Keybase – Jupiter Broadcasting (https://www.jupiterbroadcasting.com)
Open Source Entertainment, on Demand.

Ghostly Releases | BSD Now 270
https://original.jupiterbroadcasting.net/127856/ghostly-releases-bsd-now-270/
Thu, 01 Nov 2018 11:57:14 +0000

##Headlines
###OpenBSD 6.4 released

See a detailed log of changes between the 6.3 and 6.4 releases. See the information on the FTP page for a list of mirror machines. Have a look at the 6.4 errata page for a list of bugs and workarounds.

signify(1) pubkeys for this release:

base: RWQq6XmS4eDAcQW4KsT5Ka0KwTQp2JMOP9V/DR4HTVOL5Bc0D7LeuPwA
fw: RWRoBbjnosJ/39llpve1XaNIrrQND4knG+jSBeIUYU8x4WNkxz6a2K97
pkg: RWRF5TTY+LoN/51QD5kM2hKDtMTzycQBBPmPYhyQEb1+4pff/H6fh/kA
[…]


###GhostBSD 18.10 RC2 Announced

This second release candidate of GhostBSD 18.10 is the second official release of GhostBSD with TrueOS under the hood. The official desktop of GhostBSD is MATE. However, in the future, there might be an XFCE community release, but for now, there is no community release yet.

  • What has changed since RC1

    • Removed drm-stable-kmod and we will let users install the proper drm-*-kmod
    • Douglas Joachim added libva-intel-driver and libva-vdpau-driver to support accelerated video for some Intel video drivers
  • Issues that got fixed

    • Bug #70 Cannot run Octopi, missing libgksu error.
    • Bug #71 LibreOffice doesn’t start because of missing libcurl.so.4
    • Bug #72 libarchive is a missing dependency

Again thanks to iXsystems, TrueOS, Joe Maloney, Kris Moore, Ken Moore, Martin Wilke, Neville Goddard, Vester “Vic” Thacker, Douglas Joachim, Alex Lyakhov, Yetkin Degirmenci and many more who helped to make the transition from FreeBSD to TrueOS smoother.


###OpenSSH 7.9 has been released and it has support for OpenSSL 1.1

Changes since OpenSSH 7.8
=========================

This is primarily a bugfix release.

New Features
------------
 * ssh(1), sshd(8): allow most port numbers to be specified using
   service names from getservbyname(3) (typically /etc/services).
 * ssh(1): allow the IdentityAgent configuration directive to accept
   environment variable names. This supports the use of multiple
   agent sockets without needing to use fixed paths.
 * sshd(8): support signalling sessions via the SSH protocol.
   A limited subset of signals is supported and only for login or
   command sessions (i.e. not subsystems) that were not subject to
   a forced command via authorized_keys or sshd_config. bz#1424
 * ssh(1): support "ssh -Q sig" to list supported signature options.
   Also "ssh -Q help" to show the full set of supported queries.
 * ssh(1), sshd(8): add a CASignatureAlgorithms option for the
   client and server configs to allow control over which signature
   formats are allowed for CAs to sign certificates. For example,
   this allows banning CAs that sign certificates using the RSA-SHA1
   signature algorithm.
 * sshd(8), ssh-keygen(1): allow key revocation lists (KRLs) to
   revoke keys specified by SHA256 hash.
 * ssh-keygen(1): allow creation of key revocation lists directly
   from base64-encoded SHA256 fingerprints. This supports revoking
   keys using only the information contained in sshd(8)
   authentication log messages.

Bugfixes
--------

 * ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors when
   attempting to load PEM private keys while using an incorrect
   passphrase. bz#2901
 * sshd(8): when a channel closed message is received from a client,
   close the stderr file descriptor at the same time stdout is
   closed. This avoids stuck processes if they were waiting for
   stderr to close and were insensitive to stdin/out closing. bz#2863
 * ssh(1): allow ForwardX11Timeout=0 to disable the untrusted X11
   forwarding timeout and support X11 forwarding indefinitely.
   Previously the behaviour of ForwardX11Timeout=0 was undefined.
 * sshd(8): when compiled with GSSAPI support, cache supported method
   OIDs regardless of whether GSSAPI authentication is enabled in the
   main section of sshd_config. This avoids sandbox violations if
   GSSAPI authentication was later enabled in a Match block. bz#2107
 * sshd(8): do not fail closed when configured with a text key
   revocation list that contains a too-short key. bz#2897
 * ssh(1): treat connections with ProxyJump specified the same as
   ones with a ProxyCommand set with regards to hostname
   canonicalisation (i.e. don't try to canonicalise the hostname
   unless CanonicalizeHostname is set to 'always'). bz#2896
 * ssh(1): fix regression in OpenSSH 7.8 that could prevent public-
   key authentication using certificates hosted in a ssh-agent(1)
   or against sshd(8) from OpenSSH <7.8.

Portability
-----------

 * All: support building against the openssl-1.1 API (releases 1.1.0g
   and later). The openssl-1.0 API will remain supported at least
   until OpenSSL terminates security patch support for that API version.
 * sshd(8): allow the futex(2) syscall in the Linux seccomp sandbox;
   apparently required by some glibc/OpenSSL combinations.
 * sshd(8): handle getgrouplist(3) returning more than
   _SC_NGROUPS_MAX groups. Some platforms consider this limit more
   as a guideline.
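
The two KRL items under New Features (revocation by SHA256 hash, and building a KRL from the fingerprints that sshd(8) logs) can be used as sketched below. This is an added example, not part of the OpenSSH release notes or the show notes: the log lines, user names and file names are constructed, and `build_krl_spec` is a hypothetical helper. It collects the fingerprints of keys a given user logged in with and emits a KRL specification using the `hash:` directive documented in ssh-keygen(1).

```python
"""Turn sshd "Accepted publickey" log lines into a KRL specification.

Added example. The sample log is constructed; nothing here comes from a real host.
Feed the resulting spec to:  ssh-keygen -k -f revoked.krl krl_spec.txt
and point sshd_config's RevokedKeys at revoked.krl (file names are assumptions).
KRLs using "hash:" need OpenSSH 7.9 or later on the verifying side.
"""
import base64
import binascii
import hashlib
import re

# sshd logs the key type and its SHA256 fingerprint after "ssh2:".
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<addr>\S+) port \d+ ssh2: "
    r"(?P<ktype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]+)"
)


def fingerprint(key_blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH notation: unpadded base64 of the digest."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def is_valid_sha256_fp(fp: str) -> bool:
    """Accept only well-formed fingerprints: 43 base64 chars decoding to 32 bytes."""
    if not fp.startswith("SHA256:"):
        return False
    body = fp[len("SHA256:"):]
    if len(body) != 43:
        return False
    try:
        raw = base64.b64decode(body + "=", validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) == 32


def accepted_keys(log_text: str):
    """Yield (user, address, key type, fingerprint) for each successful key login."""
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and is_valid_sha256_fp(m.group("fp")):
            yield m.group("user"), m.group("addr"), m.group("ktype"), m.group("fp")


def build_krl_spec(log_text: str, user: str) -> str:
    """Return KRL spec lines revoking every key `user` authenticated with."""
    seen = []
    for log_user, _addr, _ktype, fp in accepted_keys(log_text):
        if log_user == user and fp not in seen:  # keep first-seen order, no repeats
            seen.append(fp)
    return "".join(f"hash: {fp}\n" for fp in seen)


def sample_log() -> str:
    """Constructed auth log: two users, a repeated key, noise and a damaged line."""
    k1 = fingerprint(b"constructed-key-blob-1")
    k2 = fingerprint(b"constructed-key-blob-2")
    return "\n".join([
        f"Nov  1 10:02:11 host sshd[811]: Accepted publickey for alice from "
        f"192.0.2.10 port 50122 ssh2: ED25519 {k1}",
        f"Nov  1 10:05:40 host sshd[830]: Accepted publickey for bob from "
        f"192.0.2.20 port 50200 ssh2: RSA {k2}",
        f"Nov  1 11:17:02 host sshd[902]: Accepted publickey for alice from "
        f"198.51.100.7 port 40111 ssh2: ED25519 {k1}",
        "Nov  1 11:18:09 host sshd[910]: Failed password for alice from "
        "198.51.100.7 port 40112 ssh2",
        "Nov  1 11:19:30 host sshd[915]: Accepted publickey for alice from "
        "198.51.100.7 port 40113 ssh2: RSA SHA256:tooshort",
    ]) + "\n"


SAMPLE_LOG = sample_log()

if __name__ == "__main__":
    print(build_krl_spec(SAMPLE_LOG, "alice"), end="")
```

Malformed fingerprints are dropped rather than passed through, so a truncated log line cannot end up in the specification handed to ssh-keygen.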

##News Roundup

###MeetBSD 2018: The Ultimate Hallway Track

Founded in Poland in 2007 and first hosted in California in 2008, MeetBSD combines formal talks with UnConference activities to provide a level of interactivity not found at any other BSD conference. The character of each MeetBSD is determined largely by its venue, ranging from Hacker Dojo in 2010 to Intel’s Santa Clara headquarters this year. The Intel SC12 building provided a beautiful auditorium and sponsors’ room, plus a cafeteria for the Friday night social event and the Saturday night FreeBSD 25th Anniversary Celebration. The formal nature of the auditorium motivated the formation of MeetBSD’s first independent Program Committee and public Call for Participation. Together these resulted in a backbone of talks presented by speakers from the USA, Canada, and Poland, combined with UnConference activities tailored to the space.

  • MeetBSD Day 0

Day Zero of MeetBSD was a FreeBSD Developer/Vendor Summit hosted in the same auditorium where the talks would take place. Like the conference itself, this event featured a mix of scheduled talks and interactive sessions. The scheduled talks were LWPMFS: LightWeight Persistent Memory Filesystem by Ravi Pokala, Evaluating GIT for FreeBSD by Ed Maste, and NUMA by Mark Johnston. Ed’s overview of the advantages and disadvantages of using Git for FreeBSD development was of the most interest to users and developers, and the discussion continued into the following two days.

  • MeetBSD Day 1

The first official day of MeetBSD 2018 was kicked off with introductions led by emcee JT Pennington and a keynote, “Using TrueOS to boot-strap your FreeBSD-based project” by Kris Moore. Kris described a new JSON-based release infrastructure that he has exercised with FreeBSD, TrueOS, and FreeNAS. Kris’ talk was followed by “Intel & FreeBSD: Better Together” by Ben Widawsky, the FreeBSD program lead at Intel, who gave an overview of Intel’s past and current efforts supporting FreeBSD. Next came lunch, followed by Kamil Rytarowski’s “Bug detecting software in the NetBSD userland: MKSANITIZER”. This was followed by 5-Minute Lightning Talks, Andrew Fengler’s “FreeBSD: What to (Not) Monitor”, and an OpenZFS Panel Discussion featuring OpenZFS experts Michael W. Lucas, Allan Jude, Alexander Motin, Pawel Dawidek, and Dan Langille. Day one concluded with a social event at the Intel cafeteria where the discussions continued into the night.

  • MeetBSD Day 2

Day Two of MeetBSD 2018 kicked off with a keynote by Michael W. Lucas entitled “Why BSD?”, where Michael detailed what makes the BSD community different and why it attracts us all. This was followed by Dr. Kirk McKusick’s “The Early Days of BSD” talk, which was followed by “DTrace/dwatch in Production” by Devin Teske. After lunch, we enjoyed “A Curmudgeon’s Language Selection Criteria: Why I Don’t Write Everything in Go, Rust, Elixir, etc” by G. Clifford Williams and, “Best practices of sandboxing applications with Capsicum” by Mariusz Zaborski. I then hosted a Virtualization Panel Discussion that featured eight developers from FreeBSD, OpenBSD, and NetBSD. We then split up for Breakout Sessions and the one on Bloomberg’s controversial article on backdoored Supermicro systems was fascinating given the experts present, all of whom were skeptical of the feasibility of the attack. The day wrapped up with a final talk, “Tales of a Daemontown Performance Peddler: Why ‘it depends’ and what you can do about it” by Nick Principe, followed by the FreeBSD 25th Anniversary Celebration.

  • Putting the “meet” in MeetBSD

I confess the other organizers and I were nervous about how well one large auditorium would suit a BSD event but the flexible personal space it gave everyone allowed for countless meetings and heated hacking that often brought about immediate results. I watched people take ideas through several iterations with the help and input of obvious and unexpected experts, all of whom were within reach. Not having to pick up and leave for a talk in another room organically resulted in essentially a series of mini hackathons that none of us anticipated but were delighted to witness, taking the “hallway track” to a whole new level. The mix of formal and UnConference activities at MeetBSD is certain to evolve. Thank you to everyone who participated with questions, Lightning Talks, and Panel participation. A huge thanks to our sponsors, including Intel for both hosting and sponsoring MeetBSD California 2018, Western Digital, Supermicro, Verisign, Jupiter Broadcasting, the FreeBSD Foundation, Bank of America Merrill Lynch, the NetBSD Foundation, and the team at iXsystems.

See you at MeetBSD 2020!


###Setup DragonflyBSD with a desktop on real hardware ThinkPad T410
+Video Demo

Linux has become too mainstream and standard BSD is a common thing now? How about DragonflyBSD which was created as a fork of FreeBSD 4.8 in conflict over system internals. This tutorial will show how to install it and set up a user-oriented desktop. It should work with DragonflyBSD, FreeBSD and probably all BSDs.
Some background: BSD is ultimately derived from UNIX back in the days. It is not Linux even though it is similar in many ways because Linux was designed to follow UNIX principles. Seeing is believing, so check out the video of the install!
I did try two BSD distros before called GhostBSD and TrueOS and you can check out my short reviews. DragonflyBSD comes like FreeBSD bare bones and requires some work to get a desktop running.

  • Download image file and burn to USB drive or DVD

  • First installation

  • Setting up the system and installing a desktop

  • Inside the desktop

  • Install some more programs

  • How to enable sound?

  • Let’s play some free games

  • Setup WiFi

  • Power mode settings

  • More to do?

You can check out this blog post if you want a much more detailed tutorial. If you don’t mind standard BSD, get the GhostBSD distro instead which comes with a ready-made desktop Xfce or MATE and many functional presets.

  • A small summary of what we got on the upside:

    • Free and open source operating system with a long history
    • Drivers worked fine including Ethernet, WiFi, video 2D & 3D, audio, etc
    • Hammer2 advanced file system
    • You are very unique if you use this OS fork
  • Some downsides:

    • Less driver and direct app support than Linux
    • Installer and desktop have some traps and quirks and require work


###Porting Keybase to NetBSD

Keybase significantly simplifies the whole keypair/PGP thing and makes what is usually a confusing, difficult experience actually rather pleasant. At its heart is an open-source command line utility that does all of the heavy cryptographic lifting. But it’s also hooked up to the network of all other Keybase users, so you don’t have to work very hard to maintain big keychains. Pretty cool!
So, this evening, I tried to get it to all work on NetBSD.
The Keybase client code base is, in my opinion, not very well architected… there exist many different Keybase clients (command line apps, desktop apps, mobile apps) and for some reason the code for all of them are seemingly in this single repository, without even using Git submodules. Not sure what that’s about.
Anyway, “go build”-ing the command line program (it’s written in Go) failed immediately because there’s some platform-specific code that just does not seem to recognize that NetBSD exists (but they do for FreeBSD and OpenBSD). Looks like the Keybase developers maintain a Golang wrapper around struct proc, which of course is different from OS to OS. So I literally just copypasted the OpenBSD wrapper, renamed it to “NetBSD”, and the build basically succeeded from there! This is of course super janky and untrustworthy, but it seems to Mostly Just Work…
I forked the GitHub repo, you can see the diff on top of keybase 2.7.3 here: bccaaf3096a
Eventually I ended up with a ~/go/bin/keybase which launches just fine. Meaning, I can main() okay. But the moment you try to do anything interesting, it looks super scary:

charlotte@sakuracity:~/go/bin ./keybase login
▶ WARNING Running in devel mode
▶ INFO Forking background server with pid=12932
▶ ERROR unexpected error in Login: API network error: doRetry failed,
attempts: 1, timeout 5s, last err: Get
https://localhost:3000/_/api/1.0/merkle/path.json?last=3784314&load_deleted=1&load_reset_chain=1&poll=10&sig_hints_low=3&uid=38ae1dfa49cd6831ea2fdade5c5d0519:
dial tcp [::1]:3000: connect: connection refused

There’s a few things about this error message that stuck out to me:

  • Forking a background server? What?
  • It’s trying to connect to localhost? That must be the server that doesn’t work …

Unfortunately, this nonfunctional “background server” sticks around even when a command as simple as ‘login’ just failed:

charlotte@sakuracity:~/go/bin ps 12932
  PID TTY STAT    TIME COMMAND
  12932 ?   Ssl  0:00.21 ./keybase --debug --log-file
  /home/charlotte/.cache/keybase.devel/keybase.service.log service --chdir
  /home/charlotte/.config/keybase.devel --auto-forked 

I’m not exactly sure what the intended purpose of the “background server” even is, but fortunately we can kill it and even tell the keybase command to not even spawn one:

charlotte@sakuracity:~/go/bin ./keybase help advanced | grep -- --standalone
   --standalone                         Use the client without any daemon support.

And then we can fix wanting to connect to localhost by specifying an expected Keybase API server – how about the one hosted at https://keybase.io?

charlotte@sakuracity:~/go/bin ./keybase help advanced | grep -- --server
   --server, -s                         Specify server API.

Basically, what I’m trying to say is that if you specify both of these options, the keybase command does what I expect on NetBSD:

charlotte@sakuracity:~/go/bin ./keybase --standalone -s https://keybase.io login
▶ WARNING Running in devel mode
Please enter the Keybase passphrase for dressupgeekout (6+ characters): 

charlotte@sakuracity:~/go/bin ./keybase --standalone -s https://keybase.io id dressupgeekout
▶ WARNING Running in devel mode
▶ INFO Identifying dressupgeekout
✔ public key fingerprint: 7873 DA50 A786 9A3F 1662 3A17 20BD 8739 E82C 7F2F
✔ "dressupgeekout" on github:
https://gist.github.com/0471c7918d254425835bf5e1b4bcda00 [cached 2018-10-11
20:55:21 PDT]
✔ "dressupgeekout" on reddit:
    
My Keybase proof [reddit:dressupgeekout = keybase:dressupgeekout] (D4emf2X3JH5vi4R-FvelGoUUkPGg4oQCk5XvYpZy0F8) from KeybaseProofs
[cached 2018-10-11 20:55:21 PDT]

###Initial implementation of draft-ietf-6man-ipv6only-flag

This change defines the RA "6" (IPv6-Only) flag which routers
may advertise, kernel logic to check if all routers on a link
have the flag set and accordingly update a per-interface flag.

If all routers agree that it is an IPv6-only link, ether_output_frame(),
based on the interface flag, will filter out all ETHERTYPE_IP/ARP
frames, drop them, and return EAFNOSUPPORT to upper layers.

The change also updates ndp to show the "6" flag, ifconfig to
display the IPV6_ONLY nd6 flag if set, and rtadvd to allow
announcing the flag.

Further changes to tcpdump (contrib code) are available and will
be upstreamed.

Tested the code (slightly earlier version) with 2 FreeBSD
IPv6 routers, a FreeBSD laptop on ethernet as well as wifi,
and with Win10 and OSX clients (which did not fall over with
the "6" flag set but not understood).

We may also want to (a) implement an RX filter, and (b) over
time enhance user space to, say, stop dhclient from running
when the interface flag is set.  Also we might want to start
IPv6 before IPv4 in the future.

All the code is hidden under the EXPERIMENTAL option and not
compiled by default as the draft is a work-in-progress and
we cannot rely on the fact that IANA will assign the bits
as requested by the draft and hence they may change.

Dear 6man, you have running code.

Discussed with: Bob Hinden, Brian E Carpenter

##Beastie Bits


##Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Privacy Priorities | LINUX Unplugged 265
https://original.jupiterbroadcasting.net/126966/privacy-priorities-linux-unplugged-265/
Tue, 04 Sep 2018 20:28:09 +0000

Show Notes/Links: linuxunplugged.com/265

Dip the Chip | TechSNAP 255
https://original.jupiterbroadcasting.net/96791/dip-the-chip-techsnap-255/
Thu, 25 Feb 2016 17:48:27 +0000


What’s taking the states so long to catch up to the rest of the civilized world and dip the chip? Turns out it’s really complicated, we explain. Plus keeping a Hospital secure is much more than following HIPAA, and an analysis of Keybase malware.

Plus great questions, our answers, and much much more!

Show Notes:

The great American EMV fake-out

  • “Many banks are now issuing customers more secure chip-based credit cards, and most retailers now have card terminals in their checkout lanes that can handle the “dip” of chip-card transactions (as opposed to the usual swipe of the card’s magnetic stripe).”
  • But how many people have been to a retailer and ended up swiping their chip card?
  • “Comparatively few retailers actually allow chip transactions: Most are still asking customers to swipe the stripe instead of dip the chip. This post will examine what’s going on here, why so many merchants are holding out on the dip, and where this all leaves consumers”
  • “Visa CEO Charles W. Scharf said in an earnings call late last month that more than 750,000 locations representing 17 percent of the U.S. face-to-face card-accepting merchant base are now enabled to handle chip-based transactions, also known as the EMV. Viewed another way, that means U.S. consumers currently can expect to find chip cards accepted in checkout lines at fewer than one in five brick-and-mortar merchants.”
  • This leaves the question of why more retailers are not using the chip. In Canada, and the EU, almost all transactions use chip-and-pin
  • “New MasterCard and Visa rules that went into effect Oct. 1, 2015 put merchants on the hook to absorb 100 percent of the costs of fraud associated with transactions in which the customer presented a chip-based card yet was not asked or able to dip the chip. The chip cards encrypt the cardholder data and are far more expensive and difficult for card thieves to clone.”
  • “Some merchants — particularly the larger ones — want to turn the often painful experience of training customers how to use the chip cards and terminals into someone else’s problem.” “They see [chip cards] as just slowing down lines and chose to wait until consumers learned what to do — and do it quickly — at someone else’s store”
  • It seems that even with the liability shift, which Visa and Mastercard hoped would push merchants to be ready on time, many merchants have not completed upgrades to their payment systems and cash registers. Apparently many of the acquiring banks have long queues to ‘certify’ the upgraded software, further causing delays
  • “Visa said based on recent client surveys it expects 50% of face-to-face card accepting merchants to have chip card transactions enabled by the end of this year. But even 50 percent adoption can mask a long tail of smaller merchants who will put off as long as they can the expensive software and hardware upgrades for accepting chip transactions.”
  • In Canada, the transition was fairly quick, although this might be due to the fact that many people use debit cards that already required a pin, so the change for the customer was just inserting the card rather than swiping it
  • “The United States is the last of the G20 nations to move to more secure chip-based cards. As late as the United States is on EMV implementation globally, the process of merchants shifting to all-EMV transactions is still going to take several more years. Visa has said it typically took about three years after the liability shifts in other countries before 90% of payment card transactions were “chip-on-chip,” or generated by a chip card used at a chip-based terminal.”
  • “Historically, software was developed by terminal manufacturers and some-few contract programmers who kept up with the old-school operating systems, software development kits and so on for each terminal manufacturer. It was so easy that merchants and processors installed specialized tweaks that created countless variants in the marketplace.”
  • Now the software is more complicated, as it involves correctly implementing cryptography, and the terminal vendors seem to be struggling to keep up
  • “There are very few EMV software developers who understand the U.S. market”
  • “There’s an invisible hand at work that is about to kick everyone in the pants and accelerate U.S. dipping into EMV slots,” Crowley said. “If you use a chip card at a point of sale that says swipe — and you later say that wasn’t me – there’s very little a merchant can do to dispute that charge. It’s going to happen because what people aren’t thinking about is the friendly fraud. When people are made aware that if I swipe and I have a chip card, that lunch can be free if I’m a bad consumer.”
  • Note that this is still fraud, and you could go to jail
  • “If you’re curious about chip card swipe adoption in your area, take an informal survey: My own decidedly unscientific survey involved a shopping spree one recent morning to no fewer than seven different retail locations, which revealed exactly seven different chip-capable payment terminals instructing customers to “Please Swipe Card.””
  • Does typing your pin really take much longer than signing the receipt?

Securing Hospitals

  • Researchers working for a hospital were able to compromise both Patient Monitors and the Drug Dispensary
  • “The research results from our assessment of 12 healthcare facilities, 2 health care data facilities, 2 active medical devices from one manufacturer, and 2 web applications that remote adversaries can easily deploy attacks that target and compromise patient health. We demonstrated that a variety of deadly remote attacks were possible within these facilities, of which four attack scenarios are presented in this report.”
  • “One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective. The background, motivating factors, nuances, and misunderstandings that perforate the healthcare industry with regard to security are discussed at length in this report. In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.”
  • “The two major flaws in the healthcare industry with regard to threat model are that 1) the focus is almost entirely on protecting patient records, and 2) the measures taken address only unsophisticated adversaries: essentially, only one of the adversaries listed above — the Individual or Small Group adversary highlighted above in yellow. The industry is aware and speaks to Organized Crime and Nation State adversaries, but underestimates their sophistication and motivation. The strategies aim to curtail blanket, untargeted (i.e., indiscriminate) attacks to obtain patient healthcare records, and ignores the motivations and strategies that would be employed if targeting patient health or specific victims’ health records. These motivations and scenarios are highlighted in red in the above table”
  • The protection of health records has been the focus for quite some time, even before records were computerized, but it seems the industry has not “noticed” that medical devices have been connected to the network, and are insufficiently protected from attack
  • Devices compromised during the testing were: an insulin infusion pump, a patient monitor station, and a barcode reader
  • The following attack surfaces / areas of vulnerability were identified:
    • Patient Health
    • Patient Records
    • Service Availability
    • Community Confidence and Trust
    • R&D, Intellectual Property
    • Business Advantage
    • Hospital Finances
    • Hospital Reputation
    • Physician Reputation
  • PDF Report, 71 pages

KeyBase malware analysis

  • “The usage of a rather simple keylogger malware has gone through the roof after its builder got leaked online last summer”
  • “KeyBase is a spyware family that can capture keystrokes, steal data from the user’s clipboard, and take screenshots of the victim’s desktop at regular intervals”
  • “Caught red-handed, its author promised to stop working on the malware, closed down the website from where he was selling KeyBase for $50 / €45, and abandoned the project.”
  • “Researchers also discovered that while KeyBase’s control panel was secured with authentication, the folder in which images were sent for storage was not, meaning that after all this time, they could easily put together a simple script and find all the KeyBase panels available online.”
  • “Using this simple method, Palo Alto staff discovered 62 Web domains where the KeyBase control panel was installed, 82 different control panels, and 125,083 screenshots from 933 Windows computers.”
  • “Of all infected computers, 216 were workstations in corporate environments, 75 were personal computers, and 134 were used for both. 43 of the 933 computers also included details from more than one user, meaning they were shared assets, used by multiple family members or work colleagues.”
  • “Taking a look at the screenshots, researchers discovered images depicting banking portals, invoices, blueprints, video camera feeds, email inboxes, social media accounts, financial documents, booking software, and many more.”
  • Both personal and corporate banking details were seen, as well as a Hotel reservation system
  • “The set for educational institutions wasn’t notably attributable to any one panel, but equally distributed. What made it stand out though is that the same tactic for delivering the KeyBase phish was applied here and “Admissions” people were targeted. These individuals are constantly sent Word or PDF documents, allegedly from parents, so it’s no surprise they would open the malicious files”
  • “In the original KeyBase report, Palo Alto revealed that the malware’s creator managed to infect himself during the keylogger’s tests, and had his activities recorded through screenshots and then sent to the Web control panel. This apparently happened again, and 16 of the actors behind this new wave of KeyBase infections also managed to infect their computers. The screenshots saved from their PCs shows that while a few were just curious script kiddies, some of the other hackers were actually professionals involved in highly-targeted campaigns.”
  • These screenshots provide interesting insight into the attackers
  • “This next actor’s resolution was such that the screenshots only captured the top left portion of his or her screen; however, it was enough to make some interesting observations on tactics. The actor appears to be trying to engage in romance scams with multiple women, along with preying on seniors through dating sites”
  • “Our analysis provides a unique opportunity to see the entire life cycle of a malware infection. Commonly, we’d see the first image in a set to be the KeyBase executable or malicious document all the way through until the Anti-Virus alerts of an infection. Sometimes that happened all within one screenshot.”

Feedback:


Round Up:


Rocket Chat & Mattermost Cut the Slack | LAS 403
https://original.jupiterbroadcasting.net/93521/rocket-chat-mattermost-cut-the-slack-las-403/
Sun, 07 Feb 2016 18:42:54 +0000


Teams collaborating over Slack is the new hot trend sweeping many open source projects, communities & others. We compare Rocket.Chat, Mattermost & Slack. See which best protects your privacy & makes it easier than ever to work with a group of people. Don’t hate, collaborate with this week’s episode!

Plus all the details on the announced Ubuntu Tablet, the Keybase filesystem & more!


— Show Notes: —



Mattermost vs RocketChat

Mattermost vs Rocket.Chat

RocketChat vs Mattermost vs Let’s Chat Stackup | StackShare

Setup

RocketChat Using their Official Docker Image

For more information about this image and its history, please see the relevant manifest file (library/rocket.chat). This image is updated via pull requests to the docker-library/official-images GitHub repo.

Production Install on Ubuntu 14.04 LTS — Mattermost 1.3 documentation

Mattermost suggests installing directly on the OS for production use cases, and using Docker for test/dev.

Mobile

— PICKS —

Runs Linux

Linux Solves Rubik’s Cube

The fastest time for a human to solve a Rubik’s cube is 4.9 seconds. This robot can do it in 1.019 seconds.

Software engineers Jay Flatland and Paul Rose built this piece of kit, which uses four webcams to determine the state of the jumbled cube. The information is then fed into a computer, using the Kociemba Rubik’s cube-solving algorithm to work out a set of moves to solve the puzzle. A set of small motors mounted in a 3D-printed frame then swivel the, presumably extremely well-oiled, Rubik’s cube.

The previous quickest time for a robot to solve the cube is 2.39 seconds, so it looks like this could be a record breaker; however, they’re still waiting for official verification from Guinness World Records.

Pretty impressive. Although some super slow-motion footage wouldn’t go amiss.

Desktop App Pick

Wallpaper Timer

Variety is an open-source wallpaper changer for Linux

Hey, help me test the new kid in town – Variety Slideshow!

Variety is packed with great features, yet slim and easy to use. It can use local images or automatically download wallpapers from lots of online sources, allows you to rotate them on a regular interval, and provides easy ways to separate the great images from the junk. Variety can also display wise and funny quotations or a nice digital clock on the desktop.

sudo add-apt-repository ppa:peterlevi/ppa
sudo apt-get update
sudo apt-get install variety

Weekly Spotlight

Stikked: An advanced and beautiful pastebin written in PHP

Stikked is an Open-Source PHP Pastebin, with the aim of keeping a simple and easy to use user interface.

Stikked allows you to easily share code with anyone you wish. Based on the original Stikked with lots of bugfixes and improvements.


— NEWS —

Everything You Need to Know About The Ubuntu Tablet


The ‘BQ Aquaris M10 Ubuntu Edition’ (to give the model its full name) is a high-resolution 10-inch tablet — and then some.

Introducing the Keybase filesystem

Every file you write in there is signed. There’s no manual signing process, no taring or gzipping, no detached sigs. Instead, everything in this folder appears as plaintext files on everyone’s computers. You can even open /keybase/public/yourname in your Finder or Explorer and drag things in.

Why The Internet of Things and the Cloud Should Break Up

For IoT developers, the cloud is like beer in a college dorm: a cold one is around every corner you turn and … beer just becomes a constant of academic life.

XCOM 2 System Requirements

Linux System Requirements

RECOMMENDED:

  • OS: Ubuntu 14.04.2 64-bit or Steam OS
  • Processor: Intel i3-3225 3.3ghz
  • RAM: 8GB
  • Graphics: 2GB NVIDIA 960

NOTE: AMD and Intel GPUs are not supported at time of release.

Feedback:


System76

Brought to you by: System76

Mail Bag

Call Box

Were you around for today’s (10 January 2016) live show? If not, you should seriously consider taking some time with us on Sunday and watch the live show. Not only will you get more content, but you’ll be able to interact with Chris and Noah.
One of the things that came up today was Chris talking about his background in today’s episode.

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com
