Show Notes: linuxactionnews.com/162

The post Linux Action News 162 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/428

The post RAID Reality Check | TechSNAP 428 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/422

The post Multipath Musings | TechSNAP 422 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/407

The post Old School Outages | TechSNAP 407 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/397

The post Quality Tools | TechSNAP 397 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/340

The post The Optional Option | Coder Radio 340 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/388

The post The One About eBPF | TechSNAP 388 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Internet privacy

• The House just voted to wipe out the FCC’s landmark Internet privacy protections

• Vote Summary

• Who represents You in the U.S. Congress

• Five Ways Cybersecurity Will Suffer If Congress Repeals the FCC Privacy Rules

• A VPN can stop internet companies from selling your data — but it’s not a magic bullet

• How ISPs can sell your Web history—and how to stop them

Alleged vDOS Owners Poised to Stand Trial

• Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

• On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

• According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

• Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

ZFS is what you want, even though you may not know – Dan talks about why he likes ZFS

• The following is an ugly generalization and must not be read in isolation
• Listen to the podcast for the following to make sense
• Makes sysadmin life easier
• treats the disks as a bucket source for filesystem
• different file system attributes for different purposes, all on the same set of disks
• Interesting things you didn’t know you could do with ZFS

Feedback

• Dealing with waste heat

• PostgreSQL vs MySQL

The following were referenced during the above Feedback segments:

• Dan has bought custom & standard size air filters for computers from these folks

• Dan’s first MySQL post from January 2000

• 17-Year-Old Corrects NASA Mistake In Data From The ISS

• Dan’s first PostgreSQL post from September 2000

Round Up:

• Setting the Record Straight: containers vs. Zones vs. Jails vs. VMs

• Dishwasher has directory traversal bug

• Apple Says It Fixed CIA Vulnerabilities Years Ago

• Data breach disclosure 101: How to succeed after you’ve failed

• LastPass releases fix browser extension security flaws

• Google takes Symantec to the woodshed for mis-issuing 30,000 HTTPS certs

• 17-Year-Old Corrects NASA Mistake In Data From The ISS

• That Time I Trolled the Entire Internet

• Dan’s external Nagios instance

The post Privacy is Dead | TechSNAP 312 first appeared on Jupiter Broadcasting.

We take you to LinuxCon like never before. The container trend goes big and community leaders are taking bold stands & the quiet debate that’s brewing.

Plus a super thin Linux laptop, Google’s Linux router the OnHub, Munich to ditch Linux for Windows & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: System76

• Web Hosting, Cloud and Dedicated Servers – OVH

Discover our Web, Dedicated and Cloud solutions.

LinuxCon’s surprise keynote speaker ​Linus Torvalds muses about open-source software | ZDNet

In a broad-ranging question and answer session, Linus Torvalds, Linux’s founder, shared his thoughts on the current state of open source and Linux.

Linus Torvalds: Security is never going to be perfect

Linus seemed as excited about containers as a fish would be about a bicycle. “I am so happy that the kernel tends to be fairly far removed from all these issues, all the buzzwords and all the new technologies,” he said. “We end up being in a situation where we only care about us working on and how people use the kernel. I am so focused on the kernel that I don’t even care very much. We see when people need technologies from us to implement all of this, obviously there is c-groups and virtualization, if you do it that way. So we see that side of it. But at the same time, I don’t get involved in politics between all the different groups and all the stuff that goes on top of the kernel. And I am really happy I don’t have to.”

Torvalds: Don’t talk to me about containers and other buzzwords

“I am a very plodding, pedestrian kind of person,” Torvalds said during a Q&A session with Linux Foundation boss Jim Zemlin at LinuxCon in Seattle on Wednesday. “I look six months ahead. I look ahead at this release and I know what’s coming up in the next one.

“I don’t think planning 10 years ahead is necessarily very sane. Because if you think about Linux ten years back and where Linux was ten years ago, trying to plan for where we are now would have been completely insane.”

Mark Shuttleworth says Snappy was born long before CoreOS and the Atomic Project | ITworld

Mark Shuttleworth, founder of Canonical and Ubuntu, made a surprise visit at LinuxCon. I sat down with him for a video interview and talked about Ubuntu on IBM’s new LinuxONE systems, Canonical’s plans for containers, open source in the enterprise space and much more.

LinuxCon: Core Infrastructure Initiative Boosts Security Efforts

The Linux Foundation announced the new badging effort in a press conference with media and analysts. She said the program is akin to the badges used on the popular Github code-development and -sharing site.

— PICKS —

Runs Linux

Museum of Science and Industry in Chicago – RUNS LINUX

Sent in By: Anton C

I visited the Museum of Science and Industry in Chicago recently and one of the exhibits was about robotics. I spotted one robot that recognizes faces and appears to be controlled by a Linux box.

I would also like to share my recent first experience with System76. I purchased a Meerkat to replace my HTPC that just died. The day after I made the purchase, the Meerkat went on sale. System76 called to notify me that because of the sale, I could either get my money back for the amount of the sale, or I could get a free memory upgrade and still get some money back!
Frankly, I’m astounded at that level of customer service. I’ve never experienced anything like it before and I thought it deserved a mention.

Desktop App Pick

FileZilla 3.13.0 released

FileZilla is a free and open source FTP client. It’s available for all major operating systems including Windows, Mac and obviously Linux. The latest version includes couple of new features and few bug fixes that make it more stable.

*
There are couple of new features and bug fixes in this release.
*

• Display home directory instead of root directory if the last used directory does not exist
• Larger initial size of main window if there is no stored size
• Slightly increased size of page selection box in settings dialog

Bugfixes and minor changes:

• Fix assertion in directory listing parser
• Fix drag&drop of remote files which broke in 3.13.0-rc1

Weekly Spotlight

GitLab Mattermost, an open source on-premises Slack alternative | GitLab

We’re very excited to announce that we’ll ship GitLab Mattermost, an open source, on-premises messaging app (like Slack) along with GitLab.

GitLab Mattermost will first be included with the Omnibus packages of GitLab 7.14 (due August 22nd).
We think GitLab Mattermost will be a great addition for GitLab users that need all software on-premises.

— NEWS —

Super Thin Asus Zenbook

• 13.3-Inch FHD (1920×1080) anti-glare matte display with an ultra-wide 170-degree viewing angle
• Latest Intel Core M-5Y10 (turbo up to 2GHz) processor
• Fanless design that is quiet, clean, and energy efficient
• 8GB RAM
• 256GB Solid State Drive
• 10-Hours Battery Life (vendor claim)
• Dual-band 802.11AGN Wi-Fi
• Bluetooth 4.0
• 3 USB 3.0 ports
• HDMI port

ZenBook UX305 is even slimmer than the new Macbook. It's also about half the price. #Incredible pic.twitter.com/ATSENGVMIi

— ASUS North America (@ASUSUSA) March 11, 2015

Google’s Linux Router

Google and TP-Link unveiled a Gentoo Linux based “OnHub” WiFi-ac router for consumers with 13 antennas, Bluetooth, and ZigBee, controlled by a mobile app.

Google’s embedded and IoT horizons appear to be expanding beyond its own Nest subsidiary. The company, which is now technically just another company in the new Alphabet umbrella organization, has partnered with router-maker TP-Link to launch a $200 WiFi router, and potentially, a home automation router. Later this year, Google says it will announce other OnHub branded devices, including an Asus-made device.

The OnHub is available for pre-order at $200 at a variety of locations including the Google Store. Retail availability is set for Aug. 31. More information may be found in the Google OnHub announcement, the Google OnHub page, and the TP-Link OnHub page.

Specifications listed for the OnHub include:

• Processor — Qualcomm Atheros IPQ8064 (2x ARM/Krait cores @ 1.4GHz)
• Memory:
  • 1GB DDR3L RAM
  • 4GB eMMC flash
  • 8MB NOR flash
• Wireless networking:
  • 6x 2.4GHz 802.11b/g/n 3×3 antennas
  • 6x 5GHz 802.11b/g/n /ac 3×3 antennas
  • AUX 802.11a/b/g/n/ac 1×1 antenna
  • Bluetooth 4.0 with Smart Ready
  • 802.15.4 (ZigBee and Thread)
  • WPA2-PSK security
• Wired networking:
  • Gigabit Ethernet LAN port
  • Gigabit Ethernet WAN port
  • QCA8337 gigabit switch
  • Other I/O — USB 3.0 port
• Other features — 3W speaker; ambient light sensor; 6x tri-color LED arrays; TPN (Infineon SLB 961); built-in diagnostics; removable outer shell; blue and black colors
• Power — <12V/3A DC in; 100~240V 50~60Hz AC in
• Operating temperature — 0 to 40°C
• Weight — 1.9 lb
• Dimensions — 10.8 x 5.0 x 5.0 in.
• Operating system — Gentoo Linux

Germany to Ditch Linux for Windows

Two influential politicians in a German city that ditched Microsoft in favour of Linux are agitating for a switch back to Windows.

The councillors from Munich’s conservative CSU party have called the custom version of Ubuntu installed on their laptops “cumbersome to use” and “of very limited use”.

The letter from the two senior members of the city’s IT committee asks mayor Dieter Reiter to consider removing the Linux-based OS and to install Windows with Microsoft Office.

The city spent years migrating about 15,000 staff to Limux, a custom-version of Ubuntu, and other open source software – a move the city said had saved it more than €10m ($11m).

GOG Now Has Nice and Friendly Linux Installer – Softpedia

The GOG distribution platform started to release Linux games less than a year ago, but it’s made great progress in the meantime. Now, the developers are working on a new installation for Linux games that should be much easier to use.

• Linux Installer for GOG Games

Jolla Tablet available for PreOrder

Secure your Jolla Tablet from the next limited production batch. The Jolla Tablet pre-ordered now will start shipping in the end of October. Act fast, availability is limited. Pre-orders are open for everyone in EU, Norway, Switzerland, United States, Canada, Australia, India and Hong Kong.

Feedback:

• https://slexy.org/view/s202pu2wrV
• https://slexy.org/view/s20aht44WU

• https://slexy.org/view/s212Vt3oTh

• Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

Catch the show LIVE Friday:

• https://jblive.tv
• Network Calendar

The post Experience LinuxCon 2015 | LAS 379 first appeared on Jupiter Broadcasting.

Why a stolen healthcare record is harder to track than you might think, Security pros name their must have tools & blame as a service, the new Cybersecurity hot product.

Plus great questions, a huge Round Up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

A day in the life of a stolen healthcare record

• “When your credit card gets stolen because a merchant you did business with got hacked, it’s often quite easy for investigators to figure out which company was victimized. The process of divining the provenance of stolen healthcare records, however, is far trickier because these records typically are processed or handled by a gauntlet of third party firms, most of which have no direct relationship with the patient or customer ultimately harmed by the breach.”
• “I was reminded of this last month, after receiving a tip from a source at a cyber intelligence firm based in California who asked to remain anonymous. My source had discovered a seller on the darknet marketplace AlphaBay who was posting stolen healthcare data into a subsection of the market called “Random DB ripoffs,”
• “Eventually, this same fraudster leaked a large text file titled, “Tenet Health Hilton Medical Center,” which contained the name, address, Social Security number and other sensitive information on dozens of physicians across the country.”
• “Contacted by KrebsOnSecurity, Tenet Health officials said the data was not stolen from its databases, but rather from a company called InCompass Healthcare. Turns out, InCompass disclosed a breach in August 2014, which reportedly occurred after a subcontractor of one of the company’s service providers failed to secure a computer server containing account information. The affected company was 24 ON Physicians, an affiliate of InCompass Healthcare.”
• “The breach affected approximately 10,000 patients treated at 29 facilities throughout the U.S. and approximately 40 employed physicians,” wrote Rebecca Kirkham, a spokeswoman for InCompass.
• So who was the subcontractor that leaked the data? According to PHIprivacy.net (and now confirmed by InCompass), the subcontractor responsible was PST Services, a McKesson subsidiary providing medical billing services, which left more than 10,000 patients’ information exposed via Google search for over four months.
• Think about that for a minute. The information must have just been laying around on their website for it to be able to be found by Google search
• “Still, not all breaches involving health information are difficult to backtrack to the source. In September 2014, I discovered a fraudster on the now-defunct Evolution Market dark web community who was selling life insurance records for less than $7 apiece. That breach was fairly easily tied back to Torchmark Corp., an insurance holding company based in Texas; the name of the company’s subsidiary was plastered all over stolen records listing applicants’ medical histories.”
• “Health records are huge targets for fraudsters because they typically contain all of the information thieves would need to conduct mischief in the victim’s name — from fraudulently opening new lines of credit to filing phony tax refund requests with the Internal Revenue Service. Last year, a great many physicians in multiple states came forward to say they’d been apparently targeted by tax refund fraudsters, but could not figure out the source of the leaked data. Chances are, the scammers stole it from hacked medical providers like PST Services and others.”
• As we have previously discussed, a stolen credit card may be worth a few dollars, even high end corporate cards rarely fetch more than $10 or $15 each. Health care records are worth upwards of $100 each.
• “Sensitive stolen data posted to cybercrime forums can rapidly spread to miscreants and ne’er-do-wells around the globe. In an experiment conducted earlier this month, security firm Bitglass synthesized 1,568 fake names, Social Security numbers, credit card numbers, addresses and phone numbers that were saved in an Excel spreadsheet. The spreadsheet was then transmitted through the company’s proxy, which automatically watermarked the file. The researchers set it up so that each time the file was opened, the persistent watermark (which Bitglass says survives copy, paste and other file manipulations), “called home” to record view information such as IP address, geographic location and device type.”
• “The company posted the spreadsheet of manufactured identities anonymously to cyber-crime marketplaces on the Dark Web. The result was that in less than two weeks, the file had traveled to 22 countries on five continents, was accessed more than 1,100 times. “Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia,” the report concluded.“

Security pros name their must have tools

• Network World asked some “security pros” from around the industry to name their must have tools
• Lawyers Without Borders uses Intralinks VIA to securely share files
• Yell.com (a yellow pages site) uses Distil Networks’ bot detection and mitigation service to prevent content theft and avoid excess load from web scraper bots
• SureScripts.com (online perscription service) uses Invincea FreeSpace Enterprise for endpoint security. “stops advanced end user attacks (spear phishing, drive-by downloads, etc.) via containment, and stops our machines from getting infected
• a biotechnology company uses EMC Syncplicity to secure and distribute content to mobile devices. “It is an amazing mobile app that offers a great user experience and also offers the security and control we need as a therapeutics company with lots of sensitive information”
• A private health insurance software application provider uses Forum Sentry API gateway to protect its API from malactors. “Forum Sentry enabled us to securely expose our APIs to our private health insurance funds, third parties and internal clients and has provided a policy-based platform that is easy to maintain and extend – all while reducing development time and resources”
• Firehouse Subs, a large restaurant chain uses Netsurion’s Managed PCI to manage their Payment Card Industry Data Security Standard compliance. “Netsurion simplifies PCI for myself, and our franchisees, allowing us to maintain focus on other portions of our business”
  • A software vendor that makes heavy uses of Software as a Service (SaaS) relies on Adallom for SaaS to monitor, provides visibility into, and protection of SaaS applications.
  • Iowa Vocational Rehabilitation Services, raved about the configurability and reliability of NCP’s enterprise VPN solution
• I am sorry, when I started writing this news item for TechSNAP, I thought the list was going to be useful
• These were not the kinds of tools I was expecting
• Instead it just shows a random reporter who knows nothing about Cyber Security, asking a bunch of random businesses who know nothing about Cyber Security and just buy magic software and services what they think
• If your approach to cyber security is: buy some magic software, then you’re in trouble
• Cyber Security is a mindset, and requires defense in depth. It is about doing as much as can be done, and more importantly, planning for when that turns out to not be enough.
• What you really need is a cyber security disaster kit, like the one you have in your house in the event of a nature disaster. All of the things you need to survive until the mess is cleaned up.
• What companies really need, is to do cyber security fire drills, and have better fire alarms
• Software can’t solve everything, but it can help automate the task of getting the attention of a human at the right time

Intel launches new line of E7 v3 Haswell-EX processors

• Intel has announced its new E7-8800 and E7-4800 line of processors, featuring:
• 20% more cores/threads
• 20% more Last-Level Cache
• Benchmarks show actual 15-20% gains over the E7-4890 v2
• Support for DDR3 or DDR4 memory (not at the same time). “Support for the two differing memory types comes by way of Intel’s C112 and C114 scalable memory buffers.”
• 1.5 TB of ram per socket, quad channel, 102 GB/s memory bandwidth
• This means a 4 socket motherboard can have 6TB of ram, and an 8 socket board can have 12TB of ram
• 32 PCI-E 3.0 lanes per socket
• The highest end versions also feature QPI links at 9.6 GT/s (the previous maximum was 8.0 GT/s)
• E7-4xxx models are designed for 4 socket motherboards, while the E7-8xxx models are for 8 socket motherboards
• Models include:
  • E7-4809 v3 – 8x 2.00 GHz + HT, 20MB LLC
  • E7-4820 v3 – 10x 1.90 GHz + HT, 25MB LLC
  • E7-4830 v3 – 12x 2.10 GHz (Turbo: 2.70 GHz) + HT, 30MB LLC
  • E7-4850 v3 – 14x 2.20 GHz (Turbo: 2.80 GHz) + HT, 35MB LLC
  • E7-8860 v3 – 16x 2.20 GHz (Turbo: 3.20 GHz) + HT, 40MB LLC
  • E7-8880 v3 – 18x 2.30 GHz (Turbo: 3.10 GHz) + HT, 45MB LLC
  • E7-8890 v3 – 18x 2.50 GHz (Turbo: 3.30 GHz) + HT, 45MB LLC
  • E7-8891 v3 – 10x 2.80 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
  • E7-8893 v3 – 4x 3.20 GHz (Turbo: 3.50 GHz) + HT, 45MB LLC
• “Want!”

Feedback:

• Looking for a better/different back-up solution.

• Question about NAS versus SAN

• A response to the docker criticism in Episode 212 “Dormant Docker Disasters”

• The concept of a Virtual/Logical DMZ?

Round Up:

• Actively exploited WordPress bug puts millions of sites at risk
• Learn about how Windows kernel exploits work with the “HackSys Extreme Vulnerable Driver”
• PillPack.com online pharmacy vulnerability could have allowed anyone to view your entire perscription history, with only your name a birthdate
• Network reconnaissance without actually probing the network, using DNS
• Hospira Lifecare PCA infusion pump has telnet enabled with no password, allows anyone to root it with a tcp connection
• Boeing 787 dreamliner generator control units contain software bug that causes them to fail after 248 days of uptime
• Microsoft bangs the cybersecurity drum with Advanced Threat Analytics
• How to make two C binaries with the same MD5 hash – Why you shouldn’t trust MD5
• Understanding Docker Security and Best Practices
• Netflix open sources FIDO – Fully Integrated Defense Operation
• Docker vs the container world: Techies rally around CoreOS-led spec
• Lab of a Pen Tester — Dumping Windows 8.1 passwords in plain text
• System Crash for Starbucks Leads to Free Coffee for Some
• L3 cache mapping on Sandy Bridge CPUs
• Google Can’t Ignore The Android Update Problem Any Longer
• Researcher finds another method of bypassing Google’s password alert feature
• Windows 10 to do away with Patch Tuesday
• “unnamed FreeBSD Developer: OMG!!! I found a place where an ex-employee went to the repo, checked out the distribution tarball of freeipmi… unpacked it… edited the Makefiles, re-tarred it up and checked it back in under same name…”

The post Blame as a Service | TechSNAP 213 first appeared on Jupiter Broadcasting.

Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to Build a successful Information Security career.

Plus a great batch of your questions, a rocking round up, and much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

How to make secret phone calls

• “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
• “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
• The article sets out the steps required to conduct untraceable phone calls
• The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
• “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
• Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
• Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
• After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
• Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
• Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
• Wipe down and destroy handset.
• “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
• “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
• “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
• “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
• “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
• “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
• Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
• “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
• Guide to creating and using One-Time Pads
• John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

• “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
• “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP ranges owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit. “
• “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
• “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
• Level 3 then worked to block the malicious traffic
• “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
• “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before a DDoS Rootkit.”
• “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
• “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
• Remote root login should never be allowed anyway
• Hopefully this will send a clear message to the providers that allow these type of attackers to operate on their network. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.

How to Build a Successful Information Security Career

• A question I often get is “how do I get into InfoSec”
• Myself, not actually being an InfoSec professional, and never having really worked in that space, do not have the answer
• Luckily, someone who is in that space, finally wrote it all down
• “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
  • So, keep watching TechSNAP
• Basic Steps:
• Education (Sysadmin, Networking, Development)
• Building Your Lab (VMs, VPSs from Digital Ocean)
• You Are Your Projects (Build something)
• Have a Presence (Website, Blog, Twitter, etc)
• Certifications (“Things have the value that others place on them”)
• Networking With Others (Find a mentor, be an intern)
• Conferences (Go to Conferences. Speak at them)
• Mastering Professionalism (Dependability, Well Written, Good Speaker)
• Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
• Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
• Becoming Guru
• It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
• Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

Feedback:

• Data Delivery/Syncing over WAN

• TOR Question

• Upgrading password hash algorithm

Round Up:

• Announcing Git Large File Storage (LFS)
• Amazon EFS
• One in seven employees will self corporate passwords for $150 or less
• Hidden backdoor API to root privileges in Apple OS X
• Vulnerability in Firefox forced Mozilla to disable opportunistic encryption
• The FBI Has Its Own Secret Brand of Malware
• AT&T Call Center staff sold hundres of thousands of customer records to criminals
• Expired SSL certificate
• Google lets the Root CA certificate that issues the smtp.gmail.com certificate expire
• Congress must end mass NSA surveillance with next Patriot Act vote
• Greenwald criticized universities which open up their campuses to government agencies in exchange for funding
• 8 Ways You Didn’t Know Hackers Could Steal Your Identity
• Apple did not remove CNNIC Root CA from trust lists in latest security update
• Every Wi-Fi Router Should Look Like The USS Enterprise
• IT Security in a nutshell

The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

Been putting off that patch? This week we’ll cover how an out of date Joomla install led to a massive breach, Microsoft and Google spar over patch disclosures & picking the right security question…

Plus a great batch of your feedback, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Data thieves target parking lots

• “Late last year, KrebsOnSecurity wrote that two huge swaths of credit card numbers put up for sale in the cybercrime underground had likely been stolen from Park ‘N Fly and from OneStopParking.com, competing airport parking services that lets customers reserve spots in advance of travel via Internet reservation systems. This week, both companies confirmed that they had indeed suffered a breach.”
• “When contacted by Krebs on Dec. 15, Atlanta-based Park ‘N Fly said while it had recently engaged multiple security firms to investigate breach claims, it had not found any proof of an intrusion. In a statement released Tuesday, however, the company acknowledged that its site was hacked and leaking credit card data, but stopped short of saying how long the breach persisted or how many customers may have been affected”
• “OneStopParking.com reached via phone this morning, the site’s manager Amer Ghanem said the company recently determined that hackers had broken in to its systems via a vulnerability in Joomla for which patches were made available in Sept. 2014. Unfortunately for OneStopParking.com and its customers, the company put off applying that Joomla update because it broke portions of the site.”
• “Unlike card data stolen from main street retailers — which can be encoded onto new plastic and used to buy stolen goods in physical retail stores — cards stolen from online transactions can only be used by thieves for fraudulent online purchases. However, most online carding shops that sell stolen card data in underground stores market both types of cards, known in thief-speak as “dumps” and “CVVs,” respectively.”
• “Interestingly, the disclosure timeline for both of these companies would have been consistent with a new data breach notification law that President Obama called for earlier this week. That proposal would require companies to notify consumers about a breach within 30 days of discovering their information has been hacked.”
• Krebs also appears to be having fun with the LizzardSquad

Microsoft pushes emergency fixes, blames Google

• Microsoft and Adobe both released critical patches this week
• “Leading the batch of Microsoft patches for 2015 is a drama-laden update to fix a vulnerability in Windows 8.1 that Google researchers disclosed just two days ago. Google has a relatively new policy of publicly disclosing flaws 90 days after they are reported to the responsible software vendor — whether or not that vendor has fixed the bug yet. That 90-day period elapsed over the weekend, causing Google to spill the beans and potentially help attackers develop an exploit in advance of Patch Tuesday.”
• Yahoo recently announced a similar new policy, to disclose all bugs after 90 days
• This is the result of too many vendors take far too long to resolve bugs after they are notified
• Researchers have found that need to straddle the line between responsible disclosure, and full disclosure, as it is irresponsible to not notify the public when it doesn’t appear as if the vendor is taking the vulnerability seriously.
• Microsoft also patched a critical telnet vulnerability
• “For its part, Microsoft issued a strongly-worded blog post chiding Google for what it called a “gotcha” policy that leaves Microsoft users in the lurch”
• There is also a new Adobe flash to address multiple issues
• Krebs notes: “Windows users who browse the Web with anything other than Internet Explorer may need to apply this patch twice, once with IE and again using the alternative browser (Firefox, Opera, e.g.).” because of the way Microsoft bundles flash
• Infact, if you use Chrome and Firefox on windows, you’ll need to make sure all 3 have properly updated.

What makes a good security question?

• Safe: cannot be guessed or researched
• Stable: does not change over time
• Memorable: you can remember it
• Simple: is precise, simple, consistent
• Many: has many possible answers
• It is important that the answer not be something that could easily be learned by friending you on facebook or twitter
• Some examples:
• What is the name of the first beach you visited?
• What is the last name of the teacher who gave you your first failing grade?
• What is the first name of the person you first kissed?
• What was the name of your first stuffed animal or doll or action figure?
• Too many of the more popular questions are too easy to research now
• Some examples of ones that might not be so good:
  • In what town was your first job? (Resume, LinkedIn, Facebook)
  • What school did you attend for sixth grade?
  • What is your oldest sibling’s birthday month and year? (e.g., January 1900) (Now it isn’t your facebook, but theirs that might be the leak, you can’t control what information other people expose)
• Sample question scoring

Feedback:

• FreeNAS Replication

• Ep 196 – Staples Hack

• Best at home router solution

• OpenWrt

• MyOpenRouter

• FQDN on LAN? Peace of mind on WAN?

• hardware upgrade

Round Up:

• Apache Spark: 100 terabytes (TB) of data sorted in 23 minutes
• Quick wins for cyber security
• The New CISPA Bill Is Literally Exactly the Same as the Last One
• Sony: Losses from hack will be covered by insurance
• Forget Wearable Tech. People Really Want Better Batteries.
• New data breach notification law not good enough
• Panasonic Arbitrator Back-End Server (BES) uses unencrypted communication
• US CENTCOM gets its twitter account hacked — Why no 2FA?
• Verizon Cloud system schedules 48 hour downtime
• Canadian Federal Police refuse to pay fees to telco for tracking suspects
• The path from beginner to expert
• Mac “bootkit” permanently backdoors macs

The post Patch and Notify | TechSNAP 197 first appeared on Jupiter Broadcasting.

Pre-crime becomes a reality in London, powered by technology. Andy Rubin, Creator Of Android, leaves Google & we speculate if we’ll see a merging of Chrome & Android.

Plus the first browser dedicated to developers is coming & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

BBC News – London police trial gang violence ‘predicting’ software

Police in London have tested software designed to identify which gang members are most likely to commit violent crimes.

The 20-week pilot study is thought to have been the first of its kind in the UK, although similar experiments have been carried out elsewhere.

It used five years worth of historic data, but the idea would be to analyse up-to-date details if it is deployed.

Civil liberty campaigners have voiced concerns.

But Accenture – the firm that developed the software – highlighted the potential benefit it offered.

“You’ve got limited police resources and you need to target them efficiently,” said Muz Janoowalla, head of public safety analytics at the company.

“What this does is tell you who are the highest risk individuals that you should target your limited resources against.”
Flagging threats

The software works by merging together data from existing systems already used by the Metropolitan Police and carrying out predictive calculations.

Types of information ranged from previous crimes to social media activity.

Australian Courts Will Be Able To See Your Browsing History

A series of slips by the nation’s top cop followed by communications minister Malcolm Turnbull has made Australia’s data retention bill even more of a potential horror than it seemed when it was introduced last week.” Writes Richard Chirgwin in an article about Australia’s new legislation.. “lawyers are already gathering, telling the ABC’s PM program that metadata could be demanded in family law cases and insurance cases” it continues, with the inevitable result that your internet browsing history will be used against people trying to resist demands during divorce. “What’s depressing is that Australians probably won’t take to the streets about this issue.

Andy Rubin, Creator Of Android, Leaves Google

According to the WSJ, Andy Rubin left Google after almost a decade of working for the company. He has been working at Google since 2005, when his company at the time, Android Inc., was acquired by the search giant. Rubin was in charge of Android until last year, when he was replaced as Android chief by Sundar Pichai, then the SVP of Chrome.

The First Browser Dedicated to Developers is Coming

We’ve redesigned the browser by looking at it through a completely new filter to put developers’ interests first. It’s built by developers for developers so you can debug the whole Web, allowing you to more easily build awesome Web experiences. It also integrates some powerful new tools like WebIDE and the Firefox Tools Adapter.

Soon, we’re going to bring you more, a lot more, in a package that you deserve as a builder for an independent Web.

Get ready to spread the word (#Fx10 #ChooseIndependent) or sign up for our Hacks newsletter here to be emailed as soon as the browser is available.

We can’t wait to share it with you on November 10th.

The post ChromeDroid Convergence | Tech Talk Today 84 first appeared on Jupiter Broadcasting.

We\’re back from BSDCan! This week on the show we\’ll be chatting with Brian Callahan and Aaron Bieber about forming a local BSD users group. We\’ll get to hear their experiences of running one and maybe encourage some of you to start your own!

After that, we\’ve got a tutorial on the basics of NetBSD\’s package manager, pkgsrc. Answers to your emails and the latest headlines, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD 11 goals and discussion

• Something that actually happened at BSDCan this year…
• During the FreeBSD devsummit, there was some discussion about what changes will be made in 11.0-RELEASE
• Slides from Dev Summit
• Some of MWL\’s notes include: the test suite will be merged to 10-STABLE, more work on the MIPS platforms, LLDB getting more attention, UEFI boot and install support
• A large list of possibilities was also included and open for discussion, including AES-GCM in IPSEC, ASLR, OpenMP, ICC, in-place kernel upgrades, Capsicum improvements, TCP performance improvements and A LOT more
• There\’s also some notes from the devsummit virtualization session, mostly talking about bhyve
• Lastly, he also provides some notes about ports and packages and where they\’re going

An SSH honeypot with OpenBSD and Kippo

• Everyone loves messing with script kiddies, right?
• This blog post introduces Kippo, an SSH honeypot tool, and how to use it in combination with OpenBSD
• It includes a step by step (or rather, command by command) guide and some tips for running a honeypot securely
• You can use this to get new 0day exploits or find weaknesses in your systems
• OpenBSD makes a great companion for security testing tools like this with all its exploit mitigation techniques that protect all running applications

NetBSD foundation financial report

• The NetBSD foundation has posted their 2013 financial report
• It\’s a very \”no nonsense\” page, pretty much only the hard numbers
• In 2013, they got $26,000 of income in donations
• The rest of the page shows all the details, how they spent it on hardware, consulting, conference fees, legal costs and everything else
• Be sure to donate to whichever BSDs you like and use!

Building a fully-encrypted NAS with OpenBSD

• Usually the popular choice for a NAS system is FreeNAS, or plain FreeBSD if you know what you\’re doing
• This article takes a look at the OpenBSD side and explains how to build a NAS with security in mind
• The NAS will be fully encrypted, no separate /boot partition like FreeBSD and FreeNAS require – this means the kernel itself is even protected
• The obvious trade-off is the lack of ZFS support for storage, but this is an interesting idea that would fit most people\’s needs too
• There\’s also a bit of background information on NAS systems in general, some NAS-specific security tips and even some nice graphs and pictures of the hardware – fantastic write up!

Interview – Brian Callahan & Aaron Bieber – admin@lists.nycbug.org & admin@cobug.org

Forming a local BSD Users Group

Tutorial

The basics of pkgsrc

News Roundup

FreeBSD periodic mails vs. monitoring

• If you\’ve ever been an admin for a lot of FreeBSD boxes, you\’ve probably noticed that you get a lot of email
• This page tells about all the different alert emails, cron emails and other reports you might end up getting, as well as how to manage them
• From bad SSH logins to Zabbix alerts, it all adds up quickly
• It highlights the periodic.conf file and FreeBSD\’s periodic daemon, as well as some third party monitoring tools you can use to keep track of your servers

Doing cool stuff with OpenBSD routing domains

• A blog post from our viewer and regular emailer, Kjell-Aleksander!
• He manages some internally-routed IP ranges at his work, but didn\’t want to have equipment for each separate project
• This is where OpenBSD routing domains and pf come in to save the day
• The blog post goes through the process with all the network details you could ever dream of
• He even named his networking equipment… after us

LibreSSL, the good and the bad

• We\’re all probably familiar with OpenBSD\’s fork of OpenSSL at this point
• However, \”for those of you that don\’t know it, OpenSSL is at the same time the best and most popular SSL/TLS library available, and utter junk\”
• This article talks about some of the cryptographic development challenges involved with maintaining such a massive project
• You need cryptographers, software engineers, software optimization specialists – there are a lot of roles that need to be filled
• It also mentions some OpenSSL alternatives and recent LibreSSL progress, as well as some downsides to the fork – the main one being their aim for backwards compatibility

PCBSD weekly digest

• Lots going on in PCBSD land this week, AppCafe has been redesigned
• The PBI system is being replaced with pkgng, PBIs will be automatically converted once you update
• In the more recent post, there\’s some further explanation of the PBI system and the reason for the transition
• It\’s got lots of details on the different ways to install software, so hopefully it will clear up any possible confusion
• Working on adding support for FDE with GELI using GRUB for 10.0.2
• Any devs who can grock the GRUB geli code are welcome to contact Kris

Feedback/Questions

• Antonio writes in
• Daniel writes in
• Sean writes in
• tsyn writes in
• Chris writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Michael Lucas will be giving a live presentation next Tuesday, \”Beyond Security: Getting to Know OpenBSD’s Real Purpose\” so be sure to catch that
• Preorders for the book of PF\’s third edition are up
• We got a picture of a bunch of old FreeBSD CDs
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post A BUG's Life | BSD Now 38 first appeared on Jupiter Broadcasting.

The long-awaited meetup is finally happening on today\’s show. We\’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he\’s been up to and what the future of BSD advocacy looks like. After that, we\’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We\’ve got answers to user-submitted questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD and OpenBSD in GSOC2014

• The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
• Both FreeBSD and OpenBSD were accepted, and we\’d love for anyone listening to check out their GSOC pages
• The FreeBSD wiki has a list of things that they\’d be interested in someone helping out with
• OpenBSD\’s want list was also posted
• DragonflyBSD and NetBSD were sadly not accepted this year

Yes, you too can be an evil network overlord

• A new blog post about monitoring your network using only free tools
• OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
• It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
• There\’s also details about flowd and nfsen, more great tools to make network monitoring easy
• If you\’re listening, Peter… stop ignoring our emails and come on the show! We know you\’re watching!

BSDMag\’s February issue is out

• The theme is \”configuring basic services on OpenBSD 5.4\”
• There\’s also an interview with Peter Hansteen
• Topics also include locking down SSH, a GIMP lesson, user/group management, and…
• Linux and Solaris articles? Why??

Changes in bcrypt

• Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
• There is a bug in bcrypt when hashing long passwords – other OSes need to update theirs too! (FreeBSD already has)
• \”The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor \’b\’.\”
• As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
• Lots of specifics in the email, check the full post

This episode was brought to you by

Interview – Will Backman – bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

• Xorg has long since required root privileges to run the main server
• With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
• Now you can set the \”machdep.allowaperture\” sysctl to 0 and still use a GUI

OpenSSH 6.6 CFT

• Shortly after the huge 6.5 release, we get a routine bugfix update
• Test it out on as many systems as you can
• Check the mailing list for the full bug list

Creating an OpenBSD USB drive

• Since OpenBSD doesn\’t distribute any official USB images, here are some instructions on how to do it
• Step by step guide on how you can make your very own
• However, there\’s some recent emails that suggest official USB images may be coming soon… oh wait

PCBSD weekly digest

• New PBI updates that allow separate ports from /usr/local
• You need to rebuild pbi-manager if you want to try it out
• Updates and changes to Life Preserver, App Cafe, PCDM

Feedback/Questions

• espressowar writes in: https://slexy.org/view/s2JpJ5EaZp
• Antonio writes in: https://slexy.org/view/s2QpPevJ3J
• Christian writes in: https://slexy.org/view/s2EZLxDfWh
• Adam writes in: https://slexy.org/view/s21gEBZbmG
• Alex writes in: https://slexy.org/view/s2RnCO1p9c

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We especially want to hear some tutorial ideas that you guys would like to see, so let us know
• Also, if you\’re a NetBSD or DragonflyBSD guy listening, we want to talk to you! We\’d love more interviews related to those, whether you\’re a developer or not
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post BSD Now vs. BSDTalk | BSD Now 27 first appeared on Jupiter Broadcasting.

A lot’s happened over our holiday break, we’ll round up the critical revelations in the NSA spying programs, and the major legal challenges the NSA is facing.

Then: On January 1st 2014 recreational cannabis stores open their doors in Colorado, and sparked interest around the world. We’ll check in on the first few days of making history.

Now the national debate has started, and the pundits take to the air to weigh in, but their analysis misses the target.

Plus live calls, our follow up, and much much more.

On this week’s Unfilter.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —

NSA is CRAZY

• Senator presses NSA to reveal whether it spies on members of Congress | World news | theguardian.com

Sanders, in a letter dated 3 January, defined “spying” as “gathering metadata on calls made from official or personal phones, content from websites visited or emails sent, or collecting any other data from a third party not made available to the general public in the regular course of business”.

• NSA exploring alternatives to holding database of domestic phone records

The NSA’s director, Gen. Keith Alexander, told the advisory panel, the Review Group on Intelligence and Communications Technologies, that the “NSA itself has seriously considered moving to a model in which the data are held by the private sector.” But, according to a review group member, Alexander told the group that “no one else wanted it — especially not the phone companies.” Alexander, the member said, “described it as a ‘bit of a hot potato.’ ”

• ACLU will appeal ruling that NSA bulk phone record collection is legal

As expected, on Thursday the ACLU filed notice that it will appeal Pauley’s decision before the second circuit court of appeals. The civil liberties group said in a statement that it anticipates making its case before the appellate court in the spring.

“The government has a legitimate interest in tracking the associations of suspected terrorists, but tracking those associations does not require the government to subject every citizen to permanent surveillance,” deputy ACLU legal director Jameel Jaffer said in the statement.

– Thanks for Supporting Unfilter –

This Week’s New Supporters:

• Kyle T

• Markus Z

• david

• Matt B

• Emil J

• Matthew L

• Russell W

• Phillip O

• Duncan D

• Brian W

• chad

• Paul H

• James T

• Aaron C

• Jeff J

• Brian H

• Susan R

• Thomas P

• Thanks to our 314 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience. ‘

• Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

• Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.

Devil Weed Takes Root in America

• Colorado Recreational Marijuana Sales Exceed $5 Million In First Week

Owners of the 37 new dispensaries around the state reported first week retail sales to The Huffington Post that, when added together, were roughly $5 million.

Prices also were boosted by the state’s 25 percent tax on retail purchases, including a 15 percent excise tax and a 10 percent sales tax. Voters approved the levy in November. Local taxes can add more to what customers pay.

• Colorado is running low on (legal) marijuana – The Margin – MarketWatch

Six days after sales became legal, stores are rationing how much they sell, and a company that makes cannabis-infused sparkling fruit drinks, chocolates, mints and more ran out of supplies in just three days, Denver’s local ABC affiliate reported. Among retailers, Lodo Wellness Center in downtown Denver, for example, is limiting customers to an eighth of an ounce, or one-eighth of what they can legally buy, it said.

The ArcView Group, which matches marijuana entrepreneurs and investors, has estimated the legalized pot market in the U.S. could reach $10.2 billion over the next five years, from $1.44 billion last year, as other states join Colorado and Washington in legalizing recreational marijuana use.

The Money Problem

• “People think we all became millionaires,” Ortega said. “But as a business owner, I can’t write anything off for the last three years.”

Still, the federal prohibition means banks won’t accept marijuana businesses for traditional bank accounts, and retailers said they can’t take advantage of traditional business tax writeoffs.

• “Absurd on every single level”: How the feds may be crippling the legal pot industry

Financial institutions don’t want to run afoul of the Anti-Money Laundering Act, which can charge fines of up to $500,000 per transaction for working with companies who sell illegal products. Though Colorado and Washington have been cleared for adult recreational use sales, and 21 states (plus the District of Columbia) have legalized pot for medicinal use, marijuana remains illegal under the federal Controlled Substances Act. Even a state-owned bank, which one Washington lawmaker has proposed, would have to abide by federal banking laws. The discrepancy between state and federal law puts financial institutions at risk of money laundering prosecution, and they want precise assurances before assuming that risk. “They want the safe harbor to be so abundantly clear,” said Rep. Heck.

The irony here is rich. A year ago, British-based bank HSBC was fined $1.9 billion for actual money laundering for Mexican drug cartels, suspected of killing thousands of innocent civilians. HSBC had no problem doing very profitable business with the illegal drug trade, and they basically got away with it, with no criminal prosecution and a paltry fine. But in Washington and Colorado, you have legal businesses operating within state law, and no bank will touch them. “I guess they don’t think we’re big enough dollar-wise for them to risk it,” said Alex Cooley of Solstice. “But it’s crazy, in Washington, Bank of America is the state bank. They’ll take our tax revenue from the state but they won’t take our money.”

The Legalization Trend

• Bill Aims For Tennessee To Legalize Medical Marijuana
• Agencies prepare for new Illinois medical marijuana law
• The Future Of Legal Weed Is Bright. Here’s Where It’s Headed Next

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Connect with Chase

The post Sky “High” Sales | Unfilter 80 first appeared on Jupiter Broadcasting.

Declassified documents today reveal the NSA has intentionally abused their surveillance program, and retained data on US citizens despite a court order. All this as more details emerge about how the NSA collects nearly 75% of all US Internet traffic

David Miranda Glenn Greenwald’s partner was held for nine hours under an Orwellian anti-terrorism law. They confiscated his equipment, and questioned him about the Guardian’s reporting of the Snowden Leaks.

Plus we follow the money in Egypt, your feedback, and much much more.

On this week’s Unfilter.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

— Show Notes —

Glenn Greenwald’s partner detained at Heathrow airport for nine hours

• Glenn Greenwald’s partner detained at Heathrow airport for nine hours | World news | The Guardian

The 28-year-old was held for nine hours, the maximum the law allows before officers must release or formally arrest the individual. According to official figures, most examinations under schedule 7 – over 97% – last less than an hour, and only one in 2,000 people detained are kept for more than six hours.

Miranda was released, but officials confiscated electronics equipment including his mobile phone, laptop, camera, memory sticks, DVDs and games consoles.

• David Miranda’s lawyers apply for interim injunction over seized data | World news | theguardian.com

The London law firm Bindmans will present Miranda’s case for the injunction before two high court judges, arguing that the Metropolitan police misused schedule 7 of the Terrorism Act 2000.

• US doesn’t know what Snowden took, sources say – Investigations

More than two months after documents leaked by former contractor Edward Snowden first began appearing in the news media, the National Security Agency still doesn’t know the full extent of what he took, according to intelligence community sources, and is “overwhelmed” trying to assess the damage.

– Thanks for Supporting Unfilter –

This Week’s New Supporters:

• David P
• Kim J
• Jason T
• Quentin B
• Ben D
• Alexander S
• Josef D
• Sean from T-Town

• Thanks to our 162 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

NSA is CRAZY

• New Details Show Broader NSA Surveillance Reach – WSJ.com

The system has the capacity to reach roughly 75% of all U.S. Internet traffic in the hunt for foreign intelligence, including a wide array of communications by foreigners and Americans. In some cases, it retains the written content of emails sent between citizens within the U.S. and also filters domestic phone calls made with Internet technology

• New Details Show Broader NSA Surveillance Reach Infograph

• NSA gathered thousands of Americans’ e-mails before court struck down program

The 86-page opinion, which was declassified by U.S. intelligence officials Wednesday, explains why the chief judge of the Foreign Intelligence Surveillance Court ruled the collection method unconstitutional. The judge, John D. Bates, found that the government had “advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court had been led to believe.”

Under the program, the NSA for three years diverted large volumes of international data passing through fiber-optic cables in the United States into a repository where the material could be stored temporarily for processing and for the selection of foreign communications, rather than domestic ones. But in practice, the NSA was unable to filter out the communications between Americans.

According to NSA estimates, the agency may have been collecting as many as 56,000 “wholly domestic” communications each year.

Bradley Manning Gets 35

• WikiLeaks trial: Bradley Manning shows no reaction to prison sentence – latimes.com

Wednesday morning and was sentenced to 35 years in prison for leaking hundreds of thousands of classified documents to the anti-secrecy group WikiLeaks.

Manning, who could have been sentenced to 90 years, stood at attention and showed no emotion as the military judge, Army Col. Denise Lind, delivered the sentence. As soon as Lind left the bench, Army guards quickly rushed Manning out of the courtroom.

“We’ll keep fighting for you Bradley!” shouted half a dozen Manning supporters among the 45 spectators in the courtroom. “You’re our hero!”

That short scene, lasting no more than two minutes, ended more than three years of legal jousting and a summer-long court-martial that highlighted the growing national debate about government secrecy.

• WikiLeaks soldier Manning sentenced to 35 years in prison | Reuters

“It’s more than 17 times the next longest sentence ever served” for providing secret material to the media, Goitein said. “It is in line with sentences for paid espionage for the enemy.”

Following the Money Flowing to Egypt

• Where U.S. aid to Egypt goes

The money is deposited into an account at the Federal Reserve Bank of New York, which Egypt can access to make payments on long-term contracts it signs with defense companies. The U.S. government is a co-signer on the contracts, guaranteeing the payments will be made. If aid to Egypt is suspended, the U.S. government could still be responsible for the deals Egypt has made so far, according to a Congressional Research Service report.

• Point-Counterpoint Cut off aid to Egypt – and to Israel | National Columnists | ADN.com

Since July 3, the Israeli government has lobbied U.S. officials not to cut off aid to Egypt.

• Top 10 US companies profiting from military aid to Egypt

US defense contractors profiting from military aid to Egypt

Feedback:

Bitmessage Address: BM-GuQ4gqmBeW8CYpSo3Htg2pBrBdHbvpe7

• Ashamed of the British Goverment
• Some local information about the Detroit Bankruptcy

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Connect with Chase

The post 75% of the Internet | Unfilter 64 first appeared on Jupiter Broadcasting.

Extending your office LAN for remote office workers, monitoring the monitoring service, and Zynga\’s embarrassing Apache error.

Plus a HUGE batch of your questions, our answers, and much much more!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! Get private registration FOR FREE with a .COM! code: free5
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Show Notes:

Monitoring the Monitors

• An interesting short article from USENIX that raises the question of how do you monitor your monitoring system?
• The article breaks the monitor monitoring systems down based on their features:
• Automated vs. manual execution
• Automated vs. manual response
• Destructive vs. non-destructive response
• Monitoring vs. monitoring of notification services
• For example, a “dead-man switch” is an example of an automated execution (releasing the trigger happens automatically), automatic response (no other action is required to cause the response) and is generally destructive
• Another complication of monitoring systems is how do you monitor the notification service?
• If the sysadmin gets notified that a service is down via text message, how do you ensure they actually got the text message?
• One solution mentioned in the article is sending a text message to the on-duty admin at the start of each ‘shift’. If they do not get this message, they know something is wrong and investigate
• A better solution to this may be a similar alert that they must acknowledge it, possible before the off-going sysadmin is allowed to leave
• It is quite possible to ‘miss’ an event, especially when it becomes routine. If you get a text message every morning at 9am, would you notice if you didn’t get it one day?
• Instead, what if the text message contained a URL you had to visit in order to acknowledge the message, else the alert would repeat and eventually escalate

A Secure Processor Architecture

• A system designed to prevent someone with access to a system from determining what other operations are happening on that system
• Seems relevant to our previous discussion about how from inside one VM you could collect enough data to disclose the private encryption keys of another VM running on the same physical hardware
• The described system, ‘Ascend’ features ‘Obfuscated Instruction Execution’ and ‘Oblivious RAM’

Zynga directs support inquiries to a random stranger

• When Zynga users were confronted with an HTTP Error 500 page from the fb.themepark.zynga.com server, it told them to email someone @themepark.com which they did not actually own
• It appears Zynga uses Apache as their web server (no wonder they were throwing 500 errors under load), and had misconfigured the ‘ServerAdmin’ directive, so the error pages contained this incorrect email address
• The unfortunate recipient of emails from many whiny facebook gamers complained to Zynga, but got no response
• So he decided to have some fun with it, and wrote back responses trolling the users
• “I know that For Canada Day, the engineering department wraps the .ca servers in Canadian flags, and then sets a plate of poutine on top. This sometimes can cause the server to overheat, and sometimes even get gravy into the login/logout module.”

Feedback:

[asa]B008U5ZNIG[/asa]

• Michael asks about setting up a VPN for remote office workers
• Requires the pfSense ‘tap fix’, install it from the pfSense packages menu

• OpenVPN Bridge Mode How-To for pfSense

• Virtual Box / VmWare images

• How do you direct pfsense to direct packets sent to the gateway back to the local subnet?

• pfSense Performance Issue Followups

• Router DNS Caching?

• What is some advice you can give people starting out as a contractor or service provider?

• What is your backup?

• Secure lan messaging server

• First FreeBSD Desktop Questions

• Follow up on FreeBSD Media Server

Roundup:

• McAfee report: Average firm takes 10 hours to detect a securit breach
• Security update regarding your Ubisoft account – please create a new password
• Problem with Android digital signature checking means all android devices will accept a maliciously modified package as being unmodified
• Nginx just became the most used web server among the top 1000 websites
• California’s Attorney General wants to crack down on companies that do not encrypt data
• DecryptoCat – TobTu
• What can you learn about someone from 6 months worth of ‘metadata’
• Mastercard and Visa Start Banning VPN Providers
• Alcatel Lucent develops first gigabit DSL

The post Who Watches the Monitors | TechSNAP 117 first appeared on Jupiter Broadcasting.

In just the last week the situation in Cyprus has gone from outrageous to disastrous. We’ll break it down, and discuss the impacts the world changing event could have on the global economy.

And – Did you know the Internet is currently undergoing the “largest attack in history” that’s according to the BBC, and why the FBI has disclosed Real-Time Gmail Spying Powers as a “Top Priority” for 2013.

Plus Mayor Bloomberg begins personally financing a $12 Million Dollar Ad Campaign for Gun Checks, our follow up, your feedback, and much much more.

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

HD Feed | Mobile Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter Supporter:

Pay With Bitcoin

— Show Notes —

Global internet slows after “biggest attack in history”

• BBC News – Global internet slows after ‘biggest attack in history’

The internet around the world has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.

• Cyberattack on anti-spam group Spamhaus has ripple effects

Spam-fighting organization Spamhaus said Wednesday that it had been buffeted by a massive distributed denial-of-service (DDoS) attack since mid-March, apparently from groups angry at being blacklisted by the Geneva-based group.

“It is a small miracle that we’re still online,” Spamhaus researcher Vincent Hanna said in an interview.

FBI Pursuing Real-Time Gmail Spying Powers as “Top Priority” for 2013

• Andrew Weissmann: FBI wants real-time Gmail, Dropbox spying power.

That’s because a 1994 surveillance law called the Communications Assistance for Law Enforcement Act only allows the government to force Internet providers and phone companies to install surveillance equipment within their networks. But it doesn’t cover email, cloud services, or online chat providers like Skype. Weissmann said that the FBI wants the power to mandate real-time surveillance of everything from Dropbox and online games (“the chat feature in Scrabble”) to Gmail and Google Voice. “Those communications are being used for criminal conversations,” he said.

Mayor Bloomberg Unveils $12 Million Ad Campaign for Gun Checks

• Mayor Bloomberg, NRA, gun legislation – latimes.com

New York Mayor Michael R. Bloomberg, a fierce proponent of restrictions on firearms, said he will bankroll a $12-million TV advertising blitz in 13 states to pressure individual senators from both parties during the two-week congressional recess.

Thanks for Supporting Unfilter:

Make Good: Sorry if we gave the wrong impression about ‘MERICA raw-dogging it in Iraq.

• US news media has devolved to ‘carnival act’

Chris Hedges, author, columnist and former Pulitzer-Prize winning journalist for The New York Times spoke with RT about how FCC deregulation during the Clinton administration allowed a handful of corporations to dominate US media.

Thanks to

• Damon L
• Trevor J
• Benjamin M
• Richard G – Who nailed the last $7.99 for now!
• Rusty switched to bitcoins, tip of the hat to our first bitcoin supporter!

• Thanks to our 59 Unfilter supporters!

• Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

Cyprus’ Gone Wild

• Cyprus controls expected to hit foreign transactions

With banks due to reopen on Thursday after nearly two weeks, Finance Minister Michael Sarris said capital controls will be “within the realms of reason” and a business leader said he had been told they would affect only international transactions.

• Cypriot Youth Rise Up In Pictures: “They Just Got Rid Of All Our Dreams”

They’ve just gotten rid of all our dreams, everything we’ve worked for, everything we’ve achieved up until now, what our parents have achieved,"

• Cyprus central bank ousts CEO of troubled Bank of Cyprus

CEO Yiannis Kypri said he was summoned to the Central Bank early on Wednesday and asked to submit his resignation.

“The reason I was given was that, based on the resolution decree recently passed by parliament and upon demands of the troika, an administrator had been appointed at the Bank,” Kypri said in a written statement.

• Have The Russians Already Quietly Withdrawn All Their Cash From Cyprus?

No one knows exactly how much money has left Cyprus’ banks, or where it has gone. The two banks at the centre of the crisis – Cyprus Popular Bank, also known as Laiki, and Bank of Cyprus – have units in London which remained open throughout the week and placed no limits on withdrawals. Bank of Cyprus also owns 80 percent of Russia’s Uniastrum Bank, which put no restrictions on withdrawals in Russia. Russians were among Cypriot banks’ largest depositors.

• Russia Loses Out as Cyprus Reaches Deal

“I think the Russians were understandably disappointed with this turn of events. They have had a long, successful and happy history and association and this has come partly as a shock despite the fact that many of these things had been rumored,” Cyprus’ finance minister, Michael Sarris, said early on Monday in Brussels.

• Europe threatens Cyprus with bankruptcy in power struggle with Russia

On Thursday the European Central Bank told Cyprus yesterday to find funding to secure a €10 billion ($12.9 billion) European Union (EU) bailout by Monday, or face a cut-off of ECB credit and the bankruptcy of Cyprus’ banks and government.

• The Cypriot government should instead have learned from Iceland

The Cypriot government should instead have learned from Iceland: taken over the banks, isolated the bad loans, protected deposits, imposed losses on the wealthy, and used a publicly owned banking sector to rebuild the domestic economy. That would have offered its citizens a better future, almost certainly outside the eurozone. But it would have also encroached on private capital’s privileges and clearly couldn’t be tolerated.

• Protests in Cyprus over bailout deal – YouTube

Protests have followed the agreement which called for Popular Bank, the country’s second biggest bank, to be closed down and the imposition of austerity measures.

US’ System Setup to Protect the Bankers?

• SEC Nom’s HUGE Conflict of Interest – Protect The Bankers? – YouTube

U.S. attorney nominated by President Barack Obama to lead the SEC. Her financial disclosures say that upon leaving New York-based Debevoise & Plimpton LLP, the law firm will give her $42,500 a month in retirement pay for life, or more than $500,000 a year."*

Mary Jo White, Obama’s nominee who will likely be confirmed as head of the SEC- the government agency in charge of regulating the banks- may not have the people’s best interests at hand. She’ll be paid a “retirement for life” from her former white-collar defense law firm that defends bankers.

China’s navy holds landing exercises near disputed islands

• China navy seeks to wear out Japanese ships in disputed waters

“The operational goal in the East China Sea is to wear out the Japanese Maritime Self Defence Force and the Japan Coast Guard,” said James Holmes, a maritime strategy expert at the Newport, Rhode Island U.S. Naval War College.

• China’s navy holds landing exercises near disputed islands

China’s increasingly powerful navy paid a symbolic visit to the country’s southernmost territorial claim deep in the South China Sea this week as part of military drills in the disputed Spratly Islands involving amphibious landings and aircraft.

• Chinese navy exercises ‘surprise’ neighbours – YouTube

Military tension is rising elsewhere in Asia. A Chinese naval taskforce has reached the southernmost part of the South China Sea, which it claims as its own – to the annoyance of neighbouring nations.

Fed pushes big bro drones despite public outcry in US

• Smile & Wave! Fed pushes big bro drones despite public outcry in US – YouTube

It appears the sky is the limit for U.S. law enforcement, with aerial surveillance drones set to be used domestically. But Capitol Hill has met some firm resistance to the plans. RT’s Gayane Chichyakyan reports on the attempts to fight back against the federal project.

Feedback:

• zSpaceman Updates His Bingo Board Even Better for Printing!

• With new high tech color technlogy

• Black and White

• For Chase – Peter Griffin – You know what really grinds my gears?

• Thanks to Joel who also emailed in a clip!

• Kicking out the UN Inspectors was all Bush Needed

• IRS Star Trek Parody… WTF Guys?

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow the Us:

• Unfilter on Reddit
• Chris on Twitter
• Chase’s Geek and Gaming Network
• Chase on Twitter

The post Cyprus Gone Wild | Unfilter 43 first appeared on Jupiter Broadcasting.

Monitor the end of the world from your Linux box. This week, we’ll show you how easy it can be to setup fully automated monitoring using Nagios and some easy to use front-end tools.

Plus Mozilla’s big online gaming play, XBMC on Android, and Microsoft’s real market share.

And so much more!

All this week on, The Linux Action Show!

Use our code linux295 to get a .COM for $2.95.

$4.99 SSL certificates, just use our code 499ssl3.

Expires 12-31-12!

BONOUS ROUND PROMO:

Save 20% off your order!
Code: go20off6

Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show: