leak – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Sun, 24 Sep 2017 06:22:04 +0000

Poop Legs | User Error 27
https://original.jupiterbroadcasting.net/118441/poop-legs-user-error-27/
Sat, 23 Sep 2017 22:22:04 +0000

Links:

  • YouTube TV – Watch & DVR Live Sports, Shows & News

  • YouTube Is Shutting Down My Channel and I’m Not Sure What To Do – YouTube

  • YouTube is leaving its creators in the dark | The Outline

  • Facing $750 […]

The post Poop Legs | User Error 27 first appeared on Jupiter Broadcasting.

Extended Usefulness | TechSNAP 335
https://original.jupiterbroadcasting.net/118036/extended-usefulness-techsnap-335/
Tue, 05 Sep 2017 21:01:28 +0000

The post Extended Usefulness | TechSNAP 335 first appeared on Jupiter Broadcasting.


Show Notes:

Extended File Attributes – What?

  • Extended File Attributes Rock! – article from 2011

  • Extended file attributes are file system features that enable users to associate computer files with metadata not interpreted by the filesystem, whereas regular attributes have a purpose strictly defined by the filesystem (such as permissions or records of creation and modification times). from Wikipedia

  • Different namespaces (or attribute spaces if you will), often system and user. You can use the user namespace as non-root.

  • Use them for your own purposes, e.g. backup tags, reminders

  • If you rely upon them, make sure your archive & restore tools support them. – test test test

  • Most Linux and BSD modern file systems have had this capability for years. So does Mac OS X. Apart from minor interface differences, the feature works identically on all three systems.

  • We mention this mostly to prompt ideas; perhaps you’ve been trying to solve a problem and this information will suddenly show you the solution you’ve been waiting for.

On internet privacy, be very afraid

  • In the internet era, consumers seem increasingly resigned to giving up fundamental aspects of their privacy for convenience in using their phones and computers, and have grudgingly accepted that being monitored by corporations and even governments is just a fact of modern life.

  • In fact, internet users in the United States have fewer privacy protections than those in other countries. In April, Congress voted to allow internet service providers to collect and sell their customers’ browsing data. By contrast, the European Union hit Google this summer with a $2.7 billion antitrust fine.

  • Right now, the answer is basically anything goes. It wasn’t always this way. In the 1970s, Congress passed a law to make a particular form of subliminal advertising illegal because it was believed to be morally wrong. That advertising technique is child’s play compared to the kind of personalized manipulation that companies do today.

  • …. The result is that there are more controls over government surveillance in the U.S. than in Europe. On the other hand, Europe constrains its corporations to a much greater degree than the U.S. does.

Inside the Massive 711 Million Record Onliner Spambot Dump

  • The mechanics of this spambot

  • The one I’m writing about today is 711m records which makes it the largest single set of data I’ve ever loaded into HIBP. Just for a sense of scale, that’s almost one address for every single man, woman and child in all of Europe. This blog post explains everything I know about it.

  • I’ll take a stab at it and say that there’s not many legitimate drivers using the New South Wales toll road system with Russian email addresses!

  • A random selection of a dozen different email addresses checked against HIBP showed that every single one of them was in the LinkedIn data breach.

  • Yet another file contains over 3k records with email, password, SMTP server and port (both 25 and 587 are common SMTP ports):

  • This immediately illustrates the value of the data: thousands of valid SMTP accounts give the spammer a nice range of mail servers to send their messages from. There are many files like this too; another one contained 142k email addresses, passwords, SMTP servers and ports.


Feedback


Round Up:

Zsh Configuration From the Ground Up


Unsecured IO | TechSNAP 327
https://original.jupiterbroadcasting.net/116571/unsecured-io-techsnap-327/
Tue, 11 Jul 2017 22:10:59 +0000

Show Notes (excerpt):

  • GnuPG encryption broken

  • Fixed in Libgcrypt version 1.7.8

  • The study – PDF

  • obtain a very efficient full key recovery for RSA-1024

  • For RSA-2048 the attack is efficient for 13% of keys (i.e. 1 […]

The post Unsecured IO | TechSNAP 327 first appeared on Jupiter Broadcasting.


Show Notes:

GnuPG encryption broken

NASDAQ leaks test data

  • Financial Times link- paywall

  • A data glitch briefly made online games group Zynga more valuable than Goldman Sachs when prices of a host of Nasdaq-listed stocks including Amazon, Apple and Microsoft were reset to exactly $123.47.

  • Prices on Nasdaq’s official website appeared unaltered but those shown on financial data services including Bloomberg, Thomson Reuters and Google Finance did display the price changes to $123.47.

  • New York Stock Exchange data were unaffected. Typically, vendors discard the test prices when checks are done. While the reason this did not happen for Nasdaq on Monday is not known, there was speculation it was linked to changed timings on the eve of the US Independence Day holiday.

  • “It was no error by Nasdaq,” the exchange operator said. “Some vendors took test data and put it out as live prices.”

  • Nasdaq said the glitch did not affect any market trading, including after hours. However, traders in Hong Kong said they saw a handful of trades reported at those prices, although many deals were subsequently cancelled.

Taking Control of All .io Domains With a Targeted Registration

  • Previous post same person – The Hidden Risks of Domain Extensions

  • The .io domain has several top level DNS servers under .io (e.g. a1.io)

  • Not so much an exploit as a failure of the TLD to protect its assets

  • Hard part is finding the servers which can be registered and then registering them

  • Dan notes that .org does not suffer as easily from this problem because all of the .org NS records are under a given domain: org.afilias-nst.info. (re dig NS org. @k.root-servers.net.)

In the what’s new category for Dan


Feedback


Round Up:


Bad Boy Backups | TechSNAP 309
https://original.jupiterbroadcasting.net/107361/bad-boy-backups-techsnap-309/
Tue, 07 Mar 2017 21:42:43 +0000

The post Bad Boy Backups | TechSNAP 309 first appeared on Jupiter Broadcasting.


Show Notes:

Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

  • Extortionists Wipe Thousands of Databases, Victims Who Pay Up Get Stiffed

  • Spiral Toys xCEO denies voice recordings stolen

  • CloudPets left their database exposed publicly to the web without so much as a password to protect it.

  • There are references to almost 2.2 million voice recordings of parents and their children exposed by databases that should never have contained production data.

  • CloudPets has absolutely no password strength rules

  • The CloudPets Twitter account has also been dormant since July last year so combined with the complete lack of response to all communications, it looks like operations have well and truly been shuttered.

Spammers expose their entire operation through bad backups

  • Today we release details on the inner workings of a massive, illegal spam operation. The situation presents a tangible threat to online privacy and security as it involves a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical address. Chances are that you, or at least someone you know, is affected. Spammergate: The Fall of an Empire

  • The data from this well-known, but slippery spamming operation, was discovered by Chris Vickery, a security researcher for MacKeeper and shared with Salted Hash, Spamhaus, as well as relevant law enforcement agencies.

  • Vickery also discovered thousands of warm-up email accounts used by RCM to skirt anti-spam measures

  • RCM’s data breach also exposed 2,199 IP addresses used for public-faced activities; as well as the group’s internal assets. This is in addition to the 60 IP blocks RCM has identified for activities in the past, as well as current and future operations; and the 140 active DNS servers that are rotated frequently.

  • Based on campaign logging documents, the data breach also exposed more than 300 active MX records. In just two spreadsheets alone, RCM recorded nearly 100,000 domains used for their campaigns.

  • If an offer doesn’t inbox (meaning it is rejected, or otherwise dumped into a spam or junk folder), or a given domain is blacklisted, RCM goes back to a list of thousands of domains and selects another to restart the process.


Feedback


Round Up:


Russia’s Cyber Sneak Attack | Unfilter 201
https://original.jupiterbroadcasting.net/102486/russias-cyber-sneak-attack-unfilter-201/
Wed, 24 Aug 2016 20:29:19 +0000

Episode Links (excerpt):

  • Clinton Foundation hired cyber firm after suspected hacking: sources | Reuters

  • Rita Katz on Twitter: “Pro#ISIS media grp attempts to instill fear in #Canada after […]

The post Russia’s Cyber Sneak Attack | Unfilter 201 first appeared on Jupiter Broadcasting.

Mismatch Patterns in Productivity | CR 216
https://original.jupiterbroadcasting.net/101566/mismatch-patterns-in-productivity-cr-216/
Mon, 01 Aug 2016 14:15:02 +0000

The post Mismatch Patterns in Productivity | CR 216 first appeared on Jupiter Broadcasting.


Mike & Chris rip up the thinking behind iPad-only is the new desktop Linux mantra, discuss the date of LaunchKit, announce a new coding challenge & much more!


— Show Notes: —

Coding Challenge

This Winner Roars To Victory

Hoopla

LaunchKit team heads to Google and open-sources its tools for helping devs launch their apps

The team behind LaunchKit, a set of tools that helps developers launch their apps, is heading to Google and joining the Developer Product Group.

Microsoft’s SwiftKey Suspends Sync After Keyboard Leaks Strangers’ Contact Details

Swiftkey has suspended its cloud-sync service and switched off email address predictions amid reports of Microsoft-owned keyboard app delivering suggestions for strangers’ email addresses and phone numbers.

Puck.js – the ground-breaking bluetooth beacon by Gordon Williams

An Open Source JavaScript microcontroller you can program wirelessly – perfect for IoT! No software needed so get started in seconds.

Feedback

DNC Frenzy | Unfilter 197
https://original.jupiterbroadcasting.net/101481/dnc-frenzy-unfilter-197/
Wed, 27 Jul 2016 20:31:48 +0000

The post DNC Frenzy | Unfilter 197 first appeared on Jupiter Broadcasting.


Leaks of DNC emails lead to total chaos at Hillary’s big event. We cover the content of those leaks, the fallout & debunk the spin from the Clinton campaign.

Plus some important world news updates, the FBI restarting the encryption debate & our coverage of the 2016 Democratic National Convention.

rm -rf $ALLTHETHINGS/ | TechSNAP 262
https://original.jupiterbroadcasting.net/98886/rm-rf-allthethings-techsnap-262/
Thu, 14 Apr 2016 18:34:12 +0000

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.


Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!


Show Notes:

Badlock vulnerability disclosed

  • The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
  • It turns out not to have been as big a deal as we were led to believe
  • The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
  • The flaw itself is identified as CVE-2016-2118: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
  • It affects all versions of Samba clear back to 3.0
  • “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
  • “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
  • See the Samba Release Planning page for more details about support lifetime for each branch
  • Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
  • The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
  • Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
  • It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were led to believe
  • “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
  • Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
  • standard Samba server – modify user permissions on files or directories.
  • There were also a number of related CVEs that are also fixed:
    • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
    • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
    • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
    • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
    • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
    • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
    • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
  • Additional Coverage: Threatpost – Badlock vulnerability falls flat against its hype
  • “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
  • “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
  • Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

  • Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
  • They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
  • The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
  • Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
  • There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
  • Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
  • Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
  • What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
  • Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
  • Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
  • On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
  • Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
  • Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
  • Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
  • Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
  • Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
  • Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
  • Additional Coverage: Forbes
  • Additional Coverage: WordFence
  • Additional Coverage: Slashdot
  • In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidentally rm -rf /’d, and destroyed my entire company

  • “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
  • “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
    How I can recover from a rm -rf / now in a timely manner?”
  • There is not usually any easy way to recover from something like this
  • That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
  • It is usually best to not have your backups mounted directly, for exactly this reason
  • Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
  • While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidentally rm -rf /’d in a roundabout way. Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), I used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
  • Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
  • When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
  • Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
  • There are plenty of other examples of this same problem though
  • Steam accidentally deletes ALL of your files
  • Bryan Cantrill tells a similar story from the old SunOS days
  • Discussion continues and talks about why rm -rf / is blocked on SunOS and FreeBSD
  • Additional Coverage: ServerFault
  • When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern Linux, without the --no-preserve-root flag
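
The two failure modes in this story, an `rm -rf {foo}/{bar}` whose variables are undefined and an `rm -rf badname/` that follows a symlink, can both be guarded in the script itself. The following is an added example, not code from the original post or the show; the function names `build_target_unsafe`, `build_target` and `safe_purge` are hypothetical.

```shell
#!/bin/sh
# Added example: guards for a cleanup script like the one quoted above.
# Function names are hypothetical. Note that `set -u` would catch unset
# variables script-wide, but not variables that are set to an empty string.

# The pattern from the story: with both values empty the result is "/".
build_target_unsafe() {
    printf '%s/%s\n' "$1" "$2"
}

# Guard 1: ${var:?} aborts the (sub)shell when a value is unset or empty,
# so the path is never built from missing pieces.
build_target() {
    foo=$1 bar=$2
    printf '%s/%s\n' "${foo:?foo is unset or empty}" "${bar:?bar is unset or empty}"
}

# Guard 2: delete only entries whose real parent directory is inside an
# allowed base directory, and never follow a symlink while doing so.
safe_purge() {
    base=$1
    name=${2%/}                       # drop one trailing slash ("/" becomes "")
    [ -n "$base" ] && [ -n "$name" ] || { echo "refusing: empty path" >&2; return 1; }
    leaf=$(basename -- "$name")
    case $leaf in
        .|..|/) echo "refusing: $2" >&2; return 1 ;;
    esac
    # pwd -P resolves symlinks, so a parent that points outside base is caught.
    real_base=$(CDPATH= cd -- "$base" && pwd -P) || return 1
    real_parent=$(CDPATH= cd -- "$(dirname -- "$name")" && pwd -P) || return 1
    case $real_parent in
        "$real_base"|"$real_base"/*) ;;
        *) echo "refusing: $name is outside $real_base" >&2; return 1 ;;
    esac
    victim=$real_parent/$leaf
    if [ -L "$victim" ]; then
        rm -- "$victim"               # remove the link itself, not its target
    elif [ -d "$victim" ]; then
        rm -rf -- "$victim"
    else
        echo "refusing: no such directory: $victim" >&2
        return 1
    fi
}

# Usage: safe_purge /srv/backups "$(build_target "$foo" "$bar")"
```

These guards complement, and do not replace, the advice above about keeping backups unmounted and in time series.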

Feedback:


Round Up:


Internet of Threats | TechSNAP 249
https://original.jupiterbroadcasting.net/92666/internet-of-threats-techsnap-249/
Thu, 14 Jan 2016 16:58:33 +0000

The post Internet of Threats | TechSNAP 249 first appeared on Jupiter Broadcasting.


A Critical OpenSSH flaw can expose your private keys, a new WiFi spec for IoT devices, that has all the classic issues & Intel’s SkyLake bug.

Plus your feedback, our answers, a rockin’ round up & so much more!


— Show Notes: —

Critical OpenSSH flaw can expose your private keys and other client memory

  • Two major issues have been identified in OpenSSH
  • CVE-2016-0777: An information leak (memory disclosure) can be exploited by a rogue SSH server to trick a client into leaking sensitive data from the client memory, including for example private keys.
  • Vendor-contributed code for a feature called Roaming, which allowed broken SSH sessions to be resumed, was added in OpenSSH 5.4. The server side code for this was never activated; only the commercial SSH server supported it.
  • However, the Roaming feature is on by default, and due to a bug a malicious server can read memory from the client when it tries to connect to the server
  • This includes the ability to steal your SSH private keys
  • “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
  • Because OpenSSH checks the host key of the remote server, if you are connecting to trusted servers, there is no risk
  • You can disable the feature by adding the following line to your /etc/ssh/ssh_config: UseRoaming no
  • The feature can also be disabled on a per-user basis by adding the same line to ~/.ssh/config
  • The patch just disabled this feature by default
  • CVE-2016-0778
  • A buffer overflow (leading to a file descriptor leak) can also be exploited by a rogue SSH server, but only under certain conditions (not the default configuration), when using ProxyCommand, ForwardAgent or ForwardX11; due to another bug in the code it is possibly not exploitable.
  • Both of these vulnerabilities are fixed in OpenSSH 7.1p2
  • It is not clear if the roaming support will be removed entirely
  • Researcher Post
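
To confirm the UseRoaming mitigation described above is actually in effect, a config file can be checked mechanically. This is an added example, not an OpenSSH tool or code from the show; `roaming_status` is a hypothetical helper, and it treats only settings placed before any Host/Match block, under `Host *`, or under `Match all` as covering every host.

```shell
#!/bin/sh
# Added example; roaming_status is a hypothetical helper, not an OpenSSH tool.
# Prints one word for an ssh_config-style file:
#   enabled   some block sets "UseRoaming yes"
#   disabled  "UseRoaming no" applies to every host and nothing re-enables it
#   default   no setting covers all hosts, so the client's built-in default applies
roaming_status() {
    awk '
        BEGIN { universal = 1 }          # lines before any Host/Match apply to all hosts
        { sub(/^[ \t]+/, "") }           # strip indentation
        /^#/ || /^$/ { next }            # skip comments and blank lines
        {
            line = $0
            gsub(/=/, " ", line)         # "Key=value" is accepted as well as "Key value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])          # keywords are case-insensitive
            val = tolower(f[2]); gsub(/"/, "", val)
        }
        key == "host" {
            universal = 0
            for (i = 2; i <= n; i++) if (f[i] == "*") universal = 1
            next
        }
        key == "match" { universal = (val == "all"); next }
        key == "useroaming" {
            if (val == "yes") yes = 1
            else if (val == "no" && universal) no = 1
        }
        END {
            if (yes) print "enabled"
            else if (no) print "disabled"
            else print "default"
        }
    ' "$1"
}

# Usage: roaming_status /etc/ssh/ssh_config; roaming_status "$HOME/.ssh/config"
```

A result of `default` on a client older than the fixed release means the setting still needs to be added.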

Bug in Intel Skylake CPUs means complex workloads can hang the machine

  • Intel has confirmed that its Skylake processors suffer from a bug that can cause a system to freeze when performing complex workloads.
  • The bug was reportedly discovered and tested by the community at hardwareluxx.de and passed on to GIMPS (Great Internet Mersenne Prime Search), which conducted further testing. Both groups passed their findings on to Intel.
  • Intel states:

“Intel has identified an issue that potentially affects the 6th Gen Intel Core family of products. This issue only occurs under certain complex workload conditions, like those that may be encountered when running applications like Prime95. In those cases, the processor may hang or cause unpredictable system behaviour.”

  • Intel has developed a fix, and is working with hardware partners to distribute it via a BIOS update.
  • No reason has been given as to why the bug occurs, but it’s confirmed to affect both Linux and Windows-based systems.
  • While the bug was discovered using Prime95, it could affect other industries that rely on complex computational workloads, such as scientific and financial institutions.
  • Recently, Intel’s Haswell and early Broadwell processors suffered from a TSX (Transactional Synchronization Extensions) bug. Rather than recall the parts, Intel disabled the TSX instructions via a microcode update delivered via new motherboard firmware.
  • Additional Coverage

New WiFi spec for IoT devices, WiFi HaLow likely has all the classic issues

  • “The new protocol is based on the 802.11ah standard from the IEEE and is being billed as Wi-Fi HaLow by the Wi-Fi Alliance. Wi-Fi HaLow differs from the wireless signal that most current devices use in a couple of key ways. First, it’s designed as a low-powered protocol and will operate in the range below one gigahertz. Second, the protocol will have a much longer range than traditional Wi-Fi, a feature that will make it attractive for use in applications such as connecting traffic lights and cameras in smart cities.”
  • There is also talk of using it for wearables, I suppose as a replacement for Bluetooth
  • “Wi-Fi HaLow is well suited to meet the unique needs of the Smart Home, Smart City, and industrial markets because of its ability to operate using very low power, penetrate through walls, and operate at significantly longer ranges than Wi-Fi today,” said Edgar Figueroa, president and CEO of Wi-Fi Alliance.
  • “But, as with any new protocol or system, Wi-Fi HaLow will carry with it new security considerations to face. And one of the main challenges will be securing all of the various implementations of the protocol. Device manufacturers all implement things in their own way and in their own time, a practice that has led to untold security vulnerabilities and innumerable billable hours for security consultants. Security experts don’t expect Wi-Fi HaLow to be the exception.”
  • “While the standard could be good and secure, implementations by different vendors can have weaknesses and security issues. This is common to all protocols,” said Cesar Cerrudo, CTO of IOActive Labs, who has done extensive research on the security of a wide range of smart devices and smart city environments
  • Who could possibly be worse at implementing security than the vendors and government contractors that would be used for a “smart city”?
  • “Many of the devices that may use the new protocol–which isn’t due for release for a couple of years–are being manufactured by companies that aren’t necessarily accustomed to thinking about threat modeling, potential attacks, and other issues that computer hardware and software makers have had to face for decades. That could lead to simple implementation problems that attackers can take advantage of.”
  • This seems to call for a nice clean BSD licensed implementation, although even then, everyone using the same implementation could be just as risky
  • Plus, as we have seen, most vendors will ship an old insecure version, rather than the latest, and won’t update the implementation as they iterate their product
  • The extended range of HaLow also means that attackers can come from much further away, making it harder to physically protect devices
  • “Each new iteration in technology brings with it fresh security and privacy considerations, and the proliferation of connected non-computing devices is no different. The concept of a voice-enabled hub that controls your home’s climate, entertainment, and other systems is now a reality, as is the ability to send an email from your refrigerator. That’s all well and good, until these smart devices start doing really dumb things.”

The post Internet of Threats | TechSNAP 249 first appeared on Jupiter Broadcasting.

Lessons, Thanks, and a Water Leak | Rover Log 13 https://original.jupiterbroadcasting.net/89021/lessons-thanks-and-a-water-leak-rover-log-13/ Sun, 11 Oct 2015 20:12:49 +0000 https://original.jupiterbroadcasting.net/?p=89021 Spending time on the open road taught us a lot of lessons, really fast. We share some of our favorites with you, thank some folks who helped with gear for the trip... And then discuss our rather nasty leak.

The post Lessons, Thanks, and a Water Leak | Rover Log 13 first appeared on Jupiter Broadcasting.


Spending time on the open road taught us a lot of lessons, really fast. We share some of our favorites with you, thank some who helped with gear for the trip…

And then discuss our rather nasty leak.

The Rover has been parked (mostly) since the trip, and there is a bit of wear. We’ll probably spend the next couple of videos tackling these challenges. We start with one of our most pressing.

Plus check out the Hyperlapses of Chris at work recording a bunch of shows this weekend!

ZFS does not prevent Stupidity | TechSNAP 222 https://original.jupiterbroadcasting.net/85007/zfs-does-not-prevent-stupidity-techsnap-222/ Thu, 09 Jul 2015 16:46:33 +0000 https://original.jupiterbroadcasting.net/?p=85007 From hacking to hacked, Hacking Team gets owned & what gets leaked is the best part, we’ll share the details. Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication. Your questions, our answers & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video […]

The post ZFS does not prevent Stupidity | TechSNAP 222 first appeared on Jupiter Broadcasting.


From hacking to hacked, Hacking Team gets owned & what gets leaked is the best part, we’ll share the details.

Plus, a new OpenSSL vulnerability revealed, Apple tweaks their two factor authentication. Your questions, our answers & much much more!


— Show Notes: —

Italian intrusion software vendor Hacking Team Breached, Data Released

  • Hacking Team, a vendor known for selling spyware to governments, suffered a serious data breach
  • The incident came to light Sunday evening when unnamed attackers released a torrent with roughly 400 GB of data purported to be taken from Hacking Team’s network.
  • Among the more potentially damaging documents made public are invoices showing that Hacking Team has sold its intrusion software to government agencies in countries known to have oppressive regimes, including Sudan, Ethiopia, and Egypt.
  • Researchers at Trend Micro have analyzed the leaked data and uncovered several exploits, including a zero-day for Adobe Flash Player.
  • A readme document found alongside proof-of-concept (PoC) code for the Flash Player zero-day describes the vulnerability as “the most beautiful Flash bug for the last four years since CVE-2010-2161.”
  • Adobe released a patch on July 7th 2015
  • Researchers have also found that the Adobe Flash zero-day has already been used in the wild.
  • “In late June, we learned that a user in Korea was the attempted target of various exploits, including CVE-2014-0497, a Flash vulnerability discovered last year,” threat analyst Weimin Wu explains.
  • The exploit was used to download a Trojan on the target’s computer, which then proceeds to download several other malicious payloads and create malicious processes.
  • In addition to the Flash Player exploit, Trend Micro said it also spotted an exploit for a Windows kernel zero-day vulnerability in the Hacking Team leak.
  • Did the “Hacking Team” find these zero days themselves? With the intent to sell them? Or did they discover them being used by others, and then added them to their own arsenal? Why were they not reported to the vendors?
  • Additional Coverage: Hacking Team’s Flash 0-day exploit used against Korean targets before it was leaked
  • Additional Coverage: Security Week
  • Additional Coverage: CSO Online
  • Additional Coverage: Net Security
  • Additional Coverage: Daily Dot
  • Additional Coverage: Threat Post — Update: Hacking Team to continue operations
  • Hacking Team bought Flash 0-days from Russian hacker

iOS 9 will drop the recovery key from two-factor authentication

  • After a hacker used social engineering against Apple Support to take over the Apple ID of Mat Honan, a Wired.com reporter, in order to take over his coveted three-letter Twitter handle, everyone raced to set up Two Factor Authentication for their Apple ID
  • The hacker was able to remotely erase Honan’s iPhone and iPad, destroying personal data, family photos, and all other content.
  • The hacker was able to reset the password for the Apple ID account by socially engineering the operation at Apple by using stolen information from public data, and from a hacked Amazon account
  • In the aftermath, Apple promised to increase training of its support operators and improve security
  • As part of this, when you enable two factor authentication, Apple issues you a recovery key: a short text string that you should print and store in a safe place
  • Without it, you cannot recover your account if you lose the password
  • This system is far more secure, but it has its drawbacks
  • Journalist loses recovery key, and Apple ID
  • If you, like Owen from the link above, lose your recovery ID, and your account is compromised or you lose your password, you have no way to get it back
  • Apple has drawn a hard line in the sand: for the sake of security, they can’t recover an account without that recovery key. You specifically asked to be protected from impersonation etc.
  • In the wake of scandals such as “the fappening”, this strong stance on security makes sense
  • However, Apple has decided to abandon it, because, as always, they are more focused on customer satisfaction than security.
  • But, can you blame them?
  • “Apple said at WWDC it would build a more integrated and comprehensive two-factor security system into its next OS releases”
  • “Among other changes, the Recovery Key option that has tripped up users in the past, and led in some cases to users having to abandon an Apple ID as permanently unavailable, has been removed, an Apple spokesperson confirmed. With the new system, Apple customer support will work through a detailed recovery process with users who lose access to all their trusted devices and phone numbers.”
  • Apple has posted more details about the new system on their Developer site

OpenSSL vuln revealed, while critical, not widespread. All that hype for nothing

  • “During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate. This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL).”
  • Impact: “An attacker could cause certain checks on untrusted certificates, such as the CA (certificate authority) flag, to be bypassed, which would enable them to use a valid leaf certificate to act as a CA and issue an invalid certificate.”
  • If you installed the OpenSSL update from June 11th, which blocks DH parameters shorter than 768 bits, your system is affected
  • This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
    • OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
    • OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p
  • Older versions of OpenSSL (1.0.0 and 0.9.8) are not affected, but reminder: support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015
  • This further suggests that OpenSSL needs to separate new features from bug and security fix releases
  • Why are any new features being added to OpenSSL 1.0.1?
  • Shouldn’t all new development happen only in the bleeding edge version?
  • Why has a sane release model not been adopted yet?

Apple Trolls Netflix Again | Tech Talk Today 128 https://original.jupiterbroadcasting.net/76852/apple-trolls-netflix-again-tech-talk-today-128/ Thu, 05 Feb 2015 11:39:02 +0000 https://original.jupiterbroadcasting.net/?p=76852 The Apple rumor mill is in full swing with claims that Apple’s Netflix killer is in the works. We’re a bit skeptical. Twitter & Google patch things up & now it’s time to blame the Russians for the Sony hack! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | […]

The post Apple Trolls Netflix Again | Tech Talk Today 128 first appeared on Jupiter Broadcasting.


The Apple rumor mill is in full swing with claims that Apple’s Netflix killer is in the works. We’re a bit skeptical. Twitter & Google patch things up & now it’s time to blame the Russians for the Sony hack!


Show Notes:

Twitter Reaches Deal to Show Tweets in Google Search Results – Bloomberg Business

In the first half of this year, tweets will start to be visible in Google’s search results as soon as they’re posted, thanks to a deal giving the Web company access to Twitter’s firehose, the stream of data generated by the microblogging service’s 284 million users, people with knowledge of the matter said Wednesday. Google previously had to crawl Twitter’s site for the information, which will now be visible automatically.

Apple Talks to TV Programmers About Web TV Service | Re/code

Industry executives say Apple is in talks with TV programmers about deals that would allow Apple to offer an “over the top” pay-TV service, like the one Dish has started selling with its Sling TV product, and the one Sony is getting ready to launch.

The theory is that Apple would put together bundles of programming — but not the entire TV lineup that pay-TV providers generally offer — and sell it directly to consumers, over the Web. That means Apple wouldn’t be reinventing the way TV works today, but offering its own version of it, with its own interface and user experience.

Forget North Korea – Russian Hackers Are Selling Access To Sony Pictures, Claims US Security Firm – Forbes

The firm claimed it has evidence Russian hackers have been silently siphoning off information from Sony’s network for the last few months and may even be the ones responsible for the catastrophic attacks in November, which the US blamed on North Korea. The Russians may have just been working unwittingly alongside the Guardians of Peace hackers, however, who were thought to have shut down Sony for its role in the production of The Interview, a film that depicted the assassination of North Korea leader Kim Jong-Un.

Millions hit by health company hack attack

The attackers stole names, addresses, birthdays and social security numbers of customers from every one of Anthem’s business units.

So far, Anthem has not said how many records were lost or how many people have been affected.

Celebrate TechSNAP 200 with a new look! | Teespring

After 200 episodes of TechSNAP we’d like to introduce the official logo to represent the best systems network and administration podcast around!

Sony Security Café | Tech Talk Today 102 https://original.jupiterbroadcasting.net/73287/sony-security-cafe-tech-talk-today-102/ Tue, 09 Dec 2014 11:23:37 +0000 https://original.jupiterbroadcasting.net/?p=73287 The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators. Then it’s a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more! Direct Download: MP3 Audio | OGG Audio | Video | HD […]

The post Sony Security Café | Tech Talk Today 102 first appeared on Jupiter Broadcasting.


The Chaos Computer Club gets blocked by UK “porn filters” & YouTube is ramping up the heat with secret exclusive deals to content creators.

Then it’s a full round-up in the Sony Pictures trainwreck of a hack, Fedora 21 is released, emails & more!


Show Notes:

Chaos Computer Club website is blocked by UK “porn filter”

A significant portion of British citizens are currently blocked from accessing the Chaos Computer Club’s (CCC) website. On top of that, Vodafone customers are blocked from accessing the ticket sale to this year’s Chaos Communication Congress (31C3).


Since July 2013, a government-backed so-called opt out list censors the open internet. These internet filters, authorized by Prime Minister David Cameron, are implemented by UK’s major internet service providers (ISPs). Dubbed as the “Great Firewall of Britain”, the lists block adult content as well as material related to alcohol, drugs, smoking, and even opinions deemed “extremist”.


Users can opt-out of censorship, or bypass it by technical means, but only a minority of users know how to bypass those filters.

YouTube Offering Its Stars Bonuses – WSJ

Facebook Inc. and video startup Vessel, among others, have tried to lure YouTube creators to their services in recent months, according to people familiar with the discussions.

In response, Google is offering some of its top video makers bonuses to sign multiyear deals in which they agree to post content exclusively on YouTube for a time before putting it on a rival service. The bonuses can be tied to how well videos perform, but YouTube is making a wide range of offers to counter rivals, according to people involved in the discussions. For several months, YouTube also has been offering to fund additional programming by some of its video makers.

These people say YouTube executives are particularly concerned about Vessel, though the startup has yet to disclose any details about its service or video makers it has signed.

In recent weeks “YouTube has been in a fire drill” led by Robert Kyncl, global head of business, trying to hold on to its stars, according to a person close to the company.

It’s Here! Announcing Fedora 21!

Fedora 21 Release Announcement

The Fedora Project is pleased to announce Fedora 21, the final release, ready to run on your desktops, servers, and in the cloud. Fedora 21 is a game-changer for the Fedora Project, and we think you’re going to be very pleased with the results.

TL;DR?

Impatient? Go straight to https://getfedora.org/ and get started. Otherwise, read on!

Sony Pictures hack was a long time coming, say former employees — Fusion

“Sony’s ‘information security’ team is a complete joke,” one former employee tells us. “We’d report security violations to them and our repeated reports were ignored. For example, one of our Central European website managers hired a company to run a contest, put it up on the TV network’s website and was collecting personally identifying information without encrypting it. A hack of our file server about a year ago turned out to be another employee in Europe who left himself logged into the network (and our file server) in a cafe.”


The information security team is a relatively tiny one. On a company roster in the leaked files that lists nearly 7,000 employees at Sony Pictures Entertainment, there are just 11 people assigned to a top-heavy information security team. Three information security analysts are overseen by three managers, three directors, one executive director and one senior-vice president.


Another former employee says the company did risk assessments to identify vulnerabilities but then failed to act on advice that came out of them. “The real problem lies in the fact that there was no real investment in or real understanding of what information security is,” said the former employee. One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected.


Sony Pictures has said little about its security failures since the hack, but seven years ago, its information security director was very chatty about “good-enough security.” Back in 2007, Jason Spaltro, then the executive director of information security at Sony Pictures Entertainment, was shockingly cavalier about security in an interview with CIO Magazine. He said it was a “valid business decision to accept the risk” of a security breach, and that he wouldn’t invest $10 million to avoid a possible $1 million loss.


Seven years later, Spaltro is still overseeing data security. Now senior vice president of information security, his salary is over $300,000 this year according to one of the leaked salary documents — and will get bumped over $400,000 if he gets his bonus.

In his comments, Mandia described the malicious software used in the attack against Sony as “undetectable by industry standard antivirus software.” He also said that the scope of the attack is unlike any other previously seen, primarily because its perpetrators sought to both destroy information and to release it to the public. The attack is one “for which neither SPE nor other companies could have been fully prepared,” Mandia said.

The hacks were traced to the St. Regis Bangkok, a 4.5 star resort where basic rooms cost over $400 per night. It remains unclear whether the hacks were done from a room or a public area, but investigations into the breach have traced the attack to the hotel on December 2nd at 12:25 am, local time.

It appears that the leaked files include the Social Security numbers of 47,000 employees and actors, including Sylvester Stallone, Judd Apatow and Rebel Wilson.

They also include a file directory entitled ‘Password’, which includes 139 Word documents, Excel spreadsheets, zip files, and PDFs containing thousands of passwords to Sony Pictures’ internal computers, social media accounts, and web services accounts.

Leslie Caldwell, assistant attorney general in the criminal division of the Department of Justice, announced on Thursday the creation of a new Cybercrime Unit, tasked with enhancing public-private security efforts. A large part of the Cybersecurity Unit’s mission will be to quell the growing distrust many Americans have toward law enforcement’s high-tech investigative techniques. (Even if that lack of trust, as Caldwell claimed, is based largely on misinformation about the technical abilities of the law enforcement tools and the manners in which they are used.) “In fact, almost every decision we make during an investigation requires us to weigh the effect on privacy and civil liberties, and we take that responsibility seriously,” Caldwell said. “Privacy concerns are not just tacked onto our investigations, they are baked in.”

Dropbox Those Passwords | Tech Talk Today 75 https://original.jupiterbroadcasting.net/69172/dropbox-those-passwords-tech-talk-today-75/ Tue, 14 Oct 2014 11:06:15 +0000 https://original.jupiterbroadcasting.net/?p=69172 A batch of Dropbox usernames and passwords hit the web, court documents reveal Apple’s $50 million fine for product leaks & Newsweek comes under fire. Plus our thoughts on the return of PC market growth & much more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post Dropbox Those Passwords | Tech Talk Today 75 first appeared on Jupiter Broadcasting.


A batch of Dropbox usernames and passwords hit the web, court documents reveal Apple’s $50 million fine for product leaks & Newsweek comes under fire.

Plus our thoughts on the return of PC market growth & much more!


Show Notes:

Change Your Password: Hackers Are Leaking Dropbox User Info

After first surfacing on Reddit, several Pastebin files have been found to contain hundreds of Dropbox users’ usernames and passwords—and the anonymous poster claims that there are millions more to come.

  • According to the Next Web, the leaked lists are meant to entice users to donate Bitcoin, at which point the purported hacker will release more users’ info. The message atop the list reads:

    Here is another batch of Hacked Dropbox accounts from the massive hack of 7,000,000 accounts

    To see plenty more, just search on [redacted] for the term Dropbox hack.

    More to come, keep showing your support

  • To put it another way: You need to change your password. Now. And then make sure that two-factor authentication is turned on.

Update 11:29pm:

  • A spokesperson from Dropbox has provided us with the following statement:

    Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

  • DROPBOX.COM HACKED First Teaser – Pastebin.com

  • Two Factor Auth List

Court document reveals that Apple could fine sapphire glass manufacturer $50 Million for product leaks

GT Advanced Technologies filed for Chapter 11 bankruptcy protection last week and the court documents have revealed an interesting agreement with Apple. GT Advanced, who was contracted to make sapphire glass displays for Apple, stated that there was a clause in its contract that would see them fined upward of a $50 million (USD) penalty for any leaked products.

Man Pegged By Newsweek as Satoshi Nakamoto Plans Legal Action | NEWSBTC

Dorian Prentice Satoshi Nakamoto’s name became public — very public — in a highly sensationalized exposé entitled The Face Behind Bitcoin, written by journalist Leah McGrath Goodman, employed by Newsweek.

Legal defense fund

Nakamoto, along with the Kirschner & Associates law firm, have started a website at NewsweekLied.com to ask for donations to help establish a defense fund in an ultimate lawsuit against Newsweek.

Yes. Bitcoin accepted.

You can read all the reasons that Dorian is angry here on the site’s background page, and it’s perfectly understandable where he’s coming from.

“Newsweek must be held accountable for its reckless reporting,” the site reads.

With This Tiny Box, You Can Anonymize Everything You Do Online | WIRED

Today a group of privacy-focused developers plans to launch a Kickstarter campaign for Anonabox. The $45 open-source router automatically directs all data that connects to it by ethernet or Wifi through the Tor network, hiding the user’s IP address and skirting censorship. It’s also small enough to hide two in a pack of cigarettes.

Decline in PC Sales Starts to Slow; Largest Makers See Growth – NYTimes.com

IDC and Gartner on Wednesday released numbers on the worldwide demand for PCs that showed only a slight drop in demand, a distinct contrast to the trend of the last three years. This likely means, analysts said, that consumers may not be choosing tablets and smartphones over PCs to the same degree they had in the past. Soon, they said, the industry might see growth again.


It has come already for the biggest manufacturers. Companies like Lenovo, Hewlett-Packard and Dell all had good growth, particularly in a strong U.S. market.

In the United States, IDC said 17.3 million PCs were shipped, an increase of 4.3 percent from a year ago. Gartner put the number at 16.9 million, a rise of 4.2 percent. The top five companies were HP, Dell, Apple, Lenovo and Toshiba, both IDC and Gartner said.


SnatchedChat | Tech Talk Today 74 https://original.jupiterbroadcasting.net/69072/snatchedchat-tech-talk-today-74/ Mon, 13 Oct 2014 10:00:13 +0000 https://original.jupiterbroadcasting.net/?p=69072 13 gigabytes of stolen images from Snapchat but Snapchat themselves are not to blame. The Linux Foundation is working on open source drones. Apple Pay is facing headwinds & our Kickstarter of the week sparks quite the debate! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS […]

The post SnatchedChat | Tech Talk Today 74 first appeared on Jupiter Broadcasting.


13 gigabytes of stolen images from Snapchat but Snapchat themselves are not to blame. The Linux Foundation is working on open source drones. Apple Pay is facing headwinds & our Kickstarter of the week sparks quite the debate!


Show Notes:

Snapchat images stolen from third-party Web app using hacked API [Updated] | Ars Technica

An alleged cache of about 13 gigabytes of stolen images from Snapchat—some of them apparently of nude, underage users of the “ephemeral” messaging platform—was posted online Thursday night, many of them to the image-sharing site 4chan’s /b/ discussion board. However, the threads linking to the images have largely been shut down by 4Chan over concerns of trafficking in what could be considered child pornography. Over 100,000 user images and videos were in the cache, according to 4chan discussions.


According to 4Chan posters, the files were moved by the operator of the site SnapSaved.com—a site that was operating as a web-based SnapChat viewer—from the original server to a non-indexed site, where they were discovered. The original poster on the leak has said he will not be sharing the contents in both a comment on 4Chan and in a “release” posted on Pastebin.


The leak was apparently caused by SnapSaved.com (which has apparently been offline for several months; the link is to the developers’ Facebook page). SnapSaved was a Web-based client built for Snapchat that allowed users to access “snaps” from a Web browser. However, the service, which according to DNS records ran on a server at the hosting company HostGator, apparently kept all images received or sent by its users without their knowledge.


Snapchat does not publish its API for third-party developers, but it has been reverse-engineered.

Linux Foundation Launches Open Source Dronecode Project

The Linux Foundation, the nonprofit organization dedicated to accelerating the growth of Linux and collaborative development, today announced the founding of the Dronecode Project. The Project will bring together existing open source drone projects and assets under a nonprofit structure governed by The Linux Foundation. The result will be a common, shared open source platform for Unmanned Aerial Vehicles (UAVs). Founding members include 3D Robotics, Baidu, Box, DroneDeploy, Intel, jDrones, Laser Navigation, Qualcomm, SkyWard, Squadrone System, Walkera and Yuneec. Dronecode includes the APM UAV software platform and associated code, which until now has been hosted by 3D Robotics, a world leader in advanced UAV autopilot and autonomous vehicle control. The company was co-founded by Chris Anderson, formerly editor-in-chief of Wired.

Many Retailers Hesitant About Offering Support for Apple Pay

Though Apple is launching Apple Pay with a number of high-profile retail partners including Macy’s, Disney, Whole Foods, Sephora, Walgreens, and Staples, among others, there’s a long list of retailers who have decided not to offer Apple Pay in their stores.


Walmart and Best Buy, for example, have been two high-profile companies that have vocally opted out, and The Daily Dot has compiled a list of several other retail outlets that have no current plans to support Apple Pay. Clothing store H&M said that it has no plans to accept Apple Pay at this time, as did high-end retailer Coach.


A Bed, Bath & Beyond spokesperson said the company was “unable to participate,” while a spokesperson for retailer Belk also said “we don’t have the capability to accept Apple Pay right now,” suggesting the store has not adopted payment systems with NFC capabilities.


Sears, Kmart, and Publix have also said they won’t be accepting Apple Pay, as has gas company BP, though BP stations may be able to accept Apple Pay in 2016.


Some fast food restaurants aren’t on board yet either, including Pizza Hut and Chipotle, while others, like KFC, are “looking into the prospect of accepting Apple Pay” but have no timetable for support.


The list of merchants not on board with Apple Pay is considerable, but contactless payments are growing in popularity and with the help of Apple Pay, the adoption of NFC systems may accelerate even faster. According to Apple, more than 220,000 retail stores across the United States will be able to accept Apple Pay.


Apple Pay is expected to roll out in October as an update to iOS 8. iOS 8.1, with hidden Apple Pay settings, has already been seeded to developers for testing.

Wells Fargo employee emails CEO asking for a raise — copies 200,000 other employees

Tyrel Oates, a 30-year-old Portland, Oregon-based employee of Wells Fargo, shot to Internet fame after emailing the company’s CEO John Stumpf (and cc’ing 200,000 other employees) to ask for a $10,000 raise… for everyone at the company.

The Charlotte Observer reports:

Oates proposed that Wells Fargo give each of its roughly 263,500 employees a $10,000 raise. That, he wrote, would “show the rest of the United States, if not the world, that, yes, big corporations can have a heart other than philanthropic endeavors.”

In an interview Tuesday, Oates…said he has no regrets and that he has received many thank-yous from co-workers who told him they shared his views.

And, at least as of Tuesday afternoon, he said he’s still employed by the company, where he processes requests from Wells Fargo customers seeking to stop debt-collection calls.

“I’m not worried about losing my job over this,” Oates said.

Kickstarter of the Week: Boxie: A speaker with a built-in LED light-show by Michael K.

An elegant, synchronized light-show built into a great sounding speaker. Place Boxie on your desk or in a bookshelf and see the music.

It’s not a Bug, It’s a Weapon | TechSNAP 179 https://original.jupiterbroadcasting.net/66617/its-not-a-bug-its-a-weapon-techsnap-179/ Thu, 11 Sep 2014 18:27:44 +0000 https://original.jupiterbroadcasting.net/?p=66617 Google leverages Chrome’s marketshare to push web security forward. Are we about to see zero day exploits reclassified as weapons & ZFS gets the green light on Linux for production. Then it’s a great batch of your questions, our answers & much, much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 […]


Google leverages Chrome’s marketshare to push web security forward. Are we about to see zero day exploits reclassified as weapons & ZFS gets the green light on Linux for production.

Then it’s a great batch of your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Killing off SHA-1 in SSL certificates

  • “The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago”
  • “That’s why Chrome will start the process of sunsetting SHA-1 (as used in certificate signatures for HTTPS) with Chrome 39 in November. HTTPS sites whose certificate chains use SHA-1 and are valid past 1 January 2017 will no longer appear to be fully trustworthy in Chrome’s user interface.”
  • The CA/Browser Forum is the group made up of Google, Mozilla, Microsoft, Apple, Opera, and most of the Certificate Authorities, and it sets the policies for the group
  • The forum is how the browsers decide which CAs to include in their trust store
  • Part of the problem was that older browsers and devices only supported SHA-1, and none of the SHA-2 (SHA256, SHA512) algorithms
  • The CA/Browser Forum officially deprecated SHA-1 in 2011; no new certificates can be issued that use SHA-1
  • Google is proposing to add increasingly severe warning messages for visitors to sites using SHA-1 certificates that have an expiration date after the end of 2016
  • Upgrades may still be complicated. Windows Server 2003 and Windows XP SP2 do not support SHA-256, only SHA-1. Servers would need to be upgraded, and Windows XP clients would need to install SP3. Android before 2.3 only supports SHA-1; 2.2 is still quite popular
  • Support for running 2 certificates, an upgraded one for clients that support it and a legacy certificate for ones that do not, is being worked on. Apache supports it now, and work is underway to add support to NGINX and Apache Traffic Server.
  • GlobalSign’s SHA-256 compatibility matrix
  • It is nice to see the steps being taken with plenty of time for everyone to update gracefully. In the past, the move away from MD5 was much less smooth, only finally spurred on by the real danger of rogue certificates via MD5 collisions
  • The CA/Browser forum similarly disallowed new 1024 bit certificates in 2010, with no certificate to have an expiration date later than Dec 31st 2013. Mozilla recently pulled the plug on 1024 bit certificates, leaving 107,000 “valid” certificates no longer trusted
  • SSL Labs breaks down what you need to know
  • Additional Coverage: Why Google is Hurrying to kill SHA-1

Will selling 0-day exploits soon be considered “Arms Dealing” and be illegal?

  • VUPEN and others are now following the Wassenaar Arrangement that classifies their 0-days and exploits as regulated and export-controlled “dual-use” technologies. Going forward they will only sell to approved government agencies in approved countries.
  • The latest version of the agreement included 0-days, exploits, and backdoors as regulated and export-controlled “dual-use” technologies. Previously, the US wasn’t recognizing these most recent additions but that is all changing come later this month according to a recent Federal Register notice (pdf). The notice states that the US will be adopting changes made to the list of dual-use items made in December 2013 as of August 4th.
  • The big question is where the government will draw the line in terms of defining “dual-use.” Will day-to-day security tools (e.g., Nessus and Nmap) fit into this category? What about a quick bash script you write up to bruteforce web application session ids?

The state of ZFS on Linux

  • ZFS on Linux is now “officially” production ready
  • Key ZFS data integrity features work on Linux like they do on other platforms
  • ZFS runtime stability on Linux is comparable to other filesystems, with certain exceptions
  • ZoL is at near feature parity with ZFS on other platforms.
  • ZoL does not lose data
  • Changes to the disk format are forward compatible
  • Updates are always flawless
  • Up until now, it was mostly the “on Linux” part that was in question; OpenZFS (the open source fork used in IllumOS, FreeBSD, SmartOS, and elsewhere) has been stable for many years
  • “Data loss can be defined as the occurrence of either of two events. The first is failing to store some information. The second is attempting to retrieve information that was successfully stored and getting either something else or nothing at all”
  • “The ZFS on Linux kernel driver performs the same block device operations as its counterparts on other platforms. As a consequence, its ability to ensure data integrity is equivalent to its counterparts on other platforms and this ability far exceeds that of any other Linux filesystem for direct attached storage”
  • ZoL is missing 9 of the newest features in OpenZFS, including LZ4 compression, Spacemap histograms (speed improvements under heavy fragmentation), Feature Flag enabled TXG (support for rolling back and upgrade), Hole Birth (improved replication performance) and ZFS Bookmarks (resumable zfs send/recv)
  • Also, there are 9 other features missing from ZoL, including integration for iSCSI (also missing on FreeBSD, as until recently FreeBSD did not have a kernel iSCSI target daemon), Integration with Containers (Linux doesn’t really have a feature similar to Solaris Zones or FreeBSD Jails), Boot Loader integration, etc.
  • “The current release is 0.6.3 and the next release will be 0.6.4 later this year. The plan is to continue performing 0.6.x releases with distribution maintainers doing backports until the /dev/zfs ioctl interface is stabilized. At that point, the project will release 1.0. New releases will be 1.x while 1.x.y maintenance releases will be done to back port fixes like is done by the Linux kernel stable maintainers”

Feedback:


Round Up:


The New Payphone | Tech Talk Today 57 https://original.jupiterbroadcasting.net/66532/the-new-payphone-tech-talk-today-57/ Thu, 11 Sep 2014 09:36:21 +0000 https://original.jupiterbroadcasting.net/?p=66532 Gmail passwords may have been leaked, but there is some debate as to how bad the damage is. Google Voice gets rolled into Hangouts & we take a look at the results from “Internet Slowdown Day”. Plus our thoughts on mobile payments, a great deal for Linux users & more! Direct Download: MP3 Audio | […]


Gmail passwords may have been leaked, but there is some debate as to how bad the damage is. Google Voice gets rolled into Hangouts & we take a look at the results from “Internet Slowdown Day”.

Plus our thoughts on mobile payments, a great deal for Linux users & more!


Show Notes:

5 Million Gmail Usernames and Passwords Leaked

In what appears to be an unknown attack, hackers dumped over 5,000,000 valid Gmail usernames and passwords on the Internet early Wednesday morning.

Unknown hackers have leaked over five million valid credentials pertaining to Google Mail logins early this morning. The random dump of passwords first appeared on reddit’s netsec section, linking to another website hosting the leaked Gmail accounts.

The .txt file of all leaked gmail usernames was found on BitCoin security (forum in Russian), where the leak is believed to be first offloaded. The file of leaked emails does not contain any passwords or other sensitive information, only full gmail email addresses.

As the leak was posted only hours ago, Reddit users are warning each other not to enter any email username or password combinations into any websites “to check if your password is secure.” It appears scams are already appearing or Reddit users are getting ready for the scams to come.

“The security of our users’ information is a top priority for us,” a Google spokesperson told TNW. “We have no evidence that our systems have been compromised, but whenever we become aware that accounts may have been, we take steps to help those users secure their accounts.”

Next, since the posting, the forum administrators have purged the passwords from the text file in question, leaving only the logins. Furthermore, tvskit, the forum user who published the file, claimed that some 60 percent of the passwords were valid.

Google Voice Integration Is Currently Rolling Out In Hangouts

Google Voice is finally being integrated into Hangouts, because God knows Hangouts needed to be even more confusing. You can enable Voice SMS and voicemail via a popup in the conversation list, so check the app. If you still don’t see it, hang on. It’s still rolling out.

“Internet Slowdown Day” sends over 111,000* new comments on net neutrality to FCC

The effort appears to have made a difference: According to the FCC*, by 6 PM ET the agency saw 111,449 new public comments added to the already record-setting total, with some 41,173 filed into the 14-28 docket of the FCC’s website since and another 70,286 sent to the openinternet@fcc.gov inbox, setting a new high water mark of some 1,515,144 to date, with more yet to come. As reported by Mike Masnick, citing ThinkProgress, the Internet slowdown generated 1000 calls per minute to Congress. *Update: Fight for the Future claims that more than 500,000 comments have been submitted through Battleforthenet.com and that the FCC hasn’t caught up. According to the nonprofit, “this happened during our last big push too when their site crashed. We are storing comments and will deliver all.”

IDG shutters Macworld Magazine, much of the editorial staff let go | 9to5Mac

International Data Group (IDG) is shutting down Macworld Magazine, the long time Apple periodical according to tweets by staff and conversations I’ve had with personnel.

The Macworld.com website will remain open [although as a shell of its former self -ed] with a reduced staff according to Dan Miller (editor), who himself is leaving in a month.

Why pay with your phone? : techtalktoday

Floppy-Bacon Writes

Is payment in the stores in the US really as bad as Apple’s presentation made it look? When I pay with my debit card (or credit card), I don’t hand it to the cashier. I insert it into a small device and enter my 4-digit PIN code; fast and secure. I do not need to identify myself, I do not give any detail about my card and I do not have 15 cards in my wallet or however many cards she had in the video. I know that I hate technology, but do you really want to pay with your phone rather than just fix the payment system to how it works elsewhere? For the time being you still need to have your wallet with you for all the other stuff. (And taking my phone with me will just be extra cumbersome.)

Crossover Linux 50% off : linux_gaming

I received an e-mail this morning from CodeWeavers that CrossOver Linux + 12 months of support is 50% off for the next 48 hours.

Promotional Code: FLASHME

For more information: https://www.codeweavers.com/products/crossover-linux

Privacy is a Myth | CR 118 https://original.jupiterbroadcasting.net/66337/privacy-is-a-myth-cr-118/ Mon, 08 Sep 2014 14:11:28 +0000 https://original.jupiterbroadcasting.net/?p=66337 The debate over whose responsibility it is to protect your cloud data heats up, we discuss how to get your confidence back & some Vala feedback. Plus the recent Markdown drama, the systemd hater club & much more! Thanks to: Direct Download: MP3 Audio | OGG Audio | Video | Torrent | YouTube RSS Feeds: […]


The debate over whose responsibility it is to protect your cloud data heats up, we discuss how to get your confidence back & some Vala feedback.

Plus the recent Markdown drama, the systemd hater club & much more!

Thanks to: Linux Academy, DigitalOcean


— Show Notes: —

Feedback / Follow Up:

Dev Hoopla:

Ultimately, the schism over systemd could lead to a separation of desktop and server distros, or Linux server admins moving to FreeBSD

Systemd has turned into the Godzilla of Linux controversies. Everywhere you look it’s stomping through blogs, rampaging through online discussion threads, and causing white-hot flames that resemble Godzilla’s own breath of death. TechNewsWorld has a roundup of the systemd hostilities in case you missed any of it and want to savor some of the drama.

Maybe it’s time Linux is split in two. I suggested this possibility last week when discussing systemd (or that FreeBSD could see higher server adoption), but it’s more than systemd coming into play here. It’s from the bootloader all the way up. The more we see Linux distributions trying to offer chimera-like operating systems that can be a server or a desktop at a whim, the more we tend to see the dilution of both. You can run stock Debian Jessie on your laptop or on a 64-way server. Does it not make sense to concentrate all efforts on one or the other?

Standard Markdown aka Common Markdown aka CommonMark

Facebook Lobotomy | Tech Talk Today 53 https://original.jupiterbroadcasting.net/66032/facebook-lobotomy-tech-talk-today-53/ Fri, 05 Sep 2014 09:21:58 +0000 https://original.jupiterbroadcasting.net/?p=66032 Apple outlines the immediate improvements to iCloud security they’ll be making but the core issues are still rotting. Facebook is killing your cell & why we can’t wait to buy our NSA Nanny Cam! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | […]


Apple outlines the immediate improvements to iCloud security they’ll be making but the core issues are still rotting. Facebook is killing your cell & why we can’t wait to buy our NSA Nanny Cam!


Show Notes:

Tim Cook: Apple to Add Security Alerts for iCloud Users, Broaden Two-Factor Authentication – Mac Rumors

Apple will add security alerts for iCloud users, broaden two-factor authentication and make a more aggressive effort to alert users about protecting their accounts, Apple CEO Tim Cook told the Wall Street Journal in his first interview since the recent hacking incident involving celebrities’ iCloud accounts.

To make such leaks less likely, Mr. Cook said Apple will alert users via email and push notifications when someone tries to change an account password, restore iCloud data to a new device, or when a device logs into an account for the first time. Until now, users got an email when someone tried to change a password or log in for the first time from an unknown Apple device; there were no notifications for restoring iCloud data.

Cook said the new notifications will begin in two weeks and will allow users to take action on potential hacking immediately, allowing them to either change the password to retake the account or alert Apple’s security team. Cook echoed Apple’s previous press release on the hackings, stressing that the best prevention for future incidents is more human than technological.

Exclusive aerial footage of Apple’s mysterious white box next to ‘iPhone 6’ event site

The large white structure is being erected next to the Flint Center for the Performing Arts in Cupertino, Calif.

The included photos and video were captured by a DJI Phantom 2 Vision+ drone, offering a unique perspective on the mystery building.

Apple hasn’t used the Cupertino Flint Center venue for introducing new products since the late 1990s. The space is notable in Apple’s history for serving as the first public introduction of the Macintosh in 1984.

[DARPA Develops Implants that Treat Diseases and Depression Without Medication](https://www.extremetech.com/extreme/188908-darpas-tiny-implants-will-hook-directly-into-your-nervous-system-treat-diseases-and-depression-without-medication)

DARPA, on the back of the US government’s BRAIN program, has begun the development of tiny electronic implants that interface directly with your nervous system and can directly control and regulate many different diseases and chronic conditions, such as arthritis, PTSD, inflammatory bowel diseases (Crohn’s disease), and depression. The program, called ElectRx (pronounced ‘electrics’), ultimately aims to replace medication with “closed-loop” neural implants, which constantly assess the state of your health, and then provide the necessary nerve stimulation to keep your various organs and biological systems functioning properly.

The ElectRx program will focus on a fairly new area of medical therapies called neuromodulation. As the name implies, neuromodulation is all about modulating your nervous system, to improve or fix an underlying problem. Notable examples of neuromodulation are cochlear implants, which restore hearing by directly modulating your brain’s auditory nerve system, and deep brain stimulation (DBS), which appears to be capable of curing/regulating various conditions (depression, Parkinson’s) by overriding erroneous neural spikes with regulated, healthy stimulation.

Facebook’s autoplay video feature is destroying cell phone bills – Sep. 3, 2014

Smartphone users could be at risk of maxing out their data plans if they don’t change this default setting in the Facebook app, which otherwise will automatically start streaming videos in the News Feed window.

The issue was flagged by consumer finance site MoneySavingExpert.com, which said it had “seen many complaints from people who have been stung with data bills after exceeding their monthly allowance and who believe it to be because of Facebook autoplaying videos.”

A Smart Nanny Cam With Facial Recognition and Air Pollution Sensors

It’s a nanny cam with upgraded intelligence: Not only can it send images to your phone via an app, it can also serve as an autonomous sentry, alerting you to strange activity in the house thanks to facial recognition and air-quality sensors.

It supplies users with a live, high-definition video feed of their house. The white-and-wood device—it almost looks like a little candle for your mantel—has a 135-degree viewing angle on the room it’s in, night vision, and two-way audio.


Likewise, for audio, Withings has programmed the device to discern between, say, a baby crying and a motorcycle engine. Whenever something is awry, users get a push notification on their phone. If the user chooses to view the notification later, it gets saved in a timeline. (How far back the timeline goes will be based on a pay-for-space subscription model.)

These clever systems for detecting abnormalities also work with the Home’s air quality sensors. These pick up on volatile organic compounds, or harmful gases often released by cleaning products or building materials. When the Home alerts users about harmful chemicals, it also points out the likely culprit.

This allows you to isolate a problem area of the house.

Borderlands 2 Also Looks Like It’s Coming To Linux, UPDATE: Confirmed | GamingOnLinux

Michael Blair, Aspyr Media: Yes! BL2 Linux is absolutely real! We’ve been working hard on it for months and will talk about a release date as soon as possible.

China’s new Apple | Tech Talk Today 44 https://original.jupiterbroadcasting.net/64782/chinas-new-apple-tech-talk-today-44/ Mon, 18 Aug 2014 10:32:39 +0000 https://original.jupiterbroadcasting.net/?p=64782 A leak reveals the specs, price, and other details about the new Moto 360 smartwatch & is Xiaomi’s new MIUI 6 OS release a iOS rip off? Plus the market share numbers you won’t believe, and if Linux distros were superheroes, which hero would they be? We debate! Direct Download: MP3 Audio | OGG Audio […]


A leak reveals the specs, price, and other details about the new Moto 360 smartwatch & is Xiaomi’s new MIUI 6 OS release an iOS rip-off?

Plus the market share numbers you won’t believe, and if Linux distros were superheroes, which hero would they be? We debate!


Show Notes:

Moto 360 Shows Up at Best Buy for $249, Outs List of Features | Droid Life

We are expecting to get official Moto 360 launch details when Motorola hosts press at a September 4 event in Chicago, but Best Buy may have gone ahead and let us in on all sorts of details early. According to a listing on Best Buy’s site for the Moto 360, we could end up paying $249.

MIUI 6 Full Review: Visually Stunning, Stunningly Simple – Xiaomi Mi 4 – MIUI Official Community


MIUI 6

I’m not sure who should be more upset. Apple, because this is such a preposterously shameless ripoff of iOS. Or Samsung, because Xiaomi is so much better at ripping off Apple than they are.

Update: Keep in mind, too, that Xiaomi VP Hugo Barra keeps insisting they don’t copy designs from Apple. Even Thom Holwerda agrees that this is just shameless.


Android, iOS gobble up even more global smartphone share | PCWorld

According to IDC, the total combined market share of Android and iOS swelled to 96.4 percent during the second quarter, up from 92.6 percent a year ago. That left just 2.5 percent of the market to Windows Phone, down from 3.4 percent in a year’s time.


Unfortunately for Microsoft’s Windows Phone, Apple’s iOS devices dominated the high end of the market, while Android—with 84.7-percent global share in smartphone operating systems—tended to dominate the low-end, sub-$200 market. That left precious little room for Windows Phone, even though recent efforts to lower the platform’s licensing costs should have helped propel it in the market.


“With many of its OEM partners focusing on the sub-$200 segments, Android has been reaping huge gains within emerging markets,” said Ramon Llamas, a research manager with IDC’s mobile phone team, in a statement. “During the second quarter, 58.6 percent of all Android smartphone shipments worldwide cost less than $200 off contract, making them very attractive compared to other devices. With the recent introduction of Android One, in which Google offers reference designs below $100 to Android OEMs, the proportion of sub-$200 volumes will climb even higher.”

If Linux Distros Were Superheroes Ubuntu Would Be Superman

If Ubuntu-based Linux distributions were comic book superheroes, who would be what and why? That’s the question I’ve been mulling over for the last half hour.
