lastpass – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Fri, 26 Feb 2021 16:58:23 +0000

We run Arch BTW | Self-Hosted 39 https://original.jupiterbroadcasting.net/144352/we-run-arch-btw-self-hosted-39/ Fri, 26 Feb 2021 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=144352 Show Notes: selfhosted.show/39

The post We run Arch BTW | Self-Hosted 39 first appeared on Jupiter Broadcasting.

Perfecting Our Plasma | LINUX Unplugged 393 https://original.jupiterbroadcasting.net/144252/perfecting-our-plasma-linux-unplugged-393/ Tue, 16 Feb 2021 18:15:00 +0000 https://original.jupiterbroadcasting.net/?p=144252 Show Notes: linuxunplugged.com/393

The post Perfecting Our Plasma | LINUX Unplugged 393 first appeared on Jupiter Broadcasting.

Self Hosted Secrets | LINUX Unplugged 316 https://original.jupiterbroadcasting.net/133877/self-hosted-secrets-linux-unplugged-316/ Tue, 27 Aug 2019 19:40:51 +0000 https://original.jupiterbroadcasting.net/?p=133877 Show Notes: linuxunplugged.com/316

The post Self Hosted Secrets | LINUX Unplugged 316 first appeared on Jupiter Broadcasting.

Proper Password Procedures | TechSNAP 398 https://original.jupiterbroadcasting.net/129611/proper-password-procedures-techsnap-398/ Fri, 01 Mar 2019 07:47:05 +0000 https://original.jupiterbroadcasting.net/?p=129611 Show Notes: techsnap.systems/398

The post Proper Password Procedures | TechSNAP 398 first appeared on Jupiter Broadcasting.

Privacy is Dead | TechSNAP 312 https://original.jupiterbroadcasting.net/113306/privacy-is-dead-techsnap-312/ Wed, 29 Mar 2017 00:27:34 +0000 https://original.jupiterbroadcasting.net/?p=113306 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Internet privacy The House just voted to wipe out the FCC’s landmark Internet privacy protections Vote Summary Who represents You in the U.S. Congress Five […]

The post Privacy is Dead | TechSNAP 312 first appeared on Jupiter Broadcasting.


Show Notes:

Internet privacy

Alleged vDOS Owners Poised to Stand Trial

  • Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

  • On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

  • According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

  • Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

ZFS is what you want, even though you may not know – Dan talks about why he likes ZFS

  • The following is an ugly generalization and must not be read in isolation
  • Listen to the podcast for the following to make sense
  • Makes sysadmin life easier
  • treats the disks as a bucket source for filesystem
  • different file system attributes for different purposes, all on the same set of disks
  • Interesting things you didn’t know you could do with ZFS

Feedback

The following were referenced during the above Feedback segments:


Round Up:


Live Long and Floppy | TTT 228 https://original.jupiterbroadcasting.net/92336/live-long-and-floppy-ttt-228/ Tue, 05 Jan 2016 11:23:40 +0000 https://original.jupiterbroadcasting.net/?p=92336 We cover the breaking news out of CES, Ford’s new found love for the Amazon Echo, the first big LastPass release after LogmeIn & how Star Trek creator Gene Roddenberry’s words were freed from old floppy disks. Plus our Kickstarter of the week & more! Direct Download: MP3 Audio | OGG Audio | Video | […]

The post Live Long and Floppy | TTT 228 first appeared on Jupiter Broadcasting.


We cover the breaking news out of CES, Ford’s new found love for the Amazon Echo, the first big LastPass release after LogmeIn & how Star Trek creator Gene Roddenberry’s words were freed from old floppy disks.

Plus our Kickstarter of the week & more!


Show Notes:

A Keyboard Walks into a Barcode | TechSNAP 242 https://original.jupiterbroadcasting.net/90821/a-keyboard-walks-into-a-barcode-techsnap-242/ Thu, 26 Nov 2015 08:54:08 +0000 https://original.jupiterbroadcasting.net/?p=90821 A research team finds various ways to attack LastPass, how to use a cocktail of current Android exploits to own a device & hacking a point of sale system using poisoned barcodes! Plus some great questions, our answers, a rockin roundup & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: […]

The post A Keyboard Walks into a Barcode | TechSNAP 242 first appeared on Jupiter Broadcasting.


A research team finds various ways to attack LastPass, how to use a cocktail of current Android exploits to own a device & hacking a point of sale system using poisoned barcodes!

Plus some great questions, our answers, a rockin roundup & much, much more!


— Show Notes: —

Even the last pass will be stolen

  • “During one of Alberto’s red team pentests, he gained access to several machines and found that all of them had files with references to LastPass. He came to me and told me it would be cool to check how LastPass works and if it was possible to steal LastPass credentials. 10% of our time is for research so we made that our small project.”
  • “We found how creds were stored locally and wrote a Metasploit plugin so he could use it to extract vault contents from all the compromised machines. Thanks to the module, he was able to obtain SSH keys to critical servers and the pentest was a success.”
  • They tested three different scenarios:
    • Client side attacks: A post-exploitation scenario in which an attacker has certain access to the victim’s machine (no root access needed)
    • LastPass side attacks: A scenario in which LastPass employees, attackers compromising their servers, or anyone MiTMing the connection is the attacker
    • Attacks from the outside: Attackers that are not on the client nor on LastPass servers side.
  • They used a number of different approaches
    • Using cookies
    • Abusing account recovery to obtain the encryption key
    • Bypassing 2 factor authentication
  • “URLs/Icons are encoded, not encrypted: This means that there is no privacy. If you like shady pr0n or you are registered in questionable forums, anyone looking at your encrypted vault will know it. Also, if you reset your password in some site and update the LastPass vault account when prompted for it, the unique reset password URL may be stored as well. If the webmaster did not do a good job of expiring the unique link, you gave LastPass the link to reset your password again.”
  • “Credentials often encrypted with ECB mode: ECB is a weak encryption method that should never be used. LastPass will know if you are reusing passwords from looking at the cipher text. This is bad because LastPass can go check any of the existing password dumps out there, see if you are registered in one of the hacked sites”
  • “what would happen if we google “extensions.lastpass.loginpws”. You guessed it! People are sharing their encrypted LastPass credentials with the rest of the world without their knowledge. You can also find credentials in pastebin. The best part is that now you know how to decrypt them and everything you need is right there.”
  • Recommendations For you:
    • Use the binary version of the plugin
    • Do not store the master password
    • Activate the new Account Recovery over SMS
    • Audit your vault for malicious JS payloads
    • Don’t use “password reminder”
    • Activate 2FA
    • Add country restrictions
    • Disallow TOR logins
  • Recommendations For LastPass
    • Get rid of custom_js!
    • Encrypt the entire vault in one chunk
    • Don’t use ECB
    • Use PBKDF2 between client and LastPass also
    • Use cert pinning
    • Embrace open source
    • Adopt a retroactive, cash rewarded bug bounty program 😉
  • Additional Coverage

Google AOSP Email App HTML Injection

  • The Google AOSP Email App is vulnerable to HTML Injection on the email body.
  • It allows a remote attacker to send a crafted email whose payload redirects the user to a target URL as soon as they open the email.
  • This issue is not related to the email provider configured in the app but to the incorrect filtering of potentially dangerous tags on the client side.
  • The researchers sent an email with the HTML tag meta using the attribute http-equiv refresh to redirect the user to the target URL.
  • This vulnerability has a dangerous potential for phishing attacks. With a bit of creativity, a convincing phishing scenario is plausible.
  • Other vectors, such as intent-based URIs, are also a possibility. Just this week we learned that at MobilePwn2Own, an exploit was showcased for a vulnerability in the JavaScript V8 engine in Chrome, where a user just needs to browse to a page and it installs an APK without any kind of user interaction.
  • During the MobilePwn2Own demo of the V8 engine vulnerability, security researcher Guang Gong showed how easy it was to take advantage of an Android device.

“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.” While a BMX game is relatively harmless in the grand scheme of things, a lot more damage could have been done.

  • This exploit combined with the Email app vulnerability is a very dangerous combo.
  • This app is available in all Android versions up to KitKat (4.4.4). This application exists because up until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange Servers, Yahoo, Hotmail, etc.) on Android.
  • From Android Lollipop (5.0) upwards, the AOSP app no longer exists in the system.
  • Since there are probably still a lot of users using the AOSP Email App, the researchers decided to contact Google regarding this issue.
  • Google replied that they have no plans to fix this vulnerability.
  • Users from Android Ice Cream Sandwich (4.0.3) upwards should migrate the accounts from the AOSP Email App to the Gmail App, since the Gmail App version 5.0+ is supported.
  • Users with previous Android versions should upgrade to Ice Cream Sandwich (4.0.3) or above where possible or use a different email client.

One Barcode Spoils the Whole Bunch

  • At this week’s PacSec 2015 Conference in Tokyo, researchers with Tencent’s Xuanwu Lab demonstrated a number of attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands.
  • The attacks, dubbed BadBarcode, are relatively simple to carry out, and the researchers behind the project said it’s difficult to pinpoint whether the scanners or host systems need to be patched, or both—or neither.
  • “We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, who collaborated with colleague Hyperchem Ma. Yu, last year, was rewarded with a $100,000 payout from Microsoft’s Mitigation Bypass Bounty for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode.”
  • Yu said his team was able to exploit the fact that most barcodes contain not only numeric and alphanumeric characters, but also full ASCII characters depending on the protocol being used.
  • Barcode scanners, meanwhile, are essentially keyboard emulators and if they support protocols such as Code128 which support ASCII control characters, an attacker could create a barcode that is read and opens a shell on the computer to which the commands are sent.
  • Yu and Ma said during their presentation that Ctrl+ commands map to ASCII codes and can be used to trigger hotkeys, which are registered with the Ctrl+ prefix, to launch common dialogues such as OpenFile, SaveFile, PrintDialog. An attacker could use those hotkeys to browse the computer’s file system, launch a browser, or execute programs.
  • Yu suggests that barcode scanner manufacturers not enable additional features beyond standard protocols by default, nor transmit ASCII control characters to the host device by default.
  • Hosts in IoT environments, meanwhile, should think twice about using barcode scanners that emulate keyboards, and should disable system hotkeys, Yu said.

  • Slides


Feedback:


Round-Up:


Passing On LastPass | LAS 387 https://original.jupiterbroadcasting.net/89366/passing-on-lastpass-las-387/ Sun, 18 Oct 2015 10:12:49 +0000 https://original.jupiterbroadcasting.net/?p=89366 Our best open source alternatives to LastPass. We run down the easy, the straight forward & the totally custom solutions to rolling your password management. All our picks are totally open source, auditable & ready to use today. Plus the first reviews of the Steam Machines hit the web, Red Hat’s big buy, GIMP in […]

The post Passing On LastPass | LAS 387 first appeared on Jupiter Broadcasting.


Our best open source alternatives to LastPass. We run down the easy, the straight forward & the totally custom solutions to rolling your password management. All our picks are totally open source, auditable & ready to use today.

Plus the first reviews of the Steam Machines hit the web, Red Hat’s big buy, GIMP in your browser & more!


— Show Notes: —


Brought to you by: System76

LastPass Killers

It’s Yahoo Mail‘s 18th birthday this month and to mark the occasion, Yahoo is pulling out all the stops with three major announcements: a brand new mobile app for Android and iOS, the support for multiple third-party email accounts and, perhaps most significantly, the introduction of a completely password-free sign-in experience called Yahoo Account Key.

LastPass Joins the LogMeIn Family

It’s a big day here at LastPass. We’re thrilled to announce that we’re joining LogMeIn. As one of the world’s leading SaaS companies, we can’t imagine a better team to align with our values and product-driven mission. With their experience in growing successful brands like join.me, we’re excited to join LogMeIn in delivering the next generation of identity and access management for individuals, teams and companies, with LastPass at the forefront.

KeePass

KeePassC is a password manager fully compatible to KeePass v.1.x and KeePassX. That is, your
password database is fully encrypted with AES.

KeePassC is written in Python 3 and comes with a curses-interface. It is completely controlled
with the keyboard (vim-like keys are supported).

Some features are:

  • AES encryption of the database with password and/or keyfile
  • Included customizable password generator
  • KeePassX and KeePass v.1.x compatible (KeePass v2.x planned)
  • Database entries are sorted in alphabetically sorted groups
  • Subgroups of groups
  • Entries are identified by a title
  • Search entries by this title and show matches in an own group
  • Set expiration dates to remind you that a new password is needed
  • Unicode support
  • Copy username and password to clipboard
  • Auto-locking workspace and self-deleting clipboard with adjustable delays
  • Options to remember last database and last keyfile
  • Open URLs directly in your standard browser
  • Optional use of vim/ranger-like keys
  • Simple command line interface
  • Network functionality including multiuser support
  • The last can be used to omit password entering, too

  • kpcli – A command line interface for KeePass

A command line interface (interactive shell) to work with KeePass 1.x or 2.x database files. This program was inspired by my use of the CLI of the Ked Password Manager (“kedpm -c”) combined with my need to migrate to KeePass.

Pass

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

How Active is Pass Development?

To free password data from the clutches of other (bloated) password managers, various users have come up with different password store organizations that work best for them.

Using Git to Sync Pass

First install and then set up git:

$ git config --global user.name  "John Doe"
$ git config --global user.email "johndoe@foobar.com"
$ pass git init

QtPass GUI for pass, the standard UNIX password manager

  • Using pass or git and gpg2 directly
    • Cross platform: Linux, BSD, OS X and Windows
    • Reading pass password stores
    • Decrypting and displaying the password and related info
    • Editing and adding of passwords and information
    • Updating to and from a git repository
    • Per-folder user selection for multi recipient encryption
    • Configuration options for backends and executable/folder locations
    • Copying password to clipboard
    • Configurable shoulder surfing protection options
    • Experimental WebDAV support

Planned features

  • Re-encryption after users-change (optional of course).
  • Plugins based on key, format is same as password file.
  • Colour coding folders (possibly disabling folders you can’t decrypt).
  • WebDAV (configuration) support.
  • Optional table view of decrypted folder contents.
  • Opening of (basic auth) urls in default browser? Possibly with helper plugin for filling out forms?
  • Some other form of remote storage that allows for accountability / auditing (web API to retrieve the .gpg files)?

  • GPG – How to trust an imported key

Encryptr – Powered by Crypton

Encryptr is simple and easy to use. It stores your sensitive data like passwords, credit card data, PINs, or access codes, in the cloud. However, because it was built on the zero-knowledge Crypton framework, Encryptr ensures that only the user has the ability to access or read the confidential information. Not the app’s developers, cloud storage provider, or any third party.

Encryptr only ever encrypts or decrypts your data locally on your device. No plain text is ever sent to the server, not even your passphrase. This is what zero-knowledge means.*

You don’t even need to hand over any personal data to register. Not your name, and not your email address. The app only requires a username and a passphrase.

Encryptr is free, and completely open source. This includes Crypton.

Firefox Password Manager

If you use the same simple password for everything you will be more susceptible to identity theft. The Create secure passwords to keep your identity safe article shows you an easy method for creating secure passwords and using the Password Manager, as described above, will help you remember them all.

Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer can still see or use them. The Use a Master Password to protect stored logins and passwords article shows you how to prevent this and keep you protected in the event your computer is lost or stolen.

When paired with the Firefox Sync feature, this effectively emulates LastPass without Yubikey support and without the password generation feature.

— PICKS —

Runs Linux

Etch-a-sketch RUNS LINUX!

Over on YouTube user devnulling has uploaded a video showing his “Etch-A-SDR” project. This project involved creating an all-in-one SDR device out of an Odroid C1, Teensy 3.1 and an RTL-SDR dongle. The Odroid C1 is an embedded computer, similar to the Raspberry Pi 2 and the Teensy 3.1 is a microcontroller development board. The “Etch-A-SDR” is named as such because of its resemblance to an Etch-A-Sketch toy. It has two knobs that can be used for tuning and several side buttons for changing demodulation modes etc.

Upon boot the Etch-A-SDR opens GQRX and is ready for tuning within seconds of turning it on. In addition to using it as a portable SDR with GQRX the Etch-A-SDR can also be booted into normal Linux mode and into Etch-A-Sketch mode, where it operates as a normal Etch-A-Sketch toy.

The code can be downloaded from https://github.com/devnulling/etch-a-sdr.

Desktop App Pick

FreeMind Mind Mapping Tool

FreeMind is a premier free mind-mapping software written in Java. The recent development has hopefully turned it into a high productivity tool. We are proud that the operation and navigation of FreeMind is faster than that of MindManager because of one-click “fold / unfold” and “follow link” operations.

  • Keeping Track of Projects
  • Project workplace
  • Workplace for Internet Research
  • Essay Writing and Brainstorming
  • Small Database with structure
  • Commented Internet Favorites or Bookmarks

Weekly Spotlight

Hangups

hangups is the first third-party instant messaging client for Google Hangouts. It includes both a Python library and a reference client with a text-based user interface.

Unlike its predecessor Google Talk, Hangouts uses a proprietary, non-interoperable protocol. hangups is implemented by reverse-engineering this protocol, which allows it to support features like group messaging that aren’t available in clients that connect via XMPP.

hangups is still in an early stage of development. The reference client is usable for basic chatting, but the API is undocumented and subject to change. Bug reports and pull requests are welcome!


— NEWS —

GIMP Online – rollApp

Run GIMP and other X11 apps in your web browser.

Red Hat is buying Ansible for more than $100M

Buying Ansible — one of four major providers of at least partly open-source devops tools — makes sense, because it can add to Red Hat’s line of offerings. Plus, Ansible already integrates with Red Hat’s OpenShift, OpenStack, and Red Hat Enterprise Linux software.

As part of the deal, about 50 Ansible employees will join Red Hat.

Red Hat today also provided a brief update to its earnings as part of the news. It says the acquisition is expected to have no material impact to Red Hat’s revenue for the third and fourth quarters of its fiscal year. Non-GAAP operating expenses for fiscal 2016 will be increased by $2 million, or ($0.01) per share, in Q3 and $4.0 million, or ($0.02) per share, in Q4 as a result of the transaction.

Proxmox VE 4.0 is OUT

This video highlights the new features in Proxmox VE 4.0:

  • Debian Jessie 8.2 and 4.2 Linux kernel
  • Linux Containers (LXC)
  • IPv6 support
  • Bash completion
  • New Proxmox VE HA Manager

View all updates: https://pve.proxmox.com/wiki/Roadmap

The Alienware Steam Machine: finally, a gaming PC for the living room

I used to laugh when I saw Linux users scramble to build compatibility layers to play “real” PC games. I chuckled when Valve CEO Gabe Newell lambasted Windows 8 as a “catastrophe for everyone,” proffering Linux and SteamOS as a viable alternative. It seemed so far-fetched, so silly. Truth be told, I’m still laughing — but now it’s because I’m enjoying myself. The Alienware Steam Machine has some growing pains, but it’s fun. Lots of fun.

It’s all very smooth, overall, but there were a few sticking points that seemed a little rough compared to other game consoles. While the system hasn’t frozen on us during a game yet, there have been a handful of times where the whole OS hung when we were closing or opening a title, requiring a system reboot that took 30 to 60 seconds. We ran into occasional problems with webpage scrolling, the on-screen keyboard, and Wi-Fi recognition as well, all of which disappeared with a reboot.

We also found a few SteamOS games that still include an intermediate “launcher” screen that asks players to confirm resolution and other settings. That’s only an annoyance because these screens can’t be navigated with the Steam Controller; you need to plug in a mouse and keyboard to get through to the actual game in these cases. While the SteamOS interface includes large warnings that these games require extra hardware, and Valve isn’t directly responsible for third-party developers’ unfriendly decisions, it still seems like an oversight to have such games be unplayable out of the box.

Feedback:

  • https://slexy.org/view/s2Y836bi9B
  • https://slexy.org/view/s2sQ9ZkWTx
  • https://slexy.org/view/s2VwIphEzi
  • https://www.indiegogo.com/projects/open-foss-training#/

Below the Surface | CR 174 https://original.jupiterbroadcasting.net/89046/below-the-surface-cr-174/ Mon, 12 Oct 2015 15:12:02 +0000 https://original.jupiterbroadcasting.net/?p=89046 The cultural challenges of living too far out of a “tech hotzone” hit home today. We discuss the recent revelations both of us have had. And our reactions and lessons learned from LastPass selling, if Microsoft has nailed convergence & the practicality of the Surface Book. Plus a quick chat about Chef & other automation […]

The post Below the Surface | CR 174 first appeared on Jupiter Broadcasting.


The cultural challenges of living too far out of a “tech hotzone” hit home today. We discuss the recent revelations both of us have had.

And our reactions and lessons learned from LastPass selling, if Microsoft has nailed convergence & the practicality of the Surface Book.

Plus a quick chat about Chef & other automation platforms great for developers & more!


Show Notes:

Hoopla

Slack

Trello

LogMeIn buys LastPass password manager for $110 million | Ars Technica

The maker of LastPass, a popular password manager, is being acquired by LogMeIn in a sale worth at least $110 million.

Microsoft Display Dock

Plug your Lumia 950 or 950 XL into a Display Dock and the external monitor starts up. The keyboard and mouse are ready to go, and with a 60 FPS refresh rate, catching up on email is flicker-free and super-smooth. With full HD output and a USB-C port that charges your phone while you work

Surface Book

Feedback

Rolling with Netrunner | LAS 386 https://original.jupiterbroadcasting.net/88931/rolling-with-netrunner-las-386/ Sun, 11 Oct 2015 07:45:30 +0000 https://original.jupiterbroadcasting.net/?p=88931 Some say it’s the best Plasma 5 Desktop experience to be had, we review Netrunner Rolling & take a walk on the KDE side of things for the week. Find out what makes this unique distribution stand out & why you might want to give it a try yourself. Then we put the great Ubuntu […]

The post Rolling with Netrunner | LAS 386 first appeared on Jupiter Broadcasting.


Some say it’s the best Plasma 5 Desktop experience to be had, we review Netrunner Rolling & take a walk on the KDE side of things for the week. Find out what makes this unique distribution stand out & why you might want to give it a try yourself.

Then we put the great Ubuntu Conspiracy to bed, our best LastPass alternatives, a quick look at Slackel & more!


— Show Notes: —


Brought to you by: System76

Netrunner | GNU/Linux Distribution

Netrunner Rolling 2015.09 Released With New Plasma 5 And Apps Updates

Netrunner is a Linux distribution that comes in two versions – Main version and Rolling release. Main version is based on Kubuntu and the Rolling release is based on Manjaro Linux. The new Netrunner 2015.09 has been released with a completely different look – KDE4 has been transformed to Plasma 5.2 desktop. Let’s look at the complete changes in the Netrunner 2015.09 release.

Netrunner comes with two versions, Main version that is based on Kubuntu and that gets released in sync with Kubuntu new release and the Rolling version is based on Manjaro Linux. Both the desktops have been customized and so makes its own new look & feel.

Calamares Is Default Installer

The default installer in this rolling release has been changed to the Calamares installer. If you read my last post, Manjaro has adopted the Calamares installer, which is easy to use and makes Manjaro easy to install. The release is based on Manjaro, so it also has the Calamares installer.

Noah’s Screw ups

— PICKS —

Runs Linux

VLA New Mexico, Runs Linux

The Karl G. Jansky Very Large Array (VLA) is a radio astronomy observatory located on the Plains of San Agustin, between the towns of Magdalena and Datil, some 50 miles (80 km) west of Socorro, New Mexico. It comprises 27, 25-meter radio telescopes in a Y-shaped array and all the equipment, instrumentation, and computing power to function as an interferometer. Each of the massive telescopes is mounted on double parallel railroad tracks, so the radius and density of the array can be transformed to focus on particular bands of wavelength. Astronomers using the VLA have made key observations of black holes and protoplanetary disks around young stars, discovered magnetic filaments and traced complex gas motions at the Milky Way’s center, probed the Universe’s cosmological parameters, and provided new knowledge about the physical mechanisms that produce radio emission.

Created in 2013 as the new interpretive film for the National Radio Astronomy Observatory’s Karl G. Jansky Very Large Array (VLA) public Visitor Center, this 24-minute production explores the synergies of technology and human curiosity that power the world’s most productive radio telescope.

Desktop App Pick

KeepassC

KeePassC is a password manager fully compatible with KeePass v.1.x and KeePassX. That is, your password database is fully encrypted with AES.

KeePassC is written in Python 3 and comes with a curses-interface. It is completely controlled with the keyboard (vim-like keys are supported).

Some features are:

  • AES encryption of the database with password and/or keyfile
  • Included customizable password generator
  • KeePassX and KeePass v.1.x compatible (KeePass v2.x planned)
  • Database entries are sorted in alphabetically sorted groups
  • Subgroups of groups
  • Entries are identified by a title
  • Search entries by this title and show matches in an own group
  • Set expiration dates to remind you that a new password is needed
  • Unicode support
  • Copy username and password to clipboard
  • Auto-locking workspace and self-deleting clipboard with adjustable delays
  • Options to remember last database and last keyfile
  • Open URLs directly in your standard browser
  • Optional use of vim/ranger-like keys
  • Simple command line interface
  • Network functionality including multiuser support
  • The last can be used to omit password entering, too

kpcli – A command line interface for KeePass

A command line interface (interactive shell) to work with KeePass 1.x or 2.x database files. This program was inspired by my use of the CLI of the Ked Password Manager (“kedpm -c”) combined with my need to migrate to KeePass.

Weekly Spotlight

Open Source GPS Tracking System – Traccar

Traccar is an open source GPS tracking system for various GPS tracking devices. System supports more than 80 different communication protocols from popular vendors. It includes web interface to manage tracking devices online.


— NEWS —

The Ubuntu Conspiracy

If Microsoft bought Canonical, millions of users would have to jump ship or accept life under the Microsoft banner.

Ubuntu Is Planning To Make The ZFS File-System A “Standard” Offering

Through the wonderful ZFS On Linux project there is a native port of the ZFS file-system driver to Linux natively (unlike the ZFS FUSE implementation) but due to the GPL vs. CDDL licensing issue it can’t be mainlined into the Linux kernel.

Mark Shuttleworth sent out a brief mailing list message today responding to a user interested in making ZFS Snappy support for Ubuntu. Mark wrote, “If it’s ZFS you’re after, it will be included in Ubuntu as standard in due course.”

By “standard” he presumably means that Ubuntu will maintain a DKMS kernel package for it in the official Ubuntu archive and perhaps we’ll see that package installed by default for Ubuntu Server, but that it wouldn’t be directly patched into their kernel. That’s what I’d assume at least given the license issues. Ubuntu wouldn’t support ZFS for the root file-system, but could be useful on Ubuntu Server for some secondary drives with RAID-Z.

LastPass Joins the LogMeIn Family

It’s a big day here at LastPass. We’re thrilled to announce that we’re joining LogMeIn. As one of the world’s leading SaaS companies, we can’t imagine a better team to align with our values and product-driven mission. With their experience in growing successful brands like join.me, we’re excited to join LogMeIn in delivering the next generation of identity and access management for individuals, teams and companies, with LastPass at the forefront.

Slackel Linux: Not Your Father’s Slackware

For a Slackware-based distro, one of Slackel’s strong points is the systems tool collection from Salix Linux. Slackel uses the Gslapt Package Manager for access to Slackware, Salix and Slackel package repositories.

Gnome Builder Dev Joins Red Hat

The real news, however, is that I’ve accepted a wonderful role at Red Hat. I’ll be focusing on the Xdg-App developer story, and Builder is an important part of that. We want to make it as easy as possible for you to create and deploy software that users can trust.

Feedback:

Rover Log Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

https://slexy.org/view/s2BB3GL4sm

https://slexy.org/view/s201MZSUmW

https://slexy.org/view/s2fgtx2Rgp

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Friday:

LogMeIn to LastPass | TTT 217 https://original.jupiterbroadcasting.net/88911/logmein-to-lastpass-ttt-217/ Fri, 09 Oct 2015 10:36:51 +0000 https://original.jupiterbroadcasting.net/?p=88911 LastPass gets bought, FireFox loves Flash long time, just not your plugins, good iPhone vs bad iPhone & why the rest of the world laughs at the state of the US’ mobile payments. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG […]

The post LogMeIn to LastPass | TTT 217 first appeared on Jupiter Broadcasting.


LastPass gets bought, FireFox loves Flash long time, just not your plugins, good iPhone vs bad iPhone & why the rest of the world laughs at the state of the US’ mobile payments.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

— Episode Links —

OPM Data too Valuable to Sell | TechSNAP 219 https://original.jupiterbroadcasting.net/83962/opm-data-too-valuable-to-sell-techsnap-219/ Thu, 18 Jun 2015 17:58:20 +0000 https://original.jupiterbroadcasting.net/?p=83962 Kaspersky labs has been hacked, we’ll tell you why it looks like a nation state was the attacker, why OPM data is too valuable to sell & the real situation with LastPass. Plus some great questions, our answers & a rocking round up. All that and much, much more on this week’s TechSNAP! Thanks to: Get […]

The post OPM Data too Valuable to Sell | TechSNAP 219 first appeared on Jupiter Broadcasting.


Kaspersky labs has been hacked, we’ll tell you why it looks like a nation state was the attacker, why OPM data is too valuable to sell & the real situation with LastPass.

Plus some great questions, our answers & a rocking round up.

All that and much, much more on this week’s TechSNAP!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Kaspersky Lab hacked

  • “Russia-based Kaspersky Lab, one of the biggest and most well-known cybersecurity research firms in the world, has admitted to being hacked. In a blog post published earlier today, Kaspersky Lab CEO and founder Eugene Kaspersky wrote, ‘We discovered an advanced attack on our own internal networks. It was complex, stealthy, it exploited several zero-day vulnerabilities, and we’re quite confident that there’s a nation state behind it.’”
  • “The firm dubbed this attack Duqu 2.0. It’s named after a specific series of malware called Duqu, which was considered to be related to the Stuxnet attack that targeted states like Iran, India, France, and the Ukraine in 2011.”
  • “The post went on to say that it was not wise to use an advanced never-before-used technology to spy on a firm. For one, Kaspersky sells access to a great deal of its technologies, so this group could have just paid for it. Also, in its attempt to infiltrate Kaspersky, it clued the company into the next generation spying technologies hackers are developing.”
  • “‘They’ve now lost a very expensive technologically-advanced framework they’d been developing for years,’ the post explained.”
  • “In the case of Kaspersky Lab, the attack took advantage of a zero-day in the Windows Kernel, and possibly up to two other, currently patched vulnerabilities, which were zero-day at that time. The analysis of the attack revealed that the main goal of the attackers was to spy on Kaspersky Lab technologies, ongoing research and internal processes. No interference with processes or systems was detected. More details can be found in our technical paper.”
  • “From a threat actor point of view, the decision to target a world-class security company must be quite difficult. On one hand, it almost surely means the attack will be exposed – it’s very unlikely that the attack will go unnoticed. So the targeting of security companies indicates that either they are very confident they won’t get caught, or perhaps they don’t care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers probably took a huge bet hoping they’d remain undiscovered; and lost.”
  • Blog: Kaspersky statement on Duqu 2.0 attack
  • Research: The mystery of Duqu 2.0
  • Research: The Duqu 2.0 persistence module

U.S. Office of Personnel Management (OPM) hacked

  • “OPM discloses breach affecting up to 4 million federal employees, offers 18 months of free credit monitoring through CSID. Follow-up reports indicate that the breach may extend well beyond federal employees to individuals who applied for security clearances with the federal government.”
  • The Office of Personnel Management (OPM) confirmed that both current and past employees had been affected.
  • The breach could potentially affect every federal agency
  • OPM said it became aware of the breach in April during an “aggressive effort” to update its cyber security systems.
  • As the OPM’s Inspector General report put it, “attacks like the ones on Anthem and Premera [and OPM] are likely to increase. In these cases, the risk to Federal employees and their families will probably linger long after the free credit monitoring offered by these companies expires.”
  • “In those files are huge treasure troves of personal data, including “applicants’ financial histories and investment records, children’s and relatives’ names, foreign trips taken and contacts with foreign nationals, past residences, and names of neighbors and close friends such as college roommates and co-workers. Employees log in using their Social Security numbers.”
  • “That quote aptly explains why a nation like China might wish to hoover up data from the OPM and a network of healthcare providers that serve federal employees: If you were a state and wished to recruit foreign spies or uncover traitors within your own ranks, what sort of goldmine might this data be? Imagine having access to files that include interviews with a target’s friends and acquaintances over the years, some of whom could well have shared useful information about that person’s character flaws, weaknesses and proclivities.”
  • Krebs Coverage
  • The Krebs article has a great timeline
  • US Law Makers demand encryption after OPM hack
  • DHS says: Encryption would not have helped OPM
  • OPM’s archaic IT infrastructure to blame for breach
  • Krebs finds that the version of OPM data on the darkweb is actually from a different hack: https://krebsonsecurity.com/2015/06/opms-database-for-sale-nope-it-came-from-another-us-gov/

Feedback:

BSDCan Videos:

The videos from BSDCan have started to appear. Not all of them are online yet, but a good sample to get you started.

  • https://www.youtube.com/playlist?list=PLWW0CjV-TafY0NqFDvD4k31CtnX-CGn8f

Round Up:


LostPass | Tech Talk Today 183 https://original.jupiterbroadcasting.net/83752/lostpass-tech-talk-today-183/ Tue, 16 Jun 2015 11:05:56 +0000 https://original.jupiterbroadcasting.net/?p=83752 LastPass discloses it’s been compromised, we discuss the scope of the hack & what our best and worst options are moving forward. Plus a recap of the most interesting things from E3 so far & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 […]

The post LostPass | Tech Talk Today 183 first appeared on Jupiter Broadcasting.


LastPass discloses it’s been compromised, we discuss the scope of the hack & what our best and worst options are moving forward.

Plus a recap of the most interesting things from E3 so far & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

Distributed Denial of Sony | Tech Talk Today 104 https://original.jupiterbroadcasting.net/73652/distributed-denial-of-sony-tech-talk-today-104/ Thu, 11 Dec 2014 10:51:07 +0000 https://original.jupiterbroadcasting.net/?p=73652 Sony is rumored to be hacking back, a P2P browser is in the works, Microsoft starts accepting Bitcoin & automatically changing your web passwords. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent […]

The post Distributed Denial of Sony | Tech Talk Today 104 first appeared on Jupiter Broadcasting.


Sony is rumored to be hacking back, a P2P browser is in the works, Microsoft starts accepting Bitcoin & automatically changing your web passwords.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Sony hack: Studio Tries to Disrupt Downloads of its Stolen Files | Re/code

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter.

Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy.

BitTorrent Inc Works on P2P Powered Browser | TorrentFreak

BitTorrent Inc, the company behind the popular file-sharing client uTorrent, is working on a P2P powered browser. Dubbed Project Maelstrom, the browser will be able to “keep the Internet open” by serving websites with help from other users.


Project Maelstrom, as it’s called, is in the very early stages of development but BitTorrent Inc. is gearing up to send out invites for a closed Alpha test.


“It works on top of the BitTorrent protocol. Websites are published as torrents and Maelstrom treats them as first class citizens instead of just downloadable content. So if a website is contained within a torrent we treat it just like a normal webpage coming in over HTTP.”

More details are expected to follow during the months to come. Those interested in Project Maelstrom can sign up for an invite to the Alpha test here.

US Navy approves first laser weapon for operation aboard Persian gulf ship | Ars Technica

On Wednesday the Office of Naval Research (ONR) announced that it would approve an experimental laser weapon for use on the USS Ponce in the Persian Gulf. The laser weapon system is part of a $40-million research program to test directed energy weapons, and it is the first to be officially deployed and operated on a naval vessel.


Although the laser weapon system is not as powerful as other weapons aboard the Ponce, Christopher Harmer, Senior Naval Analyst with the Institute for the Study of War told the Wall Street Journal that the directed energy of the laser aimed at a target would “cause a chemical and physical disruption in the structural integrity of that target.” Harmer added that the advantage of the laser weapon system is that it can disable many oncoming targets without needing to reload ammunition: “as long as you’ve got adequate power supply, and adequate cooling supply.”


The laser shot doesn’t look like the photon torpedoes of Star Trek—in fact it looks like nothing at all. The energy beam is invisible (and costs the Navy $0.59 per shot, according to the WSJ). A press release from ONR stated that the laser weapon system was able to hit targets out of the sky and at sea in high winds, heat, and humidity without fail.

LastPass Now Lets You Change Loads of Passwords at Once

Now when you use the password manager, you’ll see an option to change your password automatically below your login info for each site.

Currently, the service supports over 75 accounts, including Facebook, Twitter, Amazon and Dropbox. Rather than going through a cloud network, LastPass says these changes happen locally on your device, so the company never has access to your actual password.

How do I use Bitcoin with my Microsoft account?

You can now use Bitcoin to add money to your Microsoft account. Once you add money to your Microsoft account, you can use it as a payment option to buy apps, games, and other digital content from Windows, Windows Phone, Xbox Games, Xbox Music, or Xbox Video stores.

OpenSUSE Followup | LINUX Unplugged 65 https://original.jupiterbroadcasting.net/70652/opensuse-followup-linux-unplugged-65/ Tue, 04 Nov 2014 19:00:41 +0000 https://original.jupiterbroadcasting.net/?p=70652 We follow up on our review of openSUSE 13.2 & discuss how life on the rolling side has been going for some of our LUG members. Plus the hardware box that promises to replace your password manager & we say goodbye to the Linux Outlaws. Thanks to: Get Paid to Write for DigitalOcean Direct Download: […]

The post OpenSUSE Followup | LINUX Unplugged 65 first appeared on Jupiter Broadcasting.


We follow up on our review of openSUSE 13.2 & discuss how life on the rolling side has been going for some of our LUG members.

Plus the hardware box that promises to replace your password manager & we say goodbye to the Linux Outlaws.

Thanks to:

Ting


DigitalOcean


Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:


Show Notes:

Pre-Show:

In a long list of life’s lessons learned, ‘be gentle pushing people onto your new code’ is high up. So we won’t require U8 for everyone even when it’s first class. It will be opt in till most people agree it’s better than U7

FU:


openSUSE 13.2 Follow Up

Dear contributors, friends and fans: openSUSE 13.2 is out! After one year on continuous improvement in the tools and procedures and many hours of developing, packaging, testing and fixing issues a new stable release is here providing the best that Free and Open Source has to offer with our special green touch: stable, innovative and fun!

Installation

  • openSUSE will always try to install alongside another distro or OS.
  • Any btrfs partition assigned to root will automatically have subvolumes created.
  • As stated, the disc prompt will go away if unselected in Software Repositories module of YaST.

Software

  • gnome-software is good for software discovery and installation.
    • openSUSE didn’t have anything like this until now.
  • Software Management is the YaST module for more advanced software management.
  • Package Updater runs in the background and prompts via notification if there are updates.
  • Software Repositories is the YaST module for configuring software repositories.
  • YMP One-Click Installer extension for Chrome (https://chrome.google.com/webstore/detail/ymp-one-click-installer/chldcpnlaiffaelmcjkeodakmnkomldg?utm_source=chrome-ntp-icon)

Font Rendering

Tumbleweed/Factory

  • Initial article
  • Facts about Tumbleweed and Factory Merging
  • Tumbleweed and Factory are now synonymous under the name Tumbleweed (as of November 4th)
  • Factory continues to be the name of the development project.
  • A how-to will be published soon, until then: https://lists.opensuse.org/opensuse-factory/2014-11/msg00073.html
  • Factory is aliased to Tumbleweed for 6 months, after which Factory repos will no longer exist.
  • Is truly rolling.
    • Tumbleweed was a stable base with rolling packages and kernel.
  • Snapshot ISOs are available.

Goodbye to Linux Outlaws

After more than seven years of Linux Outlaws, my co-host Dan and myself have decided to end the show. This decision has been a while in the making and it is with a heavy heart that I am committing to finally announce it.

Mooltipass: Open Source Offline Password Keeper

Our team believes that great security can only be achieved through complete transparency. That’s why we have been publishing everything that goes into making the Mooltipass on our GitHub repository from the project’s start.

Just like Linux-based operating systems, open source allows our product to benefit from many engineers’ expertise. This results in better code quality, more trust from our final users and verified security implementation.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

Post-Show

Dropbox Those Passwords | Tech Talk Today 75 https://original.jupiterbroadcasting.net/69172/dropbox-those-passwords-tech-talk-today-75/ Tue, 14 Oct 2014 11:06:15 +0000 https://original.jupiterbroadcasting.net/?p=69172 A batch of Dropbox usernames and passwords hit the web, court documents reveal Apple’s $50 million fine for product leaks & Newsweek comes under fire. Plus our thoughts on the return of PC market growth & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post Dropbox Those Passwords | Tech Talk Today 75 first appeared on Jupiter Broadcasting.


A batch of Dropbox usernames and passwords hit the web, court documents reveal Apple’s $50 million fine for product leaks & Newsweek comes under fire.

Plus our thoughts on the return of PC market growth & much more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:


Show Notes:

Change Your Password: Hackers Are Leaking Dropbox User Info

After first surfacing on Reddit, several Pastebin files have been found to contain hundreds of Dropbox users’ usernames and passwords—and the anonymous poster claims that there are millions more to come.

  • According to the Next Web, the leaked lists are meant to entice users to donate Bitcoin, at which point the purported hacker will release more users’ info. The message atop the list reads:

    Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts

    To see plenty more, just search on [redacted] for the term Dropbox hack.

    More to come, keep showing your support

  • To put it another way: You need to change your password. Now. And then make sure that two-factor authentication is turned on.

Update 11:29pm:

  • A spokesperson from Dropbox has provided us with the following statement:

    Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

  • DROPBOX.COM HACKED First Teaser – Pastebin.com

  • Two Factor Auth List

Court document reveals that Apple could fine sapphire glass manufacturer $50 Million for product leaks

GT Advanced Technologies filed for Chapter 11 bankruptcy protection last week and the court documents have revealed an interesting agreement with Apple. GT Advanced, who was contracted to make sapphire glass displays for Apple, stated that there was a clause in its contract that would see them fined upward of a $50 million (USD) penalty for any leaked products.

Man Pegged By Newsweek as Satoshi Nakamoto Plans Legal Action | NEWSBTC

Dorian Prentice Satoshi Nakamoto’s name became public — very public — in a highly sensationalized exposé entitled The Face Behind Bitcoin, written by journalist Leah McGrath Goodman, employed by Newsweek.

Legal defense fund

Nakamoto, along with the Kirschner & Associates law firm, have started a website at NewsweekLied.com to ask for donations to help establish a defense fund in an ultimate lawsuit against Newsweek.

Yes. Bitcoin accepted.

You can read all the reasons that Dorian is angry here on the site’s background page, and it’s perfectly understandable where he’s coming from.

“Newsweek must be held accountable for its reckless reporting,” the site reads.

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED

Today a group of privacy-focused developers plans to launch a Kickstarter campaign for Anonabox. The $45 open-source router automatically directs all data that connects to it by ethernet or Wifi through the Tor network, hiding the user’s IP address and skirting censorship. It’s also small enough to hide two in a pack of cigarettes.

Decline in PC Sales Starts to Slow; Largest Makers See Growth – NYTimes.com

IDC and Gartner on Wednesday released numbers on the worldwide demand for PCs that showed only a slight drop in demand, a distinct contrast to the trend of the last three years. This likely means, analysts said, that consumers may not be choosing tablets and smartphones over PCs to the same degree they had in the past. Soon, they said, the industry might see growth again.


It has come already for the biggest manufacturers. Companies like Lenovo, Hewlett-Packard and Dell all had good growth, particularly in a strong U.S. market.

In the United States, IDC said 17.3 million PCs were shipped, an increase of 4.3 percent from a year ago. Gartner put the number at 16.9 million, a rise of 4.2 percent. The top five companies were HP, Dell, Apple, Lenovo and Toshiba, both IDC and Gartner said.


Two-factor Exemption | TechSNAP 174 https://original.jupiterbroadcasting.net/64107/two-factor-exemption-techsnap-174/ Thu, 07 Aug 2014 20:01:30 +0000 https://original.jupiterbroadcasting.net/?p=64107 Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling. Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | […]

The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.


Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.

Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash

  • The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
  • Original post at Hold Security
  • “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
  • The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
  • “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
  • Because of the varied sources of the data, the passwords are likely a combination of plain text, simple hashes (md5, sha1, sha256), esoteric hashes like md5(salt.password.salt) or md5(salt.md5(password)) etc, and proper cryptographic hashes
  • Original Coverage from 6 months ago
  • Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
  • Krebs has a Q&A on the subject, based on his past work with Alex Holden, or Hold Security
  • There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
  • Sophos and others still have questions about the data from CyberVor
  • While still under construction, there is an individual version of the service that will allow you to find out if your electronic identity was found in possession of the CyberVor gang, which will be provided free for the first 30 days
  • This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
  • The issue with this is that if a compromised site used proper cryptographic hashes, the only way to compare the passwords without knowing your original password in plain text is to brute-force the hash back to the plain text. If Hold Security had your plain text password, they could compare it to the database much more quickly and accurately, but holding it would make them a bigger security threat than the exposure of the hashed passwords
  • Additional Coverage: Forbes

PayPal 2 factor authentication contained simple bypass used for linking eBay account

  • While investigating the usefulness of the PayPal 2 Factor Authentication system, a security researcher (Joshua Rogers) was astonished to find a simple bypass
  • PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
  • This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
  • By using “cmd=_integrated-registration” in the request, PayPal skips asking for any two factor authentication, allowing an attacker that knows your username and password to access your account without requiring the second factor
  • The exploit can be used without needing to have an affiliated eBay account
  • The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
  • After two months the issue has not been resolved, so the researcher released his findings
  • It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researcher’s eligibility for the bug bounty reward

SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom

  • New malware has surfaced that has been targeting Synology NAS appliances exposed to the Internet
  • Users will be greeted by a screen telling them that the files on their NAS have been encrypted, and directing them to use Tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
  • It was not immediately clear how the NAS devices were being compromised
  • Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
  • Users are encouraged to upgrade to the latest DSM 5.0 or:
    • For DSM 4.3, please install DSM 4.3-3827 or later
    • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
    • For DSM 4.0, please install DSM 4.0-2259 or later
  • If you suspect you have been affected by this, Synology recommends following these steps:
    1. Shut down the Synology NAS to prevent any more files being encrypted
    2. Contact the Synology support team at security@synology.com or fill out the support form
  • Users whose files have already been encrypted may not be out of luck: yesterday a new service launched that can decrypt files locked by CryptoLocker, similar malware that targeted Windows

SSH1tty leakage | TechSNAP 171 https://original.jupiterbroadcasting.net/62577/ssh1tty-leakage-techsnap-171/ Thu, 17 Jul 2014 17:16:40 +0000 https://original.jupiterbroadcasting.net/?p=62577 We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in Middle attack. Plus a fantastic batch of your questions, our answers & much, much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio […]

The post SSH1tty leakage | TechSNAP 171 first appeared on Jupiter Broadcasting.


We’ve got the details about critical vulnerabilities in LastPass and other popular password managers, Russian hackers attack the NASDAQ, and how to pull off an SSH Man in Middle attack.

Plus a fantastic batch of your questions, our answers & much, much more!

— Show Notes: —

Critical vulnerabilities found in online password managers including LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword

  • Four researchers from the University of California, Berkeley, did a manual analysis of some of the most popular online password managers
  • Their findings are troubling, showing problems with all of the popular services
  • “Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop”
  • The researchers found problems with each of the services they investigated, including bookmarklet vulnerabilities, web vulnerabilities (CSRF and XSS), user interface vulnerabilities, and authorization vulnerabilities.
  • The paper shows how an attacker might be able to steal a LastPass user’s Dropbox password when the user visits the attacker’s site
  • The paper also discusses a vulnerability in the LastPass OTP (One Time Password) feature, where an attacker specifically targeting you (requires knowing your LastPass username) could access the encrypted LastPass database. While the attacker would have to resort to an offline brute force attack to decrypt it and get the passwords, they would also have a list of all of the sites that the user has saved passwords for. In addition, the attacker can delete saved credentials from the database, possibly allowing them to lock the user out of other sites.
  • An authorization vulnerability in the password sharing system at My1login could allow an attacker to share a web card (url/username/password) they do not own with another user, only needing to know the unique id#, which is a globally unique incrementing counter, so can be predicted. It also allows an attacker to modify another user’s web cards once they are shared
  • “Since our analysis was manual, it is possible that other vulnerabilities lie undiscovered”
  • “Of the five vendors whose products were tested, only the last one (NeedMyPassword) didn’t respond when they contacted them and responsibly shared their findings. The other four have fixed the vulnerabilities within days after disclosure.”
  • Research Paper

How Russian Hackers stole the Nasdaq (2010)

  • In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq
  • The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger.
  • The Secret Service had notified NASDAQ of suspicious activity previously and suspected the new activity may be related, and requested to take the lead on the investigation, but was denied and shut out of the investigation.
  • “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is”
  • Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director.
  • The hackers had used two zero-day vulnerabilities in combination to compromise machines on the NASDAQ network
  • The NSA claimed they had seen very similar malware before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency.
  • Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
  • “While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.”
  • What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
  • An FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened
  • By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it
  • Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding

Tutorial: SSH MITM Downgrade Attack

  • This is a tutorial on how to perform an SSH Man-In-The-Middle downgrade attack
  • This attack involves tricking the user connecting to the SSH server you are intercepting into using the old version 1 of the SSH protocol
  • SSH1 uses a separate SSH Fingerprint from SSH2, so the user will be prompted to accept the different key
  • Many users will blindly accept this warning
  • If the user can be tricked into dropping to SSH1, it may be possible to steal the username and password they use to log in
  • Luckily, most modern SSH servers do not allow SSH1
  • However, some clients, including PuTTY, allow both SSH1 and SSH2, with a preference for the latter
  • Users are encouraged to change the setting on their server and in their client to only allow SSH2
  • Many embedded devices still allow SSH1, including many older Cisco Security Appliances
  • These devices are perfect targets for this type of downgrade attack
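For the advice above to allow only SSH2, a defender-side audit sketch, added here and not part of the show notes or the linked tutorial: it classifies the identification string a server sends (RFC 4253 uses protoversion "1.99" for servers that still accept SSH1 alongside SSH2). The host names and banners are constructed sample data, and `classify_banner` and `needs_remediation` are hypothetical helper names.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")


def classify_banner(banner):
    """Return which protocol versions a server's identification string advertises."""
    if isinstance(banner, bytes):
        banner = banner.decode("ascii", errors="replace")
    match = _BANNER.match(banner.rstrip("\r\n"))
    if match is None:
        return "not-ssh"
    major, minor = int(match.group(1)), int(match.group(2))
    if major == 2:
        return "ssh2-only"
    if major == 1 and minor == 99:
        # RFC 4253 section 5.1: a server with SSH1 compatibility enabled
        # identifies its protoversion as "1.99".
        return "ssh1-and-ssh2"
    if major == 1:
        return "ssh1-only"
    return "unknown-version"


def needs_remediation(inventory):
    """Return (host, classification) for every host that is not SSH2-only."""
    findings = []
    for host, banner in sorted(inventory.items()):
        verdict = classify_banner(banner)
        if verdict != "ssh2-only":
            findings.append((host, verdict))
    return findings


# Constructed inventory: banners as they might be recorded from your own hosts.
SAMPLE_INVENTORY = {
    "web01.example.net": b"SSH-2.0-OpenSSH_6.6.1\r\n",
    "fw-old.example.net": "SSH-1.99-Cisco-1.25",
    "nas-legacy.example.net": "SSH-1.5-1.2.27",
    "mail.example.net": "220 mail.example.net ESMTP",
}

if __name__ == "__main__":
    for host, verdict in needs_remediation(SAMPLE_INVENTORY):
        print(f"{host}: {verdict}")
```

The banner only reflects the server side; clients that accept both versions still need their own setting changed to SSH2 only.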

Restores are Everything | TechSNAP 168 https://original.jupiterbroadcasting.net/60922/restores-are-everything-techsnap-168/ Thu, 26 Jun 2014 14:45:11 +0000 https://original.jupiterbroadcasting.net/?p=60922 A company known for backup shuts down after their AWS account gets hacked, the Hedge fund thats under attack, how far you can get with a little cab data… Your questions, our answers, and much, much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | […]

The post Restores are Everything | TechSNAP 168 first appeared on Jupiter Broadcasting.


A company known for backup shuts down after their AWS account gets hacked, the hedge fund that’s under attack, how far you can get with a little cab data…

Your questions, our answers, and much, much more!

— Show Notes: —

Company shuts down after their AWS account compromised, all customer data deleted

  • Code Spaces, a source code hosting and backup service, has ceased doing business
  • On June 17th the company came under a DDoS attack, which is apparently business as normal for them
  • Later, they found messages in their Amazon Web Services portal, urging them to contact a Hotmail address
  • When contacted, the attacker demanded a large ransom
  • When Code Spaces attempted to change their passwords in the AWS control panel, additional administrator accounts added by the attacker were used to delete all EC2 virtual machines, S3 stores and EBS volumes in the account before all access could be revoked
  • The most embarrassing part of the situation is the text on the original Code Spaces website:
    “Backing up data is one thing, but it is meaningless without a recovery plan, not only that [but also] a recovery plan—and one that is well-practiced and proven to work time and time again,” “Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced.”
  • It is not clear what the Code Spaces backup strategy was, but it seemed to involve the same Amazon account
  • In general, the idea with an “offsite” backup is to separate it from a failure of the primary. If you keep the backups for your database beside the database server and your office burns down, what good are the backups?
  • What if Amazon suffered a catastrophic data loss? Or what if your account is compromised?
  • The backups should have at least been in a different Amazon account that was very strictly controlled, or better yet, stored in some other service
  • It is still unclear how the account was compromised, but it seems likely that Code Spaces was not making use of Amazon’s Multi-Factor Authentication service, which offers either a mobile phone app, or two different types of hardware authenticators (key fob and credit-card style)

Poorly anonymized NYC Taxi data, de-anonymized

  • Under an Open Data initiative, the New York City Taxi & Limousine Commission released the anonymized GPS logs of all taxi trips in 2013 (173 million trips)
  • Chris Whong got a hold of this data and did some interesting stuff with it
  • When he was done with it, he posted the data for everyone
  • Developer Vijay Pandurangan took a look at the data and noticed that the medallion and hack numbers appeared to simply be MD5 hashes
  • In particular, the driver with ID# CFCD208495D565EF66E7DFF9F98764DA appeared to have an impossibly large number of trips
  • Turns out, that is the MD5 hash of “0”, used in cases where the data was unavailable
  • Realizing that the data was only anonymized using MD5, and knowing the structure of a driver’s license # (5-7 characters, with specific characters being numbers or letters), he was able to brute force all 24 million combinations in only 2 minutes using a single CPU
  • Once this was done, he had the original un-anonymized data
  • Using other websites, it is possible to link the medallion and hack numbers to the owners’ names
  • Original Post
  • Additional Coverage – Ars Technica
  • To prevent this, there are a number of approaches. The fastest but weakest is a ‘secret key’: instead of md5(hack#), just do md5(SUPERLONGSECRETKEYhack#). As long as the attacker doesn’t know the secret key, and it is long enough to make guessing it impractical, the data would remain anonymized
  • Another option is to use the md5 hash of the encrypted form of the value, although this ultimately relies on a secret key as well. However, if the data never needs to be de-anonymized, a very strong key can be used, and that key can then be destroyed, making decryption impossible.
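The difference between the unkeyed and keyed approaches above, as an added example that is not from the show notes or the original post. It assumes a constructed four-digit ID space rather than the real license format, and it uses HMAC-SHA256 as the keyed construction in place of the md5(secret + id) form written above; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed ID space for illustration only: "0000".."9999".
# The real licence and medallion formats are not reproduced here.
ID_SPACE = [f"{n:04d}" for n in range(10_000)]


def md5_pseudonym(identifier):
    """Unkeyed scheme from the released data: the published value is md5(id)."""
    return hashlib.md5(identifier.encode()).hexdigest().upper()


def keyed_pseudonym(key, identifier):
    """Keyed scheme: HMAC-SHA256(key, id); stable per ID, not computable without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest().upper()


def build_lookup(pseudonymize):
    """Hash every possible ID once. Anyone able to call `pseudonymize` can build this."""
    return {pseudonymize(identifier): identifier for identifier in ID_SPACE}


def reidentified_fraction(published, lookup):
    """Share of published pseudonyms that map back to an ID through the lookup."""
    return sum(1 for value in published if value in lookup) / len(published)


def compare_schemes():
    records = ["0042", "1337", "9001", "0042"]  # constructed trip records

    # Release 1: unkeyed MD5. The hash function is public, so the whole
    # ID space can be enumerated by any reader of the data set.
    md5_release = [md5_pseudonym(r) for r in records]
    md5_hit = reidentified_fraction(md5_release, build_lookup(md5_pseudonym))

    # Release 2: keyed. The publisher holds the key; a reader without it can
    # only enumerate under some other key, which matches nothing.
    publisher_key = secrets.token_bytes(32)
    keyed_release = [keyed_pseudonym(publisher_key, r) for r in records]
    other_key = secrets.token_bytes(32)
    keyed_hit = reidentified_fraction(
        keyed_release, build_lookup(lambda i: keyed_pseudonym(other_key, i))
    )

    # The keyed release is still useful for analysis: the same driver maps to
    # the same pseudonym, different drivers to different ones.
    linkable = (keyed_release[0] == keyed_release[3]
                and keyed_release[0] != keyed_release[1])
    return md5_hit, keyed_hit, linkable


if __name__ == "__main__":
    print(compare_schemes())
```

Discarding `publisher_key` once the release is generated corresponds to the destroy-the-key option in the last bullet.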

Hackers attack hedge fund for monetary gain

  • BAE Systems, a British defense contractor that also specializes in cyber security, was called in to investigate after computers at a hedge fund were hacked
  • The attackers somehow infiltrated the HFT (High Frequency Trading) system, and injected delays of several hundred microseconds into the order entry system
  • This caused the hedge fund to miss out on profits it could have made on the trades
  • It is suspected that the attackers capitalized on this to make those profits themselves
  • “Hedge funds “really have inadequate cybersecurity as a whole” and the attacks threaten to undermine the systems used globally for high-speed trading, said Tom Kellerman, chief cyber security officer for Trend Micro Inc. ”

Client Side Drama | LINUX Unplugged 37 https://original.jupiterbroadcasting.net/55587/client-side-drama-linux-unplugged-37/ Tue, 22 Apr 2014 17:02:19 +0000 https://original.jupiterbroadcasting.net/?p=55587 The GTK camp is pushing hard for Client Side Decorations, but there are some major drawbacks on non-Gnome desktops. We discuss the pros and cons, and if this is going to lead to a new kind of desktop Linux fragmentation. Plus our thoughts on the best password managers, your follow up, and more! Thanks to: […]

The post Client Side Drama | LINUX Unplugged 37 first appeared on Jupiter Broadcasting.


The GTK camp is pushing hard for Client Side Decorations, but there are some major drawbacks on non-Gnome desktops. We discuss the pros and cons, and if this is going to lead to a new kind of desktop Linux fragmentation.

Plus our thoughts on the best password managers, your follow up, and more!

Show Notes:

F.U.

Client Side Diva

That’s why I decided to CC the Ayatana mailinglist and publish this letter as an open letter on my blog. CSD is a topic that is important for every user and nothing we should discuss in a small group.

Consistent window decorations: This in fact is my greatest doubt. The current situation is that all windows have the same window decoration. For CSD to work applications have to be changed to support them. This will render the changed applications using CSD while all other applications are decorated by the window manager. I think it is impossible to have the same behavior for both CSD and wm decos. I think there are lots of legacy applications which cannot be changed, for example Amarok 1.4 which is still used by many users even in GNOME. I doubt you will be able to change Qt 3 to use CSD. My bigger concern is that we will end up with applications shipping their own style and doing their own kind of decorations. So we end up with situations like one window has buttons on left, one on the right, one in order close, maximize, minimize, the other in close, minimize, maximize, etc.

Just look on the Microsoft Windows desktop to see what proprietary applications tend to do when they get the chance to influence the decorations.

The Wayland Reason, he disagrees with:

Get gtk+ working on Wayland: I don’t see how Wayland can be an argument for CSD. Could we consider Wayland as unimportant till it is looking like something is actually going on? I checked the commits in 2010 in the public git repository and well it looks like KWin has more commits per day. It’s nice that you think of the future, but please don’t use it for argumentation. So also not valid.

On the Gnome Wiki they state this about Wayland and Client Side Decorations:

Under Wayland, it is preferred that clients render their own window decorations. Since gnome-shell will need to keep support for decorating X clients, it would be good if GTK+ and gnome-shell could share the css theming.

The comment thread on this post introducing CSD in Gnome 3.10 is quite interesting
