IPv6 – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed updated: Mon, 09 May 2022 14:45:20 +0000

Automated Chaos | LINUX Unplugged 457
https://original.jupiterbroadcasting.net/148522/automated-chaos-linux-unplugged-457/
Sun, 08 May 2022 19:00:00 +0000

Show Notes: linuxunplugged.com/457

The post Automated Chaos | LINUX Unplugged 457 first appeared on Jupiter Broadcasting.

‘Tis the SSHession | LINUX Unplugged 330
https://original.jupiterbroadcasting.net/137492/tis-the-sshession-linux-unplugged-330/
Tue, 03 Dec 2019 18:15:00 +0000

Show Notes: linuxunplugged.com/330

Kill Switch Engage | TechSNAP 320
https://original.jupiterbroadcasting.net/115001/kill-switch-engage-techsnap-320/
Tue, 23 May 2017 18:16:19 +0000

Show Notes:

Cisco’s Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to ‘WannaCry’

FCC Filings Overwhelmingly Support Net Neutrality Once Anti-Net Neutrality Spam is Removed

Net Neutrality II: Last Week Tonight

Unix Security Trifecta | TechSNAP 292
https://original.jupiterbroadcasting.net/104601/unix-security-trifecta-techsnap-292/
Thu, 10 Nov 2016 08:48:15 +0000

Show Notes:

Unix Trifecta — Patch Your Shit

  • This week saw the trifecta: critical vulnerabilities in 3 of the most important and widely used server applications
  • CVE-2016-8610 – OpenSSL: A remote attacker who can initiate handshakes with an OpenSSL based server can cause the server to consume a lot of computation power with very little bandwidth usage, and may be able to use this technique in a leveraged Denial of Service attack.
    • The flaw is in the way OpenSSL handles “SSL Alerts”. The SSL alert protocol is a way to communicate problems within an SSL/TLS session. Due to improper handling of alert packets, OpenSSL would consume an excessive amount of CPU time processing undefined alert messages.
  • CVE-2016-8864 – Bind: A remote attacker who could cause a server to make a query deliberately chosen to trigger the failed assertions could cause named(8) to stop, resulting in a Denial of Service condition for its clients.
    • A defect in BIND’s handling of responses containing a DNAME answer could cause a resolver to exit after encountering an assertion failure in db.c or resolver.c.
  • CVE-2016-8858 – OpenSSH: A remote attacker may be able to cause an SSH server to allocate an excessive amount of memory. Note that the default MaxStartups setting on FreeBSD will limit the effectiveness of this attack.
    • During the SSH handshake, the client and server exchange the supported encryption, MAC and compression algorithms, along with other information needed to negotiate the initial key exchange, in a message named SSH_MSG_KEXINIT.
    • When processing the SSH_MSG_KEXINIT message, the server could allocate up to a few hundred megabytes of memory per connection, before any authentication takes place.
  • Patches for most OSes should be out by now; make sure you install them.

LessPass, an open source, storage-less password manager? Or is it…

  • “Managing your Internet passwords is not easy. You probably use a password manager to help you. The system is simple, the tool generates random passwords whenever you need them and save them into a file protected with a strong password. This system is very robust, you only need to remember one password to rule them all! Now you have a unique password for each site on the Internet.”
  • But, there are some shortcomings to that type of password manager
  • How do I synchronize this file on all my devices?
  • How do I access a password on my parents’ computer without installing my password manager?
  • How do I access a password on my phone, without any installed app?
  • To solve this, LessPass does it differently
  • “The system uses a pure function, i.e. a function that given the same parameters will always give the same result. In our case, given a login, a master password, a site and options it will return a unique password”
  • “No need to save your passwords in an encrypted file. You just need to access the tool to recalculate a password from information that you know (mostly the login)”
  • There are some issues though.
    • Some sites have different password complexity requirements, such as banks that limit the length of your password, or require a PIN that is all digits
    • Some sites obviously do not hash passwords correctly, and do not allow some characters
    • What if you want to, or need to, change your password?
  • LessPass has a solution for all of these: you specify a “password profile”, which remembers the different complexity settings needed to generate a valid password
  • To handle changing a password, there is also a counter that starts at 1; you increment it to get a different password.
  • Of course, now you have to remember: your login, your master password, the password complexity profile for each site, and how many times you have changed your password on that site
  • So, they have a “connected” version, that remembers each site, your login, the password profile, and your password change counter.
  • There are obviously some privacy and security concerns here.
  • How do you restrict access in the connected version, with a username and password? Is that password the same as or different from your master password? Is your profile data encrypted per user?
  • Of course, being an open source project, there is the option to self-host, which eliminates a number of those concerns
  • “You can host your own LessPass database if you do not want to use the official one. The requirement for self-hosting is to have docker and docker-compose installed on your machine.”
  • The fact that the installation instructions are curl | bash (written the other way around, so that it works when you stick sudo in front of it) does raise some other concerns
  • This leaves a few problems:
    • You can never change your master password, as it will effectively change all of your passwords
    • It is still technically possible for someone to brute force your master password. Each attempt will require them to do the full PBKDF2 run, but 8192 rounds will take only a small fraction of a second, and it can be parallelized quite well. If someone does compromise your master password (via brute force, a keylogger, or whatever), they have access to all of your passwords; worse, they even have access to your ‘new’ passwords: changing your password just changes the ‘count’ parameter, so I could generate your next 10 gmail passwords and keep them for later.
    • The key-derivation seems weak: 8192 rounds of PBKDF2 is likely not enough. LastPass uses 100,000 rounds for its server-side key-derivation. FreeBSD’s GELI disk encryption uses a number of rounds that will take approximately 2 seconds, which on modern machines is over 1 million rounds. The issue is that changing this number in the future will change all of your passwords. At a minimum, it should be part of the password profile, so you can select a different value for each site, change the default for new sites in the future, and increase the strength of the password for one site by changing that site’s password.
    • LessPass cannot deal with SSO (Single Sign On). There are a number of sites for which I have the same password, because they all authenticate against the same LDAP database (or ActiveDirectory). LessPass ONLY allows you to use its derived passwords, which might not always work.
  • There are definitely some interesting aspects to LessPass, especially being able to self-host, but I don’t think I’ll be switching to it.
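A simplified model of the stateless ("pure function") derivation discussed above, added here as an example and not LessPass's own code (its real salt layout, character-set rendering and defaults differ). It puts the PBKDF2 round count into the per-site profile, as the notes recommend, and shows that the counter and the round count each change the output, and that later rotations are computable from the master password alone.

```python
import hashlib
import string
from dataclasses import dataclass, replace

# Character sets: constructed for this example, not LessPass's own.
FULL = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
DIGITS = string.digits


@dataclass(frozen=True)
class Profile:
    """Per-site 'password profile'. `rounds` lives here (the show's
    recommendation) so the PBKDF2 cost can be raised for new sites
    without silently changing every existing password."""
    length: int = 16
    digits_only: bool = False   # e.g. a bank that wants an all-digit PIN
    counter: int = 1            # bumped to rotate the password for one site
    rounds: int = 8192          # the 2016 figure quoted in the notes


def derive(master: str, login: str, site: str, profile: Profile) -> str:
    """Pure function: identical inputs always yield the identical password."""
    # The salt binds the result to site, login and rotation counter; the master
    # password is the only secret. (Hypothetical layout, not LessPass's.)
    salt = f"{site}\x00{login}\x00{profile.counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, profile.rounds, dklen=64)
    charset = DIGITS if profile.digits_only else FULL
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(profile.length):
        n, idx = divmod(n, len(charset))   # render the 512-bit key in base len(charset)
        chars.append(charset[idx])
    return "".join(chars)


def rotate(profile: Profile) -> Profile:
    """Rotating a site password only means incrementing the counter."""
    return replace(profile, counter=profile.counter + 1)


def future_passwords(master: str, login: str, site: str, profile: Profile, n: int) -> list:
    """The risk the notes point out: because rotation state is just an
    integer, whoever holds the master password can compute every later
    rotation ahead of time. Returned list is the next n passwords."""
    out = []
    p = profile
    for _ in range(n):
        p = rotate(p)
        out.append(derive(master, login, site, p))
    return out


if __name__ == "__main__":
    prof = Profile()
    print(derive("correct horse", "alice@example.com", "example.com", prof))
    print(derive("correct horse", "alice@example.com", "bank.example", Profile(length=6, digits_only=True)))
    print(future_passwords("correct horse", "alice@example.com", "example.com", prof, 3))
```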

A very valuable vulnerability

  • It all started with a facebook post by Colin Percival: “I think I just accidentally exploited a “receive arbitrarily large amounts of money” security vulnerability. Oops.”
  • Colin Percival is a security and cryptography expert, and a former FreeBSD Security Officer
  • Colin’s day job is running Tarsnap – backups for the truly paranoid.
  • To accept payments for his business, he uses Stripe – a credit card processing service, which also allows him to accept bitcoins
  • “While I very firmly wear a white hat, it is useful to be able to consider things from the perspective of the bad guys, in order to assess the likelihood of a vulnerability being exploited and its potential impact. For the subset of bad guys who exploit security vulnerabilities for profit — as opposed to selling them to spy agencies, for example — I imagine that there are some criteria which would tend to make a vulnerability more valuable:”
    • the vulnerability can be exploited remotely, over the internet;
    • the attack cannot be blocked by firewalls;
    • the attack can be carried out without any account credentials on the system being attacked;
    • the attack yields money (as opposed to say, credit card details which need to be separately monetized);
    • once successfully exploited, there is no way for a victim to reverse or mitigate the damage; and
    • the attack can be performed without writing a single line of code.
  • “Much to my surprise, a few weeks ago I stumbled across a vulnerability satisfying every one of these criteria.”
  • “The vulnerability — which has since been fixed, or else I would not be writing about it publicly — was in Stripe’s bitcoin payment functionality. Some background for readers not familiar with this: Stripe provides payment processing services, originally for credit cards but now also supporting ACH, Apple Pay, Alipay, and Bitcoin, and was designed to be the payment platform which developers would want to use; in very much the way that Amazon fixed the computing infrastructure problem with S3 and EC2 by presenting storage and compute functionality via simple APIs, Stripe fixed the “getting money from customers online” problem. I use Stripe at my startup, Tarsnap, and was in fact the first user of Stripe’s support for Bitcoin payments: Tarsnap has an unusually geeky and privacy-conscious user base, so this functionality was quite popular among Tarsnap users.”
  • “Despite being eager to accept Bitcoin payments, I don’t want to actually handle bitcoins; Tarsnap’s services are priced in US dollars, and that’s what I ultimately want to receive. Stripe abstracts this away for me: I tell Stripe that I want $X, and it tells me how many bitcoins my customer should send and to what address; when the bitcoin turns up, I get the US dollars I asked for. Naturally, since the exchange rate between dollars and bitcoins fluctuates, Stripe can’t guarantee the exchange rate forever; instead, they guarantee the rate for 10 minutes (presumably they figured out that the exchange rate volatility is low enough that they won’t lose much money over the course of 10 minutes). If the “bitcoin receiver” isn’t filled within 10 minutes, incoming coins are converted at the current exchange rate.”
  • “For a variety of reasons, it is sometimes necessary to refund bitcoin transactions: For example, a customer cancelling their order; accidentally sending in the wrong number of bitcoins; or even sending in the correct number of bitcoins, but not within the requisite time window, resulting in their value being lower than necessary. Consequently, Stripe allows for bitcoin transactions to be refunded — with the caveat that, for obvious reasons, Stripe refunds the same value of bitcoins, not the same number of bitcoins. (This is analogous to currency exchange issues with credit cards — if you use a Canadian dollar credit card to buy something in US dollars and then get a refund later, the equal USD amount will typically not translate to an equal number of CAD refunded to your credit card.)”
  • “The vulnerability lay in the exchange rate handling. As I mentioned above, Stripe guarantees an exchange rate for 10 minutes; if the requisite number of bitcoins arrive within that window, the exchange rate is locked in. So far so good; but what Stripe did not intend was that the exchange rate was locked in permanently — and applied to any future bitcoins sent to the same address. This made a very simple attack possible:”
    • Pay for something using bitcoin.
    • Wait until the price of bitcoin drops.
    • Send more bitcoins to the address used for the initial payment.
    • Ask for a refund of the excess bitcoin.
  • “Because the exchange rate used in step 3 was the one fixed at step 1, this allowed for bitcoins to be multiplied by the difference in exchange rates; if step 1 took place on July 2nd and steps 3/4 on August 2nd, for example, an arbitrary number of bitcoins could be increased by 30% in a matter of minutes. Moreover, the attacker does not need an account with Stripe; they merely need to find a merchant which uses Stripe for bitcoin payments and is willing to click “refund payment” (or even better, is set up to automatically refund bitcoin overpayments).”
  • “Needless to say, I reported this to Stripe immediately. Fortunately, their website includes a GPG key and advertises a vulnerability disclosure reward (aka. bug bounty) program; these are two things I recommend that every company does, because they advertise that you take security seriously and help to ensure that when people stumble across vulnerabilities they’ll let you know. (As it happens, I had Stripe security’s public GPG key already and like them enough that I would have taken the time to report this even without a bounty; but it’s important to maximize the odds of receiving vulnerability reports.) Since it was late on a Friday afternoon and I was concerned about how easily this could be exploited, I also hopped onto Stripe’s IRC channel to ask one of the Stripe employees there to relay a message to their security team: “Check your email before you go home!””
  • “Stripe’s handling of this issue was exemplary. They responded promptly to confirm that they had received my report and reproduced the issue locally; and a few days later followed up to let me know that they had tracked down the code responsible for this misbehaviour and that it had been fixed. They also awarded me a bug bounty — one significantly in excess of the $500 they advertise, too.”
  • “As I remarked six years ago, Isaac Asimov’s remark that in science “Eureka!” is less exciting than “That’s funny…” applies equally to security vulnerabilities. I didn’t notice this issue because I was looking for ways to exploit bitcoin exchange rates; I noticed it because a Tarsnap customer accidentally sent bitcoins to an old address and the number of coins he got back when I clicked “refund” was significantly less than what he had sent in. (Stripe has corrected this “anti-exploitation” of the vulnerability.) It’s important to keep your eyes open; and it’s important to encourage your customers to keep their eyes open, which is the largest advantage of bug bounty programs — and why Tarsnap’s bug bounty program offers rewards for all bugs, not just those which turn out to be vulnerabilities.”
  • “And if you have code which handles fluctuating exchange rates… now might be a good time to double-check that you’re always using the right exchange rates.”
  • A very interesting attack, and one that was only found because someone accidentally did the wrong thing
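The rate-lock logic above, modelled as an added example (a constructed ledger, not Stripe's code): `fixed=False` reproduces the behaviour Colin describes, `fixed=True` the intended rule, and `refund_looks_wrong` is a merchant-side sanity check to run before approving an overpayment refund.

```python
from dataclasses import dataclass, field
from decimal import Decimal

RATE_LOCK_SECONDS = 600   # the 10-minute rate guarantee described above


@dataclass
class Payment:
    ts: int          # unix time the coins arrived
    btc: Decimal
    rate: Decimal    # USD per BTC that was actually credited


@dataclass
class Receiver:
    """One 'bitcoin receiver': a USD amount due plus the rate quoted for it."""
    usd_due: Decimal
    created_at: int
    quoted_rate: Decimal
    payments: list = field(default_factory=list)
    filled_in_window: bool = False

    def usd_credited(self) -> Decimal:
        return sum((p.btc * p.rate for p in self.payments), Decimal(0))


def apply_payment(rcv: Receiver, ts: int, btc: Decimal, market_rate: Decimal, fixed: bool) -> Decimal:
    """Credit incoming coins. fixed=False models the behaviour described
    above; fixed=True models the intended rule. Returns the rate used."""
    in_window = ts - rcv.created_at <= RATE_LOCK_SECONDS
    if fixed:
        # Quoted rate only inside the window and only until the receiver is
        # filled; anything later or extra converts at the current market rate.
        use_quoted = in_window and not rcv.filled_in_window
    else:
        # Bug: once filled inside the window, the quoted rate stuck to the
        # address and was applied to every later payment sent to it.
        use_quoted = in_window or rcv.filled_in_window
    rate = rcv.quoted_rate if use_quoted else market_rate
    rcv.payments.append(Payment(ts, btc, rate))
    if in_window and rcv.usd_credited() >= rcv.usd_due:
        rcv.filled_in_window = True
    return rate


def refund_excess_btc(rcv: Receiver, market_rate: Decimal) -> Decimal:
    """Refunds return the same USD value, not the same number of coins."""
    excess_usd = rcv.usd_credited() - rcv.usd_due
    return excess_usd / market_rate if excess_usd > 0 else Decimal(0)


def refund_looks_wrong(rcv: Receiver, refund_btc: Decimal) -> bool:
    """Merchant-side check: a value-based refund of an overpayment should
    never hand back more coins than arrived after the rate window closed."""
    late_btc = sum((p.btc for p in rcv.payments
                    if p.ts - rcv.created_at > RATE_LOCK_SECONDS), Decimal(0))
    return refund_btc > late_btc


def simulate(fixed: bool):
    """Constructed scenario: a $65 order quoted at $650/BTC is paid in full
    within the window; a month later, with the market at $500/BTC, one extra
    coin lands on the same address and the excess is refunded."""
    r_then, r_now = Decimal(650), Decimal(500)
    rcv = Receiver(usd_due=Decimal(65), created_at=0, quoted_rate=r_then)
    apply_payment(rcv, ts=60, btc=Decimal("0.1"), market_rate=r_then, fixed=fixed)
    apply_payment(rcv, ts=30 * 86400, btc=Decimal(1), market_rate=r_now, fixed=fixed)
    refund = refund_excess_btc(rcv, r_now)
    return rcv, refund


if __name__ == "__main__":
    for fixed in (False, True):
        rcv, refund = simulate(fixed)
        print(f"fixed={fixed}: credited ${rcv.usd_credited()}, refund {refund} BTC, "
              f"suspicious={refund_looks_wrong(rcv, refund)}")
```

With the bug, 1 BTC sent at $500 is refunded as 1.3 BTC (the 30% multiplication Colin describes); with the fix, the same coin comes back as 1 BTC.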

The Shadow Knows | TechSNAP 282
https://original.jupiterbroadcasting.net/102761/the-shadow-knows-techsnap-282/
Thu, 01 Sep 2016 18:18:08 +0000

Show Notes:

Shadow Brokers steal hacking tools from NSA linked Equation Group

  • “On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.”
  • “The previously unknown group said that it broke into the cyberespionage organization known as the Equation Group and has now put the hacking tools that it acquired up for auction”
  • “In addition to selling the hacking tools to whoever would end up as the highest bidder, the Shadow Brokers said that if it will be paid 1 million bitcoins, which currently carries a value of about $568 million, the cyberweapons will be publicly released”
  • “To back up its claims, the Shadow Brokers uploaded what looks like attack code that focuses on the security systems of routers that direct computer traffic online. According to security experts, the code looks legitimate, affecting routers manufactured by three United States companies and two Chinese companies. Specifically, the companies involved are Cisco Systems, Fortinet, Juniper Networks, Shaanxi Networkcloud Information Technology and Beijing Topsec Network Security Technology.”
  • “Last year, researchers from Kaspersky Lab described the Equation Group as one of the most advanced hacking groups in the world. The compressed data that accompanied the post by the Shadow Brokers had a size of just over 256 MB and is said to contain hacking tools that are dated as early as 2010 belonging to the Equation Group”
  • Additional Coverage: The Intercept: The NSA Leak Is Real, Snowden Documents Confirm
  • “Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.”
  • This does not necessarily mean that the tools were stolen directly from the NSA, just that Shadow Brokers stole them from someone who had them. Maybe the Equation Group stole them, or maybe the NSA stole them from the Equation Group.
  • “The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
  • “The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.”
  • “SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.”
  • “SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.”
  • “Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.”
  • Additional Coverage: SoftPedia: List of Equation Group Files Leaked by Shadow Brokers
  • The list of names is quite amusing, likely computer generated by sticking two random words together. Reminds me of a domain-name generator I wrote when I was a teenager
  • Additional Coverage: Wired: Of Course Everyone’s Already Using the Leaked NSA Exploits
  • “All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.”
  • “Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn’t have a patch yet.”
  • “Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. “I’m not surprised that someone tried to exploit it,” Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. “People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way,” Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.”
  • “The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.”
  • Additional Coverage: Softpedia: Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool
  • Additional Coverage: Stephen Checkoway: Equation Group Initial Impressions
  • Additional Coverage: @musalbas: NSA’s BENIGNCERTAIN sends IKE packets to Cisco VPNs, then parses config and private keys from the response
  • Additional Coverage: @thegrugq: speculation that the ShadowBrokers leak was from another Snowden is “completely wrong”
  • Additional Coverage: Matt Blaze

Google Login Issue Allows Credential Theft

  • Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials, or alternatively send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
  • A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will accept a specific GET parameter that is only weakly checked.
  • “Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
  • The login page checks to ensure that the parameter points to .google.com/, but doesn’t determine which Google service the parameter is pointing to.
  • “The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process.”
  • Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials.
  • For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.
  • Exploiting the flaw should be simple; an “Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter.”
  • Woods opened three separate reports with Google about the vulnerability, but to no avail.
  • In a message to Woods, Google representatives said they saw phishing as the only attack vector, and didn’t consider this a security problem.
  • “The simplest action Google can take to address this would be to remove the redirect feature at login. If they want to retain that feature and also address this problem, they need to properly validate the contents of the parameter: Google needs to make sure the values they allow can’t be abused, and validate the allowed values are also safe themselves,” Woods said.
  • “This could be done by building a whitelist of [sub-]domains, (including paths if necessary) that they wish to redirect to.”
  • Aidan Woods: Google’s Faulty Login Pages
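An added example (not Google's code) of the two validation approaches described above: a host-suffix check that admits any Google service, beside the sub-domain-and-path allowlist Woods proposes. The allowlist entries and the URLs in the main block are constructed for illustration.

```python
from urllib.parse import urlsplit

# Allowlist of host -> permitted path prefixes for a `continue` target.
# Constructed for this example; a real deployment enumerates its own services.
ALLOWED_CONTINUE = {
    "mail.google.com": ("/mail/",),
    "calendar.google.com": ("/calendar/",),
}


def weak_continue_check(url: str) -> bool:
    """Approximation of the 'basic check' described above: any host under
    google.com passes, whatever service or path it points at."""
    host = (urlsplit(url).hostname or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def allowlisted_continue(url: str) -> bool:
    """The fix Woods suggests: validate the whole target against an explicit
    list of sub-domains and paths, not just a host suffix."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return False
    # Userinfo and explicit ports are never needed for a first-party redirect,
    # and userinfo is the classic way to make a URL read as one host while
    # resolving to another.
    if parts.username is not None or parts.password is not None or port is not None:
        return False
    host = (parts.hostname or "").lower()
    prefixes = ALLOWED_CONTINUE.get(host)
    if prefixes is None:
        return False
    path = parts.path or "/"
    if ".." in path.split("/") or "\\" in path:
        return False                 # no traversal past the prefix check
    return any(path.startswith(p) for p in prefixes)


if __name__ == "__main__":
    # Constructed URLs: the second passes the weak check although it is not a
    # service the login flow should ever hand the user to.
    for url in ("https://mail.google.com/mail/u/0/",
                "https://other-service.google.com/anything",
                "https://google.com.attacker.example/",
                "https://mail.google.com@attacker.example/mail/"):
        print(f"{url}: weak={weak_continue_check(url)} allowlist={allowlisted_continue(url)}")
```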

Researchers map the Netflix content delivery network, find 4669 servers

  • “When you open Netflix and hit “play,” your computer sends a request to the video-streaming service to locate the movie you’d like to watch. The company responds with the name and location of the specific server that your device must access in order for you to view the film.”
  • “For the first time, researchers have taken advantage of this naming system to map the location and total number of servers across Netflix’s entire content delivery network, providing a rare glimpse into the guts of the world’s largest video-streaming service.”
  • “A group from Queen Mary University of London (QMUL) traced server names to identify 4,669 Netflix servers in 243 locations around the world. The majority of those servers still reside in the United States and Europe at a time when the company is eager to develop its international audience. The United States also leads the world in Netflix traffic, based on the group’s analysis of volumes handled by each server. Roughly eight times as many movies are watched there as in Mexico, which places second in Netflix traffic volume. The United Kingdom, Canada, and Brazil round out the top five.”
  • “In March, Netflix did publish a blog post outlining the overall structure of its content delivery network, but did not share the total number of servers or server counts for specific sites.”
  • “Last January, Netflix announced that it would expand its video-streaming service to 190 countries, and IHS Markit recently predicted that the number of international Netflix subscribers could be greater than U.S. subscribers in as few as two years.”
  • “Steve Uhlig, the networks expert at Queen Mary University of London who led the mapping project, says repeating the analysis over time could track shifts in the company’s server deployment and traffic volumes as its customer base changes.”
  • “Traditionally, content delivery services have chosen one strategy or the other. Akamai, for example, hosts a lot of content with Internet service providers, while Google, Amazon, and Limelight prefer to store it at IXPs. However, Uhlig’s group found that Netflix uses both strategies, and varies the structure of its network significantly from country to country.”
  • “Timm Böttger, a doctoral student at QMUL who is a member of the research team, says he was surprised to find two Netflix servers located within Verizon’s U.S. network. Verizon and other service providers have argued with Netflix over whether they would allow Netflix to directly connect servers to their networks for free. In 2014, Comcast required Netflix to pay for access to its own network.”
  • “Tellingly, the group did not find any Netflix servers in Comcast’s U.S. network. As for the mysterious Verizon servers? “We think it is quite likely that this is a trial to consider broader future deployment,” Böttger says. Netflix did not respond to a request for comment.”
  • “Their search revealed that Netflix’s server names are written in a similar construction: a string of numbers and letters that include traditional airport codes such as lhr001 for London Heathrow to mark the server’s location and a “counter” such as c020 to indicate the number of servers at that location. A third element written as .isp or .ix shows whether the server is located within an Internet exchange point or with an Internet service provider.”
  • “To study traffic volumes, the researchers relied on a specific section of the IP header that keeps a running tally of data packets that a given server has handled. By issuing multiple requests to these servers and tracking how quickly the values rose, the team estimated how much traffic each server was processing at different times of the day. They tested the servers in 1-minute intervals over a period of 10 days.”
  • That counter is only 32 bit, and the larger Netflix servers push 80 gigabits per second (enough to wrap a 32 bit counter every 24 seconds)
  • “The U.K. has more Netflix servers than any other European country, and most of those servers are deployed within Internet service providers. All French customers get their films streamed through servers stationed at a single IXP called France-IX. Eastern Europe, meanwhile, has no Netflix servers because those countries were only just added to the company’s network in January.”
  • The researchers expected to see many more servers embedded in ISPs than at Internet exchanges. There are two reasons why this is not so: it would require more hardware, since a machine inside one ISP cannot serve a second ISP, and many ISPs, Comcast among them, resist hosting Netflix CDN boxes
  • “In March, the company said it delivers about 125 million total hours of viewing to customers per day. The researchers learned that Netflix traffic seems to peak just before midnight local time, with a second peak for IXP servers occurring around 8 a.m., presumably as Netflix uploads new content to its servers.”
  • See Netflix and Fill – BSDNow 157 for more on how Netflix runs their FreeBSD powered CDN.
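
The counter-probing technique in the quotes above, and the wrap-around caveat in the note after them, as an added worked example (this is not the researchers' code or the show's). The observations are constructed, and the counter width is a parameter because the show note assumes 32 bits; the one thing the code makes concrete is that a reading is only unambiguous when the probe interval is shorter than the time the counter takes to wrap once, otherwise the number of wraps between two probes is unknown and the rate is underestimated.

```python
"""Estimate a server's packet rate from a wrapping IP-header counter.

Added example, not code from the researchers or the show. The readings
below are constructed. width_bits is the counter width (the show note
assumes 32). Sampling is sound only when the interval between probes is
shorter than one wrap period; otherwise the number of wraps between two
readings is ambiguous and the estimate is too low.
"""


def counter_delta(prev, curr, width_bits):
    """Smallest non-negative increment from prev to curr, modulo 2**width_bits."""
    mod = 1 << width_bits
    if not (0 <= prev < mod and 0 <= curr < mod):
        raise ValueError("counter value outside %d-bit range" % width_bits)
    return (curr - prev) % mod


def estimate_rates(samples, width_bits):
    """samples: [(t_seconds, counter_value), ...] in time order.
    Returns [(t_midpoint, packets_per_second), ...], one per interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        if t1 <= t0:
            raise ValueError("samples must be strictly increasing in time")
        delta = counter_delta(c0, c1, width_bits)
        rates.append(((t0 + t1) / 2, delta / (t1 - t0)))
    return rates


def wrap_period_seconds(width_bits, packets_per_second):
    """Time for the counter to wrap once at a given packet rate."""
    return (1 << width_bits) / packets_per_second


def max_safe_interval(width_bits, bits_per_second, bytes_per_packet):
    """Longest probe interval that cannot hide a complete wrap, for a link
    carrying bits_per_second of packets averaging bytes_per_packet."""
    pps = bits_per_second / (8.0 * bytes_per_packet)
    return wrap_period_seconds(width_bits, pps)


if __name__ == "__main__":
    # Constructed readings, one per minute, with a wrap between the first two.
    readings = [(0, 4294967000), (60, 100), (120, 60100)]
    for t, pps in estimate_rates(readings, 32):
        print("t=%5.0fs  %.1f packets/s" % (t, pps))
    # An 80 Gbit/s server: how often must it be probed for readings to be unambiguous?
    print("32-bit, 1500-byte packets: wraps every %.0f s" % max_safe_interval(32, 80e9, 1500))
    print("32-bit,   64-byte packets: wraps every %.0f s" % max_safe_interval(32, 80e9, 64))
    print("16-bit, 1500-byte packets: wraps every %.4f s" % max_safe_interval(16, 80e9, 1500))
```

The wrap period depends on packet size as much as on link speed: at 80 Gbit/s a 32-bit counter lasts roughly ten minutes with 1500-byte packets but under half a minute with minimum-size packets, so a one-minute probe interval is safe only at the large-packet end of that range; a 16-bit counter wraps many times per second at that speed and cannot be used to measure it at all.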

Feedback:


Round Up:


The post The Shadow Knows | TechSNAP 282 first appeared on Jupiter Broadcasting.

IPv6 The Road Never Taken | Tech Talk Today 160 https://original.jupiterbroadcasting.net/80787/ipv6-the-road-never-taken-tech-talk-today-160/ Tue, 21 Apr 2015 10:17:06 +0000 https://original.jupiterbroadcasting.net/?p=80787 Chris and Noah argue over the practicality of IPv6 & if it will ever take off. Plus the big player that just got into Cyber security, Stingray’s big Baltimore outing & the big Google algorithm change this week. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post IPv6 The Road Never Taken | Tech Talk Today 160 first appeared on Jupiter Broadcasting.



Chris and Noah argue over the practicality of IPv6 & if it will ever take off. Plus the big player that just got into Cyber security, Stingray’s big Baltimore outing & the big Google algorithm change this week.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

Raytheon to Plow $1.7 Billion Into New Cyber Venture

Raytheon Co. is betting it can leverage the cybersecurity skills it honed for the U.S. military and intelligence agencies to sell to banks and retailers, investing almost $1.7 billion to establish a stand-alone business in an area where its defense peers have struggled to make money.

The company on Monday said it would buy control of Websense Inc. from private-equity firm Vista Partners LLC. Raytheon said Austin, Texas-based Websense, which has 21,000 data-security clients, half of them overseas, will form the core of a new cyber joint venture with forecast sales of $500 million this year and margins of around 20%.

Baltimore Police Used Stingrays For Phone Tracking Over 25,000 Times

The Baltimore Police Department is starting to come clean about its use of cell-phone signal interceptors — commonly known as Stingrays — and the numbers are alarming. According to recent court testimony reported by The Baltimore Sun, the city’s police have used Stingray devices with a court order more than 25,000 times. It’s a massive number, representing an average of nearly nine uses a day for eight years (the BPD acquired the technology in 2007), and it doesn’t include any emergency uses of the device, which would have proceeded without a court order.

Why the Journey To IPv6 Is Still the Road Less Traveled

The writing’s on the wall about the short supply of IPv4 addresses, and IPv6 has been around since 1999. Then why does the new protocol still make up just a fraction of the Internet? Though IPv6 is finished technology that works, rolling it out may be either a simple process or a complicated and risky one, depending on what role you play on the Internet. And the rewards for doing so aren’t always obvious. For one thing, making your site or service available via IPv6 only helps the relatively small number of users who are already set up with the protocol, creating a nagging chicken-and-egg problem.

Big Google algorithm change this week will usher in a new mobile era

The change has been a long time coming — Google first announced it back in November — but starting Tuesday, companies that haven’t made the switch will start feeling the hit in Google’s search results. The changes will favor sites that avoid technologies like Flash that don’t work on phones, have layouts that automatically scale so that users don’t have to scroll side-to-side or zoom, and have links placed far enough apart that they can be easily tapped with a finger.

Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.



We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:


GoDaddy

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 and 4 and cannot detect an attempted exploit inside an HTTP connection they have already allowed
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it reaches the application, attempting to detect exploit or SQL injection attempts. They are limited by their definitions of what an attack looks like, and often to protecting specific applications, since protecting an application well means knowing exactly what its legitimate traffic looks like
  • Intrusion detection systems again rely on matching known patterns, and often either miss an attack or raise so many false positives that the real attack is buried in a report full of noise and goes unrecognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.
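
The brute-force point above is the one that is cheapest to act on, so here is an added example of the detection an administrator would bolt on (this is not code from the episode, from Kaspersky, or from fail2ban, though it does what such tools do): a sliding-window count of OpenSSH "Failed password" lines per source address. The log lines are constructed, the year is supplied because syslog timestamps omit it, and the threshold and window are illustrative.

```python
"""Sliding-window detection of SSH password brute forcing in auth.log.

Added example, not from the episode or from Kaspersky. SAMPLE_LOG is
constructed and follows the OpenSSH 'Failed password' line format.
The year is passed in because syslog timestamps do not carry it.
Output is the set of sources to block, which is what a tool like
fail2ban would act on.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

# Constructed sample: a fast attacker, one legitimate login, a slow attacker, noise.
SAMPLE_LOG = [
    "Mar 24 10:15:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 24 10:15:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Mar 24 10:15:05 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51236 ssh2",
    "Mar 24 10:15:06 web1 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2",
    "Mar 24 10:15:08 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2",
    "Mar 24 10:15:09 web1 sshd[2106]: Accepted password for deploy from 198.51.100.9 port 40000 ssh2",
    "Mar 24 10:20:00 web1 sshd[2110]: Failed password for deploy from 198.51.100.9 port 40001 ssh2",
    "Mar 24 10:25:00 web1 sshd[2111]: Failed password for deploy from 198.51.100.9 port 40002 ssh2",
    "Mar 24 10:30:00 web1 sshd[2112]: Failed password for deploy from 198.51.100.9 port 40003 ssh2",
    "Mar 24 10:30:01 web1 sshd[2113]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9",
]


def parse_failed_login(line, year):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the double space in 'Mar  4'
    ts = datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")


def find_brute_forcers(lines, threshold=5, window_seconds=60, year=2014):
    """Flag a source once it has `threshold` failures inside any window of
    `window_seconds`. Returns {ip: timestamp at which it was flagged}."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line, year)
        if parsed is None:
            continue
        ts, ip, _user = parsed
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print("block %s (threshold reached at %s)" % (ip, when))
```

With the defaults only 203.0.113.7 is flagged; the second source fails three times across ten minutes and slips under a 60-second window, which is the same definition-bound weakness the notes describe for WAFs and IDS. Widening the window catches it at the cost of more false positives from users who mistype a password, so the numbers are a policy decision rather than a property of the detector.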

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email; viewing the message in Outlook’s preview pane triggers the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich Text Format) file; Outlook renders RTF content with MS Word by default
  • The Fix-It solution disables automatically opening emails with RTF content with MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
  • Additional Coverage – ThreatPost

Feedback:


Round Up:


pfSense Makes Sense | LAS s28e09 https://original.jupiterbroadcasting.net/43452/pfsense-makes-sense-las-s28e09/ Sun, 22 Sep 2013 14:37:08 +0000 https://original.jupiterbroadcasting.net/?p=43452 The pfSense project has a new release, we’ll run down some of our favorite features and how we use them. Plus why Gabe Newell says Linux is the future of gaming

The post pfSense Makes Sense | LAS s28e09 first appeared on Jupiter Broadcasting.



The pfSense project has a new release, we’ll run down some of our favorite features and how we use them. Plus Valve’s Gabe Newell says Linux is the future of gaming, and we’ll break down exactly why he feels that way.

Then: CyanogenMod’s got some big plans, but are they stepping on the community open source developers to get there? Plus a LinuxCon 2013 wrap up, the big Steam rumors…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


GoDaddy


Ting

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Making pfSense in a Linux World!


System76

Brought to you by: System76

Check out System76 on G+

This release brings many new features, with the biggest change being IPv6 support in most every portion of the system. There are also a number of bug fixes, and touch ups in general.

pfSense Gold is our $99 per year premium membership subscription program, designed to provide special benefits to our members while supporting ongoing development of the Open Source pfSense project.

The following companies sell the hardware the developers use. Purchasing from these vendors means the device is thoroughly tested, and if compatibility problems come up in future releases they will likely be quickly found and fixed.

Other Nice Features:

  • NTP Server for your LAN, can even pull from a serial attached GPS

  • Wake on LAN. Add a MAC address from a PC on your LAN, then wake it from the firewall as needed.

  • Easy-to-manage UPnP, for a balance of security and convenience.

  • High Availability Sync

pfsync transfers state insertion, update, and deletion messages between firewalls. Each firewall sends these messages out via multicast on a specified interface, using the PFSYNC protocol (IP Protocol 240). It also listens on that interface for similar messages from other firewalls, and imports them into the local state table.
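
The Wake on LAN feature in the list above is simple enough to show end to end, so here is an added example (not pfSense code) that builds the magic packet a firewall sends and, in the other direction, checks whether a given datagram would wake a host. The frame format is the standard one: six bytes of 0xFF followed by the target MAC repeated sixteen times, optionally followed by a 4- or 6-byte SecureOn password. The send helper is kept separate so everything else runs offline.

```python
"""Build, validate and send Wake-on-LAN magic packets.

Added example, not code from pfSense. Format: 6 x 0xFF (sync stream),
then the target MAC 16 times, then an optional 4- or 6-byte SecureOn
password. NICs look for the sync stream anywhere in the frame, so the
validator does the same.
"""
import re
import socket

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)(?:[0-9A-Fa-f]{2}\2){4}[0-9A-Fa-f]{2}$")


def parse_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabbccddeeff'; return 6 raw bytes."""
    if not _MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def build_magic_packet(mac, password=b""):
    """Sync stream + 16 copies of the MAC + optional SecureOn password."""
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password must be 0, 4 or 6 bytes")
    return b"\xff" * 6 + parse_mac(mac) * 16 + password


def extract_target_mac(packet):
    """Return the MAC this datagram would wake, or None if it is not a
    well-formed magic packet. Mirrors the NIC: locate the sync stream,
    then require sixteen identical copies of one address after it."""
    idx = packet.find(b"\xff" * 6)
    if idx < 0:
        return None
    body = packet[idx + 6:]
    if len(body) < 96:
        return None
    mac = body[:6]
    if body[:96] != mac * 16:
        return None
    return ":".join("%02x" % b for b in mac)


def send_magic_packet(mac, broadcast="255.255.255.255", port=9, password=b""):
    """Broadcast the packet on the local segment. UDP port 9 (discard) is the
    convention; the payload is what matters, not the port. Returns bytes sent."""
    pkt = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(pkt, (broadcast, port))
    return len(pkt)


if __name__ == "__main__":
    pkt = build_magic_packet("00:11:22:33:44:55")
    print("%d bytes, wakes %s" % (len(pkt), extract_target_mac(pkt)))
```

Two things worth noticing: the packet is layer-2 content carried in any frame, which is why a firewall has to send it on the LAN interface as a broadcast rather than route it, and why the validator scans for the sync stream instead of assuming it starts the payload; and without a SecureOn password anyone on the segment who knows the MAC can wake the host, so the feature is a convenience on a trusted LAN, not an access control.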


– Picks –

Runs Linux:

Weekly Spotlight Pick:

The Linux Foundation held its LinuxCon North America conference in New Orleans this week, and has once again published keynote session videos. The videos feature Linux luminaries including Google’s Chris DiBona, Valve’s Gabe Newell, Raspberry Pi’s Eben Upton, Intel’s Dirk Hohndel, and a panel with Tejun Heo, Greg Kroah-Hartman, Sarah Sharp, and Linus Torvalds

Desktop App Pick:

Git yours hands all over our STUFF:


— NEWS —

From LinuxCon & CloudOpen North America in New Orleans, LA. Join Gabe Newell as he shares his insights on the future of Linux gaming.

– Feedback: –

Bitmessage:

BM-GuJRSMgViBNXnafzuRQL3tpHHFSJQ5Wm

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

— Find us on Google+ —
— Find us on Twitter —
— Follow the network on Facebook: —
— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Cost of Encryption | TechSNAP 122 https://original.jupiterbroadcasting.net/41332/cost-of-encryption-techsnap-122/ Thu, 08 Aug 2013 11:53:41 +0000 https://original.jupiterbroadcasting.net/?p=41332 We’ll have a frank discussion about the encryption arms race underway, the side-channel attack against GnuPG that researchers have found, headlines from Black Hat...

The post Cost of Encryption | TechSNAP 122 first appeared on Jupiter Broadcasting.



We\’ll have a frank discussion about the encryption Arms race underway, the side channel attack against gpg research have found, headlines from Back Hat…

And then an epic batch of your questions, our answers!


— Show Notes —

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5

 

Visit dirwiz.com/unitysync use code tech for an extended trial and a year of maintenance.

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Researchers have found a side-channel attack which could possibly be used to steal your gnupg keys

  • Researchers Yuval Yarom and Katrina Falkner from The University of Adelaide presented their paper at Blackhat
  • The Flush+Reload attack is a cache side-channel attack that can extract up to 98% of the private key
  • The attack is based on the L3 cache, so it works across all cores, unlike previous attacks where the attacker had to be on the same CPU core as the victim
  • This attack works across VMs, so an attacker in one VM could extract the GnuPG key from another VM, even if the victim is executing on a different core of the same processor (the shared L3 cache is what the attack relies on)
  • Research Paper

More Encryption Is Not the Solution

  • Poul-Henning Kamp (PHK) wrote an article for ACM Queue about how Encryption is not the answer to the spying problems
  • Inconvenient Facts about Privacy
  • Politics Trumps Cryptography – Nation-states have police forces with guns. Cryptographers and the IETF (Internet Engineering Task Force) do not.
  • Not Everybody Has a Right to Privacy – Prisoners are allowed private communication only with their designated lawyers
  • Encryption Will Be Broken, If Need Be – Microsoft refactors Skype to allow wiretapping
  • Politics, Not Encryption, Is the Answer
  • “There will also always be a role for encryption, for human-rights activists, diplomats, spies, and other professionals. But for Mr. and Mrs. Smith, the solution can only come from politics that respect a basic human right to privacy—an encryption arms race will not work”
  • PHK postulates that a government could approach a cloud service and say “on all HTTPS connections out of the country, the symmetric key cannot be random; it must come from a dictionary of 100 million random-looking keys that I provide” and then hide it in the Cookie header
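
PHK's dictionary scenario is easy to underestimate because nothing about such a connection looks wrong, so here is an added example of it (not code from the ACM Queue article). Everything in it is constructed: the issuer's seed, a dictionary of 4096 entries rather than 100 million so the search finishes instantly, and a toy stream cipher built from HMAC-SHA256 so only the standard library is needed. The keys pass every randomness test a client could run, yet whoever holds the dictionary recovers the session with at most N trials, and with the index leaked in a header they need none.

```python
"""A dictionary-constrained 'random' session key, after PHK's hypothetical.

Added example, not code from the ACM Queue article. DICT_SEED, DICT_SIZE
(4096 instead of 100 million) and the HMAC-SHA256 keystream cipher are
all constructed stand-ins. What it shows: a key drawn from an N-entry
dictionary is indistinguishable from random to the client, but costs the
dictionary holder at most N trials, i.e. log2(N) bits instead of 256.
"""
import hashlib
import hmac
import math
import os

DICT_SIZE = 4096
DICT_SEED = b"constructed seed known only to the dictionary issuer"


def dictionary_key(index):
    """Entry `index` of the issuer's dictionary: random-looking, but reproducible."""
    if not 0 <= index < DICT_SIZE:
        raise ValueError("index outside dictionary")
    return hmac.new(DICT_SEED, index.to_bytes(4, "big"), hashlib.sha256).digest()


def issue_session_key(backdoored):
    """What a coerced service does versus an honest one."""
    if backdoored:
        return dictionary_key(int.from_bytes(os.urandom(4), "big") % DICT_SIZE)
    return os.urandom(32)


def keystream_xor(key, nonce, data):
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter) blocks.
    Encryption and decryption are the same operation."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_with_dictionary(nonce, ciphertext, known_prefix):
    """The dictionary holder's attack: try every entry and keep the one whose
    decryption begins with predictable plaintext (an HTTP request line here).
    Returns (index, plaintext) or None if the key was not from the dictionary."""
    for index in range(DICT_SIZE):
        key = dictionary_key(index)
        if keystream_xor(key, nonce, ciphertext[:len(known_prefix)]) == known_prefix:
            return index, keystream_xor(key, nonce, ciphertext)
    return None


def effective_key_bits(dict_size):
    """Work factor for the dictionary holder, in bits."""
    return math.log2(dict_size)


if __name__ == "__main__":
    nonce = os.urandom(12)
    request = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    ct = keystream_xor(issue_session_key(backdoored=True), nonce, request)
    print("backdoored:", recover_with_dictionary(nonce, ct, b"GET /"))
    ct = keystream_xor(issue_session_key(backdoored=False), nonce, request)
    print("honest:    ", recover_with_dictionary(nonce, ct, b"GET /"))
    print("dictionary of %d: %.1f bits of work; PHK's 100 million: %.1f bits"
          % (DICT_SIZE, effective_key_bits(DICT_SIZE), effective_key_bits(100_000_000)))
```

The search needs only a few bytes of predictable plaintext, which HTTP supplies in every request, and it is embarrassingly parallel; at PHK's scale the dictionary holder does under 27 bits of work per connection, which is why he argues that the constraint has to be refused politically rather than out-engineered with a longer key.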

Interview with Brendan Gregg


Feedback:

Correction Section

Echos from the Hall of Shame

Round Up:

Peek Inside | TechSNAP 63 https://original.jupiterbroadcasting.net/20817/peek-inside-techsnap-63/ Thu, 21 Jun 2012 16:00:02 +0000 https://original.jupiterbroadcasting.net/?p=20817 We take a peek inside a few never before seen data centers, and find out what makes the unique, then a major flaw affecting Intel chips, and some big answers to the Flame malware mystery! Plus some great Q&A and a few follow up stories you won’t want to miss! All that and more, on […]

The post Peek Inside | TechSNAP 63 first appeared on Jupiter Broadcasting.



We take a peek inside a few never before seen data centers and find out what makes them unique, then a major flaw affecting Intel chips, and some big answers to the Flame malware mystery!

Plus some great Q&A and a few follow up stories you won’t want to miss!

All that and more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Show Notes:

Washington Post and New York Times suggest Flame malware created by US and Israel

  • American officials say that Flame was not part of Operation Olympic Games (which was begun under President G.W. Bush)
  • Officials have declined to say whether the United States was responsible for the Flame attack
  • Obama repeatedly expressed concerns that any American acknowledgment that it was using cyber weapons could enable other countries, terrorists or hackers to justify their own attacks
  • New York Times Coverage
  • Noted Security Expert Bruce Schneier calls cyber warfare destabilizing and dangerous
  • Compared to the 2007 Israeli attack on the Syrian nuclear facility, Stuxnet did not result in any loss of life, or risk to friendly personnel
  • However, Stuxnet has damaged the U.S.’s credibility as a fair arbiter and force for peace in cyberspace. Its effects will be felt as other countries ramp up their offensive cyberspace capabilities in response
  • The offensive use of cyber weapons opens a pandora’s box and weakens the U.S.’s long term position, in exchange for a short term gain
  • Have Stuxnet and Flame already destroyed the U.S.’s credibility as a leader for a free and open Internet?
  • Richard Clarke (Former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, and Author of ‘Cyber War’), contends that there is a firm distinction between cyber-espionage and offensive cyber-attacks
  • Clarke argues that while cyber-espionage should be considered a routine, acceptable practice of any country as part of government intelligence operations, cyber-attacks are much more grave, and should be considered on par with physical attacks
  • Clarke and others argue for international cyber weapon arms control treaties
  • Richard Clarke: How China Steals Our Secrets

US-CERT discloses security flaw in 64 bit Intel chips

  • The issue surrounds the AMD64 processor instruction SYSRET
  • The instruction is implemented differently by AMD (who developed the AMD64 instruction set) than by Intel
  • Some implementations, notably: Microsoft, FreeBSD/NetBSD and Xen, used the AMD specifications
  • This resulted in a mismatch in the expected behavior, that could result in a privilege escalation
  • Microsoft’s Statement: An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights
  • FreeBSD’s Statement: Successful exploitation of the problem can lead to local kernel privilege escalation, kernel data corruption and/or crash. To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system
  • Xen’s Statement: 64-bit PV guest to host privilege escalation vulnerability. This issue only impacts servers running on Intel processors and could permit a 64-bit PV guest to compromise the XenServer host
  • Intel’s Statement: This is a software implementation issue. Intel processors are functioning as per specifications and this behavior is correctly documented in the Intel® 64 Software Developer’s Manual, Volume 2B, pages 4-598 to 4-599
  • AMD’s Statement: AMD processors’ SYSRET behavior is such that a non-canonical address in RCX does not generate a #GP while in CPL0. We have verified this with our architecture team, with our design team, and have performed tests that verified this on silicon. Therefore, this privilege escalation exposure is not applicable to any AMD processor
  • Additional Source

Team at Fujitsu cracks proposed new pairing-based cryptography standard

  • The team at Fujitsu, working in partnership with the Japanese National Institute of Information and Communications Technology (NICT) and Kyushu University, successfully cracked 923-bit pairing-based cryptography in 148.2 days
  • Based on previous results it was estimated to take several hundred thousand years to break a 923-bit key
  • This does not mean that the security of pairing-based cryptography is entirely broken, just that a larger key size is required to maintain security
  • This type of research is why only open cryptography standards should be trusted, and why it takes so long to select new standards
  • The competition for the SHA-3 algorithm opened in 2007 and is not expected to be completed until later this year. More than 50 algorithms were entered into the competition; only 5 remain
  • Among the rejected algorithms is MD6, which purported to scale to very large numbers of CPU cores for long messages; it was dropped due to speed problems and insufficient proof of its resistance to differential cryptanalysis. MD6 is still a work in progress and may still be used sometime in the future
  • Additional Source
  • NICT paper on cracking 676 bit pairing cryptography

A tour of GoDaddy’s Data Center

  • Photo Tour
  • Go Daddy is the registrar for over 52 million domain names
  • DNS infrastructure responds to 10 billion DNS queries per day
  • SSL infrastructure handles more than 1 billion OCSP responses every day
  • Currently hosts more than 5 million web sites on 35,000 servers
  • Blocks 2.5 million brute force attacks every hour.
  • More than 23 petabytes of data housed on its storage systems
  • Processes more than 350 million emails every day

OVH deploys world’s largest data center in Canada

  • The new data center uses OVH’s ‘Cube Data Center’ design, where servers are kept in the outer corridors of the cube and the center of the cube is left open
  • Cold air is drawn in from the outside of the cube, and the hot exhaust air is vented out through the open center
  • OVH also makes extensive use of water cooling for their servers, which they found can save as much as 30% on their energy bills
  • OVH Beauharnois, Quebec Data Center Video
  • The Quebec data center is located adjacent to the electrical sub station for the 1900 megawatt Beauharnois Hydroelectric Power Station, which will provide renewable energy for the data center
  • The data center also takes feeds from two additional power grids
  • Additional Coverage

Feedback:

Round-Up:
