HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

‘Devil’s Ivy’ Vulnerability

• Original work

• Bug is in gSOAP by Genivia

• gSOAP is a C and C++ software development toolkit for SOAP/XML web services and generic XML data bindings. The gSOAP tools generate efficient source code for XML serialization of any type of C/C++ data with zero-copy overhead.

• Plant is toxic to dogs & cats, and it is almost impossible to kill

Beyond public key encryption

• One of the saddest and most fascinating things about applied cryptography is how 6689264031_4c7516b3e1_zlittle cryptography we actually use. In fact, with a few minor exceptions, the vast majority of the cryptography we use was settled by the early-2000s.*

• Identity Based Cryptography – In the mid-1980s, a cryptographer named Adi Shamir proposed a radical new idea. The idea, put simply, was to get rid of public keys.

• Attribute Based Encryption – The beautiful thing about this idea is not fuzzy IBE. It’s that once you have a threshold gate and a concept of “attributes”, you can more interesting things. The main observation is that a threshold gate can be used to implement the boolean AND and OR gates

Dan’s Let’s Encrypt Tool

• use case is centralized Let’s Encrypt with dns-01 challenges

Feedback

• ARM & risc systems not readily sold. Intel and AMD have a very compelling AESNI and virt instructions, and PCIe

• Host your own mail server – see https://www.nethserver.org/

• PXE boot – see Zalman ZM-VE350

  • iPXE – open source boot firmware
  • netboot.xyz
  • PXE – ArchWiki
• HOWTO: setup a PXE Server with dnsmasq
• Cobbler – Linux install and update server

Round Up:

• Alexa is listening to what you say – and might share that with developers – see https://nakedsecurity.sophos.com/2017/07/17/alexa-is-listening-to-what-you-say-and-might-share-that-with-developers/

• Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

• BCBS sent out USB cards telling people to insert into their computer. Here is the prototype for the next big wave of security breaches.

• Google Glass 2.0 is a startling second act

• Google Glass is officially back with a clearer vision

The post LetsEncrypt is a SNAP | TechSNAP 328 first appeared on Jupiter Broadcasting.

More and more data breaches are leading to blackmail but the stats don’t tell the whole story. We’ll explain.

Plus the latest in the Sony hack, and the wider reaction. Plus a great batch of emails & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Illinois Hospital being blackmailed with stolen Patient Data

• “An Illinois hospital says someone attempted to blackmail it to stop the release of data about some of its patients.”
• The hospital chain received an anonymous email asking for a substantial amount of money in order to prevent the release of patient data. A sample of the data was included in the email as proof
• “The hospital says it immediately notified law enforcement agencies.”
• “An investigation discovered the data relates to patients who visited Clay County Hospital clinics on or before February 2012. A hospital representative declined to disclose how many people are involved but said the data is limited to their names, addresses, Social Security numbers and dates of birth. No medical information was compromised in the breach”
• “The hospital believes the data has not been released so far. It didn’t disclose how the data was obtained but said an audit by an outside expert concluded the hospital hadn’t been hacked.”
• The age of the data suggests that the compromise may have involved backups and/or cold storage
• It is not clear of the Hospital stores the older data themselves, or if they rely on a 3rd party provider that may have been compromised
• “A recent report by the Identity Theft Report Center found that by early December there had been 304 breaches so far this year in the U.S. healthcare sector. That’s 42 percent of the 720 breaches reported across the country. But, in part because of the massive breaches at major retailers, the entire healthcare sector only accounted for 9.7 percent of all records compromised in reported breaches so far in 2014.”

Sony cancels the release of “The Interview” – plays the victim

• Sony has apparently cancelled the release of the film that is apparently the cause of the hack of their systems
• A number of cinemas had declined to screen the file after vague threats of physical violence were made
• “We are deeply saddened at this brazen effort to suppress the distribution of a movie, and in the process do damage to our company, our employees, and the American public,” Sony’s statement continues. “We stand by our filmmakers and their right to free expression and are extremely disappointed by this outcome.”
• If they stand for freedom of expression, they wouldn’t have cancelled the movie
• A number of people believe that the hackers may have found something especially damaging to Sony, and Sony is hoping to avoid the disclosure
• Bruce Schneier – “It’s really a phenomenally awesome hack—they completely owned this company,”
• “this is like Snowden, only with Sony.” He said that releases from the hack could go on for months.
• That seems to suggest that the hackers will soon leak something that will look very, very bad for the company, Schneier says.
• Earlier this week, Sony sent a letter to news outlets reporting on the leaks, saying that they could face prosecution for downloading stolen information. That letter, Schneier said, was a signal that the worst is still to come.
• Gawker posts a copy of the threatening letter
• “The fact that they sent that letter tells me there is stuff still to be found that Sony is terrified of. There’s some really bad stuff in there—stuff they did, stuff they said, stuff that’s illegal. Someone [from Sony] is going to jail for this.”
• Reaction to the Sony hack is beyond the realm of stupid – This is not terrorism
• Cisco analysis of Wiper malware used at Sony
• Newer version of Wiper malware signed with stolen Sony certificate
• ThreatPost Digital Undergound Podcast – Details of the Sony Breach
• The leak has also covered a number of different plans and plots by the MPAA
• Inclusing the MPAA’s post-SOPA plan to make ISP DNS Servers block sites

Feedback:

• FW Question

• IP management with 257 devices

• Isolating a server

• Certificate for web site
  • Mozilla TLS Server Side settings

• OpenYourMouth · GitHub

• Cipherli.st – Strong Ciphers for Apache, nginx and Lighttpd

Round Up:

• Viber calls out ESET for flagging them, ESET responds with a digital uppercut
• Yahoo releases new disclosure policy, all new bugs it finds will be disclosed within 90 days
• Report: Mysterious Russian Malware Is Infecting 100,000+ WordPress Sites
• Red October APT team is back, with the CloudAtlas APT attack
• Verizon’s new “end-to-end” encrypted calling app, includes “Government Access Option” – Cellcrypt’s vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. “It’s only creating a weakness for government agencies,” he says. “Just because a government access option exists, it doesn’t mean other companies can access it.”
• Leaked Government documents reveal Canadian Telco’s offering the Government “Surveillance Ready Networks”, to avoid legislation, and to force small operators out of the market
• Ars was briefly hacked yesterday; here’s what we know (Ars uses PHPass to hash passwords, that is 2048 rounds of MD5. Not as bad as it sounds: If you want to put this into “OL Hashcat” terms, a single R9 290X (video card) can pull ~ 12.2 GH/s on raw MD5, but only 3 MH/s against PHPass. Divide that by 1,071,734 unique salts, and that means our effective speed is only 2.86 H/s. That’s beyond properly slow.)
• A small bank in Kansas may be the future of banking, replacing ‘batched processed’ ACH transfers with instant transfers backed by the existing ATM processing network
• phpBB Status Update
• Study by Dell SecureWorks researchers finds that prices on the Internet Underground are rising

The post Don’t Fire IT | TechSNAP 193 first appeared on Jupiter Broadcasting.

Is there a fix to the human flaw in banking systems? We’ll debate. Plus how hackers can take over your internal network using a pixel on a webpage.

Then its a huge batch of your storage questions, the Giganews conspiracy & much, much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

5 people charged in identity theft ring linked to bank tellers

• Five people have been charged as part of an identity theft ring in which bank tellers used personal information about customers to withdraw a total of $850,000 from numerous accounts over the course of several years.
• The tellers used customer information to create fake driver’s licenses and checks to gain access to accounts
• “The victims were customers at several of banks in the region, including JPMorgan Chase and Bank of America locations in the Bronx, White Plains and Yonkers”
• “The banks reimbursed the customers whose accounts were affected”
• The five defendants were each charged with grand larceny, identity theft and scheme to defraud. Four of the five have already been arrested, while the fifth is from Florida and is currently being sought by the New York State Attorney’s office
• The three women involved in the scheme worked as tellers at a TD Bank in Apollo Beach, Fla., a Bank of America in White Plains, a JPMorgan Chase in White Plains, and a Wachovia (now Wells Fargo), in Newburgh, N.Y.”
• How do you maintain security when it is the people who are supposed to enforce that security that are stealing the information?

Hacked Brazillian news site targets router dns settings

• In an attack we practically predicted on a previous TechSNAP…
• The website of Politica Estadao (one of the biggest newspapers in Brazil) was compromised
• The pages had a series of iframes injected, which basically carried out a simple brute-force attack against the admin credentials of common routers
• “Five domains and nine DNS servers were found in this attack hosting bank phishing sites“
• “The payload was trying the user admin, root, gvt and a few other usernames, all using the router default passwords,”
• “Hackers are well aware of the shortcomings of home and small business routers, most of which are woefully shy of appropriate patching levels, and are likely protected only by a default or weak password“
• “At the DEF CON conference last month, the SOHOpelessly Broken contest enumerated the security issues around SOHO routers. Fifteen zero-day vulnerabilities were disclosed and demonstrated during the contest, leading to seven full router compromises and another attack that could have led to corruption of the internal network.“
• Watch your browser disclose your local network configuration
• Additional Coverage: Sucuri
• Additional Coverage: SecureList
• Previous Coverage: TechSNAP 86
• Previous Coverage: TechSNAP 106

Feedback:

• Having some FreeNAS iSCSI and NFS performance problems

• Self healing drive

• ZFS on Linux

• zfs linux story

• Comcast is awful : techsnap

Round Up:

• Giganews Is an FBI Operation
• New Archie exploit kit targets Adobe Flash and Microsoft Silverlight vulnerabilities
• IRC Freenode Network Hacked
• US Government threatened to fine Yahoo $250,000/day in 2008 to force them to release data on users and become part of PRISM
• Malware going around Twitch.tv that steals your steam account, puts your games up for sale, and empties your steam wallet
• Why is it taking so long to secure Internet Routing?
• Apple will no longer unlock most iPhones, iPads for police, even with search warrants
• Facebook turns off entire data center to test resiliency

The post Pixel Imperfect Security | TechSNAP 180 first appeared on Jupiter Broadcasting.

We embrace Daylight saving time with a special call-in edition of Coder Radio. Topics include a chat with one of the developers behind the online JavaScript assembly emulator, the encroachment of DRM in everyday life, and why Mozilla’s Persona has been put out to pasture and the difficult problem that creates for developers.

Plus your feedback, and much more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes: —

Feedback

• Git workflow with bitbucket
• Stypi

Open Mic:

• yasp

• Keurig Will Use DRM In New Coffee Maker To Lock Out Refill Market

• RubyGems.org Amazon Bill (+$7000)…

• Mozilla cutting support for Persona

• Five reasons Microsoft could become a top Android smartphone company

• Identity at Mozilla

• Identity/Firefox Accounts – MozillaWik i
• Our live doc

The post Persona Non Grata | CR 92 first appeared on Jupiter Broadcasting.

We chat with Jesse Heaslip one of the team members from Bex.io, they aim to provide a end-to-end solution to setup your own Bitcoin exchange. Is the solution to the Gox problem hundreds, or even thousands of small Bitcoin exchanges?

Plus Avalon customers suspect the company of pre-mining with their hardware for weeks, a new and stronger theory on Satoshi Nakamoto’s true identity, the good news for Litecoin, and more!

Downloads:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | Ogg Feed

— Support the Show —

If you enjoyed this episode, found value or information from it, please consider contributing using Bitcoin. Each episode gets its own unique Bitcoin address so by tipping you\’re not only making our continued efforts possible but telling us what you liked. Our episode specific address is listed at the bottom of the show notes.

— Feedback —

• ASICs and a 51% attack?

• USB ASICs

• Coinstar Kiosks and Bitcoin

• Namcoin – Building on Bitcoin

• What are Namecoins and .bit domains?

It is based on exactly the same code as Bitcoin. In fact, the two currencies are almost identical. However, in the same way that Bitcoin is a decentralised currency that cannot be shut down; Namecoin is the basis for a decentralised domain name system (DNS), i.e. web URLs, which could put a stop to Internet censorship.

• What have we done with our LTC?

Help spread the word on iTunes with a Rating and Review:

• iTunes – Plan B by Jupiter Broadcasting

Call or txt the Show:

1 (352) 587-5262

(352) 58-PLANB

— Discussion —

• Bex.io || Own your own Bitcoin Exchange

We do the tech. You do the rest. Bex removes all the technical complexity of running a Bitcoin Exchange.

• Erik Voorhees – The Role of Bitcoin as Money – Bitcoin 2013 Conference

Erik is a well-known member of the Bitcoin community forum (screen name- evoorhees), and is CEO of Coinapult, based in Panama City. Furthermore, Erik is also a partner in a couple top-secret super-subversive Bitcoin-based projects and coordinates the Free State Bitcoin Consortium group among liberty activists in New Hampshire.

• Erik Voorhees (ErikVoorhees) on Twitter

• Kenya Primed For Wide-Scale Bitcoin Adoption – Thx to Todd for Sending.

One locale stands out as particularly primed for widespread adoption: Kenya. Africa today has one of the fastest growing mobile phone markets in the world with 20% annual growth and 93% of Kenyan households owning mobile phones. What makes Kenya a particularly unique case for bitcoin is that it is also a world leader in mobile payment usage.

• NSA paper, 1996: \”How To Make A Mint: The Cryptography of Anonymous Electronic Cash\”. One referenced crypto expert is named Tatsuaki Okamoto. : Bitcoin

• Comment Thread Has Indications It Could be Satoshi .

Okamoto worked with Adi Shamir (co-creator of RSA) and is proficient in C++.

• Running on Karma–P2P Reputation and Currency Systems – Committee Chair: Tatsuaki Okamoto

• Avalon is officially mining with customers\’ ASICS before delivering them.

• Is Avalon mining with customer hardware? Answer is here.

Today I finally received my units from Feb. 2 order. One unit was almost clean, while other one is moderate dusty. After checking all connections and desoldering F1 fuse, I started to configure units. First unit has been tuned to ozco.in and that is not surprise, cos same config was on my unit from batch one. Second unit has more interesting config:
https://puu.sh/3hrak.png
As you can see, first pool is eligius.st and most important is address: https://blockchain.info/address/1AYdAw8CcrQ2wx55LTbFHRn5bxgNZhaRLW?offset=0&filter=0
716.40851602 BTC was mined from April 22 by various units. And only gods know, how much was mined on ozco.in.
So, regardles what said Yifu, the answer is: YES, Team Avalon is mining with customer units.

Litecoin Update:

• Litecoin Core Development Fundraising Meets Goal

A big sponsor who wishes to be anonymous is willing to support the Litecoin Development Team. They are offering a challenge grant where if we receive an additional 5,000 LTC in community donations by June 18th noon GMT, the anonymous sponsor will match with an additional 5,000 LTC. These combined funds will go a long way toward enabling long-term development of the Litecoin software and related vendor integration tools.

— Watch Live —

Tuesday 2pm PDT / 5pm EDT / 9pm GMT

• JbLive.tv

— Plan B Subreddit —

• Plan B Show

— Contact us —

• Chris on G+
• Drew on G+

— Music —

• Thanks to Ronald Jenkees and his fantastic track 7 Times

— Support the Show —

• Donate to the network with your worthless fiat or your fancy bitcoins!

The post Be Your Own Bitcoin Exchange | Plan B 11 first appeared on Jupiter Broadcasting.