the LAS sub thread, and say hi to q5sys at SELF.
• One on Friday, and one on Saturday.

• Also catch his talk 5:15-6:15: Puppy Linux Deconstructed: About all the technical wizardry behind puppy which makes it work like it does.

• Tech Talk Today launched!

• Support Tech Talk Today and JB on Patreon

• The Jolla – Imgur

— Chris\’ Stash —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged
  +Are Ubuntu Derivatives a Bad Idea?
  +BattleBlock Theater – Part 3 | Geek And The Gamer

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post Introducing Bedrock Linux | LAS 316 first appeared on Jupiter Broadcasting.

Microsoft and Adobe have a boatload of emergency fixes, the Replicant project finds a nasty backdoor in popular Android devices & the exploit that weaponize your webcam that’s one attachment away.

Plus a great big batch of your questions, and our answers. All that and much, much more!

Thanks to:

— Show Notes: —

• GroffTheBSDGoat
• Twitter
• Google+
  • GoatBoF

Microsoft and Adobe release flood of critical patches

• “Microsoft: eight bulletins, two critical – addressing 13 issues in Internet Explorer and Sharepoint Server, along with Windows, Office and its .NET Framework”
• The first critical issue that involves IE MS14-029 we’re learning about for the first time today. Researchers with Google’s Security Team have already spotted limited instances of one of the vulnerabilities (CVE-2014-1815) being targeted, which means this should probably be No. 1 on users’ patching agendas.
• The batch of patches also includes a second critical security update for IE MS14-021 that addresses a previously disclosed vulnerability in versions 6 through 11 of the browser.
• “Missing from the updates are patches for vulnerabilities dug up at March’s Pwn2Own hacking competition, including three IE vulnerabilities that bypassed sandboxes and compromised the underlying system”
• “In a blog entry yesterday the company pointed out that it has extended its requirement for consumer customers to update to 8.1 from today until June 10 but that after that date, like it promised, those who haven’t updated will not receive security updates.”
• “Adobe: released two updates today, fixing critical issues in Reader and Acrobat XI (11.0.06), Strung together the wrong way, they could cause a crash and potentially let an attacker take control of an affected system.”
• “Along with a surprise Flash issue. The Flash Player update involves version 13.0.0.206 of the software and earlier versions for Windows, Macintosh and Linux. The issues were not previously made clear in a security bulletin but address vulnerabilities discovered by Keen Team and other researchers that could result in arbitrary code execution and ultimately let an attacker take control of the affected system.”
• Adobe also released a minor security hotfix for Adobe Illustrator CS6 today, fixing a stack overflow vulnerability – something also marked critical by the company – that could lead to remote code execution.

Open Source Android fork Replicant finds and closes backdoor

• While working on Replicant, a fully free/libre version of Android, they discovered that the proprietary program running on the applications processor in charge of handling the communication protocol with the modem actually implements a backdoor that lets the modem perform remote file I/O operations on the file system.
• This program is shipped with the Samsung Galaxy devices and makes it possible for the modem to read, write, and delete files on the phone\’s storage. On several phone models, this program runs with sufficient rights to access and modify the user\’s personal data.
• Today\’s phones come with two separate processors: one is a general-purpose applications processor that runs the main operating system, e.g. Android; the other, known as the modem, baseband, or radio, is in charge of communications with the mobile telephony network.
• These systems are known to have backdoors that make it possible to remotely convert the modem into a remote spying device. The spying can involve activating the device\’s microphone, but it could also use the precise GPS location of the device and access the camera, as well as the user data stored on the phone. Moreover, modems are connected most of the time to the operator\’s network, making the backdoors nearly always accessible.
• A technical description of the issue, as well as the list of known affected devices is available at the Replicant wiki.

Heartbleed certificate regeneration done wrong in large number of cases

• Netcraft did a survey of SSL certificates to see how Heartbleed affected SSL certificates
• There are 3 required steps to properly replace the SSL certificate
  • Generate a new private key
  • Get issued a new certificate with the new key
  • Revoke the old certificate so it can no longer be used
• They found that 43% of certificates had been reissued
• However they found that only 20% of certificates had been revoked (meaning 23% replaced their certificate but did not revoke the old one, so the old one can still be used by an attacker to perform a man-in-the-middle attack)
• Worse, they found that 7% of certificates had been reissued with the SAME private key, meaning if the private key was stolen, the new certificate is compromised as well
• So in total, only 14% of sites had taken all three steps required to replace their possibly compromised certificates

Feedback:

• Stumble into an exploit, get a job offer. Thanks Jupiter Broadcasting.

• ssh root login for zfs send

  • Allan’s WIP FreeBSD Handbook article to resolve said problem
  • Allan’s fork to zxfer tool to make zfs replication easier

• Disk setup in FreeNAS

  • 6.3.12 Replacing a failed drive

• DevOps

• Second Opinion on security concerns

• Test Google Fiber – use my iperf server!

• Net neutrality

Round Up:

• ‘Blackshades’ Trojan Users Had It Coming — Krebs on Security 97 arrested linked to malware used to capture nude pictures of Miss Teen USA
• Malware Hunting with Mark Russinovich Troubleshooting with Mark Russinovich
• Another Internet Explorer Zero Day Surfaces
• How to properly use traceroute to troubleshoot the internet
• CVE-2014-1761 – Flaw in MS Office RTF parser allows attckers to execute arbitrary code, exploited in the wild since March 2014
• EXE2DOC tool turns any executable into a MS Work Doc exploit
• Emory Accidentally Sends Reformat Request to All Windows PCs
• Sailor hacked 30 public and private organizations, including the US Navy, the Department of Homeland Security, AT&T, and Harvard University while aboard aircraft carrier USS Harry S. Truman
• Why You Should Ditch Adobe Shockwave — Krebs on Security
• James Mickens at Monitorama 2014
• Who owns the media?
• Facebook and CMU design system to detect fake SSL certificates. Of 3.5 million SSL connections made to Facebook during a four-month period starting last December, the team determined that 6,845, or 0.2 percent, used a phony certificate.
• eBay compromised, forcing password reset on all accounts
• Do they mean “hashed” when they say “encrypted”?
• BSDCan: LibreSSL – the first 30 days – slides
• BSDCan: LibreSSL – the first 30 days – video

The post Attachments of Mass Destruction | TechSNAP 163 first appeared on Jupiter Broadcasting.

Adobe’s latest flaw has being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization.

Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more!

On this week’s episode of TechSNAP!

Thanks to:

— Show Notes: —

Adobe releases patch for critical Flash flaw affecting all OSs

• A new exploit has been discovered that works against all versions of Adobe Flash Player
• This is a zero-day exploit, meaning that even a fully patched computer can be exploited
• Adobe has since released the fix, and users are encouraged to apply the patch as soon as possible
• The attack used two different exploits, one general exploit against Flash and the other exploiting a flaw in Internet Explorer
• One of the malware files was detected by Kaspersky using a heuristic signature, but the other was new
• The exploits slightly alter the attack methodology if Windows 8 or newer is detected, to work around mitigations provided by the OS
• The first bit of malware (movie.swf) was generic, downloading more malware from a URL and running it
• The second bit of malware (include.swf) was very specific, targeting “Cisco MeetingPlace Express Add-In version 5”
• “This add-in is used by web-conference participants to view documents and images from presenter\’s screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system”
• This suggests that the malware was written with a very specific target in mind, rather than designed to target the general Internet
• The malware was hosted on an official Syrian government website, although it appears that the site may have been compromised to store the files there
• Kaspersky was not able to examine the payload of the second exploit because the files had already been taken down from the website, and there is evidence to suggest there was a 3rd payload (stream.swf)
• “We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”
• “It\’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.”
• CVE-2015-0515
• Adobe Security Bulletin
• Additional Coverage – ARS Technica
• Additional Coverage – Krebs on Security
• Since IE uses a separate version of Flash from other browsers (Firefox, Chrome, Opera, etc), Windows users will need to apply the patch twice, one to their browser and once to IE, which is used as a component in many other applications including Skype and Steam

Exploit used in the wild against all versions of Internet Explorer 6 through 11

• As part of the same attack from the previous story, an exploit for all versions of Internet Explorer was found
• The exploit was used as part of a watering hole attack
• CVE-2014-1776
• This was to be the first of many 0day exploits that will not be fixed on Windows XP, however Microsoft issued a statement and released the update for Windows XP , inspite of the fact that it is no longer supported

[Heartbleed Followups]

• The heartbleed bug was used to attack and compromise a number of blackhat and underground forums – Many sites were compromised, upgraded OpenSSL but did not revoke SSL certificates or reset passwords
• US-CERT issues advisory warning business and users to update their Apple AirPort devices that are vulnerable to Heartbleed
• CERT has issued an advisory about the NetSSL library failing to properly validate wildcard certificates
• Whitehouse comments, says they did not know about Heartbleed before hand
• Even heartbleed can’t convince people to change their passwords and stop reusing passwords
• Android 4.1.1 has not received OpenSSL patches yet

Feedback:

• Kids WiFi

• Looking for virtualization advice

• XP in a VM

• What advice do you have to help tech geeks find their dream job?

• Suggestion for Brett for backup

• Mondo Rescue – Disaster recovery solution

Round-Up:

• Sony\’s 185TB data tape puts your hard drive to shame
• CERT issues advisory about Toshiba Point-of-Sales systems using weak hashing algorithm for passwords
• SanDisk Announces 4TB SSDs, 8TB & 16TB SSDs to Follow
• Phishers hack email accounts and divert home loan funds
• AOL Finally Admits They Were Hacked
• MIT students raise half million dollars to give every undergraduate student $100 in bitcoins next semester in an effort to build the first true cryptocurrency economy
• FCC chairman \’won\’t hesitate\’ to regulate broadband like a utility if proposed rules fail
• What the internet might look like without Net Neutrality
• Netflix researching “large-scale peer-to-peer technology” for streaming
• This trend shows with Net Neutrality is important — Sonic.net comments on net neutrality
• CISPA 3.0 introduced to the senate
• AT&T’s possible acquisition of DirecTV increases net neutrality concerns

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.

OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then its a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:

— Show Notes: —

OpenBSD launches LibreSSL

• The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
• The goal is to update the coding standards, to use more modern and safer C programming practises
• The impetus for this was infact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
• The way much of OpenSSL is constructed makes it harder to audit with tools like Coverient and Valgrind, and the lack of consistent style, naming etc, makes it exceptionally hard to audit by hand
• There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
• Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
• Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
• So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
• The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
• LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

• Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
• In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
• The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
• OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
• Among the other flaws Apple patched in its new releases are a number other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

• Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye
• An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
• The attack bypassed both the organization\’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
• \”Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,\” Mandiant\’s Christopher Glyer explained.
• With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
• After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
• Additional Coverage

Feedback:

• 2 Questions for Allan and Chris

• SSL Certificate rating questions

• How does Tarsnap\’s dedupe work?

• How to protect apache httpd against ddos?

• How to protect apache httpd from (D)DoS attacks?

• Using Varnish to block DDoS or DoS

Round Up:

• North America is down to its last IPv4 address block
• Heartbleed used to steal SSL private key from Swedish VPN provider mullvad
• ICS-CERT issues advisory about heartbleed vulnerabilities in siemens SCADA/ICS gear
• Healthcare.gov preventatively resets all passwords
• F.B.I. Informant Is Tied to Cyberattacks Abroad
• Heartbleed highlights contradicition of the web
• Intel\’s next-gen Thunderbolt rumored to hit 40Gbps transfer speeds with new connector
• The value of, and problems with, CRLs and OCSP
• Google is working on end-to-end encryption for Gmail
• Java fixes critical SSL flaws

The post Heartbleed Fallout | TechSNAP 160 first appeared on Jupiter Broadcasting.

We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we\’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There\’s a boatload of news and we\’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

• This year\’s BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone\’s looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo\’s talk, \”Releasing NetBSD: So Many Targets, So Little Time\”
• Dru Lavigne\’s talk, \”ZFS Management Tools in FreeNAS and PC-BSD\”
• Scott Long\’s talk, \”Serving one third of the Internet via FreeBSD\”
• Michael W. Lucas\’ talk, \”BSD Breaking Barriers\”

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal\’s second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they\’ve already gotten over 1000 subscribers! It\’s available on Google Play, iTunes, Amazon, etc
• \”We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD\”
• Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There\’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: \”Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL\’s bug tracker is only used to park bugs, not fix them\”
• Sounds like someone else was having fun with the bug for a while too
• There\’s also another OpenSSL bug that\’s possibly worse that OpenBSD patched – it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out – we\’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new \”signify\” tool in OpenBSD
• Now there\’s a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There\’s also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• \”Update Center\” is getting a lot of development and improvements
• Lots of misc. bug fixes and updates

Feedback/Questions

• There\’s a reddit thread we wanted to highlight – a user wants to show his friend BSD and why it\’s great
• Brad writes in
• Sha\’ul writes in
• iGibbs writes in
• Matt writes in

• All the tutorials are posted in their entirety at bsdnow.tv – there\’s a couple new ones on the site now that we\’ll be covering in future episodes
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
• If you\’re in or around Colorado in the US, there\’s a brand new BSD users group that was just formed and announced – they\’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.

Is it time to replace openSSL? We’ll follow up on the Heartbleed story, discuss how attackers got read access to Google’s production servers and then it’s a great batch of your questions and our answers.

All that and much much more…

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Heartbleed followup

• The developer who introduced the heartbeat feature, that lead to the heartbleed flaw, claims it was an honest mistake and denies the involvement of any intelligence agencies or other mischief
• An investigation and some insider info has allowed the construction of a more much accurate timeline of the events leading up to heartbleed and the breakdown of responsible disclosure
• 2014-03-21 (or earlier): Neel Mehta of Google Security discovers Heartbleed vulnerability
• 2014-03-21: Bodo Moeller and Adam Langley of Google commit a patch for the flaw (based on timestamp of the patch sent to OpenSSL and Redhat)
• 2014-03-31 (or earlier): CloudFlare is notified about the flaw under a non-disclosure agreement
• 2014-04-01: Google notifies OpenSSL of the flaw. OpenSSL was going to release a patch that week, but changed the planned release to April 9th to allow more coordination
• 2014-04-02: Researchers at Codenomicon find the same bug
• 2014-04-03: Codenomicon notifies NCSC-FI
• 2014-04-04: Akamai finds out about the bug from an undisclosed source and patches their servers
• 2014-04-04: Rumors begin about a flaw in OpenSSL, but no details are available
• 2014-04-05: Codenomicon purchases the heartbleed.com domain, OpenSSL team commits the Google patch to their private git repo
• 2014-04-06: NCSC-FI (CERT-FI) requests that CERT/CC (Computer Emergency Response Team Coordination Center) allocate a CVE for the bug, no details given. Mark Cox of OpenSSL notifies Redhat about the issue and asks them to coordinate with the other operating systems since Mark is on holiday. RedHat security engineer sends the email to the private distributions list with no details, distros that agree to the embargo (no notification until April 9th) are given the details. These distros include SuSE (Monday, April 7 at 01:15), Debian (01:16), FreeBSD (01:49) and AltLinux (03:00). Other operating systems, Ubuntu (asked at 04:30), Gentoo (07:14) and Chromium (09:15), request details during the night, but by time the RedHat engineer gets up in the morning, the flaw has become public
• 2014-04-07 (or earlier): Facebook is notified and patches their servers
• 2014-04-07: NCSC-FI notifies OpenSSL that Codenomicon has discovered a flaw. OpenSSL team decides that \”the coincidence of the two finds of the same issue at the same time increases the risk while this issue remained unpatched. OpenSSL therefore released updated packages [later] that day.\”
• 2014-04-09: Facebook and Microsoft donate $US15,000 to Neel Mehta via the Internet Bug Bounty program for finding the OpenSSL bug. Mehta gives the funds to the Freedom of the Press Foundation
• In summary, those who knew about the issue before it was public: Google (March 21 or prior), CloudFlare (March 31 or prior), OpenSSL (April 1), Codenomicon (April 2), National Cyber Security Centre Finland (April 3), Akamai (April 4 or earlier) and Facebook (no date given)
• Those who had a few hours of advanced warning: SuSE, Debian, FreeBSD and AltLinux
• There is also a timeline from the perspective of the OpenSSL team
• Researchers at Lawrence Berkeley National Laboratory find No evidence that heartbleed was exploited before it became public
• Meanwhile, researchers at the University of Michigan setup a honeypot and monitored who tried to heartbleed it. Of the 41 groups that attacked the honeypot, the majority of those groups — 59 percent — were in China.
• What is worse than heartbleed? Bugs in heartbleed detection scripts
• Akamai claimed to be protected from heartbleed by their own patches
• They were proven wrong
• Akamai updated their blog post explaining the fault
• Akamai was forced to rekey all of their customers’ SSL certificates

• The Akamai post raises an interesting questions about EV-SSL certificates, and how much longer they might take to re-key

• Is the IETF to blame for allowing the heartbeat feature to be added to the standard in the first place?

• See BSD Now episode 033 for news on the OpenBSD fork of OpenSSL
• Why I quit writing Internet standards
• Statement by the CRA about 900 SIN numbers leaking due to heartbleed
• RCMP arrests 19 year old from London, Ontario for using heartbleed against the CRA
• CloudFlare launched a challenge to see if anyone could capture their private key
• two or more people were successful, and the certificate has since been revoked
• ACM Queue – PHK: Putting OpenSSL out of its misery
• PHK shares his experience making a living while working on open source in “Raking in the dough on Free and Open Source Software”
• Open source is a thankless job, we do it anyway
• Does the OpenSSL flaw alter the “open source is safer” equation?
• Coverity report finds open source software to be higher quality Coverity\’s analysis found an average defect density of .59 for open source C/C++ projects that leverage the Scan service, compared to an average defect density of .72 for proprietary C/C++ code
• 863 CIOs surveyed, 18% said their orgs are unaffected by Heartbleed because they use anti-virus

How we got read access to Google’s production servers

• A group of researchers decided to target Google
• Looking at the trends in the industry, flaws are most often found in:
• Old and deprecated software
• Unknown and hardly accessible software
• Proprietary software that only a few people have access to
• Alpha/Beta releases and otherwise new technologies
• So they did their homework
• They used the Google search engine, to search for software and companies that Google had acquired, antique systems, and products with very few users
• They found the Google Toolbar button gallery
• The product allows users to customize the toolbar by uploading XML that controls the style etc
• They quickly managed to perform an XXE attack
• They were then able to read files on Google’s production servers, including /etc/passwd, and some custom init scripts that Google uses to manage their cluster of servers
• They likely could have escalated the attack, and possibly accessed Google’s internal servers
• The team reporting the issue to Google, and was awarded a $10,000 bug bounty

Feedback:

• LastPass

• Automated bare-metal backups for a physical server?

• SLAs and Daylight Savings

• pfsense and logs

• Heartbleed

• Memory allocation in OpenSSL

Round Up:

• PSA: Fraudulent Crypto Kickstarter Campaign
• weev (AT&T iPad data incident) conviction vacated, the information was not protected by a password or other security mechanism, so accessing it was not “misuse”
• HAM Radio operators accidently tripping arc fault circuit interrupters, American Radio Relay League labs working with manufacturer on fix
• When Azure breaks: Lessons for every cloud programmer
• Obama: NSA Must Reveal Bugs Like Heartbleed, Unless They Help the NSA
• Canadian Government publishes guidelines for staying safe online
• Comcast PAC gave money to every senator examining Time Warner Cable merger | Ars Technica
• 7 Habits of highly successful UNIX admins
• Over $100K in Bitcoin Was Stolen in a Ridiculously Low-Tech Heist

The post Time to Kill openSSL | TechSNAP 158 first appeared on Jupiter Broadcasting.

The NSA admits they’ve been intercepting US communications, the situation in Ukraine is getting very tense, and we’ll update you on many other topics on this unplugged edition of Unfilter!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —

NSA is Crazy

• A government admission of wrongdoing

Last week, National Intelligence Director Gen. James R. Clapper sent a brief letter to Sen. Ron Wyden, D-Ore., a member of the Senate Intelligence Committee, in which he admitted that agents of the National Security Agency (NSA) have been reading innocent Americans’ emails and text messages and listening to digital recordings of their telephone conversations that have been stored in NSA computers, without warrants obtained pursuant to the Constitution. That the NSA is doing this is not newsworthy – Edward Snowden has told the world of this during the past 10 months. What is newsworthy is that the NSA has admitted this, and those admissions have far-reaching consequences.

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Obama creates exception for NSA to exploit internet security flaws

The decision, reported by The New York Times, was made this past January as part of a review of recommendations for reforming the NSA. Officials in the administration tell the Times that Obama decided that the NSA should disclose flaws to the public, but the key is that he provided an all-important exception in the case of a “clear” need for national security and law enforcement purposes. Such exceptions are broad, and could allow the NSA to exploit a flaw such as Hearbleed while the public remained at risk of attacks from hackers and others.

– Thanks for Supporting Unfilter –

:-] Norleif
:-] Robert J
:-] JT A

• Thanks to our 378 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience. ‘

• Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

• Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.

Ukraine

CIA Director John Brennan Makes Emergency Visit to Ukraine Amid Crisis

“We don’t normally comment on the CIA director’s travel but given the extraordinary circumstances in this case and the false claims being leveled by the Russians at the CIA we can confirm that the director was in Kiev as part of a trip to Europe,” White House spokesman Jay Carney told reporters.

• CIA’s Brennan Did not use Real Name during Trip

The person who said this to Interfax in a phone talk added that John Brennan came to Ukraine not under his real name.

Wiretapping Advocate Condoleezza Rice Joins Dropbox Board

The former secretary of state’s consulting firm, RiceHadleyGates, has been advising the startup on management issues for the last year. Now she’ll help the company think about such matters as international expansion and privacy, an issue that dogs every cloud company in the age of Edward Snowden and the NSA. “As a country, we are having a great national conversation and debate about exactly how to manage privacy concerns,” Rice says about her new position. “I look forward to helping Dropbox navigate it.”

Check out + SomaFM: Listener Supported, Commercial Free Internet Radio

We need your donations to keep SomaFM on the air.
We still need to raise $27,641 this month (or $1,320 a day for the next 21 days) to meet our monthly budget. Thank you!!

• SomaFM: Secret Agent: The soundtrack for your stylish, mysterious, dangerous life. For Spies and PIs too! Commercial-free, Listener-supported Radio

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Connect with Chase

The post The Clapper Flipflop | Unfilter 93 first appeared on Jupiter Broadcasting.

Are boutique distributions a bag of hurt for new users?

We love a good underdog, but sometimes our excitement gets the best of us and we recommend something that’s not appropriate for a switcher to land on.

Plus some quick thoughts on the beating open source is taking as fallout from the Heartbleed bug.

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

F.U.

• KDE Visual Design Group: Monday Report #11 – Go time!

• Is anyone else having problems with Gnome Terminal 3.12?

• On The Subject of Linux UX

• Linux Learners – LUP35

• Terminal v/s GUI // Slexy 2.0

• The big point for technical switchers everyone missed

• Steam Controller comes out this fall

Underdog Syndrome

• Recent discussions on LUP about switching
• End of XP brings this to front of mind.

• Ubuntu 14.04 this Sunday on LAS. The big dog on the desktop.

• These smaller, boutique distros are great for experienced enthusiasts.

• Sending users from the worlds most deployed desktop operating system to a niche distribution of a niche desktop operating system is a recipe for failure.

• Support community is always smaller.
• Random poorly crafted Google searches are less likely to show distro relevant results.

• Long term viability of really small teams is always questionable. Larger distros even if corporate backers or the large community dropped it – the code would go on. Smaller distros that’s not always the case.

• Do these concerns apply to the more esoteric desktops, ie Cinnamon, MATE?

Heartbleed Butt Hurt

• OSS name getting dragged through the mud.
• Why are we not focused on the patch turn around time?

• Ability to audit future code.

• Heartbleed Exposes a Problem With Open Source, But It\’s Not What You Think

A week after the Heartbleed OpenSSL vulnerability wreaked havoc across the web, the conversation is shifting from reaction to reflection. The discussion is no longer about what to do now, but what can be done to prevent another Heartbleed from happening in the future. In other words, we\’re entering the blame game chapter in this saga.

• Heartbleed: Open source\’s worst hour | ZDNet

Everyone just assumed that OpenSSL must be perfectly safe because, well OpenSSL has a reputation for being safe, therefore it was safe. Developers, website developers, security experts, one and all, it seems no one ever thought to actually use those eyeballs that successful open source relies upon to check the code to see if it really was safe.

• Did open source matter for Heartbleed? | ZDNet

Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL.

• Stop laying the blame for Heartbleed on open source | Open Source Software – InfoWorld

Security experts acknowledge that open source is the best model for crypto, so how do we drive improvements to the model for creating security-critical infrastructure?

The post Beware of Underdog | LINUX Unplugged 36 first appeared on Jupiter Broadcasting.

The Heartbleed bug has ignited a new round of open source doubters, but are the renewed concerns about the open source development model unfounded? And what can be done to avoid catastrophes like this in the future? We discuss.

Plus an honest discussion about that moment of no return, your feedback, and more!

Note: Apologies for the transitional audio setup while we move between studios. Improvements next week!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes: —

Feedback

• How do you know what to use?
• I quit!!! The difficult conversations and the road ahead.

Dev Hoopla

Heartbleed security bug: a software developer perspective?

Open Source software is the worst kind except for all of the others

A few people have suggested that the problem is that OpenSSL is open source, and code this important should be left to trained professionals. They\’re wrong.

So all in all, it\’s a miracle that OpenSSL works at all, and a tribute to the skill
and diligence of the handful of people who\’ve been working on it all these years.
Experience with heartbleed shows that while open source doesn\’t prevent bugs, it
makes it very fast to fix them.
It\’s been little more than a week since we learned about heartbleed, and surveys show that
the majority of vulnerable systems are already fixed.
(I fixed mine last Tuesday.)

Pick of the week

• pyvideo.org – PyCon US 2014
  > PyCon is the largest annual gathering for the community using and developing the open-source Python programming language. It is produced and underwritten by the Python Software Foundation

The post Open Source, Closed Wallets | CR 97 first appeared on Jupiter Broadcasting.

Can the Intel NUC be a no compromises Linux desktop? Or are there a few challenges you need to know? Spoiler Alert: There are, and we’ve solved them. Find out how the Intel NUC Performance a Gnome 3.12 full fledged desktop.

Plus: One of the biggest games of the year just announced Linux Support, our thoughts on Heartbleed and what it says about the open development model, the post XP era…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Intel NUC Desktop Linux Review

Brought to you by: System76

• Outside of video games, it has a completely uncompromised feeling and desktop experience. Video games do work well at lower resolutions, but struggle at 1080p.
• This NUC requires 1.35 volt memory, it also required timing 11 not timing 9 memory. The computer will not boot with 1.5 volt memory or refresh timing 9 memory. This applies to newer generation NUCs, which is fairly confusing as older generations accepted both 1.5 and 1.35v memory.

My NUC as Speced:

• Up the amount of vram allocated to the intel gpu to something reasonable (1gb+) in UEFI, vastly improves video performance.
• Enable Early KMS start, gives a high resolution terminal and allows a smoother transition to the desktop.
• Install xf86-video-intel, enable multilib, install lib32-intel-dri
• Drivers already default to the new SNA mode, so ignore the first section but do the second section that enables glamour mode
• install libva-intel-driver, you can also use VDPAU as well
• If using gnome, add to /etc/enviroment CLUTTER_PAINT=disable-clipped-redraws:disable-culling to get tear-free video

– Picks –

Runs Linux: This Morse Code Flashing, Enigma Style Encryption Box, Runs Linux.

• The light cryptalk (Versione finale) – YouTube

Desktop App Pick

Bookie – bookmark your web

Bookie Features¶

• Open source!
• Imports from Delicious.com, Google Bookmarks, Google Chrome, and Firefox.
• Google Chrome extension
• Firefox extension
• Bookmarklet for other browsers (mobile devices)
• Store page content and fulltext searches it
• Support for Sqlite, MySQL, and Postgresql
• Mobile friendly responsive layout
• Android app

Weekly Spotlight

CoreOS is Linux for Massive Server Deployments

• CoreOS: A different kind of Linux distribution [LWN.net]

CoreOS is one of the few. While CoreOS is originally based on Chrome OS (another of the few), it has a much different target than that mobile-focused distribution; CoreOS calls itself: “Linux for Massive Server Deployments”.

*

— NEWS —

NSA Said to Exploit Heartbleed Bug for Intelligence for Years

The Heartbleed flaw, introduced in early 2012 in a minor adjustment to the OpenSSL protocol, highlights one of the failings of open source software development.

While many Internet companies rely on the free code, its integrity depends on a small number of underfunded researchers who devote their energies to the projects.

The Many Alternative Computing Worlds of Linux

<img src=“https://i.imgur.com/7QSxMChl.jpg” title=Bohdi Linux"/>

It may not be widely known, but Linux did revolutionize computing. If you own an Android phone or a Kindle e-reader, you are a Linux user. Linux is at the core of those popular devices and is found in a variety of other places, from the world’s most powerful supercomputers down to the tiny Raspberry Pi device that is a favorite among electronics hobbyists.

Star Citizen Confirmed for Linux – Information in Comments

• – What is It? – YouTube

• Star Citizen Pax East 2014 Live – Actual Ingame Scenes 1

• PAX East – Boston, MA April 11–13, 2014

– Feedback: –

• LinuxFest Northwest After Party Plans

• Linux Academy | Linux and AWS Online Training – Special Discount.

• LFNW 2014 Sticker

• Straw Poll: Display Manager

— Chris’ Stash —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged

• Tech Gurus Still Don’t “Get” Linux

• Nephew and I, playing Fez – Part 1

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post Intel NUC Review | LAS s31e08 (308) first appeared on Jupiter Broadcasting.

We break down the critical flaw in OpenSSL, and explain why the Heartbleed catastrophe impacts so many systems we use. the timeline of events, and more.

Plus your great questions, our answers, and much much more.

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Critical flaw in OpenSSL discloses usernames, passwords and possibly encryption keys

• Two separate groups of researchers discovered a disastrous flaw in OpenSSL, the cryptographic library that protects almost all information on the Internet.
• The flaw is in the rarely used OpenSSL feature ‘heartbeat’ which allows the client to send a block of data to the server and have it returned to the client, keeping the connection and session alive
• The flaw stems from a missing security check, where the software assumes that the ‘length’ of the data send by the client matches the length the client included in the header. When the actual length of the data sent by the client is less than that size, the software returns a larger chunk of memory that intended, disclosing the contents of segments of memory that were recently freed
• This flaw allows an attacker to send a malformed request and in response get up to a 64kb chunk of memory from the server that may contain sensitive information
• There are a number of proof-of-concept tools out there, and when used against an HTTPS server, they often return the HTTP headers of recent requests, which can include POST data (usernames, password, private emails) as well as cookies and other data that could be used for session hijacking
• There also exists the possibility that by brute forcing this exploit an attacker may get some or all of the private key used to decrypt data sent to the server over TLS. In the common case of sessions that lack the newer PFS (Perfect Forward Secrecy) feature, if an attacker managed to compromise the private key, they would be able to decrypt all traffic that was ever encrypted to that key
• It is possible that even PFS sessions may be compromised, if the flaw also leaks the temporary tokens used to make PFS sessions unique
• People I’ve talked to have managed to compromise data from their own servers using only very basic tools, including capturing the admin username and password for a router and hijacking a web forum session
• Because of the risk that the private key for the SSL certificate was compromised, the proper course of action after patching all of the servers and applications, is to re-key the certificate (generate a new private key, and get a fresh certificate signed), and then revoke the old certificate. It is unclear how well the root CAs will handle the load caused by this, or how the CRL and/or OCSP infrastructures will handle the mass revocation of keys
• Luckily, the root CA keys are not likely to have been compromised, as they will not have been on servers exposed to the Internet
• OpenSSL provides SSL/TLS for protocols such as HTTPS (encrypted HTTP, used for online banking, logging in to services including gmail and facebook), IMAP/SMTP and POP3 (encryption for email delivery. This affects all email, and especially the usernames and passwords used to access email), chat servers (IRC and XMPP), many types of VPN (SSL VPNs like OpenVPN) and much more
• The flaw was originally discovered by Neel Mehta of Google Security, and around the same time was independently discovered by Riku, Antti and Matti at Codenomicon. The fix was written by Adam Langley agl@chromium.org and Bodo Moeller bmoeller@acm.org
• OpenSSL versions 1.0.1 through 1.0.1f (including 1.01-beta) are vulnerable. 1.0.2-beta1 is also vulnerable. Versions 1.0.0 and 0.9.8 are not affected. All users of 1.0.1 are encouraged in the strongest terms to upgrade to OpenSSL 1.0.1g (or 1.0.2-beta2).
• Questions are being raised about the fumbling of the responsible disclosure. It seems some companies like CloudFlair and CacheFly were notified as much as a week before anyone else.
• Amazon appears to have not been given any advanced warning – A later post describes steps customers should take
• Also, the security officers of major open source projects including all of the BSDs, Debian/Ubuntu, Suse etc, received absolutely no advanced warning, just the initial security advisory.
• It appears that RedHat has approximately 2 days warning because one of the OpenSSL developers is also on their security team
• The researchers at Codenomicon notified the National Cyber Security Centre Finland (NCSC-FI) and tasked them with coordinating the disclosure to OpenSSL, operating system vendors (which should have included the various BSD and Linux projects), appliance and service vendors (Amazon, Cisco, CloudFlare etc)
• The issue appears to be that while the responsible disclosure was being organized, someone leaked the information and forced OpenSSL to issue the advisory. This was followed quickly by the publishing of the heartbleed.com website (by the researchers at Codenomicon) and the CloudFlare blog post.
• It is unclear why CloudFlare was notified, but Amazon and most open source operating systems were not
• CloudFlare Blog Post features a very long comment thread
• Long thread discussing the issue on the Open Source Software Security list
• Insight on the FreeBSD security process
• Timeline:
  • 2012-01-03 – OpenSSL 1.0.1-beta1 is available
  • 2012-03-14 – OpenSSL 1.0.1 is released, first GA version with heartbeat support
  • (sometime prior to 2014-04-05): Researchers at Codenomicon and Google discover the flaw. The flaw is reported to NCSC-FI (CERT) and OpenSSL
  • 2014-04-07 05:56 – Huzaifa Sidhpurwala (RedHat) add a bug to Red Hat bugzilla
  • 2014-04-07 06:10 – Huzaifa Sidhpurwala sends a mail to linux distros list with no details but an offer to request them privately
  • 2014-04-07 11:34 – Timestamp on RedHat OpenSSL 1.0.1g build
  • 2014-04-07 ??:?? – Information about the bug leaks, forces OpenSSL to issue advisory immediately
  • 2014-04-07 16:53 – Fix is committed to OpenSSL git
  • 2014-04-07 17:27 – OpenSSL releases advisory
  • 2014-04-07 18:00 – CloudFlare posts blog entry (claiming they were notified a week ago)
  • 2014-04-07 19:00 – Heartbleed.com is published
  • 2014-04-09 – The planned disclosure of the bug was to happen here
• Vulnerable:
  • Debian Wheezy (stable) (OpenSSL 1.0.1e-2+deb7u4)
  • Ubuntu 12.04.4 LTS (OpenSSL 1.0.1-4ubuntu5.11)
  • CentOS 6.5 (OpenSSL 1.0.1e-15)
  • Fedora 18 (OpenSSL 1.0.1e-4)
  • OpenBSD 5.3 and 5.4 (OpenSSL 1.0.1c 10 May 2012)
  • FreeBSD 10.0 (OpenSSL 1.0.1e 11 Feb 2013)
  • NetBSD 5.0.2 (OpenSSL 1.0.1e)
  • OpenSUSE 12.2 (OpenSSL 1.0.1c)
• Not Vulnerable:
  • Debian Squeeze (oldstable) (OpenSSL 0.9.8o-4squeeze14)
  • SUSE Linux Enterprise Server
  • FreeBSD 8.4 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD 9.2 (OpenSSL 0.9.8y 5 Feb 2013)
  • FreeBSD Ports – OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
• It is not clear how many appliances are vulnerable, but many consumer grade appliances are likely to be vulnerable and unlikely to receive a fix. If the only solution for these devices is to throw them in the trash and replace them, the issue remains that it would likely take 2-12 months for fresh embedded devices to make it to stores where users could buy new ones
• Analysis:
  • Reddit conspiracy theory – Suggest PHK was right. Did the NSA/GCHQ pay someone to insert this flaw in OpenSSL?
  • Bruce Schneier – Heartbleed is a catastrophic bug in OpenSSL
  • Theo de Raadt – OpenSSL has mitigation counter measures to break the operating systems ability to mitigate such attacks
  • Ted Unangst – Why this didn’t have to happen
  • Ted Unangst – Fixing the mitigation counter measures
  • Brian Krebs – heartbleed exposes web traffic
  • Brian Krebs – heartbleed, what can you do?
  • Elastica – Video explaing heartbleed
  • Sean Cassidy – Diagnosis of Heart Bleed
  • Matthew Green – Attack of the week: OpenSSL Heartbleed
    
  • Matthew Sullivan – Hijacking user sessions with the Heartbleed vulnerability
  • EFF – Possibile evidence that HeartBleed was used by Intelligence Agencies last year
  • [RETRACTED] Errata Security – Why heartbleed doesn’t leak private keys
  • The Hacker News OpenSSL Game
  • List of sites that were vulnerable
  • XKCD
• Canada Halts Online Tax-Filing Services
• The Heartbleed Hit List: The Passwords You Need to Change Right Now
• Additional Coverage – The Register
• Additional Coverage – Washington Post
• Additional Coverage – ThreatPost
• IDS Signature for detecting heartbleed
• What you should know about heartbleed
• Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style
• FreeBSD Security Advisory

Feedback:

• Heartbleed is manna from heaven for spooks and criminals?

• Amazing FreeNAS Motherboard

• PKI at Home

• Applying for an internship at an IT security consulting company

Round Up:

• Comcast: Without Time Warner Cable, we can’t compete against Google, Netflix
• 18 year old security researcher claims to have ability to print airline boarding passes and get free flights around Europe – Will present at “Hack in the box” next month in Amsterdam
• The #1 New Paid App In The Play Store Costs $4, Has Over 10,000 Downloads, A 4.7-Star Rating… And It\’s A Total Scam
• Seagate releases first 6TB drives using perpendicular magnetic recording, no helium required. 25% faster than the WD 6TB Helium drive (which never specified what RPM it ran at). Available in 2, 4, 5 and 6 TB sizes, with SAS 12g/s or SATA 6g/s interfaces and featuring 128mb of cache with a max sustained data transfer rate of 216 MB/s (226 MB/s with SAS interface)
• Drop Condoleezza Rice or we will #dropdropbox
• 5 year old discovered XBox security flaw, access an account without the password by pressing the sparebar a few times… Microsoft sends a gift package including four free games, US$50 and a one-year Xbox Live subscription
• Hewlett-Packard Admits To International Bribery and Money Laundering Schemes
• Before anyone called it “the cloud”, game companies depended on GameSpy to do multiplayer matchmaking “in the cloud”. Since is now shutting down, leaving many older makes unplayable
• Zeus malware found with valid digital certificate
• Scenes from the 2014 Kaspersky Security Analyst Summit
• Microsoft announces Skype TX with studio-grade audio and video for broadcasters
• Schneier: Unbreaking encryption is likely not unbreakable
• MtGox CEO faces likely US arrest as legal woes mount over failed bitcoin exchange

The post SSL Heartbreak | TechSNAP 157 first appeared on Jupiter Broadcasting.