Show Notes: linuxunplugged.com/469

The post Tough Linux Love | LINUX Unplugged 469 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/423

The post What Makes a Linux User? | LINUX Unplugged 423 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/402

The post Payment Required | Coder Radio 402 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/306

The post Comparing Hammers | BSD Now 306 first appeared on Jupiter Broadcasting.

Show Notes: error.show/62

The post Emergency Condiments | User Error 62 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

How I tricked Symantec with a Fake Private Key

• If true, not very good.

• The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a certificate authority shall revoke the key within 24 hours (Section 4.9.1.1 in the current Baseline Requirements 1.4.8).

• I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo.

• Comodo didn’t fall for it. They answered me that there is something wrong with this key. Symantec however answered me that they revoked all certificates – including the one with the fake private key

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

• Fair warning: blog post is from 2015, but with Let’s Encrypt all around us, I think this is relevant now.

• “Tony Finch has created a gem of a utility called nsnotifyd. It’s a teeny-tiny DNS “server” which sits around and listens for DNS NOTIFY messages which are sent by authority servers when they instruct their slaves that the zone has been updated and they should re-transfer (AXFR / IXFR) them. As soon as nsnotifyd receives a NOTIFY, it executes a shell script you provide.

• offical repo

• nsnotifyd on GitHub

• man 1 nsnotifyd

• man 1 nsnotify

• man 4 metazone

New details emerge on Fruitfly, highly-invasive Mac malware

• Mysterious Mac Malware Has Infected Victims for Years

• The recently discovered Fruitfly malware is a stealthy, but highly-invasive, malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, keyboard and mouse.

• Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.

• Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.

Feedback

• Tell me more on XML vs JSON
• JSON – data format
• XML – language
• Stop Comparing JSON and XML
• Extensible Data Notation
• https://www.compoundtheory.com/clojure-edn-walkthrough/
• Transit is a format and set of libraries for conveying values between applications written in different programming languages.

• https://github.com/cognitect/transit-js

• Thanks for Dan’s recommendations
  +Lee Valley Divider boxes

• Duluth Fire Hose Pants

Round Up:

• Vulnerabilities discovered in Windows security protocols

• With Patch Tuesday imminent, make sure you have Automatic Update turned off + From Matthew Garrett‏ – YOU ARE EVERYTHING WRONG WITH SOCIETY
  

• Post mortums from NASA: flight test & Avionics cooling

• Interesting analysis by Bitdefender suggests Petya/Goldeneye/NotPetya gave Kaspersky AV users a pass

• Adobe to pull plug on Flash, ending an era

• Roomba’s Next Big Step Is Selling Maps of Your Home to the Highest Bidder

• How the coffee-machine took down a factory control room

The post Teeny Weeny DNS Server | TechSNAP 329 first appeared on Jupiter Broadcasting.

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

PREDICTIONS!!

• Chris’ Predictions:

• Big year for media production on Linux. Linux is damn near perfect for audio podcasting already.

• Microsoft makes a deal with Canonical to run a product on Ubuntu blessed Kernel
• A great year for Elementary OS / Solus – For different reasons, that appeal to a large and not yet discovered base.
• Plasma Desktop’s best year in ages. They’ve hit a stride and the Neon project is showing everyone the results as fast as they can ship it.

• Gnome will likely be the biggest receiver of Macs exodus.

• Dell expands its Linux line to the point that I start taking them seriously as a Linux vendor.

• Valve pulls back on Steam Machines for 2017, doubles down on Steam Link.
• Valve Brings early VR to Linux.

• By the end of 2017, OSS File Sync is mostly a finished discussion.

• Noah’s Predictions:

• IOT pisses me off more than in any year past

• USB3 available on every laptop sold
• A fall in macbook purchases
• Chris mispronounces a project name
• JB Moves to a internet based server arch
• Intensive application such as audio/video avail on linux via cloud
• Linux based self driving car as a service

— PICKS —

Runs Linux

Smart Watch RUNS LINUX

• Here’s the sad thing; on my laptop, I still am running the bloated, legacy X11 display server. I had to because I was involved in maintaining an X11 desktop environment. But Asteroid OS is 100% Wayland only. And it works like a charm:

Desktop App Pick

FSlint – Duplicate file finder for linux

FSlint is a utility to find and clean various forms of lint on a filesystem.
I.E. unwanted or problematic cruft in your files or file names.
For example, one form of lint it finds is duplicate files.
It has both GUI and command line modes.
For more info please see the FAQ.

Thunderbird

• Thunderbird replicates the new look and feel of Mozilla Firefox in an effort to provide a similar user experience across all Mozilla software desktop or mobile and all platforms.

• Tabbed email lets you load emails in separate tabs so you can quickly jump between them. Tabs appear on the top of the menu bar providing a powerful visual experience and allowing the toolbars to be much more contextual.

• Tabbed email lets you keep multiple emails open for easy reference. Double-clicking or hitting Enter on a mail message will open that message in a new tab.

• When quitting Thunderbird, visible tabs will be saved and will be restored when you open Thunderbird the next time. There is also a Tab menu on the Tab toolbar to help you switch between tabs.

Spotlight

Commercial DAW VST Plugins on Linux

• Unleash your creativity with this collection of inspiring, contemporary DSP effects. Compatible with all major DAW’s, your signature sound is no longer limited to a single host.

• Introducing a collection of 16 contemporary FX plugins for use with any DAW. Utilizing the very latest algorithms and coding techniques, the plugins feature extraordinary sound quality in an extremely efficient package, allowing the plugins to be used liberally across a wide range of native computer systems. Empower your creativity with the DAW Essentials Collection.

— NEWS —

Canonical Clarifies Ubuntu Phone State: Nothing Really Until Snap-Based Image Ready

Pat shares that the Click-based Ubuntu Phone images are indeed on the way out, there will be no new Ubuntu Phone models until there is a “Snap image”, and they don’t plan to do an OTA-15 feature release. Canonical doesn’t plan to land any new features to the current stable PPA, but they will be providing security updates for important components.

• Is Ubuntu Touch Dead?

Endless introduces Linux mini desktop PCs for American market

• For the past few years Endless Computers has been making inexpensive Linux-based computers designed for use in emerging markets. Last summer the company also started working with PC makers to load its Endless OS software on some computers.

• Now Endless is launching its first products designed specifically for the United States.
  The Endless Mission One and Mission Mini are small, low power computers that sell for $249 or less. They should both be available for pre-order starting January 16th.

• Home | Endless Computers

KDE Neon Now Available as Docker Image

• I’m announcing a beta of KDE neon on Docker. Docker containers are a lightweight way to create a virtual system running on top of your normal Linux install but with its own filesystem and other rules to stop it getting in the way of your OS. They are insanely popular now for server deployment but I think they work just as well for checking out desktop and other UI setups.

• To give it a try first setup docker as you would for your distro. For Ubuntu distros that means running:

NVidia New ShieldTV

• Nvidia’s Shield set-top streaming device got an update at this year’s CES, and it was a big one: The new hardware is 40 percent smaller than the original, with a new Android 7.0 Nougat-based operating system and a redesigned UI that groups games together and just generally organizes things a bit more logically. It also handles 4K HDR content streaming, and boasts the most sources available for such content of any set-top streaming device currently available.

Pornhub 2016 – Linux up by 3%

• When it comes to porn, we usually ask if you’re more into ass or tits, though the increasingly more important question when it comes to porn consumption is Apple or Android? And Pornhub never misses a chance to report on the different behavior between different OS users. So looking back at 2016, we (of course) dug into the difference in traffic and tastes by operating systems. Let’s start with desktop. While Windows continues to dominate when it comes to which operating system users count on to watch Pornhub (about 80% of desktop users), Mac OS and Linux are on the rise, with Mac OS up 8% in traffic share and Linux up an impressive 14%.

Feedback:

Mail Bag

• Name: frodo wiz

• Subject: Solus Feedback

• Message: I tried this out a few times throughout this year and was happy with it until i found out it will never support ZFS. solus os has some bells and whistles as far as steam goes. except for data integrity. simple question for Ike: Do you expect me to amass 500 gig of games over a cell phone connection and trust that data wont get bit rot with any other file system than ZFS? wanna re-download 10 of them over cell connection? i didn’t think so. ike has done a great job with solus os but it falls short if it leaves out ZFS. kinda like building a car by hand and equipping it with bicycle tires. you can still drive it on some roads maybe, under some circumstances. handicapped

ive been entrusting my data to a 2 TB ZFS mirror for 2 years now and i cringe thinking about anything else.when you dont have the time or resources, you use the best.

if solus had zfs, it would be a no-brainer, especially for a game machine.

• Name: Jason

• Subject: Getting into a Linux Career

• Message:

I have been listening to several of the shows that Jupiter Broadcasting has, and religiously tune in to LAS and Linux Unplugged every week. You guys are doing a great job!

Would studying with Linux Academy and getting my RHCA and RHCE be enough to get into a job making a decent wage? I know there is the Catch 22 of certs are worthless without experience. However, but if I am correct, RHCA and RHCE are performance based exams. Wouldn’t that be enough to get your foot in the door?

I have taken several Linux, Windows and Cisco courses back in 2005, 2006, however I know a lot has changed since then.

Any advice would be greatly appreciated. Thank you for everything you guys do at Jupiter Broadcasting and I want to wish you all a belated Happy New Year!

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux
• Altispeed Technologies
• System76 – system76

The post Mac's Exodus of 2017 | LAS 451 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

FBI Arrests Two Alleged Members of Group That Hacked the CIA Director

• “Two young men from North Carolina have been charged with their alleged connection to the hacking group “Crackas With Attitude.” The group gained notoriety when it hacked into the personal email account of CIA Director John Brennan last year and in the following weeks claimed responsibility for hacking the Department of Justice, email accounts of several senior officials, and other US government systems.”
• “Andrew Otto Boggs, 22, who allegedly used the handle Incursio, or IncursioSubter, and Justin Gray Liverman, who is suspected of using the moniker D3f4ult, were arrested on Thursday, according to a press release by the US State’s Attorney’s Office in the Eastern District of Virginia.”
• “Crackas With Attitude, or CWA, first sprung on the hacking scene when they broke into Brennan’s AOL email account in October 2015. The group distinguished itself for openly bragging about their exploits and for making fun of their victims online. After hacking into Brennan’s account, one of the members of the group, known as “Cubed,” said it was so easy “a 5 year old could do it.” After Brennan, the group targeted and hacked the accounts of Director Of National Intelligence James Clapper, a White House official, and others.”
• “Much of the time, the group would use social engineering to gain access to accounts. In February, one member of the group explained to Motherboard how they broke into a Department of Justice system, by calling up the relevant help desk and pretending to be a new employee. That hack led in the exposure of contact information for 20,000 FBI and 9,000 DHS employees.”
• “The group made heavy use of social media, and in particular Twitter, to spread news of the dumps and mock victims. However, according to the affidavit, Boggs allegedly connected to one of the implicated Twitter accounts (@GenuinelySpooky) from an IP address registered to his father, with whom Boggs lived. Much the same mistake led to Liverman’s identification: an IP address used to access the Twitter handle @_D3F4ULT and another account during the relevant time period was registered to an Edith Liverman. According to the affidavit, publicly available information revealed that Justin Liverman lived with Edith at the time.”
• “The affidavit also includes several sets of Twitter direct messages between members of the group.”
• Which suggests Twitter may have provided the government with that data, probably under a subpoena
• “Liverman seemingly logged his conversations: according to the affidavit, law enforcement found copies of chats on his hard drive, including one where Liverman encouraged Cracka to publish the social security number of a senior US government official. These logs make up a large chunk of the affidavit, laying out the groups alleged crimes in detail, and investigators found other forensics data on Liverman’s computer too.”
• It really goes to show how unsophisticated these attackers were

Discovering how Dropbox hacks your mac

• “If you have Dropbox installed, take a look at System Preferences > Security & Privacy > Accessibility tab (see screenshot above). Notice something? Ever wondered how it got in there? Do you think you might have put that in there yourself after Dropbox asked you for permission to control the computer? No, I can assure you that your memory isn’t faulty. You don’t remember doing that because Dropbox never presented this dialog to you, as it should have”
• “That’s the only officially supported way that apps are allowed to appear in that list, but Dropbox never asked you for that permission. I’ll get to why that’s important in a moment, but if you have the time, try this fascinating experiment: try and remove it.”
• “That leaves a couple of questions. First, why does it matter, and second, is there any way to keep using Dropbox but stop it having access to control your computer?”
• “There’s at least three reasons why it matters. It matters first and foremost because Dropbox didn’t ask for permission to take control of your computer. What does ‘take control’ mean here? It means to literally do what you can do in the desktop: click buttons, menus, launch apps, delete files… . There’s a reason why apps in that list have to ask for permission and why it takes a password and explicit user permission to get in there: it’s a security risk.”
• “The list of authorization “rights” used by the system to manage this “policy based system” is held in /var/db/auth.db database, and a backup or default copy is retained in /System/Library/Security/authorization.plist.”
• “The allow-root property specifies whether a right should be allowed automatically if the requesting process is running with uid == 0. This defaults to false if not specified.”
• “In other words, if allow-root isn’t explicitly set, the default is that even a process with root user privileges does not have the right to perform that operation. Since that’s not specified in the default shown above, then even root couldn’t add Dropbox to the list of apps in Accessibility preferences. Is it possible then, that Dropbox had overridden this setting in the auth.db? Let’s go and check!””
• Basically, by using sqlite directly, rather than the OS X tcc utility, you can override the policy, and add any apps you want to the whitelist. Or worse, any app running as root can do this without you even knowing
• “I tested this with several of my own apps and found it worked reliably. It’ll even work while System Preferences is open, which is exactly the behaviour I saw with Dropbox. It remained to prove, though, that this was indeed the hack that Dropbox was using, and so I started to look at what exactly Dropbox did after being given an admin password on installation or launch. Using DetectX, I was able to see that Dropbox added a new folder to my /Library folder after the password was entered”
• “As can be seen, instead of adding something to the PrivilegedHelperTools folder as is standard behaviour for apps on the mac that need elevated privileges for one or two specialist operations, Dropbox installs its own folder containing these interesting items”
• “the deliciously named dbaccessperm file, we finally hit gold and the exact proof I was looking for that Dropbox was using a sql attack on the tcc database to circumvent Apple’s authorization policy”
• “What I do suspect, especially in light of the fact that there just doesn’t seem to be any need for Dropbox to have Accessibility permissions, is that it’s in there just in case they want that access in the future. If that’s right, it suggests that Dropbox simply want to have access to anything and everything on your mac, whether it’s needed or not.”
• “The upshot for me was that I learned a few things about how security and authorisation work on the mac that I didn’t know before investigating what Dropbox was up to. But most of all, I learned that I don’t trust Dropbox at all. Unnecessary privileges and backdooring are what I call untrustworthy behaviour and a clear breach of user trust. With Apple’s recent stance against the FBI and their commitment to privacy in general, I feel moving over to iCloud and dropping Dropbox is a far more sensible way to go for me.”
• “For those of you who are stuck with Dropbox but don’t want to allow it access to Accessibility features, you can thwart Dropbox’s hack by following my procedure here”
• Previous Article

Proprietors of vDoS, the DDoS for hire service, arrested

• “Two young Israeli men alleged to be the co-owners of a popular online attack-for-hire service were reportedly arrested in Israel on Thursday. The pair were arrested around the same time that KrebsOnSecurity published a story naming them as the masterminds behind a service that can be hired to knock Web sites and Internet users offline with powerful blasts of junk data.”
• “The pair were reportedly questioned and released Friday on the equivalent of about USD $10,000 bond each. Israeli authorities also seized their passports, placed them under house arrest for 10 days, and forbade them from using the Internet or telecommunications equipment of any kind for 30 days.”
• “Huri and Bidani are suspected of running an attack service called vDOS. As I described in this week’s story, vDOS is a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline.”
• “The two men’s identities were exposed because vDOS got massively hacked, spilling secrets about tens of thousands of paying customers and their targets. A copy of that database was obtained by KrebsOnSecurity.”
• “For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: “godiefaggot.” For a brief time the site was unavailable, but thankfully it is guarded by DDoS protection firm Prolexic. The attacks against this site are ongoing.”
• “At the end of August 2016, the two authored a technical paper (PDF) on DDoS attack methods which was published in the Israeli security e-zine Digital Whisper. In it, Huri signs his real name and says he is 18 years old and about to be drafted into the Israel Defense Forces. Bidani co-authored the paper under the alias “Raziel.b7@gmail.com,” an email address that I pointed out in my previous reporting was assigned to one of the administrators of vDOS.”
• “Sometime on Friday, vDOS went offline. It is currently unreachable. According to several automated Twitter feeds that track suspicious large-scale changes to the global Internet routing tables, sometime in the last 24 hours vDOS was apparently the victim of what’s known as a BGP hijack.”
• “Reached by phone, Bryant Townsend, founder and CEO of BackConnect Security, confirmed that his company did in fact hijack Verdina/vDOS’s Internet address space. Townsend said the company took the extreme measure in an effort to get out from under a massive attack launched on the company’s network Thursday, and that the company received an email directly from vDOS claiming credit for the attack.”
• ““For about six hours, we were seeing attacks of more than 200 Gbps hitting us,” Townsend explained. “What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities.””
• Krebs also got access to a large log file from the vdos site
• “The file lists the vDOS username that ordered and paid for the attack; the target Internet address; the method of attack; the Internet address of the vDOS user at the time; the date and time the attack was executed; and the browser user agent string of the vDOS user.”

Feedback:

• Site-to-Site VPN Options

• pfSense HA pair upgrading question

• Copying data in ZFS world

• ZFS with USB Hard Drives

• Is TRIM needed for large SSD hardware raid setups?

Round Up:

• Desktop apps make their way into the Windows Store
• Stanford Engineers propose a technology solution to break the net neutrality deadlock
• This Laptop Is Two Computers In One Thanks to Swappable Modules
• A graphics study of Doom 2016 — How a Frame is Rendered
• SwiftKey for Android is now powered by a neural network
• Song made out of only Windows 98 and XP system sound effects
• Why Some Dark Web Dealers Post Photos of Their Drug Labs
• How a 17 year old got free unlimited data from T-Mobile
• Google removing web browsing from free WiFi kiosks in New York, because too many people were hogging them to watch porn

The post OpSec for Script Kiddies | TechSNAP 285 first appeared on Jupiter Broadcasting.

Mike shares his recent Linux switch experience & why he thinks it might stick this time. We chew on Verizon buying Yahoo & the grief Marissa Mayer is getting.

Plus we congratulate the winner of last week’s challenge & announce the next one!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Hoopla:

Verizon to acquire Yahoo’s operating business

Dear Yahoos,

Moments ago, we announced an agreement with Verizon to acquire Yahoo’s operating business.

• Sad Yahoo Sale Confirms That Marissa Mayer Failed

Whatever her future role, the Verizon sale is a blunt admission that Mayer’s grand resuscitation plan for Yahoo failed. She tried valiantly to inject some life into the company—with acquisitions, layoffs, splashy hires, and a way-too-late emphasis on mobile, among other strategies—but ultimately, it wasn’t enough.

Bad press from just the last few months:

• Yahoo CEO Marissa Mayer Thoroughly Failed on Promise to Not Screw Up Tumblr – Breitbart
• Marissa Mayer: A Case Study In Poor Leadership – Forbes
• As Marissa Mayer fails, Yahoo goes on the block – Deduced Reckoning
• Faith in Yahoo shaken as CEO Marissa Mayer’s turnaround plan fails – Times of India
• Marissa Mayer Has Become A Symbol Of Silicon Valley’s Disastrous Tokenism – Breitbart
• Failed Yahoo CEO Marissa Mayer Could Get $55M Parachute
• Marissa Mayer Yahoo CEO Under Attack
• Is Yahoo’s Mayer still ‘amazing’ or simply ‘failed’? – MarketWatch

Coding Challenge

Going through #CoderRadio coding contest submissions @ChrisLAS @Xaccary pic.twitter.com/qTgO85SdgM

— Michael Dominick (@dominucco) July 23, 2016

• Kyle’s Python Solution

Episode 215 Katy Perry Coding Challenge

I have a Pery colorful coding challenge for #CoderRadio fans this week @ChrisLAS

— Michael Dominick (@dominucco) July 25, 2016

• Make Mike an app that creates a Youtube playlist of or otherwise allows him to play his favorite Katy Perry music videos: Dark Horse, Roar, This is How We Do, Teenage Dream, Last Friday Night, International + + Smile and Unconditionally.
• The app must take advantage of the browser having his Youtube Red account cached for commercial viewing or he must be able to auth with his Youtube Red account to achieve the same.
• All solutions must be tablet friendly

Rocking the Ratel

The post Real Life on the Ratel | CR 215 first appeared on Jupiter Broadcasting.

The guys admit there is a growing amount of evidence pointing to going your own way, regardless of the design vision of the platform. What the Linux desktop has finally gotten right, why Mike is ready to can his wearable project.

Plus a Android BuildConfig pro tip, feedback & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Thin Design or Branded

• Is it best to just follow the OS design principles or go your own way?
• Material or not Material?
• What are the disadvantages of Material Design?

A photo posted by Chris Fisher (@tophfisher) on Oct 26, 2015 at 12:24pm PDT

Wear Are You Wear?

• Struggling with viability of Android Wear in the wider market
• vs the dev resources required to make it happen

Tip Of The Week

• Pro Tip: Android BuildConfig

Feedback:

• Coder Radio Follow Up
• Slack and Trello FOSS alternatives
• Applying for first developer job

The post Material Matters | CR 176 first appeared on Jupiter Broadcasting.

Angela is the Operations Manager of “ALL THE THINGS” at Jupiter Broadcasting but also a mother of three. She discusses her journey in tech as well as her kids’.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed

Become a supporter on Patreon:

Show Notes:

Tools:

• Telegram
• Freshbooks
• Quickbooks
• Pixelmator
• 99Designs
• Patreon
• ScaleEngine
• LibSyn
• Dropbox
• Archive.org
• Textual
• Markdown

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So, today, everybody, we put Angela on the hotseat, ask her a whole bunch of questions about Jupiter Broadcasting, about being a mom, about how technology has improved her life or changed her life, and a lot about sharing and connecting with other people. It’s a really good interview.
ANGELA: Well, I have to agree, if I say so myself. But, before we get into this interview about me, I’d like to mention that you can support the network and Women’s Tech Radio by going to Patreon.com/today. That is the Jupiter Broadcasting bucket. The main bucket where you can support pretty much any show on the network. And when you go there, specifically, you are supporting Women’s Tech Radio. Patreon.com//today.
PAIGE: And we get started with today’s interview by just chitchatting with Angela.
So, Angela, thank you for joining us on Women’s Tech Radio. It’s really fun to finally put you on the mic since you put me on the mic a while ago.
ANGELA: i know, like two months ago, at least.
PAIGE: Yeah, much longer, actually.
ANGELA: Really?
PAIGE: Yeah, it’s been quite a time.
ANGELA: Wow, time flies.
PAIGE: It does.
ANGELA: Oh my gosh, is it going to be a year in November?
PAIGE: I don’t know. We need-
ANGELA: I think we started in November.
PAIGE: We need what, eight more episodes after this to do 52.
ANGELA: Well, that’s if you count by episodes. But I mean, like time.
PAIGE: Well, yeah, time. It’s about November, yeah. That’s crazy.
ANGELA: Wow. Yay.
PAIGE: I love it. So, what people want to know, what I want to know, is kind of like what this journey has been like for you. And I think that we’ve heard some about how you got started in tech. How you, through the different interviews, and I guess I would like to know some of your story of like what it’s been like to really be immersed in tech, especially in this broadcasting end of things. Where we’re in this age of no gatekeepers, you know, you can just put things out on the interwebs, like we do with this show. What has that done to your life? How has it been interesting? How has it be, like kind of coming from a semi-technical background into this media that’s so richly technical on both sides; where the topics of Jupiter Broadcasting are technical and the work itself is technical. Talk to me about that.
ANGELA: Okay. So I think from that, I would like to talk about I have always been one that has wanted to help others and educate others, and that is kind of the foundation of anything I do. And the technology that has developed over the last 10 years just magnificently supports it. It just is. It’s completely natural and even in middle school when we first started using technology, you know, I have the LiveJournal account. You know, I was dabbling in the small parts of the internet, but then, well being with somebody that always wanted the latest technology really helped, you know. I started on a Mac and I really, for some reason, I guess it could have been anything. Actually, you know what, i didn’t start on a Mac, but once I started on a Mac, I guess is what I mean. I feel like it really opened up my opportunities. I started using Soundtrack. That was specifically the thing that I moved to Mac for.
PAIGE: So, for people who don’t know, what’s Soundtrack?
ANGELA: Soundtrack is recording and music compilation software and it, it was like some crazy amount of money, like $300 or $400 at the time. This would have been like 2002. I was writing songs and I was using software that ran on Linux before switching to Soundtrack. But when I went into that Apple store and they had Soundtrack on demo, I grabbed a couple tracks and I put something together and it was amazing. And then a couple weeks later I bought it and I tried it. And I assembled those same tracks and now I have a song that I made. It was really cool. So I am a very creative person and that is another way that the creativity and the educational or desire to educate aspect really do goh hand in hand. I was a mommy blogger. That’s kind of been on hiatus for a little while. I do the Fauxshow, which is really a show that is whatever I want to talk about, but I always to grab things that–like if I told you that I was going to do a show on a certain topic, you might be like eh, yeah. But once you were there, you would be interested in it, because it would be a lot of different sources. And whether they be right or not, that’s debatable, but it’s not a real show, you know.
PAIGE: Yeah, right. It’s a fake show, a faux show.
ANGELA: Yeah, so in terms of Jupiter Broadcasting, I was a lot of the backend behind the scene operational side. You know, the accounting, the, you know, all that behind the scenes stuff. But once we put up the green screen in our third bay garage and started doing show there, I started getting more interested in the chat room and would hang out after Jupiter At Night. And that’s kind of where the Fauxshow started. I started just talking to the audience and the audience talked back and it gave them a personal touch and also involvement. And I really think that it solidified a whole new community aspect of Jupiter Broadcasting. And just from there, I just started getting to know the community and being more active in the IRC, which automatically got me more involved with the technology stuff and then now here I am doing Women’s Tech Radio.
PAIGE: Right. Awesome. Yeah, I mean, I”ve always been really impressed by your ability to share across a lot of different platforms.
ANGELA: I think people would call me an oversharer.
PAIGE: Yeah. Well, I don’t know. I think that you have a great way, like in person you connect with people really well, and I get to witness that. But I think that you, and I feel like that’s kind of a feature for me as well. But you also have this awesome way of bridging that to a digital audience. Like to people, like, even before I met you, I kind of felt like I knew you, because I had seen the Fauxshow and I had seen your Twitter. I had been following you on Google+ for a couple years. And then I showed up and I met you and I’m like, this is totally the Angela that I expect. You have a great ability to bring yourself across. How do you do that? Is that natural?
ANGELA: I guess it must be.
PAIGE: Yeah.
ANGELA: Yeah.
PAIGE: Does it just like occur to you, hey this is a moment that I should share or do you have to actively think about it?
ANGELA: Well, a lot of things, when I, when I make the decision to share something, it’s because I think that it will, likely it will help somebody else. That’s why I started MomVault, my mommy blog. Because there are things–it’s kind of like, it’s not that I want to share the hard sides of parenting or anything, because there’s a lot of harder articles in there, like getting allergy testing and cosmetic surgery for Dylan and things that people don’t want to relive or share or whatever, but there are so many moms and dads out there that kind of rely on knowing that they aren’t the only person that has to hold down their son while their ear is sewn back on.
PAIGE: I mean, it’s it’s the reason we do this show.
ANGELA: Yeah.
PAIGE: It’s just to know that you’re not alone.
ANGELA: Yeah.
PAIGE: That this is possible. You can get through it. You’re not alone.
ANGELA: Yeah.
PAIGE: I think that’s a really important, that’s a really fascinating way. I’ve always struggled with sharing. Some of my friends have been like, you really shout tweet, and I’m like, I don’t know how to tweet. Well, I know physically how to tweet.
ANGELA: No, she doesn’t. I know her in person, she doesn’t.
PAIGE: It’s so true. I’ve had people, I’m as bad with Facebook too. Somebody was like, you need to change your profile picture on Facebook. It’s been there for a long time.
ANGELA: I was going to tell you that earlier.
PAIGE: Oh man, okay.
ANGELA: Oh my gosh.
PAIGE: I have to sit down and really, really dig around every time, because I just don’t do it. I’m just not a natural sharer. But I think, thinking about it as helping people, I like that.
ANGELA: Yeah, and I feel that due to my creativity and my directness, bluntness-
PAIGE: I like directness, that works.
ANGELA: And conciseness, or being concise, my articles aren’t, there’s not a lot of fluff and I’m not trying to make money. You know, like on MomVault, but it just, I just can, I don’t know. I do like helping people and I know that MomVault has helped a lot of people. I think Fauxshow has helped a lot of people.
PAIGE: Yeah. I think even your Instagram is helpful. I love seeing your Instagram stuff. It kind of, I’ll be like rolling along and then I’ll see this, you’re, they’re always so positive. You just have so much positivity in your photography.
ANGELA: Well, I try. There’s some negatives, but yeah.
PAIGE: Okay. Well they are by in large.
ANGELA: Yeah. The thing is, this is weird to say, but in the past somebody has asked me, oh my gosh, that’s a great picture, what camera did you use? And I kind of laugh. It’s not the camera, it’s the person.
PAIGE: Yeah.
ANGELA: It’s me. Like, yes, it took a good picture, but I framed it. I worked with the depth. I worked with the colors and the lighting and figured out how to capture the moment. And I choose only to share those pictures, because I do take a lot more pictures than I share.
PAIGE: Yeah, well.
ANGELA: As would anybody. I don’t keep all those pictures. You know, there’s a lot of photo 101 things that I think I could probably do a whole show about.
PAIGE: Could you do a Fauxshow about it?
ANGELA: Probably. I have done quite a few Fauxshows about the photos, but anybody can take pictures of their kids. But what really–who cares about my kids? You know? Like who cares. There are people that care and they care because of the thought and the time and effort behind the picture.
PAIGE: Yeah, you put intention into it.
ANGELA: Yeah.
PAIGE: Yeah.
ANGELA: And it’s not just, oh here they’re smiling again.
PAIGE: You made me care about a snail the other day. You had this picture of a snail and I was like, that is totally true.
ANGELA: Right. It was about the little things in life.
PAIGE: Yeah.
ANGELA: Yeah. And I just– I didn’t step on him on the way to or from the bus stop. On the way to the bus stop I thought, I’m going to take a picture of that snail on the way back. And I did. I got down on the sidewalk and I took a picture of the snail. I took one where it had just the pavement as the background, and then I took another one, because I was like, oh the sun is shining over there. Maybe I can get a glow on the snail. So I took two pictures and I chose that second one that you ended up seeing on Instagram.com/MomVault.
PAIGE: Nice plug.
ANGELA: I know, right? So, I think everything I do has meaning and I hope that it would help other people in any way. I know that there are a lot of viewers, listeners of Jupiter Broadcasting that see my pictures on G+, Twitter, Instagram, or Facebook that, not rely on it, but it’s very, very welcome.
PAIGE: It’s a value add to my day.
ANGELA: Yeah. Unlike maybe other people in their life that add pictures that don’t necessarily have the charm, the quality, or the focus. Which, I’m not trying to put people down, at all. I”m just-
PAIGE: No, you have a skill for that. It’s definitely there. And the intention, it means a lot. Like art without intention is just craft.
ANGELA: Yes. Yes.
PAIGE: I think.
ANGELA: Yes.
PAIGE: I think that’s the big differentiator between craft and art. Craft is something you can do; art is something with intention.
ANGELA: Yes.
PAIGE: And I realize that may be a really over simplification and some of my art major friends are going to be upset with me for saying that.
ANGELA: Right.
PAIGE: But that’s my take. And I love that about your work. It’s part of working with you. You always intention, which is great.
ANGELA: And attention to detail. That’s for sure.
PAIGE: Yeah. Yeah. Which is a nice add to me.
ANGELA: But I really like the social networking. I love the fact that people from around the world watch my show or listen or see my pictures and comment on it.
PAIGE: Yeah. The way technology has changed that is mind blowing.
ANGELA: Uh-huh.
PAIGE: I just can’t even really actually wrap my head around that.
ANGELA: Yeah. And honestly, it took me so long to get on instagram, and I was such a snob about it. I’m like, man, who wants all their pictures to be square. And now, like even though my phone has the square option, I still them full, but I, I’m like, okay, will that fit in a square.
PAIGE: You eye is automatically looking for a square.
ANGELA: Yeah, it kind of changes, it kind of changes how I take pictures.
PAIGE: I am going to call you out on something thought.
ANGELA: Okay.
PAIGE: You’ve got to fix the video thing. The portrait video has got to go, man.
ANGELA: Oh, that wasn’t me.
PAIGE: That wasn’t you? Okay. Good.
ANGELA: Yeah, that was, that was Jenny, yeah.
PAIGE: Okay. Good.
ANGELA: But yes, I am guilty of that though. And I am guilty of taking more portraits than landscape. I need to do more landscape.
PAIGE: Yeah. I’m a landscape junky, but that’s because I grew up–when I worked as a photographer for a while I was doing landscape photography and architecture photography, so it’s always landscape, especially for architecture.
ANGELA: Is landscape for landscape?
PAIGE: I know, shocking. Shocking.
ANGELA: It’s a lot easier to frame something square using portrait, to me. Even though, regardless, either way you know that-
PAIGE: How do you–so do you like still apply photography basics, like two thirds to square? Does that work?
ANGELA: I don’t know.
PAIGE: Do you know the two-thirds rule?
ANGELA: I don’t think so.
PAIGE: Oh, awesome.
ANGELA: I know, right?
PAIGE: The rule of thirds. So the idea is that if you break things up into three sections; one section, two sections, three sections. I’m using hand gestures which is super helpful for the radio. But that the, if you break a rectangle into three sections the focus of your photography should land on the separation between either section one and two or section two and three.
ANGELA: Oh, no. No. I don’t, I don’t use that. But, I’m not–okay, so a lot of people think a good picture is a centered picture.
PAIGE: No, that’s exactly what that’s fighting against.
ANGELA: No, I know. I know. And I do that. I do do centered sometimes. But there was a picture recently of Abby with a quote, and I intentionally had her off to the side so that I could put the quote there. So I don’t necessarily follow that rule, but I don’t stick to centering.
PAIGE: It’s internal, yeah.
ANGELA: Yes, correct.
PAIGE: Cool.
ANGELA: I have variety.
PAIGE: I believe that. I’ve seen it. So, a little talk, big switch here. I”m going to use some insider info. You’ve got three kids.
ANGELA: Oh man, now everybody knows.
PAIGE: No, that’s not the insider info.
ANGELA: Oh.
PAIGE: I know that they all use computers.
ANGELA: Yes.
PAIGE: And what do you think, like as a mom, how do you approach that? There’s a lot of information out there about-
ANGELA: Yes.
PAIGE: It’s good, it’s bad. How do you–and I know that because we’ve just talked about the fact that you’re always acting with intention, how do you do that intentionally with your kids.
ANGELA: Okay. That is a great question, Paige. So i–my first born is a son and I imagined him holding a mouse and keyboard at like a year.
PAIGE: Yeah, well with the house that he’s growing up in, right?
ANGELA: Right.
PAIGE: Yeah.
ANGELA: But was actually not until his fifth birthday, right? No, sixth birthday, just before his sixth birthday that I introduced him to the keyboard and mouse.
PAIGE: Oh wow.
ANGELA: On my computer.
PAIGE: So before that, was he still using tablets or something?
ANGELA: Yes. He was using iPads, yes.
PAIGE: Okay.
ANGELA: And he understands them freakishly well. All three of my kids do. But there was a little bit if a curveball with Dylan with the keyboard and mouse, but Minecraft is a good motivation.
PAIGE: He’s determined because of Minecraft. It’s a good motivator.
ANGELA: Yes. Yes. Perfect.
PAIGE: Had he done Minecraft, so jumping in, had he done it on the iPad first?
ANGELA: Yes. Pocket edition.
PAIGE: Okay.
ANGELA: Yeah. And I honestly cannot do it on the iPad, because it’s weird.
PAIGE: I haven’t tried.
ANGELA: You have to use both hands. Which, I know, it sounds like a really–it’s just so weird on a touch screen.
PAIGE: You’re old now.
ANGELA: I know. Yeah, he reminds me of that every day when he’s like, oh mom ,did you know about this in Minecraft. I’m like, yeah, I’m been playing Minecraft for four years, but no, I never knew that. Or that’s new. That’s an update since I’ve played. Just all three of the kids have done really well with learning on Ipads. Once Dylan started on his laptop, Abby expressed interest as well. And I wanted them to be able to play Minecraft together. So she actually started just after she turned four, or I guess, yeah, ish. She is four right now and she is playing Minecraft on the computer. I made it fun. I did L and R for left and right on her mouse. I did different stickers so she could learn WASD. And then also added stickers for esc and one other one that I can’t remember. But basically, it made it a lot easier for her to learn it.
PAIGE: Wow.
ANGELA: Yeah.
PAIGE: Full disclosure. I was hanging out with Abby and she was obsessed and asking all night last night if she could show me how to play Minecraft.
ANGELA: I know, yeah.
PAIGE: Which is hilarious, because she would actually have to show me how to play Minecraft, because I have not ever played. Well, I played for literally five minutes on a Raspberry Pie once, because it’s the one thing they include on the Raspberry Pie.
ANGELA: Oh, that’s funny.
PAIGE: Yeah, that’s it. At some point she will have to teach me how to play Minecraft.
ANGELA: Well, I ran into an issue where her iPad can no longer play Minecraft, because the OS is no longer updatabalbe.
PAIGE: Is iit a 2 or?
ANGELA: Yes. And I accidently did a Minecraft update just broke it. So she plays on her computer now. But that freed up her iPad so that Bella could play on it. And so there’s educational games on there. Learning her ABCs, learning how to count, just learning the whole touchscreen interface. And I rely on that heavily.
PAIGE: How old is Bella?
ANGELA: She’s two. She just turned two. I rely on that heavily in the morning when she gets up between 4:30 and 6:00. I leave the iPad on the beanbag in my room and she comes in on her own and sits down and plays it.
PAIGE: I’m really impressed. I have a nephew, he’s three, and he loves the iPad. It’s definitely a reward for him. It’s very careful, like when he can use the iPad and when he can’t. Especially because he’s a bit jack smash, so he likes to smash things. So, the iPad, of course, being a very expensive piece–and he hates the case–like we got one of the kid case things and that was good when he was two, but now it’s no, he won’t touch that one. He has to have the real iPad. But the amount that he has learned on the iPad is really impressive. I think the educational games have really stepped up their game from when I first looked at them. Do you think it’s like–do you worry about them spending too much time on these devices?
ANGELA: Yes and no. There’s something that I have done very right, and I can’t pinpoint what it is. But I can say that my kids have a really good balance of outdoor play, social play. And by social play I just mean like when we’re at parks they play with other kids. When we’re at the children’s museum they play with other kids. We’ve done a lot of play dates. I literally at one point would drive the kids to the park, let them out, let them play for two minutes, and then say okay let’s get in the car. Just to get them used to it. Because parks are fun and they want to stay there, but I needed them to get over the, I want to stay here. Why can’t-
PAIGE: This is going to sound terrible, especially to all the moms out there, but you worked on recall with your kids.
ANGELA: Yeah.
PAIGE: Yeah, that’s what we call it with dogs.
ANGELA: Okay. Yeah.
PAIGE: They’ll come when you call.
ANGELA: Same thing with technology.
PAIGE: Oh, okay.
ANGELA: They don’t freak out when I say no to TV. They don’t freak out when I turn off the TV.
PAIGE: I have noticed that.
ANGELA: Yeah, they know that it will still be there tomorrow or later, or whatever and that I’m redirecting them, or that I’m redirecting them to something that could be equally or more fun. Or feed themselves.
PAIGE: So did you do the same sort of thing where you kind of set small time limits for a while so they got used to that or was it just kind of more natural on that?
ANGELA: It was very organic. There’s never really been a time limit. There was a slight concern when Dylan developed a tick where he was squinting his eyes a lot and I thought, oh gosh, maybe it’s because he’s sitting too close to his iPad.
PAIGE: Yeah.
ANGELA: So I did limit it for two days as a temporary thing, but then he just got over it.
PAIGE: Okay.
ANGELA: I have never really done hard fast, but if in a pinch and I need to get work done and they can be–the older kids can be playing Minecraft and Bella can be on the iPad, yeah, we’ll do it.
PAIGE: And do you guys use the parental features on the iPad-
ANGELA: Yes.
PAIGE: Where you can lock down certain apps?
ANGELA: Absolutely. I also use it on Abby’s computer, though I recently had to take it off, because Minecraft runs a lot of websites in the background.
PAIGE: Huh.
ANGELA: Yeah, I don’t know what that is about, but every five seconds it was popping up with a parental control. You can’t access this website. Allow once or always. And then I’d have to type in my password. Then it would happen again next time. So it was really–in fact, I guess OS 10 switched away from using, well I don’t know if it was OS 10 of Mojang, but the Minecraft launcher no longer uses Java and so when I got the new launcher it couldn’t fully download the executable, because the websites websites were blocked.
PAIGE: Interesting.
ANGELA: I couldn’t figure out why the launcher wasn’t working and so I signed out and then, or signed in as an administrator.
PAIGE: I have to say, for as big a market as kids are, I used to work professionally as an in-home technician and I would go places. And one of the most requested things was parental setups, because it’s so confusing. It’s so not supported by so many things.
ANGELA: Have you looked in OS 10 parental controls? It’s fantastic.
PAIGE: No, they’re really good, but they’re complicated for non-technical people.
ANGELA: Well, maybe.
PAIGE: Maybe.
ANGELA: Because the default is, you can strap down, no websites for these educational ones, and they’re actually meant for kids. It’s perfect.
PAIGE: Right.
ANGELA: Then you can add websites that are okay. Which, obviously, there are a lot of websites so you would run into the constantly being limited.
PAIGE: Yeah.
ANGELA: But it has only allow the computer to be signed in during these times and after an hour, that was all very user friendly.
PAIGE: Oh, okay.
ANGELA: I haven’t used it yet, because Abby doesn’t really need it. They play Minecraft every once in awhile, but I was so impressed with that when I saw it. It would be, you could set it by day.
PAIGE: I actually used a parental control account when I first started working remotely to limit myself to only my work sites.
ANGELA: Ah, good for you.
PAIGE: Because I was having focus problems.
ANGELA: An you locked your phone, right?
PAIGE: I would log in-
ANGELA: You locked your phone away.
PAIGE: Well, at the time the phone was not great for that sort of thing. It was tiny. It was like iPhone 3 or whatever so it was a tiny, tiny screen. Not cool like they are now, but it’s really cool. So, you’ve kind of had this journey. You’re a mom, you’re working in a small business, it’s all in tech. Have you found that it just kind of flow together with your life? Do you feel like having a career that is technology based and kind of some of the, the freedom that we get because of that has worked well with being a mom? Has it been bad, because you can kind of–because you can work anywhere, do you work more? Like-
ANGELA: Right. Well, that is a very loaded question, because it’s not like working for a company remote, right? Like a different company.
PAIGE: Right.
ANGELA: When you work for yourself there, it’s really hard to limit yourself to 8:00 to 5:00 or whatever. I think it’s definitely been a struggle, because I had to adjust my perspective and expectations of working while having three kids. You know, getting mad at them because I can’t get a task done is just–it’s just not okay.
PAIGE: That’s just bad for everybody.
ANGELA: Yeah, and so, and because of that I decided that I needed solid blocks of time where I could focus and so about two years ago I hired a nanny that would come into the house a couple days a week, give me that ability to focus, and then the kids–I mean, I wasn’t neglecting the kids, but obviously, I can’t focus on them and the company at the same time.
PAIGE: Yeah, I mean, it’s not neglect. You’re setting up quality time for both, because it means that when your’e with the kids-
ANGELA: Exactly.
PAIGE: You’re with the kids. And when you’re with the company you’re with the company.
ANGELA: Right. Yes. Yeah. So it’s definitely a struggle and adjustment and I think it just varies, really from person to person and situation to situation, but you just have to–I’m of the mind–and this happened really early on when Dylan was an infant, or almost almost a year old, that really they are my life. They are the priority. They are the focus. And they will pretty much always come first.
PAIGE: Yeah.
ANGELA: And that’s pretty well, I think, relayed in, in my photography.
PAIGE: Yeah, i think in the way that you share.
ANGELA: Yeah.
PAIGE: Also in the way that you kind of–the way you move through life it’s very obvious that your kids are that level of importance to you. But it seems so healthy. I’ve very impressed by that.
ANGELA: Yeah.
PAIGE: I’m not going to lie. You really impress me as a mom and as a not mom. That’s kind of hard to do, because I don’t know a lot about momming.
ANGELA: Sure.
PAIGE: Is that a word? Momming.
ANGELA: Yeah, coined right here, Women’s Tech Radio.
PAIGE: There you go. I think mothering is the appropriate term.
ANGELA: Mothering, yep.
PAIGE: Yes. Which sounds like, I don’t know.
ANGELA: Don’t add an S, it’s not smothering.
PAIGE: Oh, that’s terrible. I love it. You’re so funny.
ANGELA: I know. No.
PAIGE: So what has been the hardest part about tech for you? Because I know we’ve talked some and you’ve been–like some of interviews that we’ve done-
ANGELA: Yes. Right.
PAIGE: You kind of get this glassy look where you’re like, I wish I understood. And it’s not just a glassy look. It’s like a look of, I wish I understood more of what you guys were talking about.
ANGELA: Yeah, well, you know, the inferior complex or whatever.
PAIGE: Imposter Syndrome?
ANGELA: That is exactly what I meant, yes. That definitely happens, but not like–I feel like if I just, if I just learned a little bit it would give me enough in to have a better perspective, but because I haven’t been able to take a class or a course or learn one language or any kind of programing or whatever. I know a little bit of HTML, but I just, yeah. I feel like if I learned one language it would help me kind of better understand other languages.
PAIGE: Yeah.
ANGELA: And other things.
PAIGE: Honestly, it’s the fundamentals help you, it’s vocabulary.
ANGELA: Exactly.
PAIGE: Most of learning programming is vocabulary.
ANGELA: Yes. Yes.
PAIGE: At the beginning at least. I mean later on there’s all sorts of other things.
ANGELA: Right. Right. And I haven’t exactly had the time to focus or–I’d really like to do Linux Academy.
PAIGE: Yeah.
ANGELA: Or some other kind of-
PAIGE: Codecademy or whatever.
ANGELA: Yeah. To get to learn stuff. But I don’t know. I mean, I don’t know, because I don’t know it. I don’t know if that’s a direction. I know that I like database. But I don’t know if I could do that on a daily basis. You know? Or if that would my passion or career. Right now, I’m pretty satisfied with the business operational side of things.
PAIGE: ANd you are very good at it.
ANGELA: And social networking. But I’m not opposed to learning more.
PAIGE: You know, I don’t even think necessarily I’m going to look at you and say, well you should be a programer, it’s an excellent career. Well, of course it’s an excellent career. I like it. I love it. But I think that, you know, I’m not quite on the everybody should learn to code train. I think anybody who has interest should try it. You know, like anything else. How do you know if you like ice cream if you don’t try it.
ANGELA: Right.
PAIGE: Trust me, you’ll probably like ice cream.
ANGELA: Right. Unless you’re my kids and you ask if it can be warm. Yeah.
PAIGE: Wow.
ANGELA: Yeah.
PAIGE: That’s a thing. So do they like bread pudding?
ANGELA: I’ve never fed them bread pudding.
PAIGE: It’s like warm ice cream. You should try.
ANGELA: Gross.
PAIGE: It’s an English thing.
ANGELA: Okay.
PAIGE: I’m super English. It happens. Well, I think that I would totally be happy to commit to, we should do a lesson on air.
ANGELA: I think so too.
PAIGE: Okay. We’ll look up some stuff. We’ll talk about some options. We could either do a stack talk where we talk about what actually makes all the stuff function or we could talk about a specific language or maybe both.
ANGELA: Now, keep in mind that I’m very, very direct. So, and I’m going to ask stupid questions.
PAIGE: There is no stupid questions.
ANGELA: Well, okay. I’m going to ask questions that will probably make you giggle.
PAIGE: You’d be surprised. I’ve taught hundreds of beginners at this point.
ANGELA: Okay. Okay.
PAIGE: So, I’m not worried about it.
ANGELA: Okay.
PAIGE: Yeah, I think that, as long as people are asking questions it means they’re engaging.
ANGELA: Right.
PAIGE: If you sit there and don’t ask question, that’s when I’m like, are you stupid or something son?
ANGELA: Wow.
PAIGE: Yeah, no, not quite.
ANGELA: Judgement.
PAIGE: Yeah, super judge. No, you know, I’m going to call you out. You should engage. Ask questions. Anybody who is out there trying to learn to code, don’t feel like it’s a stupid question. At some point somebody had to figure it out. And, you know, maybe you’re working with one of the savants who started coding when they were six, but the likelihood of that is rare.
ANGELA: Right.
PAIGE: I remember, I spent almost six months trying to just understand the very, very basic concept of object oriented programing. Just understanding what it was. I just couldn’t even get my head around like waht is this? Not even just how to do it. That was a whole separate journey. It was like, I don’t get it. I don’t get it. And it look going to four or five different meetups, asking a whole bunch of questions, finally finding a book that kind of filled in those gaps. If I hadn’t asked those questions, I’d still be stuck. And they felt like, of course they felt like dumb questions. I was years into my programming journey and I don’t get this really fundamental concept, like what the heck.
ANGELA: Yeah. I took an environmental class in college where I was the only person to ever ask questions.
PAIGE: Oh my goodness, that’s terrible.
ANGELA: Yeah.
PAIGE: I hope the rest of the class failed.
ANGELA: Well, I don’t know, but nobody really had very high grades. But I was complemented by other students about how I was able to ask questions regardless, you know, just because I wanted to know.
PAIGE: If you’ve got a question, especially if you’re sitting in a room full of people, likelihood is someone else has that same question.
ANGELA: I know.
PAIGE: And they’re just not willing to ask it.
ANGELA: Yep.
PAIGE: Yep. And it sucks. I’m totally that person. I step up and I ask questions, because I know that I can. I know that people need it, but I hope other people will do it too. The pivotal question, what are you the most excited about about technology?
ANGELA: I knew. I knew you were going to say that.
PAIGE: Well, then I’m going to ask you the stack question too, so.
ANGELA: Uh, I don’t know what that is.
PAIGE: That’s okay.
ANGELA: Okay. So, um, I don’t know anybody at st-, no that’s slack. Okay. Technology. I am really excited about user experience. Essentially one of the interviews that we did today. The Cornbread app has my mind blow. I really hope that we see more companies that provide something that creates an almost all inclusive personal touch experience built on a community. I’m really like the community oriented everything. That is just so cool to me.
PAIGE: What I said, technology for connection, not consumption.
ANGELA: Yes. Yes. Exactly. We can all be on the internet for hours consuming, but, well, I was going to say what is the value, but there is value in that. But I really like the connection.
PAIGE: Yeah. I do think that we’ve–you know, and I rail against this and a lot of my friends know I’m fairly anti-Facebook and even Twitter, I’m much more picky about things. Because I think that there’s a lot of this mindlessness that goes on now.
ANGELA: Yeah.
PAIGE: You know, it’s the same with where TV is or was. You know, at the same time, you can just kind of sit there and you aren’t getting anything out of it except distraction.
ANGELA: Right.
PAIGE: And distraction and escape can be really valuable. Like I don’t deny that. I definitely have my moments where I’m like, I’m just going to go look at Facebook for half an hour, because I just need to zone out. But that’s what I’m doing, I’m zoning out. I’m not adding to myself. I’m not adding to my community. And I think that being able to separate that and find the ways where we are providing value to ourselves and to each other is really important. I think that tech is, we’re on the verge of some of those breakthroughs again.
ANGELA: Yeah.
PAIGE: Like with Cornbread.
ANGELA: Also, i did a recent–well, I guess it’s probably been over a year now, but I did a Fauxshow on the Buy Nothing pay groups. The Buy Nothing groups on Facebook. It’s so amazing. In our city it was split into five different groups, because we’re big enough. And I am getting to know all of my neighbors. And so I posted on the Buy Nothing, where you can either give stuff away or accept things. You know, ask, hey I need this. I had put, you know, I am looking for anything owl related for my daughter’s birthday. She’s going to be two soon. You know, this was like in July. And one gal, she had an owl shirt that I could wear. And it was perfect. IT was one size too big, but, which is actually flattering, because, you know, so it was good. and it was black, which is perfect, with silver, and I love silver. It was just so perfect. And then as I was picking it up and meeting her she said, oh, do you have a cake being made yet? And I was like, well no. And she said, let me do her cake. And, you know, honestly the skeptic in me was like, I don’t know. I mean, I could see her living condition. It wasn’t horrible, but I’m like, I don’t know if I really want her, like can she ever make a cake. Is this one of those people that thinks they can do something.
PAIGE: You just never know.
ANGELA: But I’m not going to burst the bubble. I was like, yeah, sure.
PAIGE: Good. Yeah, step out in faith.
ANGELA: I’ll pick up and maybe, maybe it will go in the garbage and maybe it will be amazing. It was amazing. I was amazing.
PAIGE: I think it’s really, it’s sad awesome to me that we have to go out-
ANGELA: Yeah, I know.
PAIGE: We essentially have to send things into space and let them come back to connect us to the people right next to us. So, it’s sad and awesome. It’s like, oh man, I wish I could just go knock on my neighbor’s door, but at the same time-
ANGELA: Yeah, but we used to have to use horses.
PAIGE: Yeah. Yeah.
ANGELA: It’s not much different.
PAIGE: No, it’s not. And we’re definitely-
ANGELA: Like, there’s even more connectivity than back then.
PAIGE: Yeah. I agree with you. I love, as excited as I am about like wearables and internet of things and all these other interesting parts and smart homes, and some day I will build Jarvis. This is on my to-do list. The fact that I can start to use technology to connect with the people who are physically around me is so valuable to me. And especially someone who, I work remotely. I work by myself. Without things like meetup, I would be a really miserable person.
ANGELA: Yeah.
PAIGE: Meetup.com has changed my life.
ANGELA: Yeah, and really, the IRC changed my life. I’m like, wow there’s a whole community out there. There’s a lot of people. I don’t know. It really opens up possibilities. And then, since she made that cake–and she didn’t make it. She actually didn’t make it. She has a friend that works at a local grocery store that made it. She has since, she bought Bella and owl sweatshirt.
PAIGE: Aww.
ANGELA: Yeah, and it was so crazy. Yeah, I mean, it was just so cool that people can be so selfless. And that’s what I like to do. I like to give away things to the community. But I also buy, I also sell. I also use the buy/sell pages, which are also awesome.
PAIGE: No, there’s still value there. Like, I’m getting something cheaper than it would be in the store, for sure.
ANGELA: Right. Or getting rid of something.
PAIGE: Yeah, both sides of it are important. Yeah. I had this kind of pivotal experience, which I say a lot, but I traveled for two years in an RV all across the US and I loved it. It was really fascinating. But the thing that really impressed me, because I kind of always believed this, but didn’t really have proof, but people are good people. I think by in large anywhere you go, people want to do good things. We all, I think we’re wired for it. We get a lot of value out of providing for others. Out of helping out. It’s biogeochemical at this point.
ANGELA: Yeah.
PAIGE: You know, we get dopamine when we do good things for people.
ANGELA: Right. Yeah.
PAIGE: It’s legit. I don’t know if I believed it until I did this journey and it was, like I really do. Like random things, like you know coming up to Chris at OSCON for the first time and being like, hey. And then meeting you guys. And you’re like, yeah, let’s do this thing. There’s no–we’re not getting anything.
ANGELA: This thing being Women’s Tech Radio.
PAIGE: Women’s Tech Radio, yeah. We’re not–I don’t sound like Women’s Tech Radio is paying my bills or making me a fortune or anything-
ANGELA: Right.
PAIGE: I want to give back to the community and you wanted to too. And getting together and doing that is even more valuable.
ANGELA: Yep.
PAIGE: So, very cool. And I love that technology gives us space to do that.
ANGELA: Uh-huh. What’s your stack?
PAIGE: Okay. Stack question. So what are the tools that you use on a daily basis?
ANGELA: Oh, right. Yes.
PAIGE: What’s your stack is what we developers call it.
ANGELA: Whew, okay.
PAIGE: You got all like, flustered, possibly.
ANGELA: Yes. Here I go. Here I go. Um, wow. Okay. There’s a lot. So, Telegram for internal communication. We use Freshbooks for invoicing. Quickbooks for accounting. I use Google Docs. I use Excel. I use Pixelmator to do promotional artwork.
PAIGE: I love Pixelmator.
ANGELA: I use 99Designs, which I know isn’t an app you can go get.
PAIGE: No, it’s still something in your stack.
ANGELA: Yeah. I use 99Designs, in fact, one person in particular has designed all of our logo refresh that I started back in 2013, I think, ‘14. Yeah, the end of 2013. Let’s see, what else?
PAIGE: Instagram.
ANGELA: Yeah. Patreon, Instagram, Twitter, G+, Facebook, all of those. I’m trying to think. Reddit.
PAIGE: You really are like a social maven.
ANGELA: Yeah. I do a lot of social things here. Let me pull up my thing.
PAIGE: You mom frequent tabs?
ANGELA: Or just my Jupiter Broadcasting dropdown. So, I guess more Jupiter Broadcasting related, we have a lot of different subscriptions. A lot of people think I just start up a podcast. No, there’s a lot of backend subscriptions. We use Scale Engine. I’m not sure if BlipTV is still running. I don’t think it is. But we use Archive.org, Libsyn. There’s, we used to use Roku TV.
PAIGE: You guys use Dropbox too, right?
ANGELA: We definitely use Dropbox at the, where you have to pay a buttload now.
PAIGE: Yeah.
ANGELA: Yeah.
PAIGE: I pay for Dropbox, even personally.
ANGELA: Yeah.
PAIGE: It’s so good.
ANGELA: And we also rebranded email. And, of course, Colloquy for IRC.
PAIGE: Oh yeah.
ANGELA: I use Colloquy.. And sometimes LimeChat, but eh.
PAIGE: Yeah. I think the really impressive part about this stack is, like, barring a couple standouts, most of that is web apps.
ANGELA: Yes.
PAIGE: You can run almost your entire business from the browser.
ANGELA: Yes.
PAIGE: That’s very cool.
ANGELA: It is cool. It is.
PAIGE: That is a huge change in the world. If you think about business in the past couple years. It’s really been even in the past five years that can be true.
ANGELA: Yeah. I do very much dislike Google Docs.
PAIGE: Yeah.
ANGELA: A lot.
PAIGE: It’s getting better.
ANGELA: Specifically spreadsheets.
PAIGE: Google Sheets is weird, because they went with their formula setup instead of using Excel so a lot of people have trouble translating.
ANGELA: Yeah.
PAIGE: And then some of the major features that you’re used to in Excel-
ANGELA: Yeah.
PAIGE: Aren’t there or are really hidden.
ANGELA: Yes.
PAIGE: And I think Google Docs is going to have the same experience that Microsoft had going from Office 2003 to Office 2007, which the thing was that they did this interview where they were like, okay people want in the next version of office. And they did hundreds and hundreds of interviews and 99 percent of the request were features that were already in Office.
ANGELA: Yes. Right.
PAIGE: And they were just, people didn’t know how to get to them.
ANGELA: Sure.
PAIGE: So that’s why we had the huge facelift between 2003 and 2007.
ANGELA: Yeah. Well, the thing is, the reason why I use Google Sheets is because you just can’t beat accessing it anywhere online.
PAIGE: Yeah. And the share.
ANGELA: Yeah. And sharing is very easy. Yes. Right. Yeah, I do not like–I had a bad experience using Dropbox and people editing, multiple people editing the same doc. It just does not work. The collaboration was not there. I’m sure there’s collaboration tools out there that would be better, but I haven’t used them.
PAIGE: Yeah, well, I don’t know. i really think that, honestly, as picky as I am, Google kind of has the market on the collaboration. Although, EverNote is picking up.
ANGELA: I haven’t used it yet.
PAIGE: I love it. It’s my second brain.
ANGELA: Yeah.
PAIGE: Maybe it’s my first brain at this point.
ANGELA: And, and of course we use Bitly.
PAIGE: Bitly, yep.
ANGELA: Yeah, to shorten links.
PAIGE: Very cool.
ANGELA: Oh, and some Markdown. Markdown browser add-ons.
PAIGE: Yeah. I’m still trying to get my head around the Markdown thing.
ANGELA: Yeah?
PAIGE: Yeah.
ANGELA: I did a Fauxshow on it.
PAIGE: Really? Oh, I should check that one out.
ANGELA: I did.
PAIGE: I will admit, I don’t watch all of them.
ANGELA: But, honestly, I’ve pretty much forgotten everything. I just use the add-ons now. It’s so easy. I’ll show you after the show.
PAIGE: Cool.
ANGELA: It’s really cool.
PAIGE: Yeah, at this point I just write things and then edit it later. I just write in plain text and then make it fancy later.
ANGELA: Uh-huh. Okay.
PAIGE: We’ll figure it out. Well, this has been super fun. We’ll have to do some more later.
ANGELA: Uh-huh.
PAIGE: If you guys have questions for either of us, feel free to send them in. We are always listening to you on Twitter and we’re always interested in new guests that you’re like to hear about. Cool.
ANGELA: Yeah. Thanks for listening to this episode of Women’s Tech Radio.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post Sharing with Intent | WTR 45 first appeared on Jupiter Broadcasting.

Red Hat highlights how leaky many open source RSA implementations are, Netflix releases Sleepy Puppy & the Mac is definitely under attack.

Plus some quick feedback, a rockin’ roundup & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

NetFlix releases new open source security tool, Sleepy Puppy

• Sleepy Puppy is a delayed XSS (Cross-Site Scripting) vulnerability scanner
• In a typical XSS scan, and attacker (or the scanner program) attempts to send a script as part of some user input (the comment on a blog or something like that, or via a URL variable). This content is then shown to that user, and often times, other users. If I can make a bit of my javascript run on your computer, when you visit someone else’s site, I have achieved XSS
• There are a number of scanners out there, and they “fuzz test” all of the inputs and variables they can find, and attempt to get some code they submit to be returned to them
• This new tool from NetFlix addresses second level vulnerabilities, and beyond
• What if an attacker injects the code on the website, and the website mitigates this, but some other application, internal or public facing, also uses the data from the database, and it then ends up being vulnerable to the XSS
• Sleepy Puppy is a “XSS payload management framework”, it generates unique code snippets for each injection, so that when a successful XSS happens, it can be tracked back to its source, even if that is outside of the application where the exploit took place
• “Delayed XSS testing is a variant of stored XSS testing that can be used to extend the scope of coverage beyond the immediate application being tested. With delayed XSS testing, security engineers inject an XSS payload on one application that may get reflected back in a separate application with a different origin.”
  • Show Diagram
• “Here we see a security engineer inject an XSS payload into the assessment target (App #1 Server) that does not result in an XSS vulnerability. However, that payload was stored in a database (DB) and reflected back in a second application not accessible to the tester. Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.)”
• SleepyPuppy ships with a default set of assessments includes, so is ready to use out of the box

Researchers announce new iOS vulnerability: brokenchain

• The vulnerability allows a piece of malware to access the keychain in iOS, and copy your saved passwords and other secret keys
• These keys can then be exfiltrated via SMS or HTTP etc
• When the malware attempts to access the keychain, iOS presents a dialog asking them user to allow or deny the action, but the malware can simulate a tap on the screen and accept the dialog
• Further, some malware seems to be able to cause the popup to appear off screen, so the user never even sees it
• “Special-crafted commands can be triggered by malware — or even an image or video — which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user’s password and send it to the attacker via SMS or any other means.”
• “Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.”
• Ars Technica found that parts of the vulnerability have existed since 2011, and have been used actively
• “DevilRobber, the then new threat caught the attention of security researchers because it commandeered a Mac’s graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber’s use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.”
• “The same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that’s protected inside the Mac Keychain.”
• The same day, another group of researchers independently found the same vulnerability
• Windows UAC has a bunch of defenses against apps users accidentally accepting or malware auto-clicking the authorization popups. Maybe we need the same in mobile OSes
• “Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don’t require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.”
• Maybe the solution is to require the unlock code or password in order to authorize access to sensitive areas like the keychain
• “I think that Apple needs to isolate that particular window,” Reed told Ars on Wednesday. “They need to pull that particular window out of the window list … in a way that an app can’t tell it’s on the screen and get its location.”

Factoring RSA keys with TLS Forward Secrecy

• “Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures.”
• “This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”
• “We evaluated the source code of several free software TLS implementations to see if they implement hardening against this particular side-channel attack, and discovered that it is missing in some of these implementations. In addition, we used a TLS crawler to perform TLS handshakes with servers on the Internet, and collected evidence that this kind of hardening is still needed, and missing in some of the server implementations: We saw several RSA-CRT key leaks, where we should not have observed any at all.”
• “An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.”
• “Does this break RSA? No. Lenstra’s attack is a so-called side-channel attack, which means that it does not attack RSA directly. Rather, it exploits unexpected implementation behavior. RSA, and the RSA-CRT optimization with appropriate hardening, is still considered secure.“
• While it appears that OpenSSL and NSS properly implement the hardening, some other products do not
• It seems RedHat discovered this issue some time ago, and reported it to a number of vendors
• Oracle patched OpenJDK back in April
• “None of the key leaks we observed in the wild could be attributed to these open-source projects, and no key leaks showed up in our lab testing, which is why this additional hardening, while certainly desirable to have, does not seem critical at this time.”
• “Once the necessary data is collected, the actual computation is marginally more complicated than a regular RSA signature verification. In short, it is quite cheap in terms of computing cost, particularly in comparison to other cryptographic attacks.”
• Then the most important question came up
• “Does this vulnerability have an name? We think that “RSA-CRT hardening” (for the countermeasure) and “RSA-CRT key leaks” (for a successful side-channel attack) is sufficiently short and descriptive, and no branding is appropriate. We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.”
• Crypto Rundown, Hardened:
  • GnuPG
  • NSS
  • OpenSSL 1.0.1l
  • OpenJDK8 (after the April patch)
  • cryptlib (hardening disabled by default)
• Unhardened:
  • GNUTLS (via libgcrypt and Nettle)
  • Go 1.4.1
  • libgcrypt (1.6.2)
  • Nettle (3.0.0)
  • ocaml-nocrypto (0.5.1)
  • OpenSwan (2.6.44)
  • PolarSSL (1.3.9)
• Technical Record [PDF]

Feedback

• Reply to the pfSense question from episode 229
• Where to get news on vulnerabilities and urgent patches

Round Up:

• China and Russia cross-referencing OPM data, other hacks to out US spies
• The Zero Trust Initiative, making it possible to trust your vendors
• Hackers Stole the Biggest Number of Apple Accounts Ever with iOS Malware Researcher Post
• The police body camera business is not about camera, but overpriced cloud storage. 300 Cameras: $180,000. 5 year contract for storage: $889,000
• Pre-Installed Android Malware Raises Security Risks in Supply Chain
• AppLock, a popular Android app that claims to securely store photos, videos, and other content, turns out to just hide the files in a non-default location. It also has a weak pin reset feature, meaning it provides basically no security to its 100 million users
• Android ransomware uses XMPP chat to call home, claims it’s from NSA
• The Government should pay bug bounties and not attack security researchers
• Department of Justice being sued by Reuters for not fulfilling FoIA requests re: fake news stories with embedded malware used in 2007
• If documents are not for public release, try not posting them on the public Internet

The post Leaky RSA Keys | TechSNAP 231 first appeared on Jupiter Broadcasting.

The real fallout from the Ashley Madison hack gets personal. The Android StageFright patch that doesn’t cover all of the holes, and turning a KVM into a spying appliance.

Plus a great batch of questions, our answers, and a rocking round up.

All that and a heck of a lot more on this week’s TechSNAP!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Ashley Madison Fallout

• According to security firms and to a review of several emails shared with this author, extortionists already see easy pickings in the leaked AshleyMadison user database.
• Earlier today Krebs heard from Rick Romero, the information technology manager at VF IT Services, an email provider based in Milwaukee. Romero said he’s been building spam filters to block outgoing extortion attempts against others from rogue users of his email service.
• The individual “Mac” who received that extortion attempt — an AshleyMadison user who agreed to speak about the attack on condition that only his first name be used — said he’s “loosely concerned” about future extortion attacks, but not especially this one in particular.
• Mac says he’s more worried about targeted extortion attacks. A few years ago, he met a woman via AshleyMadison and connected both physically and emotionally with the woman, who is married and has children. A father of several children who’s been married for more than 10 years, Mac said his life would be “incredibly disrupted” if extortionists made good on their threats.
• Mac said he used a prepaid card to pay for his subscription at AshleyMadison.com, but that the billing address for the prepaid ties back to his home address.
• Unfortunately, the extortion attempts like the one against Mac are likely to increase in number, sophistication and targeting, says Tom Kellerman, chief cybersecurity officer at Trend Micro.
• The leaked AshleyMadison data could also be useful for extorting U.S. military personnel and potentially stealing U.S. government secrets, experts fear. Some 15,000 email addresses ending in dot-mil (the top-level domain for the U.S. military) were included in the leaked AshleyMadison database, and this has top military officials just a tad concerned.
• According to The Hill, the U.S. Defense Secretary Ash Carter said in his daily briefing Thursday that the DoD is investigating the leak.
• Almost None of the Women in the Ashley Madison Database Ever Used the Site
• A light-weight forensic analysis of the AshleyMadison Hack
• City employees among emails listed in Ashley Madison hack
  
• John McAfee thinks he knows who hacked Ashley Madison
• Leaked AshleyMadison Emails Suggest Execs Hacked Competitors
• The only thing potentially interesting or useful in AshMad CEO’s inbox…

Android StageFright patch doesn’t cover all of the holes

• Google released to the open source Android project a new patch for the Stagefright vulnerability found in 950 million Android devices after researchers at Exodus Intelligence discovered the original patch was incomplete and Android devices remain exposed to attack.
• “We’ve already sent the fix to our partners to protect users, and Nexus 4/5/6/7/9/10 and Nexus Player will get the OTA update in the September monthly security update,” a Google spokesperson told Threatpost. Last week at Black Hat, Google announced that it would begin
• The original four-line code fix for CVE-2015-3824, one of several patches submitted by researcher Joshua Drake of Zimperium Mobile Security’s zLabs who discovered the flaw in Stagefright, still leads to a crash and device takeover. Jordan Gruskovnjak, a security researcher at Exodus, found the problem with the patch, and Exodus founder Aaron Portnoy today hinted that there could be similar problems in all the patches.
• “They failed to account for an integer discrepancy between 32- and 64 bit,” Portnoy told Threatpost this morning. “They’re not accounting for specific integer types, and [Gruskovnjak] was able to bypass the patch with specific values that cause a heap buffer allocated to overflow.”
• “According to public sources, many more issues have been discovered since they reported the bugs in MPEG4 processing on Android. I expect we will see continuing fixes to the Stagefright code base for the coming months,” Drake said in an email to Threatpost. “The story is long from over.”
• Exodus Intelligence notified Google on Aug. 7, the first day of DEF CON in Las Vegas and two days after Drake’s Stagefright presentation at the Black Hat conference. Google has assigned CVE-2015-3864 to the issue.
• In addition to Nexus devices, Google said it sent the original patches to other mobile providers, including: Samsung for its Galaxy and Note devices; HTC for the HTC One; LG for the G2, G3 and G4; Sony for its Xperia devices; and Android One.
• The vulnerabilities affect Android devices going back to version 2.2; newer versions of Android have built-in mitigations such as ASLR that lessen the effects of Stagefright exploits. Google said last week that 90 percent of Android devices have ASLR enabled, and that the next release of its Messenger SMS app also contains a mitigation requiring users to click on videos in order to play them.
• Additional Coverage: Forbes
• The news is compounded by yet more Android vulnerabilities
• Checkpoint Security: Certifigate
• Major Android remote-access vulnerability is now being exploited

Turning a KVM into a spying appliance

• Researchers presented their work at BlackHat on how to teach a keyboard switch to spy on its users
• “When it comes to large systems, there are a lot more computers than there are people maintaining them. That’s not a big deal since you can simply use a KVM to connect one Keyboard/Video/Mouse terminal up to all of them, switching between each box simply and seamlessly. The side effect is that now the KVM has just as much access to all of those systems as the human who caresses the keyboard. [Yaniv Balmas] and [Lior Oppenheim] spent some time reverse engineering the firmware for one of these devices and demonstrated how shady firmware can pwn these systems, even when some of the systems themselves are air-gapped from the Internet.”
• Early KVM switches were just physical hardware switches that allowed more than one computer to be controlled by a single Keyboard, Video (Monitor), and Mouse
• By the year 2000, we had Matrix KVMs that could be chained together and used to control more than 1000 computers from a single keyboard
• USB Stacks, Video Transcoding, Virtual Media (mount an ISO from your workstation as if it was a usb cdrom drive) drove KVMs towards being entire computers in and of themselves, with an operating system, that could be hacked
• The firmware shipped with the device was obfuscated, and at the start, the researchers were unable to find anything useful. Not a single string in the firmware
• By comparing a number of different firmware versions, they were able to figure out which part of the firmware image was the version number. This gave them a starting point
• Looking at the circuit board of the KVM they found some common ASICs, which provided more clues
• Once they cracked the obfuscation, they now had code they could analyze
• “Of course reading the firmware is only the first step, you need to show that something useful (insidious) can be done with it. During the talk the pair demonstrated their custom firmware switching to a different system, “typing” in the password (which would have been logged earlier when a human typed it in), and echoing out a binary file which was then executed to load malware onto the system.”
• “Yes, you need physical access to perform this attack with the KVM used during the talk. But some KVMs allow firmware updates over IP, and many of them have web interfaces for configuration. There are many vectors available here and knowing that, the discussion turns to prevention. Keystroke statistics are one way to prevent this kind of attack. By logging how fast characters are being typed, how tight the cadence is, and other human traits like use of backspace, the effectiveness of this type of attack can be greatly reduced.”
• This is interesting research, and makes me even more suspicious of the 16 port, 2 user, IP-KVM I use to manage some of my servers.

Feedback

• Get your BSDNow 2 year anniversary t-shirt before time runs out

• Corporate email being hacked?

• PfSense vs cheap off-the-shelf router for home network

• Self-Hosted RMM Software

• Allan and Chris: Your personal SSH key management methodologies?
  • Allow storage of SSH private keys in LastPass, and use lpass CLI to retrieve and load into ssh-agent. The general idea is to store the private key armored ASCII in an “SSH Key” Secure Note, in a specific folder (i.e.: “Secure Notes\SSH” ). · GitHub
  • SSH Authentication with YubiKey | LAS 373 | Jupiter Broadcasting
• FUDO

Round Up:

• Microsoft has no plans to tell us what’s in Windows patches
• DNSSEC – Fighting the FUD
• Researcher catches AT&T injecting ads on free airport Wi-Fi hotspot
• OpenSSH privilege separation accidently disabled on pkgsrc platforms, for the last 9 years
• A data center of liquid cooled servers
• GitHub attacked again as Chinese developers forced by police to pull code
• UK Police investigate first instance of “Cyber Flashing”, iOS AirDrop
• The security content of the latest OS X update

The post Extortion Startups | TechSNAP 229 first appeared on Jupiter Broadcasting.

Mac security is having a really bad week, two bugs without patches are getting a lot of attention. We’ll share the dirty details. Plus Chris reviews the high-tech Cinch Pop-Up Tent.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• 0-day bug in fully patched OS X comes under active exploit to hijack Macs

• First Firmware Worm Able to Infect Macs Created by Researchers

Cinch Pop-Up tent Review

• Meet Cinch!– The ultimate pop-up tent with solar power & LED by Jake Jackson

• Cinch! Pop Up Tents, The Ultimate Pop Up Tent, UK

• Cinch 4 Person Pop-up Tent

The post Pitching a Tent | TTT 201 first appeared on Jupiter Broadcasting.

Thunderbolt 3 promise to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac Flaw & Google wants to kinda give you better privacy controls.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• Intel Announces Thunderbolt 3 With USB-C, Single-Cable Support for Dual 4K Displays at 60Hz – Mac Rumors
• Thunderbolt 3 embraces USB Type-C connector, doubles bandwidth to 40Gbps | Ars Technica UK
• Apple, Feeling Heat From Spotify, to Offer Streaming Music Service – WSJ
• New exploit leaves most Macs vulnerable to permanent backdooring | Ars Technica
• Google Centralizes Privacy And Security Controls On New Web Dashboard | TechCrunch
• Hello World: Windows 10 Available on July 29
• Microsoft: Windows 10 Home costs $119, Pro costs $199
• Blocks Wearables will start taking orders for its modular smartwatch this summer | The Verge

The post Google's Creepiness Controls | Tech Talk Today 177 first appeared on Jupiter Broadcasting.

We get an update on our resident Mac users switch to Linux & the challenges she’s run into. Ubuntu makes a deal with Microsoft and promises to ship snappy on the Internet of Things, but what the heck is a Snap package? And is it truly a transactional system?

Plus hints on how Debian PPAs might work, the world’s first $9 Linux rig & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• PlayOnLinux 5

Catch Up:

• New Debian Project Leader Talks Open Source Careers, PPAs, and More | Linux.com

• Wayland sucks (more)

• After years of work KWin’s master branch just became a proper Wayland…

Linux Academy

• Linux Academy | Linux and AWS Online Training

• Angela – Antergos or Not?

• Install iPod/iPhone support on Arch

pacman -S libmtp libusbmuxd usbmuxd libimobiledevice exfat-utils fuse-extaf

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

Ubuntu jumps into Internet of Things with Acer, GE, and Microsoft

That wasn’t a typo. Canonical and Microsoft, which were already working together on bringing Canonical’s Juju DevOps tools to Windows and bringing Windows Server to OpenStack, are working with DataArt on an IoT industrial predictive maintenance solution. It will combine the three companies’ IoT, cloud, big data, machine learning, and Docker efforts. To integrate all of this they’ll be using “Snappy” Ubuntu apps, DeviceHive, and Juju Charms. Microsoft will also use an Azure service to manage and capture machine data.

TING

• Ting – mobile that makes sense

CHIP – The World’s First Nine Dollar Computer by Next Thing Co. — Kickstarter

C.H.I.P. is a computer. It’s tiny and easy to use.

C.H.I.P. does computer things. Work in LibreOffice and save your documents to C.H.I.P.’s onboard storage. Surf the web and check your email over wifi. Play games with a bluetooth controller. With dozens of applications and tools preinstalled, C.H.I.P. is ready to do computer things the moment you power it on.

C.H.I.P. is a computer for students, teachers, grandparents, children, artists, makers, hackers, and inventors. Everyone really. C.H.I.P. is a great way to add a computer to your life and the perfect way to power your computer based projects.

Runs Linux from the people:

• Send in a pic/video of your runs Linux.
• Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

The post Linux Wife, Happy Life. | LINUX Unplugged 92 first appeared on Jupiter Broadcasting.

Chris shares what’s prevented him from getting started with development & shares the three languages that are at the top of his list to try.

Plus we get passionate after some feedback to the Mac Exodus topic & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

• Mac Exdus

Dev Hoopla:

• Is there any shame in being a casual developer? From the outside it feels like you’ve got to go all in deep, or bust.

• Three controversial choices Chris is faced with.

The post Ruby is not Perl | CR 136 first appeared on Jupiter Broadcasting.

Is the quality of Apple’s desktop and mobile software causing a slow bleeding of developers? Chris & Mike debate what developers will do over 2015.

Plus we read some great follow up, feature a community project & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Feedback / Follow Up:

• What to do….

• Paid vs Unpaid Internships

OpenYourMouth UPDATE

• OpenYourMouth Web GUI

• OpenYourMouth Web Interface Now Public – 19kestier

• tadcan – Ok I’m going to provide a dissenting voice here

• Women’s Tech Radio

Dev Hoopla:

Apple has lost the functional high ground – Marco.org

Apple’s hardware today is amazing — it has never been better. But the software quality has taken such a nosedive in the last few years that I’m deeply concerned for its future. I’m typing this on a computer whose existence I didn’t even think would be possible yet, but it runs an OS riddled with embarrassing bugs and fundamental regressions. Just a few years ago, we would have relentlessly made fun of Windows users for these same bugs on their inferior OS, but we can’t talk anymore.

CNBC video is up: https://t.co/BG03O6LfWk (thanks @_DavidSmith) Not as bad as I feared. The web rewrites are mostly worse.

— Marco Arment (@marcoarment) January 5, 2015

Microsoft is building a new browser as part of its Windows 10 push

Spartan is still going to use Microsoft’s Chakra JavaScript engine and Microsoft’s Trident rendering engine (not WebKit), sources say. As Neowin’s Brad Sams reported back in September, the coming browser will look and feel more like Chrome and Firefox and will support extensions.

Sams also reported on December 29 that Microsoft has two different versions of Trident in the works, which also seemingly supports the claim that the company has two different Trident-based browsers.

However, if my sources are right, Spartan is not IE 12. Instead, Spartan is a new, light-weight browser Microsoft is building.

The post Macs Exodus | CR 135 first appeared on Jupiter Broadcasting.

One of the worlds most prolific spammers gets profiled & the technical details are fascinating. New Apple malware is getting everyones attention, but why iOS trusts the code is really the more fascinating story, we’ll explain.

Plus a great batch of questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

MeetBSD

• MeetBSD2014 – UCL all of the things

Spammers are always developing new tactics

• Prolific spammer Michael Persaud has been caught sending spam yet again
• The 37-year-old from San Diego was the first spammer to have been criminally prosecuted, 13 years ago
• By following a string of clues in the details used to register 1100 new domains used to send spam, researcher Ron Guilmette was able to track the source of the spam back to Persuad
• What makes this case specially interesting was the technique used to send the spam
• The chain of events starts with a block of IP addresses getting added to a blacklist, and the owner of those IP addresses being notified of the fact
• The owner of the IP addresses was adamant that the spam was not coming from their network, as they do not host any spammers
• When Cisco provided evidence that the spam was in fact coming from their IP addresses, further investigation revealed that that block of addresses was not actually in use
• The block of IPs was not being announced via BGP by the owner of the IP space, thus the IPs were dormant (unannounced)
• The spammers had looked around the internet, found ranges of dormant IP addresses, and announced those themselves, in effect moving the hosting for that IP range to their hosting provider, instead of that of the owner
• This allowed the spammers to send spam from ‘clean’ IP addresses, that had never been used to send spam before
• The spammer in question claims he did not know the IP addresses were hijacked, that the ISP he was using was selling him ‘stolen’ IPs without his knowledge
• Persuad made this seem like a common occurrence, but it isn’t, and the researchers are not buying it

• “In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers. In 2000, Persaud admitted to one felony count (PDF) of stealing from the U.S. government, after being prosecuted for fraud related to some asbestos removal work that he did for the U.S. Navy”

• Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door Audiobook | Brian Krebs | Audible.com

Google launches new network security testing tool: nogotofail

• SSL/TLS has seen a number of major vulnerabilities lately, including Heartbleed, Apple’s goto fail, GNUTLS and NSS both having certificate verification flaws, and most recently the POODLE vulnerability
• To help researchers and administrators test for these vulnerabilities, Google has released nogotofail, a new testing tool
• “allows developers to set up an infrastructure through which they can run known attacks against the target application. It has the ability to execute various attacks that require man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others“
• “The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS“
• The tool can be deployed on Clients, Routers, and VPNs to automatically detect connections between clients and servers that are vulnerable to any of the known flaws
• Project on GitHub

Feedback:

• Homeserver / SSH / Permissions or SPOUSAL APPROVAL

• Printers with public IPs?

• 10Gb NIC query

• ZFS on Linux and ECC RAM?

• Healthcare vendor negligent of POODLE

• Daniel Blair on Twitter: “Hey @ChrisLAS I am wearing my #TechSNAP 100th episode shirt while getting interviewed after #innovateordiedays https://t.co/4UwbBTJ0sl #rep”

Round-Up:

• WireLurker Mac OS X Malware Found, Shut Down
• New, harder to detect version of the Backoff Point-of-Sales malware found in the wild. Old version still infecting more than 1000 point of sales systems
• FBI Holds Secret Meeting To Scare Congress Into Backdooring Phone Encryption
• Linksys patches more routers for flaw found in July. Flaws Include allowing attackers to steal password database
• Secure Messaging Scorecard | Electronic Frontier Foundation
• Next weeks Microsoft Patch Tuesday will be a big one, 16 patches covering IE, Windows, Exchange, Office and more
• Swedish hacker finds ‘serious’ vulnerability in OS X Yosemite
• American Express proposes new tokenized payment cards, unique code for each merchant, transaction type, or device.

The post Apple Approved Malware | TechSNAP 187 first appeared on Jupiter Broadcasting.

We have a bunch of great feedback that keeps getting interrupted by Chris and Mike jumping into deep discussion about vendor lock in, Apple’s new hardware, balancing work and life & much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Feedback / Follow Up:

• Some feedback to PTDave

• Mike was wondering what kind of work Linux is better at… oh! oh! I know! I know!

• Switching to a Mac: Update

• Confused curiosity

Dev Hoopla:

Soon to be dad

iMac with Retina 5K display

Does Size matter? Is the Nexus 6 too big?

• Do we really want phones this big?
• Are developers being led around by the nose with the trend hook?
• Android L

The post Underwhelming Apple | CR 124 first appeared on Jupiter Broadcasting.