HP – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Mon, 25 Jul 2022 09:20:01 +0000

The Read Only Scenario | LINUX Unplugged 468
https://original.jupiterbroadcasting.net/149347/the-read-only-scenario-linux-unplugged-468/
Sun, 24 Jul 2022 22:00:00 +0000

Show Notes: linuxunplugged.com/468

The post The Read Only Scenario | LINUX Unplugged 468 first appeared on Jupiter Broadcasting.

Better than Butter | LINUX Unplugged 459
https://original.jupiterbroadcasting.net/148672/better-than-butter-linux-unplugged-459/
Sun, 22 May 2022 19:45:00 +0000

Show Notes: linuxunplugged.com/459

The post Better than Butter | LINUX Unplugged 459 first appeared on Jupiter Broadcasting.

Desktop As A Service | User Error 16
https://original.jupiterbroadcasting.net/116526/desktop-as-a-service-user-error-16/
Mon, 10 Jul 2017 23:12:44 +0000

Links

  • The Two Cultures – Wikipedia
  • Amazon.com: The Two Cultures (Canto Classics) (9781107606142): C. P. Snow, Stefan Collini: Books
  • 2017 Linux Laptop Survey Results – Phoronix

The post Desktop As A Service | User Error 16 first appeared on Jupiter Broadcasting.

Low Cost Linux Challenge | LAS 455
https://original.jupiterbroadcasting.net/106646/low-cost-linux-challenge-las-455/
Sun, 05 Feb 2017 17:52:56 +0000

The post Low Cost Linux Challenge | LAS 455 first appeared on Jupiter Broadcasting.

— Show Notes: —



How Low can You go? Cheap Linux Systems

Inexpensive Video Card

Low Cost Laptop

  • Intel® Core(TM) i5-6200U Processor 2.3GHz with turbo boost up to 2.8GHz
  • 8GB DDR3L-SDRAM Memory
  • More productive. Windows 10 is the best for bringing ideas forward and getting things done.
  • 1TB 5400RPM Hard Drive, DVD Writer
  • 15.6″ diagonal Full HD SVA antiglare WLED-backlit (1920 x 1080)

SanDisk SSD

— PICKS —

Runs Linux

TERES-A64-BLACK, DIY Laptop, Runs Linux

If you’re curious about building a cheap, entirely open-source laptop from scratch using step-by-step instructions, the Teres I could be just the ticket.


If buyers follow the instructions correctly, they should end up with a 980gm (2.16lb) laptop featuring a quad-core Allwinner A64 64-bit Cortex-A53 processor, an 11.6-inch LCD screen, 4GB flash storage, Wi-Fi and Bluetooth connectivity, a camera, and 7,000mAh battery.

Desktop App Pick

jam: Google Play Music console player for Linux and Windows

The features it has are:

  • Last.fm scrobbling
  • populating a local database with the artists and albums you saved through the web interface (or by any other means)
  • searching within artists in the database
  • playing, pausing (buggy, I need help with it), stopping, previous track, next track
  • the interface is Cmus rip off, I’ve only added a progress bar
  • this player no longer lists artists in random order – if you want to randomize them press R

Distro of the Week

Whonix

Whonix is a desktop operating system designed for advanced security and privacy. It realistically addresses attacks while maintaining usability. It makes online anonymity possible via fail-safe, automatic, and desktop-wide use of the Tor network.

A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP leaks. Pre-installed, pre-configured applications are ready for use, and installing additional applications or personalizing the desktop will in no way jeopardize the user. Whonix is the only actively developed OS designed to be run inside a VM and paired with Tor.


— NEWS —

KDE – Plasma 5.9 Kicks off 2017 in Style.

KDE Plasma 5.9

Tuesday, 31 January 2017. Today KDE releases this year’s first Plasma feature update, Plasma 5.9. While this release brings many exciting new features to your desktop, we’ll continue to provide bugfixes to Plasma 5.8 LTS.

KDE and Slimbook Release a Laptop for KDE Fans

KDE Slimbook, together with KDE neon, offers us a unique opportunity to isolate and fix issues that users have with our software. When something in Plasma, a KDE Application or some software using a KDE Framework does not work as intended for a user, there are at least three layers that can cause the problem:

  • The KDE software itself
  • The operating system
  • The hardware or its drivers

  • Hardware

  • Slimbook KDE

  • i5 $786.26 US Dollar

  • i7 $915.69 US Dollar

The Document Foundation announces feature-rich LibreOffice 5.3

LibreOffice 5.3 represents a significant step forward in the evolution of the software: it offers an introduction to new features such as online with collaborative editing, which increase the competitive positioning of the application, and at the same time provides incremental improvements, to make the program more reliable, interoperable and user-friendly.

Feedback:

Noah Needs Help!

  • Fixing a Trackpad

We recently purchased an Asus Republic of Gamer Laptop. Model G752V

The issue is when you press on the trackpad buttons they do not register a click right or left. If you place your finger even lightly on the trackpad the left button then registered but not the right. If you place TWO fingers on the trackpad and click with the left button it registers as a right click.

If you execute the command synclient ClickPad=0 the left button then works but still no right click.

We have researched the problem at length and basically what we’ve concluded is that it requires a Kernel patch.

I have a meeting on Monday evening at which point I either need this problem fixed or I am going to have to find another solution, and I don’t have any more time to spend on it.

If there is someone out there that knows how to / is willing to help me fix this, I am willing to pay you! Get ahold of me via telegram, twitter, or email @Kernellinux or noah [at] jupiterbroadcasting [dot] com with a quote. BY MONDAY NIGHT I WILL HAVE ANOTHER SOLUTION!

Mail Bag

  • Name: Paul D
  • Subject: Bulletproof Linux

  • Message:

Here’s my suggestion for your bulletproof Linux setup.

Stick with Arch that you know and love, but build it on a filesystem that supports snapshots (I’d recommend ZFS). Then set up auto snapshotting e.g. every day.

I rebuilt my main system just before Christmas on ZFS, then some weeks later as an afterthought, enabled daily snapshots. The very next day I did something silly whilst browsing, clicked on a dodgy link, and started having windows opening by themselves. The solution – logout, drop to a terminal, issue a single “zfs rollback” command, and my home partition was restored to how it was when I’d booted that day!

Arch is pretty stable, despite being rolling. Providing you reboot when you update and follow the Arch Announcements list you won’t have any issues. I also only update monthly as I can’t see the point in doing so more frequently for a system that you want to keep stable.

  • Name: Mark
  • Subject: Help with Antergos

  • Message:

Hello LAS! I catch the LAAS podcast every week. But right now I could use your assistance. I just got an Oryx Pro 17.3 inch with 32 GB of RAM, 512 SSD, and 1 TB 7200rpm hard drive with an 8 GB GTX1070 Nvidia GPU. The problem I am having is trying to get Antergos installed. Even in the live boot, the cursor always is stuck in the upper left corner and even after installing it to the hard drive it is the same or will not boot at all. I have tried Debian and other distros with the same issues, even tried Manjaro and it was no better.
Can you help me?

Signature Bloatware Updates | TechSNAP 270
https://original.jupiterbroadcasting.net/100366/signature-bloatware-updates-techsnap-270/
Thu, 09 Jun 2016 10:03:13 +0000

The post Signature Bloatware Updates | TechSNAP 270 first appeared on Jupiter Broadcasting.


The bloatware shipping on those new computers is way, way worse than you probably thought, Internet exposed printers & the thrilling story of reverse engineering an ATM skimmer. Yes that’s really a thing.

Plus great questions, our answers & more!


Show Notes:

Nice brand new computer you have there, would be a shame if something happened to it

  • “According to a report published by two-factor authentication service Duo Security, third-party updating tools installed by Dell, HP, Lenovo, Acer, and Asus (the top five Windows PC OEMs) are exposing their devices to man-in-the-middle attacks.”
  • “OEM PC vendors understandably need a way to maintain and install more of the aforementioned bloatware. The Duo Labs team investigated OEM software update tools spanning five vendors: Acer, Asus, Dell, HP, and Lenovo.”
  • “Implementing a robust, secure system for delivering software updates to users requires a thorough threat model, and a fundamental understanding of how to correctly make use of the various cryptosystems available to do so. Many OEM vendors don’t seem to understand or care about the need for building basic security measures into their software, resulting in software rife with vulnerabilities.”
  • “Whether it’s a creep on the coffee shop WiFi or a nation state sitting on all the right trunks, any software that downloads and executes arbitrary binaries is an enticing target to attackers. This is a well-established fact — in 2006, some dude broke Mozilla’s Auto-Update; in 2010, there was Evilgrade; in 2012, Flame malware authors discovered how to man-in-the-middle (MITM) Windows Update; and in January 2016, there was the Sparkle debacle. This shows that targeting the transmission of executable files on the wire is a no-brainer for attackers.”
  • “The scope of this research paper is limited to OEM updaters, although this wasn’t the only attack surface found on these systems. Basic reverse engineering uncovered flaws that affected every single vendor reviewed, often with a very low barrier to both discovery and exploitation.”
  • The results:
    • Dell — One high-risk vulnerability involving lack of certificate best practices, known as eDellroot
    • Hewlett Packard — Two high-risk vulnerabilities that could have resulted in arbitrary code execution on affected systems. In addition, five medium-to-low risk vulnerabilities were also identified.
    • Asus — One high-risk vulnerability that allows for arbitrary code execution, as well as one medium-severity local privilege escalation
    • Acer — Two high-risk vulnerabilities that allow for arbitrary code execution.
    • Lenovo — One high-risk vulnerability that allows for arbitrary code execution.
  • Other Findings:
  • “Every vendor shipped with a preinstalled updater, that had at least one vulnerability resulting in arbitrary remote code execution as SYSTEM, allowing for a complete compromise of the affected machine”
  • Every new machine came with crapware, and an auto-updater for the crapware. The auto-updater made the machine less secure, not more secure as expected. Not to mention that this report doesn’t actually look at the crapware itself
  • “There was a very low level of technical sophistication required – that is, it was trivial to exploit most of the vulnerabilities”
  • They didn’t have to try very hard, some of these updaters run a local HTTP server that anything can connect to
  • “Vendors often failed to make even basic use of TLS, properly validate update integrity, or verify the authenticity of update manifest contents”
  • This means that a random person at the coffee shop, or the government, can pretend to be your OEM’s update server, and feed you malware instead of security fixes
  • “Vendors sometimes had multiple software updaters for different purposes and different implementations, some more secure than others”
  • Multiple auto-updaters, that is what everyone wants
  • “The large attack surface presented by ancillary OEM software components makes updater-specific bugs easier to exploit in practice by providing the missing pieces of the puzzle through other tools bundled with their systems”
  • If the auto-updater isn’t buggy enough, the crapware provides everything else you need to compromise the system
  • “Microsoft offers ‘Signature Edition’ systems which are intended to be free of the third-party software that plagues so many OEM systems. However, OEM-supplied software updaters and support packages are often still present on these machines.”
  • So even if you pay extra for a brand new system free of crapware, it still has the auto-updater that makes the system insecure
  • Additional Coverage
  • Additional Coverage: Lenovo tells users to uninstall vulnerable updater

Clinton email server — may have had an internet based printer…

  • “The Associated Press today points to a remarkable footnote in a recent State Department inspector general report on the Hillary Clinton email scandal: The mail was managed from the vanity domain “clintonemail.com.” But here’s a potentially more explosive finding: A review of the historic domain registration records for that domain indicates that whoever built the private email server for the Clintons also had the not-so-bright idea of connecting it to an Internet-based printer.”
  • According to historic Internet address maps stored by San Mateo, Calif. based Farsight Security, among the handful of Internet addresses historically assigned to the domain “clintonemail.com” was the numeric address 24.187.234.188. The subdomain attached to that Internet address was….wait for it…. “printer.clintonemail.com”.
  • “Interestingly, that domain was first noticed by Farsight in March 2015, the same month the scandal broke that during her tenure as United States Secretary of State Mrs. Clinton exclusively used her family’s private email server for official communications.”
  • “I should emphasize here that it’s unclear whether an Internet-capable printer was ever connected to printer.clintonemail.com. Nevertheless, it appears someone set it up to work that way.”
  • “More importantly, any emails or other documents that the Clintons decided to print would be sent out over the Internet — however briefly — before going back to the printer. And that data may have been sniffable by other customers of the same ISP”
  • Not necessarily, it can depend on the setup. The reason you might expose a printer to the internet like that on purpose, is to allow printing while you are away from home, but it isn’t a good idea
  • “Not just because any idiot on the Internet can just waste all your toner. Some of these printers have simple vulnerabilities that leave them easy to be hacked into.”
  • That printer can then serve as an ‘island hopping’ beachhead, allowing the attacker to do this from an internal IP address that is likely to be trusted, and allowed through firewalls (you do want to be able to talk to the printer right?)
  • It does appear the Clintons had an SSL VPN, which is a good sign, although I would expect the printer to have been behind that

Reverse engineering an ATM skimmer

  • “Brian Krebs has produced numerous articles on ATM skimmers. He has essentially become the “go to” journalist on ATM fraud. From reading his stuff, I have learned how the “bad guys” think when it comes to ATM fraud. In a nutshell, they are after two things:”
  • They want your card number
  • They want your PIN number
  • “To get your card number, the thieves have a few options. Traditionally, they affix a device to the ATM card reader that “skims” your card as it passes into the actual machine”
  • “The devices must look as close to the actual reader as possible so they don’t arouse suspicion. The blackhats go to great lengths to achieve this. Sometimes they will replace entire panels of the atm. They may even go as far as inserting a tiny card reader INSIDE the card slot. Alternatively, a thief may try to record the number “on the wire”. This is called “network skimming””
  • The post includes a video of a skimmer being installed in just a few seconds
  • Then it gets interesting: after having read all of Krebs’s advice, the author of the post encountered a skimmer while visiting Indonesia
  • “A quick glance, and I suspected it was a skimmer immediately. It had a tiny switch, a port for a cable of some sort and I could see a faint blue light in the dark.”
  • “I was not sure what to do. I was tempted to leave it alone since it wasn’t mine and it could possibly be a legitimate piece of the ATM. But if it were a skimmer, I would be knowingly allowing people to get ripped off. I couldn’t allow that to happen, plus I wanted to take it home and see how it works!”
  • “We decided to take it. On our way out to dinner, Elizabeth and I discussed excitedly about how cool this is to be in the middle of a criminal conspiracy. “It feels like we are in a movie”, she said. We talked about how we think the crooks were getting the data. We talked about how we would report it to the authorities and take it apart. The movie kept getting more and more exciting in our imaginations. Then we got to the part of the movie where a group of men on motorcycles track us to our home and shoot us with automatic weapons.”
  • “By the time we got to the restaurant, we were pretty scared, A GSM-enabled device could feasibly phone home with its GPS coordinates. Just in case, we asked for some aluminum foil and made a makeshift Faraday cage. When it comes to Indonesian criminal gangs, you can never be too careful.”
  • “The next day we were still alive and not shot by a gang of criminals. We called the bank to report the device we found on their ATM. The CSR was pretty confused, but he took my name and number and dispatched a technician to look at the machine.”
  • This reaction is very common, and is starting to be troubling
  • After some deduction, he determined the ports on the side were for a USB cable
  • “Threading the braided wires into those tiny holes one at a time was an exercise in patience. After 40 minutes or so, I got them all aligned. I had to hold the wires in with my hand while I plugged the USB cable into my computer. I crossed my fingers and…. Skimmer device mounts as an external hard drive!”
  • “It mounts! I freak-out a little and begin copying the files from the device. There are two folders. One is named “Google Drive” and one is named “VIDEO”. The “Google Drive” folder was empty, but there is over 11GB of video files in the “VIDEO” folder. 45 minutes later, the files are still copying to my machine. The whole time I have to hold the cable and not move lest I break the transfer.”
  • “After it’s done, I shake out the cramps in my hand and go over the footage. The camera records 30 minute chunks of video whenever it detects movement. Most of the videos are of people typing in their pin numbers [upside down]”
  • “The device records sound. At first I thought it was a waste of storage to record this, but after looking at the footage, I realized how helpful the sound is. The beeps correspond to actual keypresses, so you can’t fool the skimmer by pretending to touch multiple keys. Also, the sound of money dispensing means that PIN is valid.”
  • When they tore the device apart, they found a cell phone battery, a control board, and a pinhole camera
  • “Googling the number from the controller board revealed that it is a commercially available board used in spy camera gear. The board was modified to include an external on/off switch, the stronger Samsung battery, and the aforementioned USB connection.”
  • “The overall design choices of the skimmer were actually pretty decent. As mentioned, at first I thought sound recording was a waste, but then found it to be useful for decoding PIN numbers as they are typed. I also initially thought that the cell phone battery was a lazy choice, like they just had one laying around. I have come to believe, however, that this is the best choice for a long-lasting and small-profile power source.”
  • The researcher did not find the actual card skimmer, but suspected that the data was being “network skimmed”
  • Going back a few days later, they found a fresh PIN number camera installed

Suffering in the Start Menu | TTT 219
https://original.jupiterbroadcasting.net/89336/suffering-in-the-start-menu-ttt-219/
Fri, 16 Oct 2015 10:31:52 +0000

The post Suffering in the Start Menu | TTT 219 first appeared on Jupiter Broadcasting.


A Windows 10 upgrade is automatically installing on some Windows 7, 8 systems & ads in the Start Menu started showing up this week. We discuss.

Plus the most disruptive technology in the last 100 years is probably not what you’re thinking, Intel, Microsoft, HP, Dell & Lenovo form supergroup to save the PC & it’s terrible.

Then it’s our Kickstarter of the week, a new breed of computing!

Export Grade Vulnerabilities | TechSNAP 228
https://original.jupiterbroadcasting.net/86667/export-grade-vulnerabilities-techsnap-228/
Thu, 20 Aug 2015 08:56:51 +0000

The post Export Grade Vulnerabilities | TechSNAP 228 first appeared on Jupiter Broadcasting.


Lenovo & HP are caught injecting malware even after you format the drive, Ubiquiti Networks is socially engineered out of 46 million & are we entering the era of Security Research Prohibition? We debate.

Plus a great batch of your questions, our answers, a rocking round up & much, much more!


— Show Notes: —

Lenovo and HP caught injecting Malware even after you wipe the machine

  • A user on the Ars Technica forums discovered the malware being installed on his freshly re-formatted computer
  • How is that possible, the entire disk was erased…
  • Well, it turns out Microsoft has a solution for that, the “Windows Platform Binary Table”
  • Details on Microsoft’s “Windows Platform Binary Table”
  • An area in the BIOS where you can stick some files, and they will be run with ‘SYSTEM’ privileges, after Windows (8+) starts
  • They have access to the file system, even if the disk is encrypted with BitLocker, because the code is run after the file system is mounted
  • “Microsoft’s Windows Platform Binary Table WPBT feature allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware. The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.”
  • “During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states. “The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”
  • “The LSE (Lenovo Service Engine) makes sure C:\Windows\system32\autochk.exe is Lenovo’s variant of the autochk.exe file; if Microsoft’s official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer’s file system to make sure it’s free of any corruption.”
  • “Lenovo’s variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system’s system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.”
  • In the Microsoft documentation, they try to make it clear:
  • “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.”
  • Which is funny, because the entire WPBT feature, “exposes Windows users to exploitable conditions”
  • “Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.”
  • “After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft’s security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.”
  • Luckily, if you are not running Windows 8 or higher, your computer is not affected
  • Note: This has been observed on desktop computers too, not just laptops
  • Note Well: This is a “feature” of Windows, so every computer with Windows 8 or higher is actually vulnerable to having malicious code injected, there just might not be any code in your firmware, currently.
  • Microsoft says: “If partners intentionally or unintentionally introduce malware or unwanted software though the WPBT, Microsoft may remove such software through the use of anti-malware software. Software that is determined to be malicious may be subject to immediate removal without notice.”
  • However, since the file that gets executed only ever exists in memory, Microsoft’s malware scanner won’t find the WPBT binary, only the malware it drops into your system
  • Lenovo used Windows anti-theft feature to install persistent crapware
  • Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs
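
Whether a given machine's firmware publishes a WPBT can be checked by reading the ACPI table itself. The following is an added example, not code from the show notes or from Microsoft: it parses a raw WPBT dump (on Linux, ACPI tables are exposed as files under /sys/firmware/acpi/tables/) and reports what the firmware asks Windows to run. The field layout after the standard 36-byte ACPI header (handoff size, handoff address, content layout, content type, argument length, UTF-16 arguments) is stated here as an assumption to verify against Microsoft's WPBT documentation, and the sample table bytes are constructed.

```python
import struct
import sys

# Standard 36-byte ACPI table header.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
# WPBT-specific fields (assumed layout): handoff memory size, handoff memory
# physical address, content layout, content type, argument length in bytes.
WPBT_FIELDS = struct.Struct("<IQBBH")
CHECKSUM_OFFSET = 9  # signature (4) + length (4) + revision (1)


def parse_wpbt(raw: bytes) -> dict:
    """Parse a raw WPBT table and return its security-relevant fields."""
    minimum = ACPI_HEADER.size + WPBT_FIELDS.size
    if len(raw) < minimum:
        raise ValueError("too short to be a WPBT table")
    sig, length, revision, _csum, oem_id, oem_table, *_rest = ACPI_HEADER.unpack_from(raw)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table (signature {sig!r})")
    if not minimum <= length <= len(raw):
        raise ValueError("declared table length does not fit the data")
    table = raw[:length]
    size, address, layout, ctype, arg_len = WPBT_FIELDS.unpack_from(table, ACPI_HEADER.size)
    if minimum + arg_len > length:
        raise ValueError("argument length runs past the end of the table")
    args = table[minimum:minimum + arg_len].decode("utf-16-le", errors="replace")
    return {
        # Every ACPI table must sum to zero modulo 256.
        "checksum_ok": sum(table) & 0xFF == 0,
        "revision": revision,
        "oem_id": oem_id.decode("ascii", "replace").strip("\x00 "),
        "oem_table_id": oem_table.decode("ascii", "replace").strip("\x00 "),
        "handoff_size": size,
        "handoff_address": address,
        "content_layout": layout,
        "content_type": ctype,
        "arguments": args.rstrip("\x00"),
    }


def findings(info: dict) -> list:
    """Turn parsed fields into short statements for an inventory report."""
    out = []
    if not info["checksum_ok"]:
        out.append("ACPI checksum mismatch: dump is corrupt or was modified")
    if info["handoff_size"]:
        out.append(
            f"firmware from OEM '{info['oem_id']}' hands Windows a "
            f"{info['handoff_size']}-byte platform binary at "
            f"physical address {info['handoff_address']:#x}"
        )
    if info["arguments"]:
        out.append(f"platform binary is launched with arguments: {info['arguments']!r}")
    return out


def build_sample_wpbt(size=0x20000, address=0x7F000000, arguments="/quiet") -> bytes:
    """Constructed sample table (not taken from any real machine)."""
    args = arguments.encode("utf-16-le")
    length = ACPI_HEADER.size + WPBT_FIELDS.size + len(args)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, b"SAMPLE", b"CONSTRCT", 1, b"TEST", 1)
    table = bytearray(header + WPBT_FIELDS.pack(size, address, 1, 1, len(args)) + args)
    table[CHECKSUM_OFFSET] = (-sum(table)) & 0xFF  # make the table sum to zero
    return bytes(table)


if __name__ == "__main__":
    # Pass a dump path such as /sys/firmware/acpi/tables/WPBT (needs root);
    # with no argument the constructed sample is parsed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_wpbt()
    for line in findings(parse_wpbt(data)):
        print(line)
```

If the file does not exist on a machine, its firmware publishes no WPBT; if it does, the OEM identifiers and arguments show which vendor component Windows will be asked to launch.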

Ubiquiti Networks loses 46 million in cyber bank heist

  • “Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers”
  • So, pretend to be the boss, and get a secretary, or the finance department to approve expenses or transfers
  • The attack was disclosed as part of the company’s quarterly filings with the SEC
  • “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”
  • “The swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments”
  • “Ubiquiti didn’t disclose precisely how it was scammed, but CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.”
  • “The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.”
  • “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.”
  • These won’t be your typical phishing emails full of broken English and bad punctuation
  • These will be highly researched scams designed to make you think you are communicating with the real person
  • “On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.”
  • Even two-factor authentication can be defeated here, because the attacker tricks someone with legitimate access into making the transfer for them
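The look-alike domains described above ("examp1e.com", "example.co") can be flagged on inbound mail before a payment request reaches anyone. The following is an added example, not part of the original show notes: the function names, the confusable-character table and the sample From headers are all constructed for illustration, and the distance threshold of 2 follows the "one or two letters off" wording in the quote.

```python
from email.utils import parseaddr

# Characters commonly swapped in look-alike domains (illustrative, not exhaustive).
CONFUSABLE = str.maketrans("1i0", "llo")
SEQUENCES = (("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Collapse visually confusable characters so look-alikes compare equal."""
    s = domain.lower()
    for seq, repl in SEQUENCES:
        s = s.replace(seq, repl)
    return s.translate(CONFUSABLE)


def edit_distance(a, b):
    """Levenshtein distance that also counts an adjacent swap as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header, trusted_domains, max_distance=2):
    """Return (verdict, matched_trusted_domain) for one From header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in trusted_domains:
        if skeleton(domain) == skeleton(trusted):
            return ("lookalike-homoglyph", trusted)
        if edit_distance(domain, trusted) <= max_distance:
            return ("lookalike-typo", trusted)
    return ("unknown", None)


def triage(from_headers, trusted_domains):
    """Return only the headers whose domain imitates a trusted one."""
    flagged = []
    for header in from_headers:
        verdict, match = classify_sender(header, trusted_domains)
        if verdict.startswith("lookalike"):
            flagged.append((header, verdict, match))
    return flagged


# Constructed sample headers, not taken from any real incident.
SAMPLE_HEADERS = [
    "Pat Lee <pat@example.com>",
    "Pat Lee <pat@examp1e.com>",
    "pat@example.co",
    "Accounts <ap@exarnple.com>",
    "Billing <billing@supplier-payments.net>",
]

if __name__ == "__main__":
    for header, verdict, match in triage(SAMPLE_HEADERS, ["example.com"]):
        print(f"{verdict:20} imitates {match}: {header}")
```

Short trusted domains produce false positives at a distance of 2, so the flag is best used to hold a message for out-of-band verification rather than to reject it outright.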

We may be entering the era of Security Research Prohibition

  • As if the Oracle nonsense last week was not bad enough, the Wassenaar Arrangement threatens to send us into the dark ages
  • “The U.S. implementation of the rules, which govern the export of so-called intrusion software among other things, has been criticized sharply by lawyers, security researchers, and software vendors, who say that the proposed rules are too vague and threaten to chill legitimate security research and other activities.”
  • “The rules that we got on May 20 are confusing to say the least. The Commerce Department didn’t have any experience with these kind of rules,” Nate Cardozo, a staff attorney at the EFF, said during a panel on Wassenaar at the Black Hat conference here Thursday. “They are really horrendously vague.”
  • “The Bureau of Industry and Security at the Commerce Department proposed the rules in May and opened up a 60-day comment period. Many security researchers and attorneys submitted comments, and the BIS has said it will revise the rules and open them up for public comment again, a somewhat unusual move.”
  • “The Wassenaar rules have been compared in many circles to the export controls on encryption software that came into effect in the 1990s in the U.S. There is an important lesson to be drawn from the way the crypto controls were handled.” “We should learn how much those controls did the opposite of what was intended, which is weakening the security of the Internet as a whole”
  • “Because the BIS rules as currently written are so vague about what constitutes intrusion software, things such as Metasploit and other common offensive tools could be regulated. And even sharing information about your own security research with a co-worker in another country could cause issues. Researchers are quite wary of these vagaries and worry that their day-to-day work may be restricted.”

The post Export Grade Vulnerabilities | TechSNAP 228 first appeared on Jupiter Broadcasting.

Connecting the Docks | LINUX Unplugged 106 https://original.jupiterbroadcasting.net/86632/connecting-the-docks-lup-106/ Wed, 19 Aug 2015 06:50:48 +0000 https://original.jupiterbroadcasting.net/?p=86632 Live from the floor of LinuxCon 2015 we capture Bruce Schneier’s take on hacking attribution, how HP enthusiastically supports Linux internally & our impressions of the big convention. Plus how Docker is going big this year & which type of Linux event is right for you. Thanks to: Get Paid to Write for DigitalOcean Direct […]


Live from the floor of LinuxCon 2015 we capture Bruce Schneier’s take on hacking attribution, how HP enthusiastically supports Linux internally & our impressions of the big convention.

Plus how Docker is going big this year & which type of Linux event is right for you.

Thanks to: Ting, DigitalOcean, Linux Academy


Show Notes:

  • Not much to link this week, LinuxCon is the content for this week!

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Chris’ Lifestyle Reboot | Tech Talk Today 137 https://original.jupiterbroadcasting.net/77802/chris-lifestyle-reboot-tech-talk-today-137/ Fri, 20 Feb 2015 11:49:36 +0000 https://original.jupiterbroadcasting.net/?p=77802 We round off the week’s tech news & follow up on the big Lenovo story & discuss HP’s push into Linux powered Networking. Then Chris shares the start of his lifestyle reboot & then an in-depth discussion on getting into the IT job market. Direct Download: MP3 Audio | OGG Audio | Video | […]


We round off the week’s tech news & follow up on the big Lenovo story & discuss HP’s push into Linux powered Networking.

Then Chris shares the start of his lifestyle reboot & then an in-depth discussion on getting into the IT job market.


Show Notes:

Lenovo To Wipe Superfish Off PCs

An anonymous reader sends news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. “As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.” When asked whether his company vets the software they pre-install on their machines, he said, “Yes, we do. Obviously in this case we didn’t do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation.”

HP Targets Cisco and Facebook With New Line of Open-Source Networking Gear

Hewlett-Packard said on Thursday that it would sell a new line of networking switches that are manufactured by a Taiwanese company and depend on Linux-based, open-source software from another company.

Epic Games offers up $5 million in Unreal Dev Grants

Today Epic Games has announced a new initiative — one that could see your game netting between $5,000 and $50,000 in no-strings-attached funding from the engine provider.

HEALTH WATCH: sweatthesweetstuff — Eating healthy doesn’t have to be boring and that working out can be fun!

I want people to understand their bodies. To know that there is a connection between what we put in it and on it, and how that makes us feel. That eating right isn’t just about losing weight, it’s about how good we can feel! On the inside and out. It doesn’t stop at our dress size and energy levels (which are great) but it can help improve other things like your skin, hair & nails, achy joints, headaches, allergies, asthma, your menstrual cycle, IBS, indigestion, several diseases, even cancer. Your body is smart. It knows what to do. You just have to give it the right stuff.

ARMed with Arch | LINUX Unplugged 80 https://original.jupiterbroadcasting.net/77477/armed-with-arch-lup-80/ Tue, 17 Feb 2015 18:17:04 +0000 https://original.jupiterbroadcasting.net/?p=77477 One of the core developers of Arch Linux ARM joins us to chat about this rapidly developing platform, how Arch is used in ARM deployments & their relationship with the main Arch project. Plus an update on Ubuntu Phone & the first fully sandboxed portable Linux desktop app is demoed this week. How is it […]


One of the core developers of Arch Linux ARM joins us to chat about this rapidly developing platform, how Arch is used in ARM deployments & their relationship with the main Arch project.

Plus an update on Ubuntu Phone & the first fully sandboxed portable Linux desktop app is demoed this week. How is it different than what we’ve seen before? And how far away might it be? We debate.

Thanks to: Ting, DigitalOcean, Linux Academy


Show Notes:

Pre-Show:

FU:

Linux Academy


LinuxFest Northwest 2015

Bellingham, WA • April 25th & 26th

lanoxx/tilda · GitHub


DigitalOcean

Arch Linux ARM

Jason Plum (WarheadsSE) – OxNAS specialist, Perlmonger, and once again, another one of the smartest guys we know. Available as a hired gun for ARM projects.

ODROID-C1 | Arch Linux ARM

TING

First fully sandboxed Linux desktop app | Alexander Larsson

This is going to require a lot of changes to the Linux stack. For instance, we have to use Wayland instead of X11, because X11 is impossible to secure. We also need to use kdbus to allow desktop integration that is properly filtered at the kernel level.

Recently Wayland has made some pretty big strides though, and we now have working Wayland sessions in Fedora 21. This means we can start testing real sandboxing for simple applications. To get something running I chose to focus on a game, because they require very little interaction with the system. Here is a video I made of Neverball, running in a minimal sandbox.

  • Is independent of the host distribution
  • Has no access to any system or user files other than the ones from the runtime and application itself
  • Has no access to any hardware devices, other than DRI (for GL rendering)
  • Has no network access
  • Can’t see any other processes in the system
  • Can only get input via Wayland
  • Can only show graphics via Wayland
  • Can only output audio via PulseAudio
  • … plus more sandboxing details

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last | Ars Technica

In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

Next week: Retro edition of LUP. Your favorite moments, now available with the self-gratifying feature known as hindsight.


New Shows : Tech Talk Today (Mon – Thur)

HP Screws the POODLE | TechSNAP 184 https://original.jupiterbroadcasting.net/69462/hp-screws-the-poodle-techsnap-184/ Thu, 16 Oct 2014 18:12:17 +0000 https://original.jupiterbroadcasting.net/?p=69462 A new attack against SSL called POODLE hits the web, and there’s no easy fix. We’ve got all the details. Plus the Zero day bug that exposes other zero-day bugs, HP signs malware, and then it’s a big batch of your questions, our answers! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD […]


A new attack against SSL called POODLE hits the web, and there’s no easy fix. We’ve got all the details.

Plus the Zero day bug that exposes other zero-day bugs, HP signs malware, and then it’s a big batch of your questions, our answers!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Zero day Bug in the Bugzilla bug tracker exposes zero day exploits for other software

  • When new flaws are found in important software such as Mozilla’s Firefox, or operating systems from Red Hat and others, the details are put into a private bug in the Bugzilla bug tracker
  • Only those with a ‘need to know’, like the Security Officer, have access to the details of the flaw while a patch is prepared, tested, and shipped
  • Once a patch is shipped, some of the details may be made public
  • It is important that the details remain secret until users have had a chance to install the patches, to prevent a malicious actor from exploiting the flaw using the details and proof-of-concept provided by the people reporting the bug in the first place
  • The security and privacy of the bug tracker are therefore imperative
  • Researchers at security firm “Check Point Software Technologies” discovered that it was possible to create Bugzilla user accounts that bypass the email validation process.
  • “Our exploit allows us to bypass that and register using any email we want, even if we don’t have access to it, because there is no validation that you actually control that domain,” said Shahar Tal, vulnerability research team leader for Check Point. “Because of the way permissions work on Bugzilla, we can get administrative privileges by simply registering using an address from one of the domains of the Bugzilla installation owner. For example, we registered as admin@mozilla.org, and suddenly we could see every private bug under Firefox and everything else under Mozilla.”
  • Bugzilla Security Advisory
  • “An attacker creating a new Bugzilla account can override certain parameters when finalizing the account creation that can lead to the user being created with a different email address than originally requested. The overridden login name could be automatically added to groups based on the group’s regular expression setting.”
  • This flaw is obviously very serious, as it might expose previously private zero-day exploits for many different open source products
  • “The fact is that this was there for 10 years and no one saw it until now,” said Tal. “If nation state adversaries [had] access to private bug data, they would have a ball with this. There is no way to find out if anyone did exploit this other than going through user list and seeing if you have a suspicious user there.”
  • “The perception that many eyes have looked at open source code and it’s secure because so many people have looked at it, I think this is false,” Tal said. “Because no one really audits code unless they’re committed to it or they’re paid to do it. This is why we can see such foolish bugs in very popular code.”
  • In response to the Krebs story, Mozilla made this statement:
  • “Regarding the comment in the first paragraph: While it’s a theoretical possibility that other Bugzilla installations expose security bugs to “all employees,” Mozilla does not do this and as a result our security bugs were not available to potential exploiters of this flaw.
    At no time did Check Point get “administrative privileges” on bugzilla.mozilla.org. They did create an account called admin@mozilla.org that would inherit “netscapeconfidential” privileges, but we stopped using this privilege level long before the reported vulnerability was introduced. They also created “admin@mozilla.com” which inherited “mozilla-employee” access. We do actively use that classification, but not for security bugs. In addition, on bugzilla.mozilla.org Mozilla regularly checks @mozilla.com addresses against the employee database and would have caught any fraudulently created @mozilla.com accounts quickly.”

POODLE Attacks

  • A new attack against the SSL protocol (the protocol itself, not the implementations like OpenSSL this time) was found by Bodo Möller, Thai Duong, and Krzysztof Kotowicz of the Google Security team
  • POODLE – Padding Oracle On Downgraded Legacy Encryption
  • For reasons of backwards compatibility (because the Internet is a mess of legacy crap), many SSL/TLS clients implement a ‘downgrade dance’ in the protocol handshake, rather than properly negotiating the version of the protocol to be used
  • Instead, the client tries the highest version that it supports, and if this fails to make a successful connection, it drops the connection and tries again with the next highest version until it successfully makes a connection, or runs out of options to try
  • The problem with this approach is that an attacker in a position to perform a MiTM attack could interfere with the connection and cause the downgrade dance to happen
  • The downgrade could also be caused coincidentally, by dropped or malformed packets, such as from a weak WiFi or mobile signal, unnecessarily downgrading the security of the connection
  • If both the client and the server support TLS 1.2, but the attacker causes the connection to be dropped when the handshake proposes TLS 1.2, 1.1, and 1.0, then the client fails over to using SSL 3.0
  • SSL 3.0 is obsolete (it was released in 1996), and only supports the vulnerable RC4 cipher, and some block ciphers in CBC mode, which has some issues of its own, described in detail in the paper
  • In order to combat this attack, since completely disabling SSL 3.0 is not always an option (detailed later), they propose introducing TLS_FALLBACK_SCSV
  • This new extension to the TLS protocol requires that, if a client does do a downgrade dance, in the subsequent handshakes, they indicate to the server that they are doing said dance. If the server supports a higher protocol version than what the client is trying to negotiate, and this flag is set, something funny is probably going on, and the server should reject the connection, instead of allowing the downgrade to the weaker version of TLS or SSL
  • The issue with just disabling SSL 3.0 to stop this attack is older clients and servers that only support SSL 3.0
  • These include Windows XP with Internet Explorer 6 (even if another browser is installed and used, many applications that embed a browser will still be vulnerable, including applications like Steam). IE6 includes support for TLS 1.0, but it is disabled by default
  • Many older appliances, including some load balancers that sit in front of major websites, only support the older protocols
  • 0.12% of the Alexa top 1 million websites only support SSL 3.0 and no version of TLS
  • The list includes citibank.com (SSL 3.0 only, a weak 1024 bit certificate), but that is just a redirector to online.citibank.com which is secure, a 2048 bit certificate, does not allow SSL 3.0 and supports TLS 1.2
  • Google Security blog post
  • Adam Langley’s blog
  • Poodle Paper: This POODLE Bites: Exploiting The SSL 3.0 Fallback
  • Report on sites vulnerable to Poodle attack, instructions on disabling SSL 3.0 on servers and browsers
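The downgrade dance and the TLS_FALLBACK_SCSV check described above can be followed step by step in a small model. This is an added example, not code from the show notes or from any TLS library: it is a toy simulation with no real networking or cryptography, and the class names, the `network_drops` hook and the `version_intolerant` flag are assumptions made for illustration (the alert name `inappropriate_fallback` is the one defined for this mechanism).

```python
from dataclasses import dataclass

VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # weakest to strongest
RANK = {v: i for i, v in enumerate(VERSIONS)}


@dataclass
class ClientHello:
    version: str         # highest version offered in this attempt
    fallback_scsv: bool  # True when the client signals "this is a retry at a lower version"


class Server:
    def __init__(self, supported, honors_scsv, version_intolerant=False):
        self.supported = list(supported)
        self.honors_scsv = honors_scsv
        # Legacy servers that fail the handshake when offered a version they
        # do not know are the reason clients do the downgrade dance at all.
        self.version_intolerant = version_intolerant

    def handle(self, hello):
        best = max(self.supported, key=RANK.get)
        # The server can do better than what a falling-back client offers:
        # something interfered with the earlier attempts, so refuse.
        if self.honors_scsv and hello.fallback_scsv and RANK[best] > RANK[hello.version]:
            return ("alert", "inappropriate_fallback")
        if self.version_intolerant and hello.version not in self.supported:
            return ("alert", "handshake_failure")
        usable = [v for v in self.supported if RANK[v] <= RANK[hello.version]]
        if not usable:
            return ("alert", "protocol_version")
        return ("ok", max(usable, key=RANK.get))


def connect(server, client_versions, sends_scsv, network_drops=lambda hello: False):
    """Run the downgrade dance; return (negotiated_version_or_None, attempts)."""
    attempts = []
    ordered = sorted(client_versions, key=RANK.get, reverse=True)
    for n, version in enumerate(ordered):
        hello = ClientHello(version, fallback_scsv=sends_scsv and n > 0)
        if network_drops(hello):  # MiTM interference or a flaky link
            attempts.append((version, "dropped"))
            continue
        status, detail = server.handle(hello)
        attempts.append((version, detail))
        if status == "ok":
            return detail, attempts
        if detail == "inappropriate_fallback":
            return None, attempts  # fatal: do not retry with anything weaker
    return None, attempts


def drop_above_ssl3(hello):
    """Model of the interference described above: only SSL 3.0 hellos get through."""
    return RANK[hello.version] > RANK["SSL 3.0"]


if __name__ == "__main__":
    modern = Server(VERSIONS, honors_scsv=True)
    legacy = Server(["SSL 3.0"], honors_scsv=False, version_intolerant=True)
    print("no SCSV, interference  :", connect(modern, VERSIONS, False, drop_above_ssl3))
    print("SCSV, interference     :", connect(modern, VERSIONS, True, drop_above_ssl3))
    print("SCSV, clean network    :", connect(modern, VERSIONS, True))
    print("SCSV, SSL 3.0-only host:", connect(legacy, VERSIONS, True))
```

The last case shows why the signal is preferable to simply turning SSL 3.0 off: a client that sends it can still reach a server that genuinely supports nothing newer.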

Signed Malware = Expensive “Oops” for HP

  • “Earlier this week, HP quietly produced several client advisories stating that on Oct. 21, 2014 it plans to revoke a digital certificate the company previously used to cryptographically sign software components that ship with many of its older products. HP said it was taking this step out of an abundance of caution because it discovered that the certificate had mistakenly been used to sign malicious software way back in May 2010.”
  • Code signing is a way to ensure the software you are running on your system is actually from the author it claims to be from
  • On some highly secure systems, it is only permissible to run software that is signed, thus preventing most instances of malware
  • Except, in the case where the malware authors manage to get their malware signed, either by gaining access to a trusted code signing certificate, or by tricking someone into signing the code for them
  • One of the most popular previous instances of signed malware was Stuxnet, where a number of the components of that suite of malware had been signed by various, apparently stolen, code signing certificates
  • In Feb. 2013, whitelisting software provider Bit9 discovered that its system had been compromised and 32 pieces of malware had been whitelisted. Covered on TechSNAP episode 100
  • “according to HP’s Global Chief Information Security Officer Brett Wahlin, nothing quite so sexy or dramatic was involved in HP’s decision to revoke this particular certificate. Wahlin said HP was recently alerted by Symantec about a curious, four-year-old trojan horse program that appeared to have been signed with one of HP’s private certificates and found on a server outside of HP’s network. Further investigation traced the problem back to a malware infection on an HP developer’s computer.”
  • “HP investigators believe the trojan on the developer’s PC renamed itself to mimic one of the file names the company typically uses in its software testing, and that the malicious file was inadvertently included in a software package that was later signed with the company’s digital certificate. The company believes the malware got off of HP’s internal network because it contained a mechanism designed to transfer a copy of the file back to its point of origin.”
  • In this instance, HP believes that this is a case of ‘tricked into signing the malware’, not of their signing infrastructure being compromised
  • “When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case,” he said. “We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact.”
  • Even if the security concerns from this incident are minimal, the revocation of this certificate is likely to create support issues for some customers. The certificate in question expired several years ago, and so it cannot be used to digitally sign new files. But according to HP, it was used to sign a huge swath of HP software — including crucial hardware and software drivers, and other components that interact in fundamental ways with the Microsoft Windows operating system.
  • “The interesting thing that pops up here — and even Microsoft doesn’t know the answer to this — is what happens to systems with the restore partition, if they need to be restored,” Wahlin said. “Our PC group is working through trying to create solutions to help customers if that actually becomes a real-world scenario, but in the end that’s something we can’t test in a lab environment until that certificate is officially revoked by Verisign on October 21.”
  • How practical is it to revoke single signatures on a specific file, rather than having to revoke the certificate that signed all of the files?
  • How will machines find out about the revocation of the HP certificate? Unlike a browser, the systems may not have an internet connection to be able to check the status of the certificate online, or download a CRL (Certificate Revocation List)
  • Will the revocation come via a Windows Update?
  • It’ll be interesting to see how this plays out

Facebank | Tech Talk Today 70 https://original.jupiterbroadcasting.net/68272/facebank-tech-talk-today-70/ Mon, 06 Oct 2014 12:27:58 +0000 https://original.jupiterbroadcasting.net/?p=68272 HP is breaking up, Facebook wants to be your wallet & Bill Gates thinks Bitcoin is better than cash. Plus what is going on with Bitcoin? And are you ready for autonomous Linux powered drone boats? Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 […]


HP is breaking up, Facebook wants to be your wallet & Bill Gates thinks Bitcoin is better than cash.

Plus what is going on with Bitcoin? And are you ready for autonomous Linux powered drone boats?


Show Notes:

Hewlett-Packard Plans to Break in Two – WSJ

Hewlett-Packard plans to separate its personal-computer and printer businesses from its corporate hardware and services operations, the latest attempt by the technology company to improve its fortunes by breaking itself in two.

The company intends to announce the move on Monday, people familiar with the plan said. It is expected to make the split through a tax-free distribution of shares to stockholders next year, said one of the people.

If the division goes off as planned, it would give rise to two publicly traded companies, each with more than $50 billion in annual revenue.


The impending move, first reported Sunday by The Wall Street Journal, set off a round of speculation in the industry about whether the separation could lead to more deal making.


In 2012, under current H-P Chief Executive Meg Whitman, the company reorganized itself to combine the PC business with its more profitable printer operation, helping pave the way for the current plan.


Ms. Whitman is slated to be chairman of the PC and printer business, to be known as HP Inc., and CEO of the other company, to be called Hewlett-Packard Enterprise, said one of the people familiar with the plan. Current lead independent director Patricia Russo will be chairman of the enterprise company, while Dion Weisler, an executive in the PC and printer operation, is to be CEO of that business, this person said.

Hacked Screenshots Show Friend-To-Friend Payments Feature Hidden In Facebook Messenger | TechCrunch

Facebook Messenger is all set up to allow friends to send each other money. All Facebook has to do is turn on the feature, according to screenshots and video taken using iOS app exploration developer tool Cycript by Stanford computer science student Andrew Aude.

Facebook CEO Mark Zuckerberg said on the company’s Q2 earnings call that “over time there will be some overlap between [Messenger] and payments. […] The payments piece will be a part of what will help drive the overall success and help people share with each other and interact with businesses.” However, he urged Wall Street not to get too foamy at the mouth because it may be awhile since “there’s so much groundwork for us to do.”

He urged analysts and investors to revise their estimates of Facebook’s revenue if they expected this to come quickly. “To the extent that your models or anything reflect that we might be doing that, I strongly encourage you to adjust that, because we’re not going to. We’re going to take the time to do this in the way that is going to be right over multiple years” Zuckerberg concluded.

Bill Gates: Bitcoin Is ‘Better Than Currency’

After long remaining mostly mum on Bitcoin, Microsoft’s co-founder Bill Gates has spoken. At a financial-services industry conference in Boston, he threw his weight behind the controversial crypto currency. Well, at least as a low-cost payments solution. … “Bitcoin is exciting because it shows how cheap it can be,” he told Erik Schatzker during a Bloomberg TV’s Smart Street show interview yesterday (video). “Bitcoin is better than currency in that you don’t have to be physically in the same place and, of course, for large transactions, currency can get pretty inconvenient.” … While he seems relatively bullish on how inexpensive transacting in Bitcoin can be, Gates isn’t singing the praises of its anonymity. The billionaire alluded in an oblique, somewhat rambling fashion to some of the more nefarious anonymous uses associated with Bitcoin.

The conversation then switched to new Microsoft CEO Satya Nadella and whether this is something the Windows maker should be focusing on, and how Gates feels the new man in charge is doing in his job. Although Gates stated that he’s “very happy with what he’s doing,” curiously he went on to say that he believes the company needs to make Microsoft Office dramatically better. We’re not sure exactly what that means, but Gates was very animated about it, and he’s apparently making sure the company heeds this advice.


BG: Certainly, Microsoft should do as well or better, but of all the things Microsoft needs to do in terms of making people more productive in their work, helping them communicate in new ways. It’s a long list of opportunities Microsoft has to innovate, and taking Office and making it dramatically better would be really high on the list, that’s the kind of thing that I’m trying to make sure they move fast on. I’m very happy with what he’s doing. I see a new sense of energy. There’s a lot of opportunity there. Some things the company isn’t the leader on, and he sees he needs to change that.

US Navy Develops Robot Boat Swarm To Overwhelm Enemies

“Jeremy Hsu reports that the US Navy has been testing a large-scale swarm of autonomous boats designed to overwhelm enemies. In the test, large ship that the Navy sometimes calls a high-value unit, HVU, is making its way down the river’s thalweg, escorted by 13 small guard boats. Between them, they carry a variety of payloads, loud speakers and flashing lights, a .50-caliber machine gun and a microwave direct energy weapon or heat ray. Detecting the enemy vessel with radar and infrared sensors, they perform a series of maneuvers to encircle the craft, coming close enough to the boat to engage it and near enough to one another to seal off any potential escape or access to the ship they are guarding. They blast warnings via loudspeaker and flash their lights. The HVU is now free to safely move away.


Rear Adm. Matthew Klunder, chief of the Office of Naval Research (ONR), points out that a maneuver that required 40 people had just dropped down to just one. “Think about it as replicating the functions that a human boat pilot would do. We’ve taken that capability and extended it to multiple [unmanned surface vehicles] operating together within that, we’ve designed team behaviors,” says Robert Brizzolara. The timing of the briefing happens to coincide with the 14-year anniversary of the bombing of the USS Cole off the coast of Yemen that killed 17 sailors. It’s an anniversary that Klunder observes with a unique sense of responsibility. “If we had this capability there on that day. We could have saved that ship. I never want to see the USS Cole happen again.”

Google Wants Your Kids | Tech Talk Today 45 https://original.jupiterbroadcasting.net/64862/google-wants-your-kids-tech-talk-today-45/ Tue, 19 Aug 2014 09:15:46 +0000 https://original.jupiterbroadcasting.net/?p=64862 Google readies their platform for kids under 13 with a new initiative, US details plans for car-to-car communications, the Windows laptop built for Linux users & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | […]

The post Google Wants Your Kids | Tech Talk Today 45 first appeared on Jupiter Broadcasting.


Google readies their platform for kids under 13 with a new initiative, US details plans for car-to-car communications, the Windows laptop built for Linux users & much more!


Show Notes:

U.S. details plans for car-to-car safety communications

After more than a decade of research into car-to-car communications, U.S. auto safety regulators took a step forward today by unveiling their plan for requiring cars to have wireless gear that will enable them to warn drivers of danger.

These vehicle-to-vehicle (V2V) transmitters and software won’t be cheap, costing an estimated $341 to $350 per vehicle in 2020, the National Highway Traffic Safety Administration said in a report.


Just two of the possible features that rely on V2V technology — one that warns drivers if they don’t have enough time to make a left turn and another that urges them to stop if another car is about to run a red light — could prevent 25,000 to 592,000 crashes and save 49 to 1,083 lives annually when the entire U.S. vehicle fleet has the technology, according to today’s report.


The current V2V system is set up in such a way that cars swap messages 10 times per second about their position in space, which direction they are headed and how quickly they are moving in that direction. If two cars are on a collision course, the driver can be presented a warning.

Google Is Planning to Offer Accounts to Kids Under 13

Google plans to offer accounts to children under 13 years old for the first time, a move that will take the world’s largest Internet search provider into a controversial and operationally complex new market.

Google and most other Internet companies tread carefully because of the Children’s Online Privacy Protection Act, or COPPA. The law imposes strict limits on how information about children under 13 is collected; it requires parents’ consent and tightly controls how that data can be used for advertising. (Companies are not liable if customers lie to them about user ages).

The company’s new effort is partly driven by the fact that some parents are already trying to sign their kids up to the company’s services. Google wants to make the process easier and compliant with the rules, the person said.

Hello, HP Stream 14: A $199 Windows laptop aimed squarely at the Chromebook market

The HP Stream 14 itself shares many other features with Chromebooks: It has a 1366 x 768 display, for example, which is nearly ubiquitous on Chrome OS laptops. An energy-efficient AMD chip powers the Stream 14, combined with 2 GB of memory and either 32 or 64 GB of flash storage as well as an SDXC card slot. Bluetooth, Wi-Fi, a trio of USB ports, HDMI out and a webcam make up the rest of the package. Like the Android SlateBook 14 that HP also sells, the HP Stream 14 will have four speakers and support Beats Audio.

The 3.9-pound laptop runs Windows 8.1

LG flaunts curved 21:9 monitor, plus a display for gamers – CNET

The 34-inch 34UC97 curved monitor has a cinematic 21:9 aspect ratio and in-plane switching. It boasts a massive resolution of 3,440×1,440 pixels. The display packs two Thunderbolt 2 connections for connecting to Macs and for daisy-chaining other monitors.

Adam Carolla Settles With Podcasting Patent Troll – Slashdot

Personal Audio has been trying to assert patents they claim cover podcasting for some time now; in March Adam Carolla was sued and decided to fight back. Via the EFF comes news that he has settled with Personal Audio, and the outcome is likely beneficial to those still fighting the trolls. From the article: Although the settlement is confidential, we can guess the terms. This is because Personal Audio sent out a press release last month saying it was willing to walk away from its suit with Carolla. So we can assume that Carolla did not pay Personal Audio a penny. We can also assume that, in exchange, Carolla has given up the opportunity to challenge the patent and the chance to get his attorney’s fees. … EFF’s own challenge to Personal Audio’s patent is on a separate track and will continue … with a ruling likely by April 2015. … We hope that Personal Audio’s public statements on this issue mean that it has truly abandoned threatening and suing podcasters. Though a press release might not be legally binding, the company will have a hard time justifying any further litigation (or threats of litigation) against podcasters. Any future targets can point to this statement. Carolla deserves recognition for getting this result.

NSA Monster Mash | Tech Talk Today 42 https://original.jupiterbroadcasting.net/64467/nsa-monster-mash-tech-talk-today-42/ Thu, 14 Aug 2014 09:42:26 +0000 https://original.jupiterbroadcasting.net/?p=64467 Snowden warns of the NSA’s MonsterMind, a system built to automatically respond to cyber attacks. Google wants to put Now in business and the big improvements coming to LTE. Plus Microsoft’s CEO gets dunked and more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 […]

The post NSA Monster Mash | Tech Talk Today 42 first appeared on Jupiter Broadcasting.


Snowden warns of the NSA’s MonsterMind, a system built to automatically respond to cyber attacks. Google wants to put Now in business and the big improvements coming to LTE.

Plus Microsoft’s CEO gets dunked and more!


Show Notes:

Google Now for businesses reportedly on the table as HP chases a Google partnership

Google and HP have been discussing an enterprise partnership for the past year with little progress made, according to a new report. Topics have included a “Nexus tablet” with hardware encryption, as well as a version of Google Now for business data.


In fact, the report says that HP had also talked to Apple about a “Siri for enterprise,” which was nixed when the IBM deal was announced.


So Google needs to respond soon or businesses could find themselves locked into the iOS ecosystem before Android has its enterprise act together. HP is a potential partner with connections in the business IT market, and a Google Now for business data would be a feature that Apple couldn’t match. Details of its implementation are unclear at this point, as it’s not an official product, but would center around voice searches for information like financial data or product inventory. This raises several questions about whether Google would need access to data from businesses’ proprietary, private databases.


Meanwhile, HP is working on its own mobile voice search, which it is internally calling “Enterprise Siri.” It’s perhaps not the best sign for a product in development when its codename refers to the rival service it is copying.

HP Wanted To Make A Nexus Phone For Enterprise | Digital Trends

HP reportedly wanted to partner with Google to make a Nexus smartphone specifically aimed at business users. It would have incorporated several business-centric features, such as the ability to add high-end encryption. However, HP encountered internal resistance from Google, in particular from Andy Rubin, who was in charge of Android. Rubin was replaced by Sundar Pichai in March 2013.

AT&T will send LTE media broadcasts to your phone in 2015

Verizon may be the first out of the gate with LTE-based media broadcasting in the US, but it won’t be the only game in town. AT&T’s John Stankey has revealed that his carrier will have its own Multicast service sometime in 2015. It’ll first launch in areas where AT&T can start immediately, but it should expand as the provider gets comfortable with both the technology and content partners.

Meet MonsterMind, the NSA Bot That Could Wage Cyberwar Autonomously | Threat Level | WIRED

The NSA whistleblower says the agency is developing a cyber defense system that would instantly and autonomously neutralize foreign cyberattacks against the US, and could be used to launch retaliatory strikes as well. The program, called MonsterMind, raises fresh concerns about privacy and the government’s policies around offensive digital attacks.


Snowden tells WIRED in an extensive interview with James Bamford that algorithms would scour massive repositories of metadata and analyze it to differentiate normal network traffic from anomalous or malicious traffic. Armed with this knowledge, the NSA could instantly and autonomously identify, and block, a foreign threat.


Think of it as a digital version of the Star Wars initiative President Reagan proposed in the 1980s.


Snowden suggests MonsterMind could one day be designed to return fire—automatically, without human intervention—against the attacker.


Spotting malicious attacks in the manner Snowden describes would, he says, require the NSA to collect and analyze all network traffic flows in order to design an algorithm that distinguishes normal traffic flow from anomalous, malicious traffic.

“[T]hat means we have to be intercepting all traffic flows,” Snowden told WIRED’s James Bamford. “That means violating the Fourth Amendment, seizing private communications without a warrant, without probable cause or even a suspicion of wrongdoing. For everyone, all the time.”


MonsterMind sounds much like the Plan X cyberwarfare program run by Darpa. The five-year, $110 million research program has several goals, not the least of which is mapping the entire internet and identifying every node to help the Pentagon spot, and disable, targets if needed. Another goal is building a system that allows the Pentagon to conduct speed-of-light attacks using predetermined and pre-programmed scenarios. Such a system would be able to spot threats and autonomously launch a response, the Washington Post reported two years ago.

It’s not clear if Plan X is MonsterMind or if MonsterMind even exists. The Post noted at the time that Darpa would begin accepting proposals for Plan X that summer. Snowden said MonsterMind was in the works when he left his work as an NSA contractor last year.

Bonus Friday Tech Talk Today w/Special Guest Angela

Microsoft’s CEO Dares Google, Amazon Execs In Ice Bucket Challenge

Today, Microsoft’s CEO Satya Nadella allowed the winning team from his company’s internal hackathon to pour a large amount of chilly dihydrogen monoxide onto his expecting pate.

Then, Nadella challenged Google and Amazon CEOs Larry Page and Jeff Bezos to do the same. Bezos, like Nadella, doesn’t keep much on top. Page, on the other hand, has a more natural defense.

GoodGoogle BadUSB | TechSNAP 173 https://original.jupiterbroadcasting.net/63557/goodgoogle-badusb-techsnap-173/ Thu, 31 Jul 2014 16:53:08 +0000 https://original.jupiterbroadcasting.net/?p=63557 China goes on a hacking spree, compromising a Point of Sale system is as simple as an ebay purchase. Plus what’s bad about about GoodGoogle, your questions, our answers, and much much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile […]

The post GoodGoogle BadUSB | TechSNAP 173 first appeared on Jupiter Broadcasting.


China goes on a hacking spree, and compromising a Point of Sale system is as simple as an eBay purchase.

Plus what’s bad about GoodGoogle, your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

What can you find on a used POS terminal off ebay?

  • Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200.
  • The Aloha POS system is sold by NCR, which gained it through its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
  • Oh found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
  • Oh’s research illustrates the security issues facing the hospitality industry: outdated POS systems that it sometimes cannot afford to update.
  • Companies don’t appear to be paying enough attention to security issues with their POS terminals, and older systems, which may not be as secure, are often still in use.
  • The problem also affects the food industry, where there is little budget to upgrade POS systems.
  • P.F. Chang’s was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant’s acquisition by NCR.
  • P.F. Chang’s disclosed a credit and debit card breach last month.
  • P.F. Chang’s said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.
  • HP Security Research Blog

Hackers breach three Israeli Defense firms behind Iron Dome

  • Brian Krebs breaks the news that the three defense contractors responsible for the design and building of the Iron Dome missile defense system have had their computer systems breached
  • Iron Dome intercepts inbound rockets and mortars and has been credited with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict
  • The attackers stole huge quantities of sensitive documents pertaining to the missile shield technology
  • The breach occurred between Oct. 10, 2011 and August 13, 2012, but was not disclosed
  • The three victims were: Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems
  • The breach was investigated by Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI)
  • CyberESI managed to gain access to the secret communications infrastructure set up by the attackers, and from that learned that a very large volume of data had been exfiltrated from the victim networks
  • The stolen material included a 900-page document that provides detailed schematics and specifications for the Arrow III missile, plus documents about Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other related technical documents
  • “Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.”
  • Iron Dome is partially funded by the US Government, and was designed in cooperation with some US defense contractors
  • “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”
  • Many of the documents that were stolen have their distribution restricted by International Traffic in Arms Regulations (ITAR), a U.S. State Department control that regulates the defense industry, raising questions about the lack of timely disclosure
  • “According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.”
  • “Once inside the IAI’s network, Comment Crew members spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network.
  • “Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”
  • “While some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years learning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this approach can or should scale for smaller firms.”

Chinese hackers breach National Research Council of Canada computers while they are working on new security system to prevent attacks

  • The Canadian federal government revealed on Tuesday that the NRC’s computer networks were the target of a cyber attack, and had been shut down to contain the compromise
  • The NRC is working with both the private sector and university research teams to create a physics-based computer encryption system
  • “NRC is developing photonics-based, quantum-enhanced cyber security solutions … collaborating to develop technologies that address increased demands for high-performance security for communications, data storage and data processing.” says the NRC’s website.
  • “NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure”. “This could take approximately one year however; every step is being taken to minimize disruption.”
  • The intrusion came from “a highly sophisticated Chinese state-sponsored actor,” said the Treasury Board. “We have no evidence that data compromises have occurred on the broader Government of Canada network.”
  • The article states “… comes as the agency is working on an advanced computer encryption system that is supposed to prevent such attacks.”
  • Encryption does not prevent computer systems from being breached, especially when attackers gain a foothold via phishing and other social-engineering attacks
  • The encryption system is a defense against eavesdropping, and may protect sensitive documents in cold storage, but it does not prevent systems from being compromised

Service offers to defeat your competitors’ online advertising

  • Krebs brings us more news, this time about an online service that exhausts the daily advertising budget of your competitors, making your own advertisements less expensive and more visible
  • A common scam involving Google’s AdSense service is “click fraud”. A fraudster sets up a website to display ads, then drives fake traffic to the site, and fake clicks on the ads
  • The fraudster then gets paid by Google a portion of what the advertiser paid to show the ad
  • However, Krebs found someone doing the opposite, defrauding the AdWords side of the business
  • “GoodGoogle” is the name of one of these fraudster services. It promises to click the ads of your competitors, driving up their costs and exhausting their advertising budget early in the day (or early in each hour, depending on the Google settings)
  • This means your own ads will be less expensive (your lower bid normally wouldn’t win, but if all of the higher bidders have expended their budget for the day, you are now the high bidder), and you cost your competitors more money
  • “The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’s ads indefinitely. Fees are paid up-front and in virtual currencies and the seller offers support and a warranty for his work for the first three weeks.”
  • “Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, speculated that GoodGoogle’s service consists of two main components: A private botnet of hacked computers that do the clicking on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results”
  • This could also be an interesting case of double-dipping: if the fraudster ran fake sites with content specific to the keywords his customers wanted to attack, he could make money via the click fraud from the AdSense side, while charging for his services from the AdWords side
  • “Amazingly, the individual responsible for this service not only invokes Google’s trademark in his nickname and advertises his wares via instructional videos on Google’s YouTube service, but he also lists several Gmail accounts as points of contact. My guess is it will not be difficult for Google to shutter this operation, and possibly to identify this individual in real life.”

Qubes OS: Security By Isolation | LAS 317 https://original.jupiterbroadcasting.net/59912/qubes-os-security-by-isolation-las-317/ Sun, 15 Jun 2014 14:11:02 +0000 https://original.jupiterbroadcasting.net/?p=59912 Qubes OS, you could call it Linux for the truly paranoid. This system offers a unique isolated approach to keep you and your data safe, we dive in to show you how this system works! Plus: The big Red Hat news, Docker goes 1.0, a Linux port done right… And so much more! All this […]

The post Qubes OS: Security By Isolation | LAS 317 first appeared on Jupiter Broadcasting.


Qubes OS: you could call it Linux for the truly paranoid. This system offers a unique isolated approach to keep you and your data safe, and we dive in to show you how this system works!

Plus: The big Red Hat news, Docker goes 1.0, a Linux port done right…

And so much more!

All this week on, The Linux Action Show!

Thanks to:


DigitalOcean


Ting


— Show Notes: —

Qubes OS:


Brought to you by: System76

Qubes OS Homepage

  • Qubes Release 1 was released in September 2012. Qubes Release 2 is almost complete, with rc1 having been released in April 201

  • On February 16, 2014, Qubes was selected as a finalist of Access Innovation Prize 2014 for Endpoint Security Solution.

Built on top of Xen:

Qubes Architecture Overview

Qubes is based on Xen, the X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers.

  • Qubes implements a Security by Isolation approach.
  • Qubes utilizes virtualization technology in order to isolate various programs from each other and even to sandbox many system-level components, such as networking and storage subsystems, so that the compromise of any of these programs or components does not affect the integrity of the rest of the system.

  • Qubes lets the user define many security domains, which are implemented as lightweight Virtual Machines (VMs), or “AppVMs.”

Example App isolation

For example, the user can have “personal,” “work,” “shopping,” “bank,” and “random” AppVMs and can use the applications within those VMs just as if they were executing on the local machine. At the same time, however, these applications are well isolated from each other.

  • Qubes also supports secure copy-and-paste and file sharing between the AppVMs, of course.

Key Architectural features

Qubes Odyssey Framework

  • The network mechanism is the most exposed to security attacks. This is why it is isolated in a separate, unprivileged virtual machine, called the Network Domain.

  • Disk space is saved thanks to the fact that various virtual machines (VM) share the same root file system in a read-only mode.

  • Separate disk storage is only used for the user’s directory and per-VM settings. This allows software installation and updates to be centralized. Of course, some software can be installed only on a specific VM.

  • Some documents or applications can be run in disposable VMs through an action available in the file manager. The mechanism follows the idea of sandboxes: after the document or application has been viewed, the whole Disposable VM is destroyed.

Qubes OS Desktop Screenshot

  • Based on a secure bare-metal hypervisor (Xen)
  • USB stacks and drivers sandboxed in an unprivileged VM (currently experimental feature)
  • No networking code in the privileged domain (dom0)
  • All user applications run in “AppVMs,” lightweight VMs based on Linux
  • Centralized updates of all AppVMs based on the same template
  • Qubes GUI virtualization presents applications as if they were running locally
  • Qubes GUI provides isolation between apps sharing the same desktop
  • Secure system boot based (optional)

Not just for Linux: Qubes can run Windows apps seamlessly too:

Qubes Seamless


— Picks —

Runs Linux

Mini-drones jump, flip, fly, climb, and run Linux

Desktop App Pick

SnapRAID

SnapRAID is an application able to make a partial backup of your disk array. If some of the disks of your array fail, even if they are completely broken, you will be able to recover their content. It’s only a partial backup, because it doesn’t allow recovery from a failure of the whole array, only from failures where the number of failed disks is under a predefined limit.

Weekly Spotlight

magpie —

Basically, magpie is just a web tool for managing text files in a git repo. In it, you can create notebooks (which are just folders); create, edit, and delete notes (which are just files). That’s pretty much it. However, when you make any of these changes, they are automatically committed to git.

Thanks to haliphax for submitting this link


— NEWS —

A big step forward in business Linux: Red Hat Enterprise Linux 7 arrives

As for the features, RHEL 7 boasts many stability and performance upgrades. Red Hat claims that, depending upon the load, RHEL 7 is 11 to 25 percent faster than the previous iteration of the software, RHEL 6.

It’s Here: Docker 1.0

On March 20, 2013, we released the first version of Docker. After 15 months, 8,741 commits from more than 460 contributors, 2.75 million downloads, over 14,000 “Dockerized” apps, and feedback from 10s of 1000s of users about their experience with Docker, from a single container on a laptop to 1000s in production in the cloud … we’re excited to announce that it’s here: Docker 1.0.

HP bets it all on The Machine, a new computer architecture based on memristors and silicon photonics

In the words of HP Labs, The Machine will be a complete replacement for current computer system architectures. There will be a new operating system, a new type of memory (memristors), and super-fast buses/peripheral interconnects (photonics). Speaking to Bloomberg, HP says it will commercialize The Machine within a few years, “or fall on its face trying.”

Some of our favorite bullshit headlines:

On top of that, HP is working on a brand new operating system for The Machine based on Linux. And another one based on Android, Fink continued:

“We are, as part of The Machine, announcing our intent to build a new operating system all open source from the ground up, optimized for non-volatile memory systems.

We also have a team that’s starting from a Linux environment and stripping out all the bits we don’t need. So that way you maintain … compatibility for apps.

What if we build a version of Android? … We have a team that’s doing that, too.”

Aspyr Media Comments On Linux, More AAA Games In Future

Aspyr Media have quite clearly proven themselves at porting to Linux with a port that works this well, but the bigger news is that they may have more to come.

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Ubuntu 13.10 Review | LAS s29e02 https://original.jupiterbroadcasting.net/44567/ubuntu-13-10-review-las-s29e02/ Sun, 13 Oct 2013 14:15:51 +0000 https://original.jupiterbroadcasting.net/?p=44567 Has Ubuntu 13.10 become all about the Dash? Or is 13.10 much more? We dig into our pain points and moments of joy in our Ubuntu 13.10 Saucy Salamander review.

The post Ubuntu 13.10 Review | LAS s29e02 first appeared on Jupiter Broadcasting.


Has Ubuntu become all about the Dash? Or is there more going on in this saucy release? We’ll dig into our pain points and moments of joy in our Ubuntu 13.10 Saucy Salamander review.

Plus: The HP vs Microsoft cold war heats up, Steam Dev Days leave us dreaming, a quick look at Cinnamon 2.0…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


GoDaddy


Ting

— Show Notes: —

Ubuntu 13.10 Review


System76

Brought to you by: System76

Check out System76 on G+

Ubuntu’s Juju tool can also now manage LXC Linux containers, an OS-level virtualisation technology that enables more workloads to run on a single machine than full virtualisation, potentially reducing cost for service providers, the firm said.

Juju also now supports bundles, which enables a user to automate deployment of an entire stack without the need for scripting, and export that bundle to share with other admins, according to Baker.

Search results are sent to Canonical, and then to the third parties. Whether that data is “anonymized” when it’s received by Canonical is irrelevant. Canonical knows where the search originated as it has to send the results back to that same device.



— NEWS —

Cinnamon 2.0 released! ← Segfault

– Feedback: –

  • To your SoapBox!

  • Leadwerks
    • The Leadwerks Engine is a 3D game engine powered by OpenGL 2.1
    • The engine makes use of the Newton Game Dynamics SDK 2.0 (Newton Archimedes) for physics, and OpenAL and EAX for sound and 3D sound effects.
    • The engine is based on a deferred renderer as of Leadwerks 2.1 and a unified lighting system that allows for dynamic lighting and soft shadowing without the use of lightmaps or any pre-compilation.
    • Modules have been made by members of the community to allow the use of the engine in languages such as Java, C#, VB.NET, and Python, but C/C++, BlitzMax and Lua are its originally targeted and officially supported languages.
    • A license costs $200 per user. A full source code license can also be purchased for an undisclosed amount.
  • Desktop Environments

Bitmessage:

BM-GuJRSMgViBNXnafzuRQL3tpHHFSJQ5Wm

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting


]]> HP’s Backdoor | TechSNAP 116 https://original.jupiterbroadcasting.net/39602/hps-backdoor-techsnap-116/ Thu, 27 Jun 2013 19:36:49 +0000 https://original.jupiterbroadcasting.net/?p=39602 Opera’s code signing certificate gets compromised, and the backdoor that ships in some high-end HP products.

The post HP’s Backdoor | TechSNAP 116 first appeared on Jupiter Broadcasting.

]]>

Opera’s code signing certificate gets compromised, resulting in malware getting pushed out via their automatic update system.

Plus the backdoor that ships in some high-end HP products, your questions, and much much more.

On this week’s TechSNAP!

Opera code signing certificate compromised

  • On June 19th Opera uncovered, halted and contained a targeted attack on their internal network infrastructure.
  • There is no evidence of any user data being compromised.
  • The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware.
  • This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.
  • It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.

How much is your gmail account worth?

  • University of Illinois at Chicago has developed ‘CloudSweeper’
  • Connects to your Gmail account via OAuth and scans all of your email
  • Finds which accounts you have connected to your Gmail
  • If an attacker were to compromise your Gmail account, they could reset the passwords for and gain control over all of these accounts
  • The service uses an index of the value of these accounts from various underground forums
  • Tells you how much your Gmail account would be worth to an attacker
  • Finds services such as: Amazon, Apple, Groupon, Hulu, Newegg, Paypal, Skype, UPlay and Yahoo
  • Optionally, it can also scan your email for plain text passwords
  • If found, CloudSweeper can connect to Gmail via IMAP and edit these emails, either removing the password entirely (redacting) or encrypting it (replacing it with an encrypted string). It then provides you with a decryption key (a long string of text, or a QR code for simplicity)
  • If you ever need to decrypt the password, you return to CloudSweeper and scan the QR code
  • Krebs on Naming and Shaming Plain Text Passwords
  • PlainTextOffenders.com
  • PasswordFail.com – Browser extension to warn you before you sign up

$80,000 HP Backup device contains undocumented support user with fixed password

  • HP announced that their D2D/StoreOnce deduplication backup products contained a flaw
  • It seems there is an undocumented support user, named ‘HPSupport’, with a fixed 7-character password
  • That means that if a person were to brute force that password, they would have SSH access to every StoreOnce device deployed around the world
  • It just so happens, that is what someone has done, and they have even been helpful enough to provide the SHA1 hash of the password, so with a little effort, everyone else can brute force the password too
  • HP will release a patch to disable this account on July 7th
  • “In the interim, customers who wish to disable the backdoor can contact HP support for assistance on this,” the advisory noted. “HP support personnel will provide the assistance to manually disable the HPSupport user account.”
  • Full Disclosure researcher
  • HP said: “HP identified a potential security issue with older HP StoreOnce models. This does not impact StoreOnce systems with the current version 3.0 software, including the HP StoreOnce B6200 and HP StoreOnce VSA product offerings. HP takes security issues very seriously and is working actively on a fix.”

  • In December 2010, a similar problem was exposed with some HP NAS devices


]]>
Ubuntu 12.04 Review | LAS | s21e06 https://original.jupiterbroadcasting.net/18887/ubuntu-12-04-review-las-s21e06/ Sun, 22 Apr 2012 14:40:18 +0000 https://original.jupiterbroadcasting.net/?p=18887 It’s our review of Ubuntu 12.04. Does Canonical have a winner on its hands? Or is this new release a STINKY-McSTINKER?! Tune in to find out!

The post Ubuntu 12.04 Review | LAS | s21e06 first appeared on Jupiter Broadcasting.

]]>

It’s our review of Ubuntu 12.04. Does Canonical have a winner on its hands? Or is this new release a STINKY-McSTINKER?! Tune in to find out!

PLUS: How to remotely control any desktop, and news that a heavyweight video editor might be headed to Linux in a matter of weeks. We’ve got the details!

And so much more!

All this week on, The Linux Action Show!

Matt’s Howto:

1) To install the remote desktop app for Chrome, visit this link

2) Select Add to Chrome.

3) A new dialog appears; choose Add.

4) The app will begin downloading and automatically add itself to your Chrome apps.

5) Access the Chrome apps by opening a new tab in a current version of Google Chrome.

]]> Geek’s Natural Habitat | TechSNAP 53 https://original.jupiterbroadcasting.net/18747/geeks-natural-habitat-techsnap-53/ Thu, 12 Apr 2012 16:35:35 +0000 https://original.jupiterbroadcasting.net/?p=18747 Why the server admins for the Olympics have moved into their data center, and we get on our CISPA sopa box!

The post Geek’s Natural Habitat | TechSNAP 53 first appeared on Jupiter Broadcasting.

]]>

Software powering many of the devices we use has a critical flaw that can give an attacker root access, we’ll give you the details.

Plus why the server admins for the Olympics have moved into their data center, and we get on our CISPA sopa box!

All that and more on this week’s TechSNAP!

Show Notes:

Data Center staff for the London Olympics will sleep amongst the servers

  • Data Center technicians at London’s Interxion data center will sleep on site in specially designed pods
  • The concern is that the transit systems in London will be overwhelmed by the number of visitors and staff will not be able to make it to the data center in a reasonable amount of time. To avoid this issue, staff will sleep at the Data Center
  • The sleeping chambers were designed by UK company Podtime, and are designed for workplaces to provide staff an area for “power naps” but can be customized for overnight stays

Students in an Ethical Hacking class find flaw in Backtrack Linux

  • Backtrack Linux is a distro designed for security analysis, forensics and penetration testing
  • Backtrack is a very common tool among security professionals
  • The vulnerability has to do with improper input validation in WICD via D-Bus, and could allow an attacker to cause scripts or executables to be run as root whenever specific events occur, such as when the user connects to a Wi-Fi network
  • The ethical hacking class then created a proof of concept exploit and a patch to resolve the issue
  • Backtrack Linux includes common tools such as Metasploit, Aircrack-ng, RFMON and a Cisco scanner

Samba flaw has widespread implications

  • A critical flaw in Samba, the open source Windows file sharing server, can allow an unauthenticated attacker to gain root access
  • All versions of Samba from 3.0 to 3.6 are vulnerable, save for 3.6.4, the newly released stable version
  • The Samba project has gone so far as to release patches for older out of support versions of Samba
  • A remote pre-authentication vulnerability is one of the worst possible flaws for a public facing service
  • Samba is extremely popular in embedded appliances including routers, set top boxes, print servers, NASs and media centers
  • The fact that Samba is one of the most commonly embedded bits of open source software means that this vulnerability will likely exist in the wild for years to come. Most users may not even know that they are running Samba, let alone a vulnerable version
  • Many of the devices are no longer supported, or do not even offer the possibility of a firmware upgrade. Even many devices that do offer upgrades require manual user intervention, and there is always a risk of bricking a device when applying a firmware update

Over 750,000 people compromised by Utah Medicaid breach

  • As many as 280,000 people had their Social Security Numbers stolen and approximately 500,000 more victims had less-sensitive personal information (Name, Address, Birth Date) leaked
  • The Utah health department warns people that they will receive an official letter, and will not be contacted by phone, and that to avoid scammers, they should not give out personal information via phone calls they did not initiate
  • “A configuration error occurred at the password authentication level, allowing the hacker to circumvent DTS’s security system. DTS has processes in place to ensure the state’s data is secure, but this particular server was not configured according to normal procedure. DTS has identified where the breakdown occurred and has implemented new processes to ensure this type of breach will not happen again.”
  • While details on the specific configuration error that resulted in the breach are missing, it is interesting to see the blame falling squarely on those responsible rather than blaming cyber criminals or vague references to advanced persistent threat attacks
  • Threatpost Update
  • Official Statement

HP Warns customers that switches may come with malware infected SD cards


]]>