Show Notes: officehours.hair/9

The post We Hate Crypto Too | Office Hours 9 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/47

The post Infrastructure Engineer: Seth McCombs | Jupiter Extras 47 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/331

The post Why Computers Suck | BSD Now 331 first appeared on Jupiter Broadcasting.

Show Notes: error.show/73

The post Stealing the Top Bunk | User Error 73 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Project Zero: Breaking the chain

• “Much as we’d like it to be true, it seems undeniable that we’ll never fix all security bugs just by looking for them. One of most productive ways to dealing with this fact is to implement exploit mitigations. Project Zero considers mitigation work just as important as finding vulnerabilities. Sometimes we can get our hands dirty, such as helping out Adobe and Microsoft in Flash mitigations. Sometimes we can only help indirectly via publishing our research and giving vendors an incentive to add their own mitigations.”
• “This blog post is about an important exploit mitigation I developed for Chrome on Windows. It will detail many of the challenges I faced when trying to get this mitigation released to protect end-users of Chrome. It’s recently shipped to users of Chrome on Windows 10 (in M54), and ended up blocking the sandbox escape of an exploit chain being used in the wild.”
• “It’s possible to lockdown a sandbox such as Chrome’s pretty comprehensively using Restricted Tokens. However one of the big problems on Windows is locking down access to system calls. On Windows you have both the normal NT system calls and Win32k system calls for accessing the GUI which combined represents a significant attack surface.”
• “While the NT system calls do have exploitable vulnerabilities now and again (for example issue 865) it’s nothing compared to Win32k. From just one research project alone 31 issues were discovered, and this isn’t counting the many font issues Mateusz has found and the hundreds of other issues found by other researchers.”
• “Much of Win32k’s problems come from history. In the first versions of Windows NT almost all the code responsible for the windowing system existed in user-mode. Unfortunately for 90’s era computers this wasn’t exactly good for performance so for NT 4 Microsoft moved a significant portion of what was user-mode code into the kernel (becoming the driver, win32k.sys). This was a time before Slammer, before Blaster, before the infamous Trustworthy Computing Memo which focussed Microsoft to think about security first. Perhaps some lone voice spoke for security that day, but was overwhelmed by performance considerations. We’ll never know for sure, however what it did do was make Win32k a large fragile mess which seems to have persisted to this day. And the attack surface this large fragile mess exposed could not be removed from any sandboxed process.”
• “That all changed with the release of Windows 8. Microsoft introduced the System Call Disable Policy, which allows a developer to completely block access to the Win32k system call table. While it doesn’t do anything for normal system calls the fact that you could eliminate over a thousand win32k system calls, many of which have had serious security issues, would be a crucial reduction in the attack surface.”
• “However no application in a default Windows installation used this policy (it’s said to have been introduced for non-GUI applications such as on Azure) and using it for something as complex as Chrome wasn’t going to be easy. The process of shipping Win32k lockdown required a number of architectural changes to be made to Chrome. This included replacing the GDI-based font code with Microsoft’s DirectWrite library. After around two years of effort Win32k lockdown was shipping by default.”
• The problem is that plugins, like Flash and PDFium, run via the PPAPI, and cannot have access to the Win32k blocked
• “This would seem a pretty large weak point. Flash has not had the best security track record (relevant), making the likelihood of Flash being an RCE vector very high. Combine that with the relative ease of finding and exploiting Win32k vulnerabilities and you’ve got a perfect storm.”
• “It would seem reasonable to assume that real attackers are finding Win32k vulnerabilities and using them to break out of restrictive sandboxes including Chrome’s using Flash as the RCE vector. The question was whether that was true. The first real confirmation that this was true came from the Hacking Team breach, which occurred in July 2015. In the dumped files was an unfixed Chrome exploit which used Flash as the RCE vector and a Win32k exploit to escape the sandbox. While both vulnerabilities were quickly fixed I came upon the idea that perhaps I could spend some time to implement the lockdown policy for PPAPI and eliminate this entire attack chain.”
• “For a better, more robust solution I needed to get changes made to Flash. I don’t have access to the Flash source code, however Google does have a good working relationship with Adobe and I used this to get the necessary changes implemented. It turned out that there was a Pepper API which did all that was needed to replace the GDI font handling, pp::flash::FontFile. Unfortunately that was only implemented on Linux, however I was able to put together a proof-of-concept Windows implementation of pp::flash::FontFile and through Xing Zhang of Adobe we got a full implementation in Chrome and Flash.”
• So, with some work, most of the code in Flash that needed access to the Win32k API could be removed, so access to it could be blocked
• “From this point I could enable Win32k lockdown for plugins and after much testing everything seemed to be working, until I tried to test some DRM protected video. While encrypted video worked, any Flash video file which required output protection (such as High-bandwidth Digital Content Protection (HDCP)) would not.”
• “Still this presents a problem, as video along with games are some of the only residual uses of Flash. In testing, this also affected the Widevine plugin that implements the Encrypted Media Extensions for Chrome. Widevine uses PPAPI under the hood; not fixing this issue would break all HD content playback.”
• “The ideal way of fixing this would be to implement a new API in Chrome which exposed enabling HDCP then get Adobe and Widevine to use that implementation. It turns out that the Adobe DRM and Widevine teams are under greater constraints than normal development teams. After discussion with my original contact at Adobe they didn’t have access to the DRM code for Flash. I was able to have meetings with Widevine (they’re part of Google) and the Adobe DRM team but in the end I decided to go it alone and implement redirection of these APIs as part of the sandbox code.”
• It seems that the DRM code is so locked down, that even the developers at the companies that created it, cannot modify it
• So the Chrome developer just created a compatibility layer, that brokers the Win32k calls to a separate process, that is outside of the Win32k API blocking, so the calls can succeed
• “From the first patch submitted in September 2015 to the final patch in June it took almost 10 months of effort to come up with a shipping mitigation. The fact that it’s had its first public success (and who knows how many non-public ones) shows that it was worth implementing this mitigation.”
• “In the latest version of Windows 10, Anniversary Edition, Microsoft have implemented a Win32k filter which makes it easier to reduce the attack surface without completely disabling all the system calls which might have sped up development. Microsoft are also taking pro-active effort to improve the Win32k code base.”

‘Avalanche’ Global Fraud Ring Dismantled

• “In what’s being billed as an unprecedented global law enforcement response to cybercrime, federal investigators in the United States, United Kingdom and Europe today say they’ve dismantled a sprawling cybercrime machine known as “Avalanche” — a distributed, cloud-hosting network that for the past seven years has been rented out to fraudsters for use in launching countless malware and phishing attacks.”
• “The Avalanche network was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns. It has caused an estimated EUR 6 million in damages in concentrated cyberattacks on online banking systems in Germany alone. In addition, the monetary losses associated with malware attacks conducted over the Avalanche network are estimated to be in the hundreds of millions of euros worldwide, although exact calculations are difficult due to the high number of malware families managed through the platform.”
• “The global effort to take down this network involved the crucial support of prosecutors and investigators from 30 countries. As a result, 5 individuals were arrested, 37 premises were searched, and 39 servers were seized. Victims of malware infections were identified in over 180 countries. Also, 221 servers were put offline through abuse notifications sent to the hosting providers. The operation marks the largest-ever use of sinkholing[1] to combat botnet[2] infrastructures and is unprecedented in its scale, with over 800 000 domains seized, sinkholed or blocked.”
• “Built as a criminal cloud-hosting environment that was rented out to scammers, spammers other ne’er-do-wells, Avalanche has been a major source of cybercrime for years. In 2009, when investigators say the fraud network first opened for business, Avalanche was responsible for funneling roughly two-thirds of all phishing attacks aimed at stealing usernames and passwords for bank and e-commerce sites. By 2011, Avalanche was being heavily used by crooks to deploy banking Trojans.”
• ““Cyber criminals rented the servers and through them launched and managed digital fraud campaigns, sending emails in bulk to infect computers with malware, ransomware and other malicious software that would steal users’ bank details and other personal data,” the NCA said in a statement released today on the takedown. The criminals used the stolen information for fraud or extortion. At its peak 17 different types of malware were hosted by the network, including major strains with names such as goznym, urlzone, pandabanker and loosemailsniffer. At least 500,000 computers around the world were infected and controlled by the Avalanche system on any given day.””
• “The Avalanche network was especially resilient because it relied on a hosting method known as fast-flux, a kind of round-robin technique that lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies.”
• By constantly changing addresses, it is hard for researchers and others to report the compromised hosts. Even when trying constant lookups, a researcher will only see a fraction of the actual hosts in the network.
• “It’s worth noting here that Avalanche has for many years been heavily favored by crime gangs to deploy Zeus and SpyEye malware variants involved in cleaning out bank accounts for a large number of small to mid-sized businesses. These attacks relied heavily on so-called “money mules,” people willingly or unwittingly recruited into helping fraudsters launder stolen funds.”
• “The Shadowserver Foundation, a non-profit organization of security professionals that assisted in what the organization described in a post on the takedown as an 18-month collaboration with law enforcement, described Avalanche as a “Double Fast Flux” botnet. Individual nodes within the botnet are registered and then quickly de-registered as the host associated with a Domain Name Service A address record for a single DNS name The destination addresses for a DNS record often change as quickly as once every 5 minutes, and can cycle through hundreds or thousands of IP addresses. And there are multiple domain names for command and control nodes hard-coded into the botnet malware, allowing the bots to switch to a different domain name if a specific domain is blocked.”
• Additional Coverage
• EuroPol Announcement
• EuroPol Technical Infographic

Meet the men who spy on women through their webcams

• The article describes some miscreants using RATs (Remote Administration Trojans) to control people’s computers, then using it to harass them and/or spy on them in various ways
• It describes a scenario of a ratter watching and taunting a victim. Trying to scare and shock them
• “See! That shit keeps popping up on my fucking computer!” says a blond woman as she leans back on a couch, bottle-feeding a baby on her lap.
• “The woman is visible from thousands of miles away on a hacker’s computer. The hacker has infected her machine with a remote administration tool (RAT) that gives him access to the woman’s screen, to her webcam, to her files, to her microphone. He watches her and the baby through a small control window open on his Windows PC, then he decides to have a little fun. He enters a series of shock and pornographic websites and watches them appear on the woman’s computer.”
• “The woman is startled. “Did it scare you?” she asks someone off camera. A young man steps into the webcam frame. “Yes,” he says. Both stare at the computer in horrified fascination. A picture of old naked men appears in their Web browser, then vanishes as a McAfee security product blocks a “dangerous site.””
• “Far away, the hacker opens his “Fun Manager” control panel, which provides a host of tools for messing with his RAT victims. He can hide their Windows “Start” button or the taskbar or the clock or the desktop, badly confusing many casual Windows users. He can have their computer speak to them. Instead, he settles for popping open the remote computer’s optical drive”
• “Copies of the incident aren’t hard to find. They’re on YouTube, along with thousands of other videos showing RAT controller (or “ratters,” as they will be called here) taunting, pranking, or toying with victims. But, of course, the kinds of people who watch others through their own webcams aren’t likely to limit themselves to these sorts of mere hijinks—not when computers store and webcams record far more intimate material.”
• “”Man I feel dirty looking at these pics,” wrote one forum poster at Hack Forums, one of the top “aboveground” hacking discussion sites on the Internet (it now has more than 23 million total posts). The poster was referencing a 134+ page thread filled with the images of female “slaves” surreptitiously snapped by hackers using the women’s own webcams. “Poor people think they are alone in their private homes, but have no idea they are the laughing stock on HackForums,” he continued. “It would be funny if one of these slaves venture into learning how to hack and comes across this thread.””
• “Whether this would in fact be “funny” is unlikely. RAT operators have nearly complete control over the computers they infect; they can (and do) browse people’s private pictures in search of erotic images to share with each other online. They even have strategies for watching where women store the photos most likely to be compromising.”
• I have always found people’s storage and organization strategies fascinating, especially for material they are trying to ‘hide in plain sight’
• “RAT tools aren’t new; the hacker group Cult of the Dead Cow famously released an early one called BackOrifice at the Defcon hacker convention in 1998. The lead author, who went by the alias Sir Dystic, called BackOrifice a tool designed for “remote tech support aid and employee monitoring and administering [of a Windows network].” But the Cult of the Dead Cow press release made clear that BackOrifice was meant to expose “Microsoft’s Swiss cheese approach to security.” Compared to today’s tools, BackOrifice was primitive. It could handle the basics, though: logging keystrokes, restarting the target machine, transferring files between computers, and snapping screenshots of the target computer.”
• “”I seem to get a lot of female slaves by spreading Sims 3 with a [RAT] server on torrent sites,” wrote one poster. Another turned to social media, where “I’ve been able to message random hot girls on facebook (0 mutual friends) and infect (usually become friends with them too); with the right words anything is possible.””
• “Calling most of these guys “hackers” does a real disservice to hackers everywhere; only minimal technical skill is now required to deploy a RAT and acquire slaves. Once infected, all the common RAT software provides a control panel view in which one can see all current slaves, their locations, and the status of their machines. With a few clicks, the operator can start watching the screen or webcam of any slave currently online.”
• “One of the biggest problems ratters face is the increasing prevalence of webcam lights that indicate when the camera is in use. Entire threads are devoted to bypassing the lights, which routinely worry RAT victims and often lead to the loss of slaves.”
• “Unfortunately she asked her boyfriend why the light on her cam kept coming on,” one RAT controller wrote. “And he knew, she never came back :)”
• “RATs can be entirely legitimate. Security companies have used them to help find and retrieve stolen laptops, for instance, and no one objects to similar remote login software such as LogMeIn. The developers behind RAT software generally describe their products as nothing more than tools which can be used for good and ill. And yet some tools have features that make them look a lot like they’re built with lawlessness in mind.”
• “RATs aren’t going away, despite the occasional intervention of the authorities. Too many exist, plenty of them are entirely legal, and source code is in the wild (a version of the Blackshades source leaked in 2010). Those who don’t want to end up being toyed with in a YouTube video are advised to take the same precautions that apply to most malware: use a solid anti-malware program, keep your operating system updated, and make sure plugins (especially Flash and Java) aren’t out of date. Don’t visit dodgy forums or buy dodgy items, don’t click dodgy attachments in e-mail, and don’t download dodgy torrents. Such steps won’t stop every attack, but they will foil many casual users looking to add a few more slaves to their collections.”
• “If you are unlucky enough to have your computer infected with a RAT, prepare to be sold or traded to the kind of person who enters forums to ask, “Can I get some slaves for my rat please? I got 2 bucks lol I will give it to you :b” At that point, the indignities you will suffer—and the horrific website images you may see—will be limited only by the imagination of that most terrifying person: a 14-year-old boy with an unsupervised Internet connection.”
• Honestly, this article was rather tame in its list of possibly things the ratters could do to you.
• To pay off webcam spies, Detroit kid pawns $100k in family jewels for $1,500

Feedback:

• OpenVPN Ciphers

• Participating in BSD / Linux Projects

• Encrypted Hard Drive

Round Up:

• Millions exposed to malvertising that hid attack code in banner pixels
• SysAdmin Advent Calendar
• Private Internet Access funds OpenVPN 2.4 audit by noted cryptographer Dr. Matthew Green
• 80 models of Sony security/IP cameras, many used in large enterprise, found to hard coded usernames “primana” and “debug”
• HP shutting down default FTP, Telnet access to network printers
• 6 of the 10 top vulnerabilities used in exploit kits in 2016 were in Flash — Exploit kits adopting the Adobe bug in the past year include Neutrino, Angler, Magnitude, RIG, Nuclear Pack, Spartan, and Hunter
• At least 10 million Android users imperiled by popular AirDroid app
• Crooks can guess Visa card details in six seconds by querying lots of websites at once
• Microsoft bringing full Windows 10 to ARM devices with Qualcomm partnership
• Lenovo: If you value your server, block Microsoft’s November security update
• Court: ‘Falsely’ Accused ‘Movie Pirate’ Deserves $17K Compensation
• The chatroom isn’t dead
• Announcing the AWS Canada (Central) Region
• TR-064: When Shoddy Implementations Come Back to Haunt You

The post Schoolhouse Exploits | TechSNAP 296 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Akamai’s quarterly State of the Internet report: The Krebs Attack

• “Internet infrastructure giant Akamai last week released a special State of the Internet report. Normally, the quarterly accounting of noteworthy changes in distributed denial-of-service (DDoS) attacks doesn’t delve into attacks on specific customers. But this latest Akamai report makes an exception in describing in great detail the record-sized attack against KrebsOnSecurity.com in September, the largest such assault it has ever mitigated.”
• Akamai: “The same data we’ve shared here was made available to Krebs for his own reporting and we received permission to name him and his site in this report.”
• “Akamai said the attack on Sept. 20 was launched by just 24,000 systems infected with Mirai, mostly hacked Internet of Things (IoT) devices such as digital video recorders and security cameras.”
• “The first quarter of 2016 marked a high point in the number of attacks peaking at more than 100 Gbps,” Akamai stated in its report. “This trend was matched in Q3 2016, with another 19 mega attacks. It’s interesting that while the overall number of attacks fell by 8% quarter over quarter, the number of large attacks, as well as the size of the biggest attacks, grew significantly.”
• “The magnitude of the attacks seen during the final week were significantly larger than the majority of attacks Akamai sees on a regular basis,” Akamai reports. “In fact, while the attack on September 20 was the largest attack ever mitigated by Akamai, the attack on September 22 would have qualified for the record at any other time, peaking at 555 Gbps.”
• Krebs has also made a .csv of the data available: “An observant reader can probably correlate clumps of attacks to specific stories covered by Krebs. Reporting on the dark side of cybersecurity draws attention from people and organizations who are not afraid of using DDoS attacks to silence their detractors.” In case any trenchant observant readers wish to attempt that, I’ve published a spreadsheet here (in .CSV format) which lists the date, duration, size and type of attack used in DDoS campaigns against KrebsOnSecurity.com over the past four years.”
• Some comments about the “mega” attacks on Kreb’s site:
• “We haven’t seen GRE really play a major role in attacks until now. It’s basically a UDP flood with a layer-7 component targeting GRE infrastructure. While it’s not new, it’s certainly rare.”
• “Overall, Columbia was the top source of attack traffic. This is surprising, because Columbia has not been a major source of attack traffic in the past. While Columbia only accounted for approximately 5% of the traffic in the Mirai-based attacks, it accounted for nearly 15% of all source IPs in the last four attacks. A country that was suspiciously missing from both top 10 lists was the u.s. With regards to Mirai, this may be due to a comparative lack of vulnerable and compromised systems, rather than a conscious decision not to use systems in the u.s.”
• “There are a few distinctive programming characteristics we initially discovered in our lab, and later confirmed when the source code was published, which have helped identify Mirai-based traffic. At the end of the day what Mirai really brings to the table is a reasonably well written and extensible code base. It’s unknown as to what Mirai may bring in the foreseeable future but it is clear that it has paved the way for other malicious actors to create variants that improve on its foundation.”
• The full report can be downloaded here
• Some other data from the report:
• “Last quarter we reported a 276% increase in NTP attacks compared with Q2 of 2015. This quarter, we analyzed NTP trends over two years and have noticed shrinking capabilities for NTP reflection.” — It is good to finally see NTP falling off the attack charts as it gets patched up
• “Web application attack metrics around the European Football Cup Championship Game and the Summer Games, as analyzed in the Web Application Attack Spotlight, show us that while malicious actors take advantage of high-profile events, there’s also a lull that indicates they might like to watch them.” (see page 26)
• Application Layer DDoS attacks (GET/HEAD/POST/PUT etc) account for only 1.66% of DDoS attacks. Most attacks are aimed at the infrastructure layer (IP and TCP/UDP)
• “Repeat DDoS Attacks by Target / After a slight downturn in Q2 2016, the average number of DDoS attacks increased to an average of 30 attacks per target, as shown in Figure 2-13. This statistic reflects that once an organization has been attacked, there is a high probability of additional attacks.”
• SQL Injection (49%) and Local File Inclusion (40%) make up the greatest share of attacks against web applications

Is your server (N)jinxed ?

• A flaw in the way Debian (and Ubuntu) package nginx, can allow your server to be compromised.
• The flaw allows an attacker who has managed to gain control of a web application, like wordpress, to escalate privileges from the www-data user to root.
• “Nginx web server packaging on Debian-based distributions such as Debian or Ubuntu was found to create log directories with insecure permissions which can be exploited by malicious local attackers to escalate their privileges from nginx/web user (www-data) to root.”
• “The vulnerability could be easily exploited by attackers who have managed to compromise a web application hosted on Nginx server and gained access to www-data account as it would allow them to escalate their privileges further to root access and fully compromise the system.”
• The attack flow works as follows:
  • Compromise a web application
  • Run the exploit as the www-data user
  • Compile your privilege escalation shared library /tmp/privesclib.c
  • Install your own low-priv shell (maybe /bin/bash, or an exploit) as /tmp/nginxrootsh
  • Take advantage of the permissions mistake where /var/log/nginx is writable by the www-data user, and replace error.log with a symlink to /etc/ld.so.preload
  • Wait for nginx to be restarted or rehashed by logrotate
  • When nginx is restarted or rehashed, it creates the /etc/ld.so.preload file
  • Add the /tmp/privesclib.so created earlier to /etc/ld.so.preload
  • Run sudo, which will now load /tmp/privesclib.so before other libraries, running the code
  • sudo will not allow the www-data user to do any commands, but before sudo read its config file, it ran privesclib.so, which made /tmp/nginxrootsh setuid root for us
  • Run /tmp/nginxrootsh as any user, and you now have a shell as the root user
  • The now own the server
• Video Proof of Concept
• Fixes:
• Debian: Fixed in Nginx 1.6.2-5+deb8u3
  • Ubuntu 14.04 LTS: 1.4.6-1ubuntu3.6
  • Ubuntu 16.04 LTS: 1.10.0-0ubuntu0.16.04.3
  • Ubuntu 16.10: 1.10.1-0ubuntu1.1
• Make sure your log directory is not writable by the www-data user

Hacking 27% of the web via WordPress Auto-update

• “At Wordfence, we continually look for security vulnerabilities in the third party plugins and themes that are widely used by the WordPress community. In addition to this research, we regularly examine WordPress core and the related wordpress.org systems. Recently we discovered a major vulnerability that could have caused a mass compromise of the majority of WordPress sites.”
• “The vulnerability we describe below may have allowed an attacker to use the WordPress auto-update function, which is turned on by default, to deploy malware to up to 27% of the Web at once.”
• “The server api.wordpress.org has an important role in the WordPress ecosystem: it releases automatic updates for WordPress websites. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates. The response from this server contains information about any newer versions that may be available, including if the plugin, theme or core needs to be updated automatically. It also includes a URL to download and install the updated software.”
• “Compromising this server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically. This provides a way for an attacker to mass-compromise WordPress websites through the auto-update mechanism supplied by api.wordpress.org. This is all possible because WordPress itself provides no signature verification of the software being installed. It will trust any URL and any package that is supplied by api.wordpress.org.”
• “We describe the technical details of a serious security vulnerability that we uncovered earlier this year that could compromise api.wordpress.org. We reported this vulnerability to the WordPress team via HackerOne. They fixed the vulnerability within a few hours of acknowledging the report. They have also awarded Wordfence lead developer Matt Barry a bounty for discovering and reporting it.”
• “api.wordpress.org has a GitHub webhook that allows WordPress core developers to sync their code to the wordpress.org SVN repository. This allows them to use GitHub as their source code repository. Then, when they commit a change to GitHub it will reach out and hit a URL on api.wordpress.org which then triggers a process on api.wordpress.org that brings down the latest code that was just added to GitHub.”
• “The URL that GitHub contacts on api.wordpress.org is called a ‘webhook’ and is written in PHP. The PHP for this webhook is open source and can be found in this repository. We analyzed this code and found a vulnerability that could allow an attacker to execute their own code on api.wordpress.org and gain access to api.wordpress.org. This is called a remote code execution vulnerability or RCE.”
• “If we can bypass the webhook authentication mechanism, there is a POST parameter for the GitHub project URL that is passed unescaped to shell_exec which allows us to execute shell commands on api.wordpress.org. This allows us to compromise the server.”
• There is security built into the system. Github hashes the JSON data with a shared secret, and submits the hash with the data. The receiving side then hashes the JSON with its copy of the shared secret. If the two hashes match, the JSON must have been sent by someone who knows the shared secret (ideally only api.wordpress.com and github)
• There is a small catch
• “GitHub uses SHA1 to generate the hash and supplies the signature in a header: X-Hub-Signature: sha1={hash}. The webhook extracts both the algorithm, in this case ‘sha1’, and the hash to verify the signature. The vulnerability here lies in the fact the code will use the hash function supplied by the client, normally github. That means that, whether it’s GitHub or an attacker hitting the webhook, they get to specify which hashing algorithm is used to verify the message authenticity”
• “The challenge here is to somehow fool the webhook into thinking that we know the shared secret that GitHub knows. That means that we need to send a hash with our message that ‘checks out’. In other words it appears to be a hash of the message we’re sending and the secret value that only api.wordpress.org and GitHub know – the shared secret.”
• “As we pointed out above, the webhook lets us choose our own hashing algorithm. PHP provides a number of non-cryptographically secure hashing functions like crc32, fnv32 and adler32, which generate a 32bit hash vs the expected 160 bit hash generated by SHA1. These hashing functions are checksums which are designed to catch data transmission errors and be highly performant with large inputs. They are not designed to provide security.”
• So instead of having to brute force a 160 bit hash (1.46 with 48 zeros after it) you only have to brute force 32 bits (4 billion possibilities). But it gets even easier
• “Of these weak algorithms, the one that stood out the most was adler32, which is actually two 16 bit hashing functions with their outputs concatenated together. Not only are the total number of hashes limited, but there’s also significant non-uniformity in the hash space. This results in many hashes being the same even though they were supplied with different inputs. The distribution of possible checksum values are similar to rolling dice where 7 is the most likely outcome (the median value), and the probability of rolling any value in that range would work its way out from the median value (6 and 8 would have the next highest probability, and on it goes to 2 and 12).”
• “The proof of concept supplied in the report utilizes the non-uniformity by creating a profile of most common significant bytes in each 16 bit hash generated. Using this, we were able to reduce the amount of requests from 2^32 to approximately 100,000 to 400,000 based on our tests with randomly generated keys.”
• “This is a far more manageable number of guesses that we would need to send to the webhook on api.wordpress.org which could be made over the course of a few hours. Once the webhook allows the request, the attack executes a shell command on api.wordpress.org which gives us access to the underlying operating system and api.wordpress.org is compromised.”
• “From there an attacker could conceivably create their own update for all WordPress websites and distribute a backdoor and other malicious code to more than one quarter of the Web. They would also be able to disable subsequent auto-updates so that the WordPress team would lose the ability to deploy a fix to affected websites.”
• “We confidentially reported this vulnerability on September 2nd to Automattic and they pushed a fix to the code repository on September 7th. Presumably the same fix had been deployed to production before then.”
• “We still consider api.wordpress.org a single point of failure when distributing WordPress core, plugins and theme updates. We have made attempts to start a conversation with members of Automattic’s security team about improving the security posture of the automatic update system, but we have not yet received a response.”

Feedback:

• Network Test

• SLOW FreeNAS FIXED

• Obligatory ZFS question / feature request

• ZFS replication for backup

Round Up:

• cURL Author: People email me asking for support with their Car’s infotainment system
• Another malicious link that can cause any iOS device to freeze & require a hard reset
• Walmart testing using the blockchain to track food recalls
• Attacking the Washington, D.C. Internet Voting System
• Uber Portal Leaked Names, Phone Numbers, Email Addresses, Unique Identifiers
• Mapping Malware Attack Methodology to Controls
• CocaCola moves most of their data to the cloud, but won’t store its secret formula in the cloud.
• Kaspersky OS: Antivirus Firm Launches Its Own “Hackproof” OS, Based On Microkernel
• Oracle acquires DNS provider Dyn
• Exploit Code Released for NTP Vulnerability
• Vulnerability in InPage publishing software used in attacks against banks

The post Turkey.deb | TechSNAP 294 first appeared on Jupiter Broadcasting.

Liz is in service engineering at Microsoft working in a 20 person team of devs & program managers. She started her venture into technology at the age of 8 making websites.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

• Liz Hill (@lizbanderhill) | Twitter
• Prodigy Math Game – Learn Math for Free. Forever.
• Girls Who Code | Free Summer Programs & Clubs
• DigiGirlz Home

Are you looking for the transcription? Please let us know you use it and we may bring it back!

• WTR Transcription Poll

The post Starting At 8 | WTR 52 first appeared on Jupiter Broadcasting.

Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Amazon releases s2n, a new TLS implementation

• s2n (signal2noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
• It has been fully audited, and will be re-audited once per year, paid for by Amazon
• It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
• The API appears to be very easy to use, and prevent many common errors
• The client side of the library is not ready for use yet
• Features:
  • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
  • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
  • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
  • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
  • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
• One of the main features is that, instead of having to specify which set of crypto algorithms you want to prefer, in what order, as we have discussed doing before for OpenSSL (in apache/nginx, etc), to can either use ‘default’, which will change with the times, or a specific snapshot date, that corresponds to what was the best practise at that time
• Github Page
• Additional Coverage – ThreatPost
• It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.

How the NSA’s XKEYSCORE works

• “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
• “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
• “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
• “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
• You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
• “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
• The security of the system is also not as good as than you might imagine:
• “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
• “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
• “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
• The system is not well designed, and could likely have been done better with existing open source tools, or commercial software designed to classify web traffic
• “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
• Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days), your actual traffic is deleted to make room for newer traffic, but the metadata (those tags) are kept for 30-45 days
• “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
• “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
• “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
• “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
• All of this information is based on the Snowden leaks, and is from any years ago
• “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
• Part 2 of Article

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

• RIPv1 is a routing protocol released in 1988 that was deprecated in 1996
• It uses UDP and so an attacker can send a message to a home router with RIP enabled from a spoofed IP address, and that router will send the response to the victim, flooding their internet connection
• ““Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sourc­es, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.”
• “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
• Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol on devices. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZET ZXv10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.

Home Routers used to host Malware

• Home routers were found to be hosting the Dyre malware
• Symantec Research Paper of Dyre
• Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher end routers geared towards “power user” and small businesses
• “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
• “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”

Feedback:

• ZFS with 4K drives?

• ZFS Replication Between FreeNAS and Linux

• Splitting a pool

• DNS Transfer Email Downtime Followup

• FreeBSD Mastery: ZFS — Not just about ZFS

Round Up:

• Hacked OPM and Background Check Contractors Lacked Logs, DHS Says
• How Facebook stores 900 million new photos per day, using Blu-Ray disks Video
• Software developers are failing to implement crypto correctly, data reveals
• Windows 10 will share all of your WiFi passwords with your Outlook (and optionally Facebook) Contacts. Access points can opt out by adding ‘_optout’ to the SSID
• Cisco to buy security firm OpenDNS for $635 million
• Your F5 BIG-IP load balancer is not affected by the Redhat 4.x/5.x bug that might make it reboot during the leap second We are sorry your BIG-IP rebooted during the leap second
• DYN reports possible routing hiccup caused by leap second Turns out it was just someone accidently routing all traffic to Amazon AWS via their AS
• Someone is cutting fiber optic cables in California
• IKEA presents how they patched 3500 RHEL servers for the shellshock vulnerability in only 2.5 hours
• Scaling the Address Resolution Protocol for Large Data Centers (SARP)
• SSLv3 now officially deprecated
• Cisco UCDM (Unified Communications Domain Manager) has a default static password for a root account

The post Ripping me a new Protocol | TechSNAP 221 first appeared on Jupiter Broadcasting.

This week we’re on the other side of the Atlantic, attending EuroBSDCon. For now, we’ve got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It’s an inside look that you probably won’t hear about anywhere else! We’ll also get to a couple of your emails today, and be back next week with all the usual goodies, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Interview – Peter Wemm – peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure

Feedback/Questions

• Todd writes in
• Brandon writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• We’ll be back next week from EuroBSDCon, hopefully with some great interviews, come and say hi to us!

The post Beastly Infrastructure | BSD Now 56 first appeared on Jupiter Broadcasting.

The CTO of CoreOS joins us to go into detail about how CoreOS deploys applications in Docker Containers, allows for automatic server updates, and might just finally fix security on the web.

Plus: We’ll wrap up the TrueCrypt upset, and discuss our prefered Linux TrueCrypt replacements, a quick look at Mint 17…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

CoreOS:

Brought to you by: System76

Guest: Brandon Philips is CTO at CoreOS.

• Brandon Philips (BrandonPhilips) on Twitter

CTO @ CoreOS. Worked on Luvit and Cloud Monitoring at Rackspace and was a Linux Kernel Guy at SUSE.

• Worked at SUSE: June 2007 – June 2011 (4 years 1 month).

• Brandon Philips Personal Site

CoreOS Details:

— Recent Events —

Google Cloud Platform Blog: Official CoreOS images are now available on Google Compute Engine

CoreOS integrates easily with Google load balancers and replica pools to easily scale your applications across regions and zones. Using replica groups with CoreOS is easy; configure the project-level metadata to include a discovery URL and add as many machines as you need. CoreOS will automatically cluster new machines and fleet will begin utilizing them. If a single machine requires more specific configuration, additional cloud-config parameters can be specified during boot.

The Companies That Support Linux: CoreOS | Linux.com

On May 19, CoreOS joined the Linux Foundation as a corporate member

• Run Services with Docker

• Service Discovery with etcd

• Cluster Management with fleet

CoreOS Interview:

• Q: I would really like to hear about the motivation behind that project (maybe a little story how and why it was started).

• Q: I’ve read “based on ChromeOS” quite a bit. We assume that means its a fork, could you give us the details?

• Q: How Does CoreOS differ from a traditional “Linux distro”?

• Q: systemd in CoreOS? How critical is it, and can you give us some examples?

• Example: Fleet presents the cluster as a distributed init system by aggregating systemd running on each machine.

• Q: Can you go into more detail about how applications are deployed in Docker?

• Ex: I want to install nginx, would that process be similar to installing a package via apt, but the software is deployed inside a Docker Container?

• Q: Can you talk about etcd is used for distributed config managment?

• Q: If a node fails, how does another node pick up the work if the data is stored in a container? Is central shared storage an important component to a full CoreOS deployment?

• Q: It seems likely that the web would be a lot safer if we all used CoreOS. Do you personally believe that’s true? And why?

• Q: You recently wrote about btrfs features that could benefit servers, and specifically Docker containers. Could you talk a bit about that?

• • Q: MANY More! Catch this week’s episode for answers and more questions!

Find out more about CoreOS:

• Inaugural CoreOS Meetup – San Francisco CoreOS Meetup (San Francisco, CA)

First CoreOS meetup in San Francisco on Tuesday, June 3, 2014 6:30 PM to 8:30 PM. RSVP!

• CoreOS Linux (coreoslinux) on Twitter

— Picks —

Runs Linux

Jimmy Research Humanoid Robot, Runs Linux

• Intel NUC D54250WYK, which features an Intel Core i5-4250U 4th Generation Haswell
• 4GB of DDR3 RAM (up to 16gb expansion)
• 32GB SSD for internal storage.
• Wifi 802.11AC, and Bluetooth.
• 4x USB 3.0 & 2x USB 2.0 ports
• HDMI & Display Port video output
• Gigabit Ethernet
• SATA port

• Up to 8-channel audio.

• The robot is offered in two flavors of Linux- Ubuntu 14.04 LTS for developers who wish to take advantage of a full-featured desktop OS, or Yocto Project Poky distribution OpenEmbedded Linux which has a custom 21C Robots layer to allow for unified support across many different CPU configurations and hardware.

Sent by Jimmy TheRobot.

Desktop App Pick

Gnome Encfs Manager

The Gnome Encfs Manager (or short GEncfsM) is an easy to use manager and mounter for encfs stashes featuring per-stash configuration, Gnome Keyring support, a tray menu inspired by Cryptkeeper and lots of unique features. Whether you want to let it do things as simple as mounting a stash at startup, which is often used in conjunction with cloud-synced folders on services like Dropbox & Co., or whether you want to let it automatically mount and unmount your stashes on removeable drives such as USB-disks, SD-cards or even network-resources, GEncfsM is designed to do all the work for you.

• AUR (en) – gnome-encfs-manager

Linux Mint 15 Review: Arch’s Nemesis?

• What\’s your TrueCrypt replacement?

Weekly Spotlight

Mozilla Labs : TogetherJS

TogetherJS is a free, open source JavaScript library by Mozilla that adds collaboration features and tools to your website. By adding TogetherJS to your site, your users can help each other out on a website in real time!

— NEWS —

TrueCrypt Must Not Die – organizing a future

This is not a fork (yet), we just coordinate, a fork will probably have a new name. Combining efforts is most important for now.

• First priority: Making the product available again.
• Second priority: finding interested and capable persons volunteering to help. Identify and solve legal issues. Identify Security Threats.
• Additionally: we will wait for the result of the Open Crypto Audit
• Third priority: Fork the project and solve security threats. Found a support association for continued development.

4000+ Downloads in the first 24 hours: There is still demand for a product like TrueCrypt!

• Tales from the TrueCrypt | TechSNAP 164

The TrueCrypt project has shut down, and we\’ll run down what we think is the most likely answer to this sudden mystery is.

#TrueCrypt users on Arch https://t.co/CJpDYSHT3H and Gentoo https://t.co/1dsk1rRnpQ your #TrueCrypt has not been updated yet. Keep an eye out

— Chris Fisher (@ChrisLAS) May 28, 2014

Linux Mint 17 Released!

Linux Mint 17 is a long term support release which will be supported until 2019. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.

• New features in Linux Mint 17 Cinnamon

The Update Manager was hugely improved.

It shows more information, it looks better, it feels faster, and it gets less in your way. It no longer needs to reload itself in root mode when you click on it. It no longer checks for an Internet connection or waits for the network manager and it no longer locks the APT cache at session startup.

The UI was improved, the icons were modified a bit and the changelog retrieval is now much faster and more reliable.

A new \”type\” column was added to differentiate between traditional updates, security updates, backports and romeo updates.

Security updates can now bypass safety levels and two new options were added for you to decide if they should always be visible and if they should be selected. By default these options are respectively set to True and to False.

• Linux Mint 17 “Qiana” MATE released!

Linus Torvalds Reads Mean Tweets

Taking a page from Jimmy Kimmel\’s Mean Tweets series, The Linux Foundation asked Linux creator Linus Torvalds to read some of the community\’s more colorful tweets. Of course, Linus adds his very own commentary.

• Linus Torvalds Reads Your Mean Tweets – YouTube

Leadwerks Game Engine: Indie Edition on Steam

The company today announced that its engine tools have launched on the Ubuntu Software Center — and Leadwerks now plans to focus on Ubunty as its primary supported platform, even over its Windows engine.

— Feedback —

• Happy ArchDay!

• Tech Talk Today launches Monday!

• Support Tech Talk Today and JB on Patreon

• The Jolla – Imgur

— Chris\’ Stash —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged

• Datamation.com

• BattleBlock Theater – Part 2 | Geek And The Gamer

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post CoreOS: Future of Servers | LAS 315 first appeared on Jupiter Broadcasting.

Are your projects cursed with knowledge of the present? Mike and Chris discuss the tendency to blame the last guy, and in some cases even scapegoat the absent. And why its only human to see all the mistakes of those who came before you.

Plus our thoughts on Facebook buying Oculus VR, your feedback, and more!

Thanks to:

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

— Show Notes: —

Feedback

• Developers preparing for death of Windows XP and supporting old IE 0
• Book tip (Metaprogramming) and some opinions…
• Android development
• Conflicted about FB\’s hack language
• 100 Swag Call out

Dev Hoopla:

• Why your previous developer was terrible

  Don’t worry — your situation is far from unique. I’ve seen it time and time again that a new developer comes in and seems to change everything almost overnight. She or he suggests new tools, new processes, new languages and new everything. All of this while badmouthing the previous developer or team. I’ve been on all sides of this fine play. I’ve been the “previous developer” who got badmouthed by the new guy. I’ve been the new guy that used the previous guy as my scapegoat. I’ve hired developers that have been in both positions. I’ve worked for companies that couldn’t see what was plain to me: this happens all the time.

• Oculus VR employees got death threats after Facebook sale

\”We expected a negative reaction from people in the short term, we did not expect to be getting so many death threats and harassing phone calls that extended to our families,\” Luckey said. \”We know we will prove ourselves with actions and not words, but that kind of sh** is unwarranted, especially since it is impacting people who have nothing to do with Oculus.\”

• Facebook buys Oculus VR. What do you owe early users?

• John Carmack speaks up about Facebook buying Oculus VR

It is Carmack\’s first comment on the deal since it was announced Tuesday. \”I wasn\’t personally involved in any of the negotiations — I spent an afternoon talking technology with [Facebook CEO] Mark Zuckerberg, and the next week I find out that he bought Oculus.\”

Book Pick:

• Ready Player One Audiobook

At once wildly original and stuffed with irresistible nostalgia, Ready Player One is a spectacularly genre-busting, ambitious, and charming debut—part quest novel, part love story, and part virtual space opera set in a universe where spell-slinging mages battle giant Japanese robots, entire planets are inspired by Blade Runner, and flying DeLoreans achieve light speed.

The post The Blame Game | CR 95 first appeared on Jupiter Broadcasting.

The best of Bitcoin podcasting join forces to discuss how Bitcoin could potentially disrupt the big media monopolies and fund a new generation of independent honest content, controlled by its audience.

Plus more challenges facing Mt. Gox, fixing Bitcoin’s infrastructure problem, and the quiet little Litecoin hack no one is talking about.

Downloads:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | Ogg Feed

— Support the Show —

• Donate to the network with your worthless fiat or your fancy bitcoins!

• Tip address:

  1HE36CMdeYCF9N7rmpfa5BwKMGb1PfkNyD

— Show Notes: —

— Feedback —

• Gox\’s Ploy?

• Mining in a VM

• If Bitcoin were the de facto

Help spread the word on iTunes with a Rating and Review:

• iTunes – Plan B by Jupiter Broadcasting

Call or txt the Show:

1 (352) 587-5262

(352) 58-PLANB

— Discussion —

• Fixing Bitcoin\’s shaky exchange infrastructure

That means bitcoin exchanges like Tradehill would have to register as a money transmitter with the federal government. That is the easy part, says Kenna, requiring little more than a single page form. The hard part is getting the relevant licence in each US state. They all have different rules, and some (sources single out New York and California) are particularly difficult.

Time (at least a little of it) is on Tradehill\’s side, however. Even though the FinCEN guidance came into immediate effect, it only applies to businesses 180 days after they begin trading in bitcoin. This gives it until mid-September to get its paperwork in order.

• Don\’t trust anonymous e-currencies like Bitcoin

In the real world, if you lose your credit card, checkbook, or even bank account log-on password, your money isn\’t gone. In fact there are lots of services and laws to protect you and your money. Not so in the e-currency world — check out a statement posted on a Bitcoin Wiki Faq regarding the potential loss of Bitcoins: \”Consider it a donation to all other bitcoin users.\”

Ultimately, most e-currencies possess the security of whatever your email address and password is. If hackers break into your computer, learn your password — or even break in and steal all your money at the bank — it will be replaced fairly quickly. This is absolutely not true of e-currency sites.

I\’m not saying that e-currency schemes are evil. And I\’m not saying fiat money is perfectly trusted or protected — the runaway inflation that led to wheelbarrows of money being exchanged in Weimar Germany come to mind. I\’m just saying that by comparison, over the long run, there is no comparison. The trust equation isn\’t even close.

• Bitcoin – the next global reserve currency?

“That committee has chosen to grow its balance sheet by $85 billion per month, to well above $3 trillion in total, by monetizing US Treasury and Agency debt. Accordingly, the long term outlook for the value of the USD will be subject not only to the supply of new money, but also bubbles caused by synthetic support for state-favored asset classes, and record high national debt.”

“In a world of increasing global communication and trade, a nation-agnostic currency would solve many of the problems we’ve seen repeated throughout history and potentially ease the associated international tensions. An asset for which the value is determined solely by international demand, immune to influence from central planners, is a necessary step forward towards a free market.”

• Litecoin Pool Exploit

“Suspected fake miners were clocking at up to150MH/s for 3-4 days. We suspect more cheaters were involved over the past 3-4 days which could have been at least partially to blame for the pools bad luck.”

“During deployment of the fix, we logged changes in valid hash rates. The biggest detected confirmed cheater was Cryptopower who went from 30MH/s to 1MH/s”

• Another Gox funding option eliminated

“After some deliberation and discussion with Technocash, an Australian service for Mt. Gox customer account funding and withdrawals, it has been decided that our customers in Australia will no longer be able to deposit and withdraw funds in AUD using Technocash starting June 15th, 2013.”

• — Adam B. Levine —

• Adam B. Levine (GamerAndy) on Twitter

Writer & Speaker with a passion for explaining complicated topics in understandable terms.

• Let\’s Talk Bitcoin! • Adam B. Levine – Editor-in-Chief – Bio

He is the founder and Editor-in-Chief of Let\’s Talk Bitcoin!

• YouTube is Broken by Adam B Levine

Happy Cakeday bitcointip bot

• Bitcointip

— Watch Live —

Tuesday 2pm PDT / 5pm EDT / 9pm GMT

• JbLive.tv

— Plan B Subreddit —

• Plan B Show

— Contact us —

• Chris on G+
• Drew on G+

— Music —

• Thanks to Ronald Jenkees and his fantastic track 7 Times

— Support the Show —

• Donate to the network with your worthless fiat or your fancy bitcoins!

• Tip address:

  1HE36CMdeYCF9N7rmpfa5BwKMGb1PfkNyD

The post Bitcoin Will Disrupt Big Media | Plan B 9 first appeared on Jupiter Broadcasting.

We chat with the creator of BitVegas, how it works, his plans for the future, and how he keeps users bitcoin\’s secure. Plus his thoughts on possible legal issues facing bitcoin gambling sites, Litecoin for gambling, and more.

Plus we run through some of the best Bitcoin news we’ve ever heard yet, using bitcoin for a cause, and some practical security tips.

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | Ogg Feed

Show Notes:

— Feedback —

• My 2 cents on the image issue

• How Bitcoin can make a difference for people living under oppression.

• Andre writes:

Hey Drew and Chris what do you guys think of this idea: BCtip – Printable Bitcoin Tips

Help spread the word on iTunes with a Rating and Review:

• iTunes – Plan B by Jupiter Broadcasting

Call or txt the Show:

1 (352) 587-5262

(352) 58-PLANB

Call in and briefly describe your mining setup. We’re prepping for a mining edition of Plan B, and want to hear what you’ve got! From one GPU to a super secret CIA lab full of ASICs!

— Discussion —

• PayPal president is fascinated by Bitcoin, says company is ‘thinking about’ including the virtual currency

So I\’ve been spending a lot of time looking at it, and it\’s truly fascinating actually: the way that the currency\’s been designed, and the way that inflation is built in to pay for miners, and all that is truly fascinating. I think that for us at PayPal, it\’s just a question whether Bitcoin will make its way to PayPal\’s funding instrument or not. We\’re kinda thinking about it.

• Chris Dixon: Why Silicon Valley Is Obsessed With The Bitcoin

Chris Dixon is co-founder and CEO at Hunch at a co-founder at Founder Collective. In the past he has served as CEO and co-founder at SiteAdvisor.

He has invested in technology companies including Skype, Foursquare and Kickstarter. In 2010, BusinessWeek magazine named Dixon the top angel investor in the technology industry.

Chris Dixon, like many other Silicon Valley investors, is really excited about Bitcoin. He says he\’s invested a significant amount of money into it.

Dixon spoke about why he and the rest of Silicon Valley are excited about Bitcoin, and what types of Bitcoin startups he\’s looking to invest in.

• Another Big VC Says Bitcoin Is \’Gold 2.0. It\’s a Huge, Huge, Huge Deal

Chamath Palihapitiya, venture capitalist, former head of the AOL Instant Messaging division, former Facebook executive, part owner of the Golden State Warriors (NBA)

Think the recent collapse in Bitcoin\’s value was the end of the experimental currency\’s, um, currency? Not even close, says Chamath Palihapitiya, the longtime Facebook executive who now runs The Social + Capital Partnership.

Likening Bitcoin to the \”red pill\” from the movie \”The Matrix,\” which exposes those who take it to a hidden reality, Palihapitiya sounded as bullish as could be during a Q&A at TechCrunch Disrupt NY on Monday morning.

BitVegas

• BitVegas: A casino, a faucet, and most of all, a community.

BitVegas is a Minecraft casino that operates on Bitcoins. It has a very friendly community as well as fun games.

If you enjoy gambling, bitcoins or socializing then you should come and join this server. It usually has at least fifteen players online during the day and up to forty at night (usually thirty). Upon joining you get 5 play BTC to gamble with. These can not be exchanged for any real Bitcoins. However, you also get half a real mBTC (possibly going up soon to 1 mBTC or more) per fifteen minutes. You can use these to gamble on games such as poker(still in beta), roulette, blackjack, pig racing(think horse racing with pigs), minefield, and a lottery (the lottery ticket seller is a chicken who usually hangs out in the roulette room).

The Bitcoins in this server can be exchanged for real Bitcoins to be sent to your wallet.

The player base is very friendly and we often have discussions and debates both related and unrelated to Bitcoins. It\’s a very friendly community as well as a source of free Bitcoins and entertainment.

— Litecoin —

• Mt. Gox delays plan to support virtual currency litecoin

The Tokyo-based exchange said in a news release it was planning to support litecoin two weeks ago \”but events derailed that plan. Right now we are focused on overall stability of the exchange and will launch LTC [litecoin] when we are ready.

• Sent in by James: Coinotron, ltcmine.ru, btc-e.com and give-me-ltc.com are experiencing massive brute force attacks.

A good reminder to use a different password at every pool you try, periodically check your payout address to make sure no one hacked you and changed it to pay them instead of you.

— Watch Live —

Tuesday 2pm PDT / 5pm EDT / 9pm GMT

• JbLive.tv

— Plan B Subreddit —

• Plan B Show

— Contact us —

• Chris on G+
• Drew on G+

— Music —

• Thanks to Ronald Jenkees and his fantastic track 7 Times

— Support the Show —

• Donate to the network with your worthless fiat or your fancy bitcoins!

• Tip address:

  1HE36CMdeYCF9N7rmpfa5BwKMGb1PfkNyD

The post Inside BitVegas | Plan B 4 first appeared on Jupiter Broadcasting.

Find out how an entire cities infrastructure depended on a single building, and what happened when it exploded.

Plus the technical details on Android’s security upgrade, the Apple Appstore payment bypass, and some great audience questions.

All that and a lot more, on today’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Limited time offers:
$3.99 .US domain!
Code:  399us4

Support the Show:

   

Show Notes: