Show Notes: extras.show/53

The post AWS 411: Christophe Limpalair | Jupiter Extras 53 first appeared on Jupiter Broadcasting.

How to get an SSL certificate for other people’s domains, how to decrypt HTTPS traffic with some javascript & the latest storage reliability report.

Plus great questions & a rocking round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Keeping Positive: Obtaining wildcard SSL certificates for arbitrary domains

I recently decided to investigate the security of various certificate authority’s online certificate issuing systems. These online issuers allow certificate authorities to verify that someone owns a specific domain, such as thehackerblog.com and get a signed certificate so they can enable SSL/TLS on their domain.

When I started out hunting for possible vulnerabilities, my initial strategy was to look for the cheapest, most 90’s-looking, poorly designed certificate authority websites. Since the compromise of any certificate authority allows an attacker to bypass all the protections of SSL/TLS it doesn’t even have to be a popular provider because they all have the same power. After doing a bit of searching I realized it would be advantageous to do testing against authorities that had free SSL certificates, since doing tests against these wouldn’t cost me any money. I passed on Let’s Encrypt because I figured it had already been thoroughly audited, the second site I saw was a 30 day free trial from Positive SSL (a company owned by Comodo).

Upon entering your CSR and selecting the software you used to generate it, you then select the email address for domain validation (from the website’s WHOIS) and arrive on a “Corporate Details” page. This is the vulnerable portion of the application, where you fill out your company/personal information getting to the email validation portion

When I first went through this process I mindlessly filled out junk HTML for all of these fields. The service then sent a verification email to the email address on the website’s WHOIS info. Once I received the email, I noticed the HTML was not being properly escaped and the markup I had entered before was being evaluated. This is really bad because the email also contained a verification code which could be used to obtain an SSL/TLS certificate for my website. This means if I had a way to leak a victim’s token, I could obtain a valid certificate for their site, so that I could intercept traffic to that site seamlessly without users knowing I was doing so

• Normally, the email provides the user with a link and the code to validate the certificate. However, because an attacker can fill out the form fields with HTML, they can change the message in the email, instead requiring you to click a link within the next 24 hours to REJECT this bogus certificate
• So, in the field he wrote some HTML that included an form tag and a textarea tag that was never closed
• This resulted in everything that appears after that field in the email, being swallowed by the text area, rather than the body of the email.
• Then a later form field adds a button, “click here to reject this request”. When the user clicks the button, it submits the contents of the HTML textarea (including the verification code) to the attacker’s website, giving them the code, allowing them to approve the certificate for YOUR domain

Form submissions are a great way to leak secrets like this because they work in many different mail clients. Even the iPhone’s Mail app supports this functionality

Once I’ve leaked the code from the victim in this way, I can then log into the account I created during the certificate request process and download the SSL/TLS certificate

One other important thing to note is that resellers of Comodo’s certificates were also affected as well. This risk is amplified because resellers can have a customized HTML header and footer for the verification emails that get sent out. This means that it would be possible for a third party vendor to have a dangling tag in the header combined with a single quote in the footer which would side-channel leak the verification code in the email body (similar to the attack above, but automatic with no user interaction). This style of dangling mark-up injection wasn’t possible in the previously proof-of-concept but is possible for resellers.

• Timeline:
• June 4th, 2016 – Emailed security@comodo.com and reached out on Twitter to @Comodo_SSL.
  • June 6th, 2016 – Robin from Comodo confirms this is the correct contact to report security issues, provides PGP key.
  • June 6th, 2016 – Emailed Comodo the vulnerability PGP-encrypted and sent my PGP public key.
  • June 7th, 2016 – Robin from Comodo confirms they understand the bug and state they will work on a fix as soon as possible.
  • June 20th, 2016 – Emailed Comodo for status update.
  • July 1st, 2016 – Outline timeline for responsible disclosure date (90 days from report date per industry standards).
  • July 25th, 2016 – Robin from Comodo confirms a fix has be put in place.

Normally, the name of the game when it comes to finding a way to mint arbitrary SSL/TLS certificates is to find the smallest, cheapest, and oldest certificate provider you can. Comodo is the exact opposite of this, they have a 40.6% marketshare and are the largest minter of certificates on the internet. Basically, they are the largest provider of SSL/TLS certificates and yet they still suffer from security issues which would be (hopefully) caught on a regular penetration testing engagement. This paints a grim picture for the certificate authority system. If the top providers can’t secure their systems, how could the smaller providers possibly be expected to do so? It’s a hard game to play since the odds are heavily stacked in the attacker’s favor with tons of certificate authorities all with the power to mint arbitrary certificates. A single CA compromise and the entire system falls apart.

Luckily, we have some defences against this with newer web technologies such as Public Key Pinning which offers protection against attackers using forged certificates. This is a fairly powerful mitigation against an attacker with a forged certificate. However, the support is iffy with a lack of support in Internet Explorer, Edge, Safari, and Safari on iOS.

Many people like to speak of a certificate authority hack as if it was something only a nation state could accomplish, but just a day’s worth of searching led me to this issue and I don’t doubt that many providers suffer from much more severe vulnerabilities. What happens when your attacker doesn’t care about ethical boundaries and is willing to do much more in-depth testing? After all, this is Comodo, the largest provider. What about the smaller certificate providers? Do they really stand a chance?

HEIST: New attack allows stealing sensitive information web HTTPS encrypted pages

• HEIST: HTTP Encrypted Information can be Stolen through TCP-windows
• This new attack exploits how HTTPS responses are delivered over TCP, and how compression is used, and the new Javascript API

The exploit is notable because it doesn’t require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

• “HEIST makes a number of attacks much easier to execute,” Tom Van Goethem, one of the researchers who devised the technique, told Ars. “Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.”
• Rather than having to visit a malicious website, all that is required is that you end up being served a malicious advertisement, on any website

Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses—say, @gmail.com, in the case of an e-mail address—in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.

To determine the size of an HTTPS-protected response, the attacker uses an oracle technique that returns what amounts to a yes-or-no response to each guess. When a request containing “value=” results in the same data size, the attacker knows that string is inside the encrypted response and then tries to modify the guess to include the next character, say “value=0”. If that guess results in a larger file size, the attacker knows it’s wrong and will try “value=1”, “value=2”, and so on until the new guess similarly results in a response that shows no increase in file size. The attacker then tries to guess the next character and repeats the process until the entire token has been recovered.

Until now, this BREACH-style exploit required the attacker to be able to actively manipulate the traffic passing between the Web server and end user. A HEIST-enabled BREACH exploit removes that limitation. It does this by using TCP characteristics as a quasi cryptographic side channel to measure the size of an HTTPS response. TCP divides large transmissions into smaller fixed-sized chunks called frames and further groups frames inside what are called TCP windows, which are sent one at a time. TCP sends a new window only after receiving confirmation that frames from the previous window were received by the end user.

HEIST is able to count the number of frames and windows sent by interacting with a set of newly approved APIs, one called Resource Timing and another called Fetch. In the process, they allow a piece of JavaScript to determine the exact size of an HTTPS response.

Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don’t work unless third-party cookies are allowed.

Wednesday’s demo will show how a malicious ad displayed on The New York Times website is able to painstakingly measure the size of an encrypted response sent by a fictitious third-party site they dubbed targetwebsite.com (see the image below). It will go on to show how that information can be used to infer the characters contained in a security token designed to prevent cross-site request forgery attacks

• And, we are not protected by the next generation HTTP protocol either

HEIST is also effective against HTTP/2, the drop-in replacement for the older HTTP standard that encrypts all Web traffic. In some cases, HEIST can abuse new features of HTTP/2 to increase the damaging effects.

• If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content,” Vanhoef and Van Goethem wrote in a research paper.

Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well.

It’s too early to know if HEIST combined with BREACH will be exploited against real people visiting real HTTPS-protected websites. While there’s no indication that BREACH has ever been exploited in the wild, the new convenience offered by HEIST may change that.

• Blackhat Slides
• Research Paper

Backblaze: 2016 Q2 hard drive failure rates

• Backblaze has published their latest numbers on drive failures
• This is the first report to feature the newer 8TB drives
• As before, the HGST drives are doing very well, although some models seem to be doing better than others. The Seagate drives are on spec, and the Western Digital drives are not doing so well. Although there is relatively few WD drives, not because of the high failure rate, but as explained in the 2016Q1 report, just difficulty acquiring large numbers of them
• Almost half of all drives in BackBlaze are the Seagate 4TB desktop model
• I think it would help for BackBlaze’s formula to consider the age of the drive. Of course the failure rate of older drives will increase over time. It would be interesting to see a graph of the failure rate vs drive age
• The Seagate 4TB drives seem to be doing as expected. I feel confident in my decision to purchase these exact drives for my own use
• Backblaze explains their formula, and reminders readers to consider the formula when looking at the numbers. A single drive failure in a new set of Toshiba 5TB drives gives a result of a nearly 9% failure rate, but obviously the sample set is too small
• There is also an interesting discussion of their migration process, moving data from 64+ month old hard drives to new larger drives
• Further down, they also provide a breakdown of their failure statistics from 2013 through 2016, which makes for much more interesting reading
• In general, most of the drives seem to perform as expected, with a 1 – 3 % annual failure rate
• Of course, BackBlaze does not buy the fancier Enterprise drives. Hopefully someone else will produce a similar report using Enterprise drives, so we can see if they are worth the extra money.

The 4TB Seagate drives are our workhorse drives today and their 2.8% annualized failure rate is more than acceptable for us. Their low failure rate roughly translates to an average of one drive failure per Storage Pod per year. Over the next few months expect more on our migrations, a look at the day in the life of a data center tech, and an update of the “bathtub” curve, i.e. hard drive failure over time

• If you would like to do your own thing with the data, here it is

Feedback:

• Any way to guess or estimate how many drives would be needed? // Slexy 2.0

• how secure are long unique links?

• Google’s Unguessable URLs – Schneier on Security

• Redirecting domain requests, mail and linking droplets

  • DNS Made Easy for dns or backup mx

• Hosting your own email – follow up to Feedback Episode 277

Round Up:

• Networking hardware vendor TP-Link today admitted violating US radio frequency rules by selling routers that could operate at power levels higher than their approved limits. In a settlement with the Federal Communications Commission, TP-Link agreed to pay a $200,000 fine, comply with the rules going forward, and to let customers install open source firmware on routers
• FireFox 48 finally ships, with multiprocess support. For the next few days, only a fraction of a percent of Firefox 48 users will have Electrolysis turned on by default. If this mini-rollout goes well, the multiprocess feature will be rolled out to about half of all Firefox 48 users
• Malvertising Campaign Infected Thousands of Users per Day for More than a Year
• EFF Files lawsuit challenging DMCA provisions that place restrictions on security researchers
• Iranian hackers compromise Telegram’s secure messaging
• FireEye releases: Overload: Critical lessons from 15 years of ICS vulnerabilities
• QRLJacking attack can bypass any QR login system
• Something I have been saying for years, FTC says frequent forced password changes are the enemy of security Allan’s post from 2009 came to the same conclusion
• Japanese Olympic Gymnist racks up $5000 mobile data bill playing Pokemon go in Brazil
• Deanonymizing Windows users and stealing Microsoft and VPN accounts
• SwiftKey was accidently sharing your autocorrect suggestions with other people, leaking email contents, search history, and more

The post Dangerous Dangling Quotes | TechSNAP 278 first appeared on Jupiter Broadcasting.

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

• The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
• It turns out to not have been as big a deal as we were lead to believe
• The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
• The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
• It affects all versions of Samba clear back to 3.0
• “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
• “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
• See the Samba Release Planning page for more details about support lifetime for each branch
• Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
• The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
• Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
• It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
• “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
• Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
• standard Samba server – modify user permissions on files or directories.
• There were also a number of related CVEs that are also fixed:
  • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
  • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
  • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
  • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
  • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
  • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
  • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
• Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
• “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
• “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
• Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

• Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
• They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
• The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
• Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
• There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
• Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
• Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
• What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
• Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
• Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
• On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
• Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
• Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
• Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
• Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
• Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
• Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
• Additional Coverage: Forbes
• Additional Coverage: WordFence
• Additional Coverage: Slashdot
• In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

• “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
• “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
  How I can recover from a rm -rf / now in a timely manner?”
• There is not usually any easy way to recover from something like this
• That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
• It is usually best to not have your backups mounted directly, for exactly this reason
• Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
• While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
• Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
• When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
• Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
• There are plenty of other examples of this same problem though
• Steam accidently deletes ALL of your files
• Bryan Cantrill tells a similiar story from the old SunOS days
• Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
• Additional Coverage: ServerFault
• When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

• NAS or SAN?
• Full SSD ZFS array

Round Up:

• “FreeBSD Mastery: Advanced ZFS” has been released as ebook for $9.99, print version in a few weeks
• Book features a fancy “Wrap Around” cover, the secret art not revealed yet
• How to not get pwned on Windows: Don’t run any virtual machines, open any web pages, Office docs, hyperlinks
• OpenWhisperSystems has integrated its Signal Protocol public key encryption systems into WhatsApp, now fully end-to-end encrypted with identity verification
• FBI bought previously undisclosed zeroday to crack the iPhone 5c
• After Apple claims to have fixed iOS 1970 bug in February, researchers demo a new remote version, bricks your device 20 minutes after connecting to their rouge WiFi, if your battery doesn’t catch fire first…
• 0-day exploits more than double as attackers prevail in security arms race
• Proving apps don’t take data security seriously, new website uses Tinder’s official API to let you spy on other users
• Google’s monthly Android update fixes Linux kernel flaw from 2014 that was being used to root Android devices
• Nest pulls the plug on the Resolv Hub, leaving owners who were promised a lifetime service subscription with a $299 paperweight
• The entire Turkish citizenship database appears to have been hacked and leaked online
• Python, Go, and PHP (before 5.6), failed to check for self-signed, expired, or worse revoked SSL certificates, also older versions may still accept RC4 and weak DH (logjam)
• Cellebrite, the company originally rumoured to have helped the FBI crack the iPhone, set to release a road side ‘textalyzer’, to determine if you were using your cell phone at the time of an accident
• Google’s new “BeyondCorp” security model, all networks are untrusted, users earn trust with good behaviour, devices earn trust with known good state
• All the resources in the world are not use if you don’t know how to use them

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

Kronda makes wordpress sites, manages a blog & offers educational resources for learning wordpress!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Interview – Kronda – @kronda

• Life as I Know It – This is my story, and I’m sticking to it.
• Kronda (@kronda) | Twitter
• Tech Journey – Life as I Know It
• Blog – Karvel Digital
• Karvel Digital | Websites That Work
• Karvel Digital (@KarvelDigital) | Twitter
• Xander Oz (@stateofthecat) | Twitter

Are you looking for the transcription? Please let us know you use it and we may bring it back!

• WTR Transcription Poll

The post Impress with Wordpress | WTR 57 first appeared on Jupiter Broadcasting.

Since Allan is off being fancy at FOSDEM, we decided that now would be a good time to celebrate the audience & feature some of the best feedback we’ve had over the years!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Episode List

• Ideal ZFS Configurations | TechSNAP 135
• TrekSNAP | TechSNAP 134
• Best Tool for the Job | TechSNAP 80
• ZFS Can Do that | TechSNAP 130
• One Ping Only | TechSNAP 133
• Ideal ZFS Configurations | TechSNAP 135
• A Rip in NTP | TechSNAP 237
• EXTenuating Circumstances | TechSNAP 215
• Not Neutrality | TechSNAP 161
• Double ROT-13 | TechSNAP 241

The post A Look Back On Feedback | TechSNAP 251 first appeared on Jupiter Broadcasting.

Breanne is the owner & web developer for Nerd Nest Media. It provides web design, development, SEO work, brand consulting & social media marketing!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Nerd Nest Media
• (3) Nerd Nest Media
• Nerd Nest Media (@NerdNestMedia) | Twitter

Full transcription of previous episodes can be found below:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: Angela, so this week, my friend Breanne joins us. She is a solo founder for the company Nerd Nest Media, and she talks about her journey in technology, what’s like to be a solo founder a little bit, and just kind of the many hats that she has worn in her journey.
ANGELA: Awesome. Before we get into the interview, I want to DigitalOcean. They are the sponsor for this week. They are a cloud housing provider dedicated to offering the most intuitive and easy way to spin up a cloud server. And let me just tell you, I was faced with a situation a couple months ago where my son turned six and was really into MineCraft and had been playing the pocket edition on his iPad. But it just quite wasn’t enough. And of course I — well, I think I might have been able to find a way to play with him via my iPad, but I’m not sure. But regardless, I wanted to get a dedicated server up and running so that he and I could play on the same maps. So, I used a DigitalOcean droplet to spin up a MIneCraft server that will always be up and running. They have locations for their data centers in New York, San Francisco, Singapore, Amsterdam, and London. I don’t have to worry about if our house has a power outage. Well, I wouldn’t be able to play at that point, but anyway, wherever the server is hosted, I don’t have to worry about a power outage, because the server will always be up and running in the cloud. And it’s only $5.00 a month. And if you use the code heywtr, you can get a $10.00 credit, which is a two month credit. So, think about the projects that you could use DigitalOcean for and use heywtr promo code for it.
PAIGE: And don’t forget, if you already have a DIgitalOcean set up, but you haven’t used one of our codes, go ahead and pop it in there. Sometimes it just might work.
And out question for Breanna when we got started was to kind of give us a overview of what she does in Technology.
BREANNE: Hi. I’m Breanne Smith. I am the current owner and web developer for Nerd Nest Media. My company provides web design development, SEO work, brand consulting, social media marketing. And that is my current role in technology.
PAIGE: So, you’re kind of a many hat wearer? Would you consider yourself an entrepreneur?
BREANNE: I would. The entrepreneur side of me has definitely been coming out as each day progresses. But I really love technology, so I’ve just been kind of one of those closet nerds, if you will. Just researching, doing things on my own. And then it’s kind of given me the love for wanting to provide these services for people to get them to understand what the web is and how it can help their business.
PAIGE: So, it was kind of the journey for you learning to understand that made you want to kind of help others do the same?
BREANNE: Yes and no. You know, I went back to school later in life. I’m in my 30s now and just graduated in 2012. When I first went to college back out of high school I thought I wanted to write for Rolling Stone magazine. So, I was doing journalism, music theory stuff back then. Which is great, because now I still get to use my love writing and creativity, but just in a totally more technologically advanced way. So, that’s what I started doing. And then I moved from Indiana to Austin Texas and I started working for a nationwide property maintenance company. So, I was managing like 20 people at the time and had a portfolio of like 7,000 foreclosed homes all over the country that I was maintaining. So, it taught me a lot about professionalism, completing tasks on time. really kind of prepped me for that real world situation. And then, from there, I, we moved out to Oregon and I really didn’t have a job or anything going on. So I thought, you know what, I am going to take my love for technology and see what I could do with maybe going back to school and starting a business of my own. My parents owned a couple of furniture stores in Indiana and they’re actually who really catapulted me into wanting to start my own business, because as a small company themselves, they were paying this “web company” that was really not doing much for them, $350.00 a month to maintain their website, do social media posts, things like that. And my parents were getting frustrated and not understanding why they weren’t getting results and this web company was helping them. So, I asked, you know, hey I know a little bit about a little bit. Can I talk with them and maybe see what they’re doing and use the big technical terms and kind of coxe out of them what they’re doing. I called these people and turned out, they were just a marketing company who said they can do web work and were outsourcing this web work.
ANGELA: Oh my goodness.
BREANNE: To other people who knew nothing about my parent’s business. They knew nothing about their business practices. And so, getting off that phone call, I was the most frustrated I’ve ever been in my life for my parents. You know, that they’re this small company, they’re older, they don’t understand the value of the web and what it can do for you. They know, just from me harping on them, that they needed a website. And a the time, I didn’t have my degree so I didn’t know all the ins and out of it. So I literally went back to school solely to-
ANGELA: Help your parents?
BREANNE: Kind of negate these people. Yeah. Well, no. I actually don’t like to do business with my family.
ANGELA: Right.
BREANNE: Because it can — I don’t want to mix business with pleasure there, but it really kind of made me see what type of people are out there saying that they can do the stuff for small business and build their brand and build their company, but in reality they’re not doing anything. They’re just taking money and saying that they’re going to put this post up. And the post, you know, even on their social site, has nothing to do with what their business is.
ANGELA: Yep.
BREANNE: So, once my husband I moved out here to Oregon I thought, okay I’m going back to school. I’m getting my degree in web design and development, and I’m going to start company that has morals, wouldn’t treat people the way that these so called web companies were treating my parents, and really pride myself on kind of hand holding a lot of my clients through this process of understanding how their business can actually grow with putting a little money into the web side of it.
ANGELA: Right. That sounds-
BREANNE: I know that’s a little long winded but-
ANGELA: No, no, no. It sounds exactly like what I went through with my mom. Because she’s self-employed. She’s owned a restaurant in downtown Seattle for 20 years now. I think.
BREANNE: Oh wow.
ANGELA: Anyway. Yeah, and she recently was on the, I need to, I need the social media aspect. I was the one that forced her to do a Facebook page and she’s really popular on there. She post her specials there every day. But then a social media company, just like you said, came along and was like we can build your brand and whatever. And she went for it. ANd it’s really not yielding anything.
BREANNE: Oh man.
PAIGE: It seems like a market that seems so easy to take advantage of people, because you just have to use some jargon.
ANGELA: Yep.
BREANNE: You’re exactly right. And they think, oh wow, they’re using all these great buzz words. I’ve heard that word before but I don’t really understand it. And so, it took a lot of me sitting down with my parents and getting them to understand how they were taking advantage of my parents. Because they didn’t even really understand what they were or weren’t doing, to be honest with you.
ANGELA: Uh-huh.
BREANNE: I was so frustrated. Seriously. I was just horribly frustrated for them and knowing that there’s hundreds of companies, probably thousands of companies like that out there, where there’s outsourcing everything. It really doesn’t give that personal touch. And it really just makes me feel like all these small businesses are just giving away money and not getting anything in return, and then getting a sour taste in their mouth about what the web can do for them.
ANGELA: Right.
PAIGE: I’m going to pick your brain then. What’s a good thing to watch out for? If I can’t necessarily work with you, how do I know, if i own a business or something, like what’s the difference between working with someone like you and someone who is going to take advantage of me? How can I tell the difference?
BREANNE: A big thing is reading the name of their company. If they have the word marketing in their company, nine times out of ten they are a marketing company. If they can offer web services that’s great, but I would, as a small business I would talk to them about what their services provide and who is providing those services for me. Is there a point of contact I can call and talk to that person who is building my site and have them explain to me why it looks this way or talk to them about how I want it to look differently. If they’re impersonal with you and, oh I have to get back with you, and 13 emails later they’re still not answering your questions, if they’re dodging questions, dodging answers, things like that, those are big signs really, for me at least. And knowing that they’re just solely in for marketing and that hundred to $400,000.00 whatever it is montly fee that they’re getting. And honestly, it’s a gut thing too. You know, if you’re not getting the right service from somebody and you’re not feeling like they’re really being helpful, that’s another big key point that they’re probably — they probably don’t know what they’re talking about.
PAIGE: So you started out hoping to do music journalism.
BREANNE: Uh-huh.
PAIGE: And you ended up in web design and development, essentially, right?
BREANNE: Uh-huh.
PAIGE: What does that transition look like? Why? have you always been nerdy? Were you the kid with the Commodore 64 hacking away at the keyboard? What does that look like for you?
BREANNE: Well, for me I wasn’t — you know, I was always int, you know, we always had, my dad actually has always been very much so up on the technical side of things. Like, we always had the latest, greatest TVs and radios and as soon as the computer came out we had the computer, desktop in our house at the time. So, which was huge, mind you. So, you know, I always have been interested in it, but I don’t think I really grasped the understanding and really the power of technology until I was working for that management company, the property management company. And we had such a cool system we used on the back end and I saw just really how it helped their business. That kind of pushed me forward and shifted my gears. Like I said, I’m in my 30s, so I’m, you know, it really shifted my mind into thinking, okay how can this benefit every company out there. And so, I really, you know, I’ve always dabbled. I love video games. I always played video games as a kid, but I really don’t think it was until I got older and understood how it could compute to business that made me really want to start doing this as a career.
PAIGE: All right. So, I”ve got to ask. What was your favorite video game as a kid?
BREANNE: I mean, I’m old school though. I didn’t do, like I got a little bit-
PAIGE: We’re equally old school in this room.
ANGELA: Yeah. We’re your age too.
BREANNE: Okay, cool. So I was more in, I mean I loved Mario and Duck Hunt and, you know, all of that stuff too, but I love-
ANGELA: Donkey Kong. Say Donkey Kong.
BREANNE: Yes. Yes. I was going to say Donkey Kong, but I just am aging myself here, but yeah Donkey Kong. All those little games I loved to play. Mario Bros of course was my — I mean, that’s true to my heart. I always played it.
PAIGE: You know, I still know how to get all the warp zones, right?
BREANNE: Me too.
PAIGE: Yeah. Totally. Yeah, Mario, Legend of Zelda and original Tetris on the Gameboy for me. Those were the big ones. Especially in competitive mode, because I still have yet to meet anyone who can beat me on Tetris in competitive mode. Which is not normal mode people, it’s different.
BREANNE: What about Punch Out? Did anybody play Punch Out all the time?
ANGELA: Nope.
BREANNE: No?
PAIGE: I like the, we had the Olympics. We had the power mat and so you do the olympics thing. That was definitely better than (unintelligible).
ANGELA: Yeah, i remember that now.
BREANNE: That’s way cooler.
PAIGE: I learned very quickly, as did my little sister, that running on the powermat was not nearly as fast as sitting next to the powermat and hitting it with your hands like bongos.
BREANNE: Oh my gosh. Yeah.
PAIGE: Much, much faster. You can get way farther, and then you can jump infinitely because you just lift your hands and on the long jump you just win.
ANGELA: Oh my gosh.
BREANNE: Oh my gosh, that’s amazing.
PAIGE: Right. Yeah, it’s cheating.
BREANNE: Where were you growing up?
PAIGE: Massachusetts.
ANGELA: VIdeo game hacks.
PAIGE: Yeah. Well, you know, when you can’t go outside in the sun because you’re a ginger you have to do something in the summer. So, do you still pay video games?
BREANNE: Yeah, I do. I mean, and of course I’ve stayed true to Nintendo, so I just have a Wii, because I literally, like that’s how much I love Mario Bros. Like, I will play every single one that comes out.
PAIGE: Have you played the new Mario titles where you can play like four players simultaneously?
ANGELA: What?
BREANNE: I don’t have a Wii U, so I’m not sure if that’s new with the Wii u?
PAIGE: No. No. It’s a Wii title.
BREANNE: It is? Okay.
PAIGE: Yeah. You’ve got to check it out.
BREANNE: I haven’t played it.
PAIGE: Yeah. You can play four players simultaneously, and when you have a Yoshi you can eat the other players and then spit them.
BREANNE: Oh my gosh.
PAIGE: It’s amazing.
BREANNE: I”m typing this right now so I don’t forget.
PAIGE: So if you folks at home haven’t tried it out, it’s old now, but, and i think they just put out another new one, but I don’t have a Wii U either. So what do you use as tools to get your job done? Like, you — I know, because we’ve talked before, that you use WordPress, but either what do you use in WordPress, what sort of text editor do you use? What helps you get your job done?
BREANNE: So, text editor wise, I mean I love Sublime Text and Notepad ++. Those are both my go to text editors and things like that. But I do love WordPress and I love to work on content management systems, especially for my clients, because it really helps them be able to feel like they have a grasp on their website. And even go in, if I teach — I can teach them how to go in and make their own blog posts, their own changes. And then they don’t have to utilize me or pay me money. Especially if they’re a little bit on the tech savvy side, so thats’ why i use WordPress and why I love WordPress.
PAIGE: Yeah. I totally agree. I like to tell people, I’m like, if you can post on Facebook, you can learn enough WordPress to help yourself out.
BREANNE: Exactly. That’s exactly right. And I’m actually just — I just got done before this walking through my last client with his blog and getting him up to speed with everything. And he made his first blog post and uploaded the images and everything himself. So, and knows how to change the sidebars to what it needs to be. So it’s really empowering for me to see them get it and smile and understand they’re in charge. It’s not just me, it’s them. So, that’s why I love WordPress so much. I mean, it’s got it’s faults as far as security sometimes, but other than that, I mean, as long as you have a good security plugin in place, you’re good to go. But then I love Illustrator and PhotoShop and stuff. I do all — I love those for design and doing mock ups and things like that. That’s about all I use.
PAIGE: Did you learn most of that in your school program, self-taught? Did you have online resources?
BREANNE: I’m mostly self-taught. I loved school. I am — I think that’s where my nerdiness comes from is because I always loved school as a kid. I never missed a day of school from kindergarten to my senior year. Got a special nerd award for that at the end of my senior year.
PAIGE: That is a very special nerd award.
ANGELA: Yep.
BREANNE: I still have it. But, yeah, so I think my love of school really carried me through, you know, getting through college this time and helped me be more successful. I don’t want to tell someone who is in school that they shouldn’t be in school, but honestly, the type of work that we do, a lot of it is self-taught. ANd you have to continually educate yourself aster school even, you know, to keep up with the latest trends and keep your ear to the ground with technology. So, it’s not say that I didn’t — that I’m not glad I didn’t — went to school and got my degree, but, you know, to be honest with you, most of the stuff I’ve learned as been self-taught. I used Lynda.com a lot for things that — I don’t like to tell my clents no, ever. So if i don’t know it, I don’t tell them I don’t know it, I just research and learn and try, you know, and charge them less for that since I have to do more education time on my end. So that’s kind of how I feel. I’m more successful in this industry, because I am so willing to learn — so much more willing to learn all of the new technology that’s out there.
ANGELA: So, do your clients basically use you to get up and running or — do they do that and then they’re on their own and you also have continuing customers where you actually do the stuff for the?
BREANNE: Yes. I kind of am a one stop shop. I think Paige said, you know, I’m a woman of many hats. I can do a full service as far as if someone just comes to me and they’re like , I don’t want to understand this. I don’t care to understand this. I need a new website. I can do their hosting for them. I do hosting reselling. And also set up their domain, buy their domain, set up everthing from scratch. And then I can either help them maintain that every month if they want me to, or like I said teach them how and they can do that, and I take a back seat unless there’s an emergency I”ll come back in. But then, there’s that flip side of things where someone is already up and running. My main client that I have, I’ve had her for two years and when she came to me two years ago she had had a web designer who was getting frustrated with her. I love her with all of my heart, but she’s more into the pretty side of things and not the technical side of things, which is fine, but I don’t think it translate well if a web person isn’t able to kind of speak to her in those layman’s terms and get her to understand it and why she has to pay this money.
ANGELA: RIght.
BREANNE: So that web person left her and took her entire website down. So she was stranded with no website and she runs a very high end salon and so she was completely stranded with no website. So, I came in, got it back up, because it was a WordPress site. I was able to recover it and since then has helped maintain her site and am rebuilding that one plus a new one for her for a separate salon she’s doing currently. So, I’ve been working with her for two years and it’s been great. So, I love the ongoing stuff, but am able to just do one quick fix for clients and then they can about their business if they don’t need me anymore.
ANGELA: Sure.
PAIGE: Yeah. It think it sounds, I don’t know what (unintelligible) this is, but I think that if you have a small business working with other small businesses for your other services is really beneficial for both parties usually. As a small business, you can do things that as a giant business someone might not be able to, because they’re tied up in red tape or corporate policy or whatever . Like some marketing company that has all these standards and SOP and jazz.
BREANNE: Exactly. I really like it, because you can really, you know, dive into their culture and kind of really get to understand their company. And so, I think I do better work when I understand the business, obviously, and understand what they’re mission is and what they’re goals are. It helps me to really format the site to help their end user a lot better.
PAIGE: Yeah. I agree with that. Even as a developer, people think you’re just making computer stuff work, because I don’t really do design or when I do it’s terrible, but even understanding what the user experience is supposed to be or –and necessarily, the client doesn’t always know what they want in the experience. They’re just like, this is what we do and these are the customers i have, and being able to kind of craft that. I can do so much better when I can sit down and have talk time with them and get to know their business, or stop by their business, or whatever.
BREANNE: Exactly. I really love that so much more than — because I do — I have lived in many states so a lot of my clients are out of state. And so it’s — there’s something to be said about sitting down and having a cup of coffee or tea with somebody and explaining their business, versus being on Skype or something like that. Because there can be distractions and they’re not really into it. So if I can get somebody to focus with me it goes a lot easier.
ANGELA: Have you ever been to a sewing retreat?
BREANNE: I have not, but I do love sewing.
ANGELA: I recently went to a sewing retreat and it was so much fun. It was just two full — well two and a half days of sewing and it was just amazing. But what do you like to sew?
BREANNE: I like to sew anything. I love to make clothes. That’s what i started doing as a young girl. My mom made all my baby clothes when I was kid and so — and then she made these awesome dolls that she would sell to get more fabric to make my clothes.
ANGELA: Wow.
BREANNE: So, I learned from a very young age. Yeah, she’s really awesome. But I learned from a young age how to sew and to work around a sewing machine. But in more recent years I’ve been teaching myself to knit and crochet a little bit. It’s not my strong points but the sewing machine is my strongest point. And I love to sew anything. From pillows to clothes to anything.
ANGELA: Cool.
PAIGE: I have a love/hate relationship with sewing and crocheting. I’m amazing at sewing and crocheting in straight lines.
BREANNE: Yeah.
PAIGE: But not turning. So, if you have a pattern that is straight lines, I actually sew very well. It was — part of theatre degree is that you have to do costuming. I know how to do all the seeming and all the edging, but if i have to turn, not as good. Pillowcases, awesome.
BREANNE: Yep, just a square.
PAIGE: Oh yeah. Yep. No problem there.
BREANNE: Well you’ll have to tell me more about the sewing retreat. That sounds really cool. Can you bring whatever type of sewing stuff or is it-
ANGELA: Yeah. You just — in this case you — it was about 25 women and we went to Warm Beach, which is here in Washington, and we rented out a bunch of rooms and we just set up and we were able to keep out setup in this banquet room all weekend, and the beachfront was right there. It was amazing.
BREANNE: Sounds awesome.
ANGELA: And all the meals were catered. Yeah. I ate so much, I thought that I would literally weigh five to 10 pounds more when I was done, but I actually lost a couple pounds because I would walk. I would go for a walk on the beach after eating, which speeds up your metabolism. It was awesome.
PAIGE: I just wanted to ask one more thing.
BREANNE: Yeah.
PAIGE: If there is one thing in technology that kind of is either coming down the pipe or gets your really jazzed now what is it?
BREANNE: Wearables. I’m all about wearables right now and the power that they have.
ANGELA: So how is your Apple Watch?
BREANNE: I don’t have an Apple Watch.
ANGELA: I’m just kidding.
BREANNE: I’m an Android fangirl.
ANGELA: Ah, okay.
BREANNE: I have been Android from the start. We do not even have any Apple products in our house until my husband had to get a work phone and I said, well get an iPhone so I can test my websites on it and stop using emulators.
ANGELA: Perfect. Perfect, right? That works.
PAIGE: So, do you have an Android watch?
BREANNE: I do. But I started out with like Fitbit then other things like that, but I really love the blending of the fitness side of things with the nerdy tech smartwatch side of things.
ANGELA: With the practicality. Yeah. So, do you have the Pebble? Is that Android? I don’t even –
BREANNE: Uh, yes. Yes. It’s actually what I have. Yeah, I’m waiting for the two to come out though.
PAIGE: The Pebble is (unintelligible). That’s very cool.
BREANNE: I’m waiting for the Pebble 2.
ANGELA: Uh-huh.
PAIGE: Nice. I am a little intimidated. So, Angela, in studio, has the Apple Watch and I keep watching her flip it and it looks really shiny and stuff, but I’m a little intimidated because I have found in my life right now, where I’m trying to get a lot of high volume work, high quality work done, like the less notifications I can have in my life the better off I am. Like, how do you balance that, the two of you?
ANGELA: I have certain people disabled for notifications and Telegram, it can only tell me so much on my watch and i can’t respond to it, so mainly it’s come in handy like if I”m at the bus stop and trying to get Dylan off the bus and put a stroller, I can just look at my watch real quick and see a notification or know that somebody is available.
BREANNE: Yeah, I agree with you on the integration of the watch with my phone. I think, you know, especially for me the working out more and stuff, I just my phone , or excuse me, my watch a lot more for that than i do my phone. I can keep it nearby but not have to carry my bulky phone around.
ANGELA: Uh-huh.
BREANNE: And then as far as, I use my phone more for like long winded emails. But if I just need to send something really fast I can use my watch. Or just notify my husband really quick, I”m on my way. Anything like that. It’s a lot easier on my phone to just reply with a little emoji or something than it is to pull out my phone, like you were saying, and mess with that. It’s just an (unintelligible) of use type of things for me. Anything to make my life easier I’m all for it.
ANGELA: And I was wearing a Fitbit as well up until I got the Apple Watch. And in fact, I wore both of them for two weeks on the same wrist, because I just didn’t want to let go of the social aspect of Fitbit.
PAIGE: Well, you can still use the phone for Fitbit.
ANGELA: Yeah. Oh, I don’t know, yeah, okay. Well it still had — so I still use my Fitbit at night for sleep though.
PAIGE: You can use both.
ANGELA: Really?
PAIGE: Uh-huh.
ANGELA: Okay. You’ll have to show me how to set that up.
PAIGE: I will show you that.
ANGELA: Because I have no idea.
PAIGE: Yeah. I like FItBit, but I don’t own a Fitbit device anymore, because I never got the wrist one and they’re small and I lose everything.
ANGELA: Yeah.
PAIGE: Well, so you guys have me interested. I have one other question. Were either of you watch wearers before you got your smart watches?
BREANNE: I was not at all. I literally only, I don’t even wear earrings anymore. I just wear my wedding ring. So it is like the only other thing besides my wedding ring I wear.
ANGELA: I wanted to be, but I am one allergic to nickel, I believe, and two I have very acidic skin. So any watch I’d wear it would literally corrode the metal. It’s weird. It’s not like the metal would wear away. The metal would explode from inside. It would, like a barnacle. You know, it was so weird. And it would cause rashes and stuff so I stopped wearing. but I have the sports band Apple Watch, which isn’t metal at all. And so far I”ve had no irritation from the back of the watch where it’s metal.
PAIGE: Yeah, I’ll be interested to see if your Apple Watch explodes.
ANGELA: I know, right?
PAIGE: If it does, we need pictures.
ANGELA: Well, it doesn’t literally explode. You know what I mean? So I would, I love having a watch.
PAIGE: Interesting.
BREANNE: A friend of mine has the Apple Watch and he has tattoos on his wrist, and they’re very dark as it gets down to his wrist, so he actually has to wear it on his other wrist, because it won’t read his wrist.
PAIGE: Yeah. It can’t read through the-
BREANNE: Because there’s dark. Yeah.
PAIGE: Because it’s an optical heart rate monitor, so it literally can’t read through your skin.
BREANNE: Yeah.
PAIGE: I think that they’ve adjusted so that people of darker color are okay, but tattoos are too much.
ANGELA: Wow. Yeah, I didn’t even think about that.
PAIGE: The ink is still too much in the way.
ANGELA: Huh.
PAIGE: Yeah, because it’s based on the same technology that the use in hospitals where they clip the little pulse monitor to your finger.
ANGELA: Right. Right. But I didn’t think about people of people of darker color. It’s kind of like Band-Aid coming out with skin tone, but only for Caucasian.
PAIGE: And correct me, audience, if I’m wrong, but as far as I know it works for skin but tattoo ink, especially in the very dark colors is too much, because it’s several layers of problems.
ANGELA: Oh.
BREANNE: And I’m pretty sure you’re right. That they’ve fixed the darker skin, but just not the tattoos. And his are like two big, huge black lines that come down towards his wrist. Not good. But I just — I actually read this morning that Google is actually trying to get this tiny, tiny little radar system that actually and sense your hand gestures and stuff, because I guess in their mind smartwatches and stuff aren’t taking off as well as they should be. And so, you know, it’s more like early adopters and stuff like that. Like us, that really, really want new technology and stuff that are getting it, not so much the general population. And so they’re trying to — and I guess Google’s thinking behind it is that they’re such tiny little touch screens that it makes the device difficult to control it, I guess. And so they’re developing this radar system that can sense hand gestures instead of having to just put your finger on the screen.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember that you can find the show notes with full transcription over at jupiterbroadcasting.com. Just go to the shows dropdown and select Women’s Tech Radio.
PAIGE: You can also use the contact form on the web page to select Women’s Tech Radio to get in touch with us, or shoot us an email at wtr@jupiterbroadcasting.com . You can also find out show on iTunes and you can follow us on Twitter @heywtr. Thanks for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post Nerd Nest Media | WTR 32 first appeared on Jupiter Broadcasting.

Using encryption is a good thing, but its just the start, we’ll explain. Plus how one developer totally owned the Uber app.

Then it’s a great batch of your questions & our answers!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

OPSEC (Operational Security) for Activists and Journalists

• Using encryption is a good thing, but if you need to hide from advanced adversaries, like foreign governments you are protecting against or reporting on, you need more than just encryption to make sure you don’t get “disappeared”
• The FBI has identified people even when they were using tor
• “The only protection against communication systems is to avoid their use.” —Cryptome [32], Communications Privacy Folly, June 13, 2012
• Anti-forensics [33] is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer then give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.
• Especially important secret government messages are still passed by courier, even the government doesn’t trust crypto 100%
• “Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment [44] during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.”
• “Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag”
• “If spies somehow captures a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. When Edward Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.”
• “In summary, expect security tools to fail, compartmentalize to contain damage and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.”

How I accessed employee settings on the Uber app

• While debugging an upcoming app, Nathan Mock an iOS Engineer, “accidentally” got a closer glimpse into Uber’s iOS app internals.
• Using Charles, a tool that allows you to monitor and analyze traffic between a client and the internet. You are able to self sign requests, effectively allowing you to view the requests in plain text. With the requests flowing in, he noticed a request made every 5 seconds.
• One particular request of interest is used by Uber to receive and communicate rider location, driver availability, application configurations settings and more to devices.
• Upon inspecting the response, he discovered the key isAdmin, which was set to false for his particular account. Charles allows you to define rewrite rules, so he rewrote the response changing, the value for isAdmin to true, curious to see the effects it would have on the app. He perused through the app with the new value applied… lo and behold, he stumbled upon the Employee Settings screen from the About screen
• Uber’s app is extremely dynamic. Their client’s architecture allows them to customize the app’s UI to certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course, change prices…all without re-submitting the binary for approval to the app store. This is common practice for many client-server applications, a neat way to target certain features/functionality to a limited subset of users without the burden/time constraints of submitting an app for review.
• If a malicious developer wanted to get a forbidden feature or functionality past the review team, it is possible to hide the feature behind a “switch”, turning it off during the review process only to enable it after approved, all server side. If their purpose is to control the feature set of apps that get into the store, it can be bypassed through this type of client-server configuration architecture. Apple certainly has the power to take an app down once they make the discovery but before they make that discovery, it is out in the wild.
• As you can see, your traffic is not 100% safe and anyone can inspect your requests and responses (even with HTTPS), so it’s a good idea to always utilize defensive programming. A malicious third party could use this flaw to exploit the app in ways unforeseen. Even though Uber utilized HTTPS, there are still inherent flaws with the protocol that allows one to access certain screens meant for employees only.
• Uber recently suffered a data breach that leaked information about 50,000 drivers
• The breach apparently occurred on May 13 2014, was not discovered until September 17 2014, and was not announced until February 27 2015.
• “Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert”
• It turns out, Uber might have accidently stored sensitive database keys on a public github page, is sueing Github to get the IP address of those who accessed the information

Feedback:

• iSCSI Question

• What software is used for the video link on Techsnap (between Allan and Chris)

• Freebsd 10.1 on aging iMac G4

Round Up:

• Iran implicated in hack on US Casino
• How NGINX plans to support HTTP/2 and why it won’t be happening very soon
• This guys light bulb performed DDoS on his entire Smart House
• Intel announces new socketed i7 with Iris Pro graphics, and new i7 NUC
• MySQL 5.7 will include an HTTP server built in, to provide JSON API to access data
• Skylight – looking inside a new SMR (Shingled Magnetic Recording) drive while it is running
• The IT department is dead, Long live the IT department
• War Story: Building a ZFS Foot Cannon
• New Pharming attack targets home routers

The post An Uber Mess | TechSNAP 205 first appeared on Jupiter Broadcasting.

Fedora’s project lead joins us to discuss today’s Fedora 21 release, the possibility of the project switching to an Intel style Tick-Tock release & what Fedora 22 might look like.

Plus what the Ubuntu Snappy Core announcement means, why it’s a big deal & why it could be amazing for the desktop one day.

Then was 2014 the year Roku killed XMBC for us?

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• Yes, This Trojan Infects Linux. No, It’s Not The Tuxpocalypse

“The Linux Turla module is a C/C++ executable statically linked against multiple libraries, greatly increasing its file size. It was stripped of symbol information, more likely intended to increase analysis effort than to decrease file size. Its functionality includes hidden network communications, arbitrary remote command execution, and remote management. Much of its code is based on public sources.”

FU:

• Best of Jupiter Broadcasting Submission Form

• Runs Linux

• Action Shot

• Was 2014 the year Roku killed the XMBC dream for Matt and Chris?

• Roku 3 is 5x faster and has a motion controller for games

• Docker vs Rocket – A short comment

• Endless sea of Window Managers/DE’s
• MoonLight Desktop Environment, Modular and Lightweight.

This project aims to create a desktop environment for GNU/Linux systems, mainly for those that runs in low performance devices such as old PCs, Raspberry Pi, embedded devices and others.

It is focused in modularity in order to be lightweight and adaptable, also there will not be fancy graphics. Another important aspect of this solution is the integration with the rest of the system. We aim to provide a desktop environment capable of integrate the different applications in your system.

• Audacious music player. Winamp like player.

Fedora 21 is OUT!

Guest

MatthewMiller – FedoraProject

Fedora Project Leader

• It’s here and it is awesome. Announcing Fedora 21!

It’s Here! Announcing Fedora 21! | Fedora Magazine

As part of the Fedora.next initiative, Fedora 21 comes in three flavors: Cloud, Server, and Workstation — whether you’re using Linux on your laptop, using Linux on your servers, or spinning up containers or images in the cloud, we have what you need to be successful.

First Look: Fedora 21 has something for everyone | ITworld

There is something for everyone

Even though Gnome is the default DE of Fedora there are many official spins of Fedora including KDE, Xfce, LXDE, MATE, etc.

The only difference, that I noticed, is that Gnome seems to get more love. Fedora picked popular, and more feature-rich applications over the default Gnome apps for the Workstation. For example, instead of shipping Epiphany it pre-installed Firefox.

Other spins offer a more vanilla experience of that desktop. In the case of KDE Spin you will get the entire stack of KDE software, such as Kmail, Konqueror web browser and Calligra Office instead of widely used apps like LibreOffice, Thunderbird or Firefox.

I have been using Fedora 21 RC on a test machine for over a week and I am quite impressed with it. If you are aspiring to become a software developer, Fedora would be a great distro to start with.

Need more motivation? Linus Torvalds, the creator of Linux, runs Fedora on all of his machines.

Now go ahead and download Fedora from the official page.

Announcing Snappy Ubuntu | Cloud | Ubuntu

Ubuntu Core is a new rendition of Ubuntu for the cloud with transactional updates. Ubuntu Core is a minimal server image with the same libraries as today’s Ubuntu, but applications are provided through a simpler mechanism. The snappy approach is faster, more reliable, and lets us provide stronger security guarantees for apps and users — that’s why we call them “snappy” applications.

Snappy apps and Ubuntu Core itself can be upgraded atomically and rolled back if needed — a bulletproof approach to systems management that is perfect for container deployments. It’s called “transactional” or “image-based” systems management, and we’re delighted to make it available on every Ubuntu certified cloud.

• Dustin Kirkland – Google+

Dustin Kirkland is Canonical’s Cloud Solutions Product Manager, leading the technical product strategy, road map, and life cycle of the Ubuntu Cloud commercial offerings.

• It’s a Snap!

Snappy introduces transactional updates and atomic, image based workflows — old ideas implemented in databases for decades — adapted to Ubuntu cloud and server ecosystems for the emerging cloud design patterns known as microservice architectures.

• Mark Shuttleworth » Announcing Ubuntu Core, with snappy transactional updates!

This is in a sense the biggest break with tradition in 10 years of Ubuntu, because Ubuntu Core doesn’t use debs or apt-get. We call it “snappy” because that’s the new bullet-proof mechanism for app delivery and system updates; it’s completely different to the traditional package-based Ubuntu server and desktop. The snappy system keeps each part of Ubuntu in a separate, read-only file, and does the same for each application.

Runs Linux from the people:

• Send in a pic/video of your runs Linux.
• Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

• Tech Talk Today Today | Jupiter Broadcasting

Support Jupiter Broadcasting on Patreon

Post-Show

• QEMU Advent Calendar 2014

• Look What you Made Chris Do!

Documented for all, the very moment Chris jumped the shark. In a sacrifice so great, it could only be made for his art, a shocking revelation is made.

• GOgroove FlexSMART X2 Bluetooth Wireless In-Car FM Transmitter with USB Charging , Music Control and Hands-Free Calling – Works with Apple , Samsung , HTC , LG , Sony & More Smartphones , Tablets , MP3 Players: Car Electronics

The post Next Gen Fedora | LINUX Unplugged 70 first appeared on Jupiter Broadcasting.

Coming up this week, we’ll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb’s ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• “FreeBSD has supported loading PIEs for a while now, but the applications in base weren’t compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support”
• If you’re running -CURRENT, just add “WITH_PIE=1” to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone’s gotta test the pfSense hardware devices before they’re sold, which involves powering them all on at least once
• To make that process faster, they’re building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only…) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• “The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice”
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels’ overhead factor

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we’re slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what’s in -CURRENT (but still isn’t using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There’s a list of changes between 9.2 and 9.3 as well, but we’ll be sure to cover it when the -RELEASE hits

Interview – Bryce Chidester – brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the “linux questions” forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to “politics” (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He’s part of the “Jenkins CI for FreeBSD” group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about… the food

FreeBSD disk partitioning

• For his latest book series on FreeBSD’s GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don’t have to read the tons of mailing list posts, he’s summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It’s now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• The minimum disk size requirement has increased to 512MB

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• A special thanks to our viewer Lars for writing most of today’s tutorial and sending it in
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Devious Methods | BSD Now 42 first appeared on Jupiter Broadcasting.

Mike and Chris chat about Firefox OS’s big boost, and how things could be starting to get very interesting for mobile and HTML5 developers. Then debate if Canonical is surrendering the desktop war.

Plus Mike reviews his new HTC One, your emails, and more!

Thanks to:

GoDaddy.com Use our code coder249 to get a .COM for $2.49.

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Feedback:

• Dev Horror story Android not updated by the manufacturer can be a big deal

• Mid-level development

HTC ONE: The Mike Review

• HTC One review | BGR

The HTC One is the best Android smartphone in the world — period. It combines some of the best materials with the most incredible screen I\’ve seen, and is the fastest and most responsive Android phone I have used.

• HTC One Review: The Competition Is Fierce, But HTC’s New Flagship Rises To The Challenge | TechCrunch

I can boil the preceding 3,000 or so words into a few brief sentiments for you to chew on: the HTC One is easily the best device that the company has ever crafted, and it\’s perhaps the single nicest Android phone I\’ve ever used. Despite some minor faults, I haven\’t so much as picked up any of the other Android smartphones scattered around my office during my time with the One unless I absolutely had to. It\’s really that good.

• Review: HTC One Is the Current King of the Android Hill

The phone — like all phones — does have its shortcomings. There\’s no way to expand the storage, which HTC attempts to address by shipping the base model with 32 gigabytes of memory instead of the more standard 16 gigabytes. There\’s also no way to replace the battery. The power button on the top left of the phone is set at a bit of a downward angle that forces your finger to curl up and over the top edge of the phone in order to access it, which makes waking the phone up a tad cumbersome at times. And people with small hands may still find the 4.7-in.-screened handset too large to use comfortably.

Hoopla:

• Mozilla and China » Foxconn Joins the Firefox OS Eco-System

At a press conference earlier today in Taipei (2pm local time on 6/3/2013),****the Foxconn Technology Group announced their support for Firefox OS, Mozilla\’s open Web mobile operating system. The partnership includes collaboration on the use of the Firefox OS on Foxconn devices to create new, integrated offerings. For complete press release, see Mozilla\’s press center for more details.

• Mozilla inks deal with Foxconn to co-develop Firefox OS devices, shows off its first-ever tablet

• Mozilla inks deal with Foxconn to co-develop Firefox OS devices, shows off its first-ever tablet

As you may have already heard, the former company has signed on to become the 19th member of the latter\’s Firefox OS alliance, and it\’s already working on at least five devices.

• Mark Shuttleworth gives up dream of Ubuntu toppling Windows | Ars Technica

Today, Shuttleworth has declared the bug \”closed,\” but the bug wasn\’t fixed as a result of Ubuntu\’s popularity. It was fixed by the rise of iOS and Android. As for Ubuntu, Shuttleworth now says, \”it\’s better for us to focus our intent on excellence in our own right rather than our impact on someone else\’s product.\”

Tool of the Week

• Airmail

Book of the Week

• Amazon.com: Gates: How Microsoft\’s Mogul Reinvented an Industry–and Made Himself the Richest Man in America

The post 52 Commits | CR 52 first appeared on Jupiter Broadcasting.

We cover the state of media production on Linux, and share our tips to get your own podcast, powered by Linux, off the ground! And we answer a very popular audience question: how to record Skype calls under Linux.

Plus: A mini-review of KDE 4.10, Gabe claims Linux is a “get-out-of-jail free pass” for the gaming industry, Carmack says skip native the native port and focus on WINE, we share the great news for new Linux laptop users…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Use our code linux295 to get a .COM for $2.95.

47% off your ENTIRE order just use our code go47off2 until the 13th!.

Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show: