OSX – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand.

Teeny Weeny DNS Server | TechSNAP 329
https://original.jupiterbroadcasting.net/116921/teeny-weeny-dns-server-techsnap-329/
Tue, 25 Jul 2017 22:27:15 +0000

The post Teeny Weeny DNS Server | TechSNAP 329 first appeared on Jupiter Broadcasting.
Show Notes:

How I tricked Symantec with a Fake Private Key

  • If true, not very good.

  • The Baseline Requirements – a set of rules that browsers and certificate authorities agreed upon – regulate this and say that in such a case a certificate authority shall revoke the key within 24 hours (Section 4.9.1.1 in the current Baseline Requirements 1.4.8).

  • I registered two test domains at a provider that would allow me to hide my identity and not show up in the whois information. I then ordered test certificates from Symantec (via their brand RapidSSL) and Comodo.

  • Comodo didn’t fall for it. They answered me that there is something wrong with this key. Symantec however answered me that they revoked all certificates – including the one with the fake private key.

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

  • Fair warning: blog post is from 2015, but with Let’s Encrypt all around us, I think this is relevant now.

  • “Tony Finch has created a gem of a utility called nsnotifyd. It’s a teeny-tiny DNS “server” which sits around and listens for DNS NOTIFY messages which are sent by authority servers when they instruct their slaves that the zone has been updated and they should re-transfer (AXFR / IXFR) them. As soon as nsnotifyd receives a NOTIFY, it executes a shell script you provide.”

  • official repo

  • nsnotifyd on GitHub

  • man 1 nsnotifyd

  • man 1 nsnotify

  • man 4 metazone

New details emerge on Fruitfly, highly-invasive Mac malware

  • Mysterious Mac Malware Has Infected Victims for Years

  • The recently discovered Fruitfly malware is a stealthy, but highly-invasive, malware for Macs that went undetected for years. The controller of the malware has the capability to remotely take complete control of an infected computer — files, webcam, screen, keyboard and mouse.

  • Apple released security patches for Fruitfly earlier this year, but variants of the malware have since emerged. The core of the malware is an obfuscated perl script using antiquated code, with indicators in the code that suggest the malware may go back almost half a decade or more, the security firm said.

  • Wardle said based on the target victims, the malware is less likely run by a nation state attacker, and more likely operated by a single hacker “with the goal to spy on people for perverse reasons.” He wouldn’t say how many were affected by the malware, but suggested it wasn’t widespread like other forms of malware.


Leaky RSA Keys | TechSNAP 231
https://original.jupiterbroadcasting.net/87466/leaky-rsa-keys-techsnap-231/
Thu, 10 Sep 2015 05:03:52 +0000

The post Leaky RSA Keys | TechSNAP 231 first appeared on Jupiter Broadcasting.

Red Hat highlights how leaky many open source RSA implementations are, Netflix releases Sleepy Puppy & the Mac is definitely under attack.

Plus some quick feedback, a rockin’ roundup & much, much more!

— Show Notes: —

Netflix releases new open source security tool, Sleepy Puppy

  • Sleepy Puppy is a delayed XSS (Cross-Site Scripting) vulnerability scanner
  • In a typical XSS scan, an attacker (or the scanner program) attempts to send a script as part of some user input (a comment on a blog, for example, or a URL variable). This content is then shown to that user and, often, to other users. If I can make a bit of my JavaScript run on your computer when you visit someone else’s site, I have achieved XSS
  • There are a number of scanners out there; they “fuzz test” all of the inputs and variables they can find, and attempt to get some code they submit returned to them
  • This new tool from Netflix addresses second-level vulnerabilities, and beyond
  • What if an attacker injects the code on the website, and the website mitigates this, but some other application, internal or public facing, also uses the data from the database and ends up being vulnerable to the XSS?
  • Sleepy Puppy is a “XSS payload management framework”, it generates unique code snippets for each injection, so that when a successful XSS happens, it can be tracked back to its source, even if that is outside of the application where the exploit took place
  • “Delayed XSS testing is a variant of stored XSS testing that can be used to extend the scope of coverage beyond the immediate application being tested. With delayed XSS testing, security engineers inject an XSS payload on one application that may get reflected back in a separate application with a different origin.”
  • “Here we see a security engineer inject an XSS payload into the assessment target (App #1 Server) that does not result in an XSS vulnerability. However, that payload was stored in a database (DB) and reflected back in a second application not accessible to the tester. Even though the tester can’t access the vulnerable application, the vulnerability could still be used to take advantage of the user. In fact, these types of vulnerabilities can be even more dangerous than standard XSS since the potential victims are likely to be privileged types of users (employees, administrators, etc.)”
  • Sleepy Puppy ships with a default set of assessments included, so it is ready to use out of the box

Researchers announce new iOS vulnerability: brokenchain

  • The vulnerability allows a piece of malware to access the keychain in iOS, and copy your saved passwords and other secret keys
  • These keys can then be exfiltrated via SMS, HTTP, etc.
  • When the malware attempts to access the keychain, iOS presents a dialog asking the user to allow or deny the action, but the malware can simulate a tap on the screen and accept the dialog
  • Further, some malware seems to be able to cause the popup to appear off screen, so the user never even sees it
  • “Special-crafted commands can be triggered by malware — or even an image or video — which causes OS X to display a prompt to click an Allow button. But rather than relying on users clicking on a button that appears unexpectedly, the button is displayed very briefly off the edge of the screen or behind the dock, and is automatically pressed using a further command. It is then possible to intercept a user’s password and send it to the attacker via SMS or any other means.”
  • “Apple has been told about the vulnerability. The company has not only failed to issue a fix yet, but has not even responded to Jebara and Rahbani.”
  • Ars Technica found that parts of the vulnerability have existed since 2011, and have been used actively
  • “DevilRobber, the then new threat caught the attention of security researchers because it commandeered a Mac’s graphics card and CPU to perform the mathematical calculations necessary to mine Bitcoins, something that was novel at the time. Less obvious was the DevilRobber’s use of the AppleScript programming language to locate a window requesting permission to access the Keychain and then simulate a mouse click over the OK button.”
  • “The same technique was being used by the Genieo adware installer to gain access to a Safari extensions list that’s protected inside the Mac Keychain.”
  • The same day, another group of researchers independently found the same vulnerability
  • Windows UAC has a bunch of defenses against users accidentally accepting, or malware auto-clicking, the authorization popups. Maybe we need the same in mobile OSes
  • “Mac users should remember that the technique works only when invoked by an application already installed on their systems. There is no evidence the technique can be carried out through drive-by exploits or attacks that don’t require social engineering and end-user interaction. Still, the weakness is unsettling, because it allows the same app requesting access to the keychain to unilaterally approve it and to do so quickly enough for many users to have no idea what has happened. And by default, OS X will grant the access without requiring the user to enter a password. The Mac keychain is the protected place storing account passwords and cryptographic keys.”
  • Maybe the solution is to require the unlock code or password in order to authorize access to sensitive areas like the keychain
  • “I think that Apple needs to isolate that particular window,” Reed told Ars on Wednesday. “They need to pull that particular window out of the window list … in a way that an app can’t tell it’s on the screen and get its location.”

Factoring RSA keys with TLS Forward Secrecy

  • “Back in 1996, Arjen Lenstra described an attack against an optimization (called the Chinese Remainder Theorem optimization, or RSA-CRT for short). If a fault happened during the computation of a signature (using the RSA-CRT optimization), an attacker might be able to recover the private key from the signature (an “RSA-CRT key leak”). At the time, use of cryptography on the Internet was uncommon, and even ten years later, most TLS (or HTTPS) connections were immune to this problem by design because they did not use RSA signatures.”
  • “This changed gradually, when forward secrecy for TLS was recommended and introduced by many web sites.”
  • “We evaluated the source code of several free software TLS implementations to see if they implement hardening against this particular side-channel attack, and discovered that it is missing in some of these implementations. In addition, we used a TLS crawler to perform TLS handshakes with servers on the Internet, and collected evidence that this kind of hardening is still needed, and missing in some of the server implementations: We saw several RSA-CRT key leaks, where we should not have observed any at all.”
  • “An observer of the private key leak can use this information to cryptographically impersonate the server, after redirecting network traffic, conducting a man-in-the-middle attack. Either the client making the TLS handshake can see this leak, or a passive observer capturing network traffic. The key leak also enables decryption of connections which do not use forward secrecy, without the need for a man-in-the-middle attack. However, forward secrecy must be enabled in the server for this kind of key leak to happen in the first place, and with such a server configuration, most clients will use forward secrecy, so an active attack will be required for configurations which can theoretically lead to RSA-CRT key leaks.”
  • “Does this break RSA? No. Lenstra’s attack is a so-called side-channel attack, which means that it does not attack RSA directly. Rather, it exploits unexpected implementation behavior. RSA, and the RSA-CRT optimization with appropriate hardening, is still considered secure.”
  • While it appears that OpenSSL and NSS properly implement the hardening, some other products do not
  • It seems Red Hat discovered this issue some time ago, and reported it to a number of vendors
  • Oracle patched OpenJDK back in April
  • “None of the key leaks we observed in the wild could be attributed to these open-source projects, and no key leaks showed up in our lab testing, which is why this additional hardening, while certainly desirable to have, does not seem critical at this time.”
  • “Once the necessary data is collected, the actual computation is marginally more complicated than a regular RSA signature verification. In short, it is quite cheap in terms of computing cost, particularly in comparison to other cryptographic attacks.”
  • Then the most important question came up
  • “Does this vulnerability have a name? We think that “RSA-CRT hardening” (for the countermeasure) and “RSA-CRT key leaks” (for a successful side-channel attack) is sufficiently short and descriptive, and no branding is appropriate. We expect that several CVE IDs will be assigned for the underlying vulnerabilities leading to RSA-CRT key leaks. Some vendors may also assign CVE IDs for RSA-CRT hardening, although no key leaks have been seen in practice so far.”
  • Crypto Rundown, Hardened:
    • GnuPG
    • NSS
    • OpenSSL 1.0.1l
    • OpenJDK8 (after the April patch)
    • cryptlib (hardening disabled by default)
  • Unhardened:
    • GNUTLS (via libgcrypt and Nettle)
    • Go 1.4.1
    • libgcrypt (1.6.2)
    • Nettle (3.0.0)
    • ocaml-nocrypto (0.5.1)
    • OpenSwan (2.6.44)
    • PolarSSL (1.3.9)
  • Technical Record [PDF]
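
The RSA-CRT key leak and the hardening discussed in the notes above, as an added Python example (not code from the show notes or from Red Hat). The key is a constructed toy key built from two small Mersenne primes with no padding, the fault is simulated by flipping one bit, and all function names are hypothetical.

```python
"""RSA-CRT signing, one simulated fault, and verify-before-release hardening."""
import hashlib
from math import gcd

# Constructed toy key: two Mersenne primes, far too small for real use.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p, used for recombination


def digest(msg: bytes) -> int:
    """Toy message representative: SHA-256 reduced mod N (no padding scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign_crt(m: int, fault: bool = False) -> int:
    """Sign with the CRT optimization; fault=True corrupts the mod-q half."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1                      # simulated single-bit computation error
    h = (QINV * (sp - sq)) % P       # Garner recombination
    return (sq + h * Q) % N


def verify(m: int, s: int) -> bool:
    """Ordinary public-key verification: s^e mod N must equal m."""
    return pow(s, E, N) == m


def leaked_factor(m: int, s: int):
    """Check whether signature s on m discloses a prime factor of N.

    A signature that is right modulo one prime and wrong modulo the other
    makes s^e - m a multiple of exactly one prime, so the gcd with N is
    that prime. A valid signature gives gcd(0, N) = N, which leaks nothing.
    """
    g = gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None


def sign_crt_hardened(m: int, fault: bool = False) -> int:
    """RSA-CRT hardening: verify the result before it leaves the signer.

    On a mismatch this example recomputes without CRT; refusing to sign
    is an equally valid policy (the choice here is an assumption).
    """
    s = sign_crt(m, fault)
    if not verify(m, s):
        s = pow(m, D, N)
    return s


if __name__ == "__main__":
    m = digest(b"constructed ServerKeyExchange parameters")
    bad = sign_crt(m, fault=True)
    print("valid signature leaks:", leaked_factor(m, sign_crt(m)))
    print("faulty signature leaks p:", leaked_factor(m, bad) == P)
    print("hardened signer output verifies:", verify(m, sign_crt_hardened(m, fault=True)))
```

The same `leaked_factor` check can be run against signatures a server has already emitted to find out whether an unhardened implementation has been leaking.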

Lousy Lollipop Adoption | TTT 202
https://original.jupiterbroadcasting.net/86047/lousy-lollipop-adoption-ttt-202/
Wed, 05 Aug 2015 10:27:09 +0000

The post Lousy Lollipop Adoption | TTT 202 first appeared on Jupiter Broadcasting.

A fresh version of LibreOffice hits the web, another Flash attack in the wild, this one uses “malvertising”. What the heck is malvertising? We discuss.

Plus what the state of Android looks like in 2015, another OS X bug & more!

PowerSSHell | Tech Talk Today 178
https://original.jupiterbroadcasting.net/83182/powersshell-tech-talk-today-178/
Wed, 03 Jun 2015 10:19:56 +0000

The post PowerSSHell | Tech Talk Today 178 first appeared on Jupiter Broadcasting.

Microsoft announces support for SSH built into PowerShell, crashing Skype with a simple text chat, Tim Cook defends users’ rights to privacy and encryption & running OS X in VirtualBox.

Living The Linux Life | WTR 25
https://original.jupiterbroadcasting.net/81552/living-the-linux-life-wtr-25/
Wed, 06 May 2015 04:17:19 +0000

The post Living The Linux Life | WTR 25 first appeared on Jupiter Broadcasting.

Live from LFNW Scarlett Clark tells us about her work with KDE and Kubuntu!


Show Notes:

Full transcription of previous episodes can be found below or also at heywtr.tumblr.com

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: Angela, today we’re going to interview at Linux Fest Northwest live. We’re doing an interview with Scarlett Clark. She’s a developer on the KDE project and also works for Kubuntu.
ANGELA: But, before we get into the interview, I want to tell you about Patreon.com. You can go to patreon.com/jupitersignal to support Women’s Tech Radio and all the other shows on the Jupiter Broadcasting Network. Go to jupiterbroadcasting.com and see if there’s another show that you might want to listen to in addition to Women’s Tech Radio. Again, go to patreon.com/jupitersignal.
PAIGE: And we got started with this week’s episode by asking Scarlett what she does with KDE and Kubuntu.
SCARLETT: I am a developer for Kubuntu, so I do a lot of the packaging for the software applications for the user to be able to easily install and whatnot. And then, on the other side of the spectrum I created, wrote all the code to automate job creation and job building for KDE’s continuous integration system. Which, it builds the software packages and then test them to make sure that its functional. And then after they all turn green like they’re supposed to, they’re ready to release to distributions like Kubuntu. And I also went the extra step, and we now are testing for OS X and Windows will be coming next.
PAIGE: Oh, wow.
SCARLETT: Yeah, all the code is already in there. It’s just figuring — Windows is a little more complicated because getting dependencies, you can’t tell the continuous integration system to, hey go to this website, download this file, and use it as a dependency. So, it gets little more complicated, but once we sort that out Windows will also be supported with KDE software.
PAIGE: Wow, I had no idea you guys were going for that. That’s really awesome. Before you did this project was there not test coverage for KDE?
SCARLETT: They had a very old system and it was not reliable. And it was also — the job creation was all manual, and OS X and Windows were not supported.
PAIGE: That’s pretty deep in the weeds. Like building, testing, and all that jazz –
SCARLETT: Oh yes.
PAIGE: – for such a big, robust piece of software. Was that you just woke up one morning and decided to do? How did you end up where you are?
SCARLETT: No, actually, Valerie, the gal you just spoke to, they do this season of KDE and it generally targets students. Obviously, I’m not a student. But, this project didn’t have anybody grabbing on it and she just asked me, are you interested in Dev Ops. I’m like, I’m interested in everything. So, she introduced me to Ben Cooksy, the main sys admin guy, and got rolling. I had no idea what I was getting into when I got into it. So, I ended up learning Groovy, Python, and Java on the fly. I had taken a few classes, but that was years ago in university.
ANGELA: What had you done prior to that? Was anything prior to that technology related other than the several classes you mentioned?
SCARLETT: A long time ago I was IT.
ANGELA: Oh, okay.
SCARLETT: But I had not had any real world experience coding. So, this is my first real world experience coding and I love it.
PAIGE: So, you went from no coding to developing a new test suite for KDE?
SCARLETT: Yes, the back end.
PAIGE: So, how was that journey? How did you go through that? Because learning that many languages and that much theory on the fly –
SCARLETT: Yes. At first it was very overwhelming and I just stared at the blank sheet going, oh no. Oh no. But then, I just bits and pieces at a time and things started coming together, and then oh that makes sense. And then it just all came together. And then when the final result, we just went live two days ago and it was smooth.
PAIGE: How long did that project take for you?
SCARLETT: It was several months.
PAIGE: Wow, only months?
SCARLETT: Oh yeah.
PAIGE: Wow.
SCARLETT: Actually, yeah, I surprised a lot of people with how fast.
PAIGE: So, doing all that and learning all that, were there awesome resources that you were using? Was it the community? Did you have books that were –
ANGELA: Online courses?
SCARLETT: Google was good.
ANGELA: Yeah, I bet.
PAIGE: So, I have a lot of ladies who are trying to get in tech, and their biggest holdback is learning how to Google the right things. Did you find that was difficult at first, like knowing how to ask the right questions?
SCARLETT: I’ve been using Google since they were in the garage.
PAIGE: Nice, but asking the right tech question.
ANGELA: Yeah, like sometimes you don’t know what you don’t know.
SCARLETT: I know. That’s actually that you have to develop over time, because I’ve learned to figure out what to ask and how to ask it, and sometimes you don’t get it right the first time and you just have to reword it. That can be challenging. That is just it. When I first started the project I didn’t know what I was looking. So, I actually branched off in wrong directions at first. I had a few setbacks because I wanted to go be a docker, which is the new cool technology. But, it wasn’t — with the OS X and Windows, that ended up being wasted time, because you won’t get native builds, because Docker is Linux. That didn’t quite pan out, but it was fun learning.
PAIGE: Yeah, it’s always good to add new stack to your brain.
SCARLETT: Oh yeah. Yeah.
ANGELA: Yeah. Something will resonate and help you learn something else.
SCARLETT: Absolutely. Yeah.
PAIGE: So, tell me the story of why you were in IT before, and then you weren’t, and now you are again.
SCARLETT: That’s a story of — I had to give up my career to follow my husband to another state and I could not recover.
ANGELA: That’s too bad. Well, you have now.
SCARLETT: I have. Well, yes.
PAIGE: Was it really difficult for you diving back in afterwards, or did it just kind of re-spark that? We had a guest who talks about kind of the mental stimulation of being in this technical field.
SCARLETT: Yeah, I’ve been a Linux advocate/user since 1998. I have my big stack of Red Hat floppy disc. But I have always wanted to contribute, and I could never really find my way in. It’s a tight knit community. But I finally found my way in with Kubuntu and Jonathan Riddell. He just stepped up and, you want to learn how to package? I’m like, sure. He just showed me the ropes and I’ve just been riding the cloud since.
PAIGE: How did you get in touch with Jonathan? What was that?
SCARLETT: I knew Valerie from several mailing groups and stuff. She saw that I was doing documentation for KDE. Actually, an easy way in is doing documentation. And then she introduced me to Jonathan.
PAIGE: I think we have some people who are just getting started. What does doing documentation mean? What does that look like?
SCARLETT: The easiest way is to start with, like Wiki. It’s much simpler than Doc Books. You pretty much well have to know XML and the layout and everything. But Wiki is pretty much just plain text. You just find an app that you really love and just use it, and figure out — use cases of, well somebody might want to do this, and then you just instruct them how to do that and just build on it. That’s the easiest way to really get your foot in the door, and it’s pretty simple because you figure out ways that you use the application and then just write about it.
PAIGE: I think, especially as a newer user of an application, sometimes you have an even more valuable input for that.
SCARLETT: Oh yeah.
PAIGE: Because you have just learned it. You know where the pain points are.
ANGELA: Yes. That is, in my current conversion to Linux, it’s very refreshing for the Linux Action Show audience to hear this new user perspective.
SCARLETT: Yes, absolutely. And a lot of times, developers don’t even think of things that a user would try or want to do with their application, so it’s a good way to also give feedback to the developers. I worked on KMail documentation and there was a lot of things that I ran into. I would talk to the developer, how do you do this. And they’re like, oh, well I need to fix that. Thank you.
PAIGE: Did you find being primarily in open source that reaching out to the developer, that was actually a welcomed thing?
SCARLETT: Not generally, but with KDE they are surprisingly very open and very, very nice. I’ve just felt really at home with KDE. It’s been a nice breath of fresh air.
PAIGE: So, you know, don’t give up looking for the right community.
SCARLETT: You’ll find it. Yeah. I’ve been looking for a long time and I just stumbled into it and didn’t expect it.
ANGELA: So, are you from around here?
SCARLETT: I live in Portland, Oregon.
ANGELA: Okay. Do you always come to Linux Fest? And are there any other festivals that you go to?
SCARLETT: This is my first one, but I will be from now on coming to Linux Fest.
ANGELA: I know, isn’t it great?
SCARLETT: Yes, but I go to Academy each year, which is in various places in Europe. This year we’re going to Spain. And then in September I’ll be going into a Random meeting which is in Switzerland for KDE.
ANGELA: Great.
PAIGE: Awesome.
SCARLETT: Yeah, fun and exciting.
PAIGE: So, you’re in Portland. Is the rest of the KDE team in Portland?
SCARLETT: No, KDE is all around the world.
PAIGE: How do you guys work together? What kind of tools do you use to keep in touch?
SCARLETT: IRC.
PAIGE: IRC?
SCARLETT: Yeah, I live in IRC.
PAIGE: Do you use version control to work together?
SCARLETT: Git.
PAIGE: Git, which is, of course of Linux. Linus, thank you. What’s your stack of tools look like right now. I always like to find out what other developers are using.
SCARLETT: I use Eclipse because it’s the only good Groovy plugin that I could find. And I use KDevelop for the Python work.
PAIGE: And do you have a favorite hardware, like laptop, tablet that you’re into? Or because KDE is so nice and friendly it works on just about everything?
SCARLETT: Yeah, I have Kubuntu on my desktop, my laptop, and then my phone has, you know, Android.
ANGELA: Nice.
PAIGE: Very cool. So, I guess last question, what are you the most excited about, about what’s coming down the pipe for technology? Either with Linux or just with general stuff.
SCARLETT: We are going to be porting our apps on to Android, so that’s kind of big.
PAIGE: Oh wow, that’s exciting.
SCARLETT: That’s what the whole Switzerland trip is about.
PAIGE: Oh nice. Very cool. We’ll have to keep an eye on that. That will be great. KDE on your Android.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Don’t forget, you can email us, WTR@jupiterbroadcasting.com, or you can use the contact form that is over at jupiterbroadcasting.com.
PAIGE: Don’t forget to follow us on Twitter, @HeyWTR. You can also find us on iTunes or any of your other RSS feeds. The RSS feed is available on the website at jupiterbroadcasting.com. And if you have a minute, leave us a review or some feedback. We’d love to hear from you.

Transcribed by Carrie Cotter | transcription@cotterville.net

Nano Diet Windows | Tech Talk Today 159
https://original.jupiterbroadcasting.net/80662/nano-diet-windows-tech-talk-today-159/
Fri, 17 Apr 2015 10:42:18 +0000

The post Nano Diet Windows | Tech Talk Today 159 first appeared on Jupiter Broadcasting.

In Microsoft’s attempt to capitalize on container excitement they may be rushing to ship a subpar product. We’ll discuss the possible weakness of Windows Server’s Docker implementation.

Plus new interesting details turned up by the Sony Hack, a tip of the hat to John Siracusa’s OS X reviews & more!


Show Notes:

Microsoft Is Making a Stripped-Down Windows to Rival Linux | WIRED

Microsoft’s flagship operating system operates quite differently from Linux—which could be a problem as containers become the preferred way of computing in the cloud. But now, as so many others follow the lead of giants like Google and Twitter, Microsoft is reshaping Windows so that it doesn’t get left behind.

Wikileaks publishes hacked Sony emails, documents | ITworld

It’s made up of 173,132 emails and 30,287 documents, including some that contain highly personal information about Sony employees including home addresses, personal phone numbers and social security numbers.

After fifteen years, Ars says goodbye to John Siracusa’s OS X reviews | Ars Technica

For your reading enjoyment, here is the grand John Siracusa OS X Ars timeline:

Fanboys Stab Each Other Over Android vs Apple

“When police arrived at the apartment complex, they learned that the roommates had been drinking and arguing over their mobile phones,” KTUL Tulsa reports.

The Sociopath Code | CR 149
https://original.jupiterbroadcasting.net/80367/the-sociopath-code-cr-149/
Mon, 13 Apr 2015 14:31:18 +0000

The post The Sociopath Code | CR 149 first appeared on Jupiter Broadcasting.

We discuss the top stories submitted by the audience this week. From the ultimate bridge burn to Stack Overflow’s developer survey & being ok with a little sociopathy.


Show Notes:

Feedback:

Coder Radio Subreddit Hoopla

I’ve just escaped the Apple institution. I’ve sent in my resignation, and fled down its bright white corridors curated by crass colourful pictures of iPhones past. I handed in my security pass and in return I was able to re-claim my creativity, individuality and free thinking from the secure Apple cloak room. Finally now, for the first time in two years, I feel light, creative and inspired. I am again an individual with my own creative ideas, perceptions, values and beliefs.

While listening to the last CR episode, it occurred to me that the central issues of business are not being directly addressed.

26,086 people from 157 countries participated in our 45-question survey. 6,800 identified as full-stack developers, 1,900 as mobile developers, 1,200 as front-end developers, 2 as farmers, and 12,000 as something else.

I graduated from college a little bit over 10 years ago, and I’ve been messing with computers since I was 14. This doesn’t make me wise, but it certainly gives me a fair amount of experience to write one or two good tips for newcomers in the industry.

The post The Sociopath Code | CR 149 first appeared on Jupiter Broadcasting.

$10 Cat Videos | Tech Talk Today 156 https://original.jupiterbroadcasting.net/80212/10-cat-videos-tech-talk-today-156/ Thu, 09 Apr 2015 10:06:55 +0000 https://original.jupiterbroadcasting.net/?p=80212 YouTube is preparing a monthly subscription service with no ads & other perks. But is the Internet ready to pay for YouTube content? Our panel is skeptical. LinkedIn buys Lynda & their plans leave us a bit creeped out. Plus why Samsung is teetering on the edge of something huge. Direct Download: MP3 Audio | […]

The post $10 Cat Videos | Tech Talk Today 156 first appeared on Jupiter Broadcasting.


YouTube is preparing a monthly subscription service with no ads & other perks. But is the Internet ready to pay for YouTube content? Our panel is skeptical.

LinkedIn buys Lynda & their plans leave us a bit creeped out. Plus why Samsung is teetering on the edge of something huge.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon


Show Notes:

Welcome to the LinkedIn Family, lynda.com! | Official LinkedIn Blog

So, I couldn’t be more thrilled to welcome the talented lynda.com team to the LinkedIn family today. Together, I believe we can make it even easier for professionals around the world to accelerate their careers and realize their potential through the learning and development of new skills. Today’s announcement that LinkedIn intends to acquire lynda.com allows us to take a meaningful step forward in building the Economic Graph, which you can read more about from our CEO Jeff Weiner’s post here.

YouTube’s paid subscription offering takes shape — and it’s almost here | The Verge

It will offer ad-free videos as well as the ability to store videos offline on their mobile devices, for a price expected to be around $10 a month. It will also let creators put their videos behind a paywall so that only subscribers to the premium version can view them, sources said. (Bloomberg published a letter sent to creators today.)


The offering may also include lower-priced subscriptions for specific categories, such as music and children’s programming. (YouTube Music Key, which serves as a model for the all-access subscription, has been in invite-only beta since November. At the time, Google said Music Key would cost $7.99 a month when it comes out of beta.)

Samsung Facing Supply Shortages for Curved-Screen Galaxy S6 Edge – WSJ

“We’re working hard to resolve the difficulty in supply,” he said at a media event in Seoul ahead of the flagship phone’s global launch on Friday. He added that the supply issue could persist “for a while.”

Hidden backdoor API to root privileges in Apple OS X |

The Admin framework in Apple OS X contains a hidden backdoor API to root privileges. It’s been there for several years (at least since 2011), I found it in October 2014 and it can be exploited to escalate privileges to root from any user account in the system.

Feedback TTT 154 “Bitcoin Recession”

I perked up when listening to “Bitcoin Recession” because I expected some thoughtful Bitcoin discussion. But instead all I heard was Popey pooping on Bitcoin for 10 minutes. I know Popey doesn’t like Bitcoin and won’t give it a chance. So can we get someone else from the mumble room to comment who isn’t openly, unabashedly against it? Can we please have a discussion about Bitcoin for once that doesn’t involve pooping on it?

Linuxbrew

  • Can install software to a home directory and so does not require sudo
  • Install software not packaged by the native distribution
  • Install up-to-date versions of software when the native distribution is old
  • Use the same package manager to manage both your Mac and Linux machines

The post $10 Cat Videos | Tech Talk Today 156 first appeared on Jupiter Broadcasting.

Customize Your Desktop | FauxShow 211 https://original.jupiterbroadcasting.net/78842/customize-your-desktop-fauxshow-211/ Sun, 15 Mar 2015 19:19:50 +0000 https://original.jupiterbroadcasting.net/?p=78842 Angela and Chris discuss different organization, widgets, and tools to help your desktop be customized to the way you want it! Direct Download: HD Video | Mobile Video | MP3 Audio | YouTube RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Torrent Feed | iTunes Feed Fill out my […]

The post Customize Your Desktop | FauxShow 211 first appeared on Jupiter Broadcasting.


Angela and Chris discuss different organization, widgets, and tools to help your desktop be customized to the way you want it!

Direct Download:

HD Video | Mobile Video | MP3 Audio | YouTube

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Torrent Feed | iTunes Feed

Show Notes

Chatroom Wallpaper suggestions

<Twamp> i have used https://interfacelift.com/ for YEARS its wonderful
<iamikon> https://alpha.wallhaven.cc
<WWNSX> Angela, Space Wallpapers https://psiupuxa.com/
<_AACO> https://nik.bot.nu/

Chatroom Desktop Customizations

<Twamp> https://i.imgur.com/H4J1oJM.jpg what links?
<who_me> ChrisLAS, there’s a black bar on the bottom of the screen. Should it be there? https://imgur.com/yTphYvj
<TheLive1> ChrisLAS, screen shot album of Ubuntu Mate 15.04 Beta 1: https://imgur.com/a/HzO7B
<misuto> Antergos with nubix on laptop https://imgur.com/fQIoMdS
<moyamo> ChrisLAS: Arch Linux running XMonad https://i.imgur.com/UoWsO7N.png
<greendragon> ChrisLAS: Arch Linux Gnome Numix Theme https://imgur.com/a/QIJRC
<CountZero> ChrisLAS: I’m chatting on my laptop so here’s an old desktop screenshot pic that you have seen before but maybe it will be fresh for some of the guys in the chatroom… https://transfer.sh/sdgaz/countzero-desktop.jpg
<fourbitfox> ChrisLAS: Arch Linux with Mate https://i.imgur.com/JP0ItMw.png
<TheAnime> Angela: ChrisLAS: both awesome wm, compton compositor, sakura term, quassel irc client; I get my wallpaper from minitokyo.net; FreeBSD: https://whynot.click/images/screenshot4faux.png Mint: https://whynot.click/images/screenshot4faux2.png
<tappy> arch gnome numix https://tinypic.com/r/28j9us7/8
<GoatHerder> Mint, with MATE desktop. 2 monitors, the second for video editing only: https://goatslive.com/tmp/desktop.png
<Tyler> Angela: ChrisLAS; https://imgur.com/a/Foujd< an album showing the desktops of my main desktop and my Thinkpad. Go Cats! 😛
<Arucarn> Arch Linux KDE https://i.imgur.com/p1IzeWD.png
<urza9814> Arch, Enlightenment, and lots of conky: https://bsflowers.net/desktop.png
<me4oslav> ChrisLAS: Mostly OzonOS, but with work in progress new Numix icon theme on which I’m working. The icon theme in incomplete, so you can’t have it just yet. https://i.imgur.com/5NVjeTD.png https://i.imgur.com/gVxwWvu.png https://i.imgur.com/FlBZpCc.png
<FlorianSchauer> NO SCREENCAST. If it is possible, please check it before you show it in the show. DESCRIPTION: a video (16:9) about my Linux PC and my Laptop and my Hardware, all running Ubuntu Gnome : https://www.youtube.com/watch?v=-Yhhy4Lfhi0
<PariahVi> Arch Linux, a custom desktop environment I’m working on (far from finished): https://i.imgur.com/jogEAuS.png
<TheLive1> ChrisLAS, screen shot album of Ubuntu Mate 15.04 Beta 1: https://imgur.com/a/HzO7B
<heller64bit> ChrisLAS: heres my Desktop, https://owncloud.apdigitaltech.com/public.php?service=files&t=c70a8674e18010ec8e2877b7fb60c7e0 Running Arch with Mate and Compiz.
<Twamp> Simple KDE/Arch https://i.imgur.com/H4J1oJM.jpg
<BrainwreckedTech> Recent XFCE setup with Slingscold: https://plus.google.com/u/0/+PaulHinchbergerIII/posts/CnWSgpMjC1L?pid=6123138462930387954&oid=108939121673543785910
<jblive_007> Just simple Ubuntu 14.10 with Numix… https://imgur.com/9Bo5a0V
<CountZero> Mint 17.1 Cinnamon with Eleganse theme and lots of Conky goodness: https://transfer.sh/sdgaz/countzero-desktop.jpg
<wolflarson> ChrisLAS, https://i.imgur.com/4kA0mV2.png yet another KDE desktop
<RottNKorpse-jbtv> ChrisLAS: my KDE to GNOME system = https://imgur.com/a/9viMg
<PariahVi> ChrisLAS: Arch Linux, a custom flat desktop environment I’m working on (far from finished): https://i.imgur.com/jogEAuS.png
<zane12> mint 17 with Cinnamon docky & conky https://www.facebook.com/photo.php?fbid=809701792442763&set=a.809701755776100.1073741826.100002088484802&type=3&theater
<fourbitfox> ChrisLAS: Pretty simple Arch Linux and Mate https://i.imgur.com/JP0ItMw.png
<PariahVi> ChrisLAS: My work computer, Arch Linux, Spectrwm (tiling window manager, basically a C version of Xmonad) https://i.imgur.com/qRNrvtX.png
<JustinTime4Tea> Arch – KDE4 – Numix Icons – https://imgur.com/a/ah1mV
<wolflarson> https://i.imgur.com/4kA0mV2.png ChrisLAS
<Kostic> ChrisLAS: Fedora 21 Workstation. Vanilla Gnome 3 desktop: https://www.dodaj.rs/f/2R/Ex/sS8yLcB/—2015-03-15-195530.png
<tomracing79> Arch Mate running some scientific computing https://imgur.com/0bIS1Ev
<rikai> ChrisLAS: I have a single customization for the JB editing system install because it makes things much less jarring to me when editing to not have a bright bar across the top, and thats Obsidian Menu Bar ( https://www.obsidianmenubar.com/ ). Screenshot: https://i.imgur.com/1KY0T8j.jpg
<kaipee> ChrisLAS https://i.imgur.com/9P45vHT.jpg – Arch | Gnome 3.14 | Faenza Azure icons | Zukitwo theme
<FlorianSchauer> ChrisLAS, NO SCREENCAST. If it is possible, please check it before you show it in the show. DESCRIPTION: a video (16:9) about my Linux PC and my Laptop and my Hardware, all running Ubuntu Gnome : https://www.youtube.com/watch?v=-Yhhy4Lfhi0
<urza9814> Enlightenment, Arch, 3k+ lines of conky and bash…and no icons 🙂 https://bsflowers.net/desktop.png
<Twamp> ChrisLAS: https://i.imgur.com/H4J1oJM.jpg simple KDE/Arch nothing too special, but everything I need
<wolflarson> https://i.imgur.com/BzwApFE.jpg personal favorite background. has been my background on 3 different builds
<TheAnime> muh wallpapers https://whynot.click/images/wallpapurz.png
<RottNKorpse-jbtv> ChrisLAS: https://imgur.com/a/9viMg | KDE4 looks like GNOME | Arch
<heller64bit> Arch: https://imgur.com/BjXXsEd
<JustinTime4Tea> ARM_ Ubuntu SoC MK808 – https://imgur.com/a/24TgU
<douglascodes> https://imgur.com/a/CXvcq
<westexjeff> ChrisLAS: Arch, Cinnamon, Conky, Tint2 https://imgur.com/W56ZZt5
<JustinTime4Tea> ChrisLAS: Here is an ARM System desktop 🙂 -> https://imgur.com/a/24TgU
<PariahVi> foreverAnEnd-user: Here is what happens when you click on the applications icon. As I mentioned, this is far from finished. https://i.imgur.com/Zk2WvUT.png

WTR

Follow Jupiter Broadcasting

  • See more pics: https://instagram.com/jupiterbroadcasting#
  • Sign up for Jupiter Signal: www.bit.ly/jupitersignal
  • Unfilter is on Patreon! https://www.patreon.com/unfilter
  • Tech Talk Today is on Patreon! https://www.patreon.com/jupitersignal

JB SWAG

Find the FauxShow!

  • Facebook: https://www.facebook.com/thefauxshow
  • Twitter: https://www.twitter.com/angerz
  • G+: https://www.gplus.to/fauxshow
  • Subscribe to Jupiter Signal: https://www.bit.ly/jupitersignal
  • Jupiter Radio: https://jblive.info
  • Affiliates Firefox Extension: https://addons.mozilla.org/en-US/firefox/addon/jupiterbroadcasting/
  • Affiliates Chrome Extension: https://chrome.google.com/webstore/detail/bjekemhblnilimncanbehhjijdpjgimj
  • Donations: https://original.jupiterbroadcasting.net/donate
  • Shows & Shownotes: https://original.jupiterbroadcasting.net/show/fauxshow/

The post Customize Your Desktop | FauxShow 211 first appeared on Jupiter Broadcasting.

Ruby is not Perl | CR 136 https://original.jupiterbroadcasting.net/75382/ruby-is-not-perl-cr-136/ Mon, 12 Jan 2015 19:24:42 +0000 https://original.jupiterbroadcasting.net/?p=75382 Chris shares what’s prevented him from getting started with development & shares the three languages that are at the top of his list to try. Plus we get passionate after some feedback to the Mac Exodus topic & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | […]

The post Ruby is not Perl | CR 136 first appeared on Jupiter Broadcasting.


Chris shares what’s prevented him from getting started with development & shares the three languages that are at the top of his list to try.

Plus we get passionate after some feedback to the Mac Exodus topic & more!

Thanks to:


Linux Academy


DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:


Show Notes:

Dev Hoopla:

  • Is there any shame in being a casual developer? From the outside it feels like you’ve got to go all in deep, or bust.

  • Three controversial choices Chris is faced with.

The post Ruby is not Perl | CR 136 first appeared on Jupiter Broadcasting.

Macs Exodus | CR 135 https://original.jupiterbroadcasting.net/74902/macs-exodus-cr-135/ Mon, 05 Jan 2015 17:04:42 +0000 https://original.jupiterbroadcasting.net/?p=74902 Is the quality of Apple’s desktop and mobile software causing a slow bleeding of developers? Chris & Mike debate what developers will do over 2015. Plus we read some great follow up, feature a community project & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: MP3 Audio | OGG Audio | Video […]

The post Macs Exodus | CR 135 first appeared on Jupiter Broadcasting.


Is the quality of Apple’s desktop and mobile software causing a slow bleeding of developers? Chris & Mike debate what developers will do over 2015.

Plus we read some great follow up, feature a community project & more!

Thanks to:


Linux Academy


DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:


Show Notes:

Feedback / Follow Up:

OpenYourMouth UPDATE

Dev Hoopla:

Apple has lost the functional high ground – Marco.org

Apple’s hardware today is amazing — it has never been better. But the software quality has taken such a nosedive in the last few years that I’m deeply concerned for its future. I’m typing this on a computer whose existence I didn’t even think would be possible yet, but it runs an OS riddled with embarrassing bugs and fundamental regressions. Just a few years ago, we would have relentlessly made fun of Windows users for these same bugs on their inferior OS, but we can’t talk anymore.

Microsoft is building a new browser as part of its Windows 10 push

Spartan is still going to use Microsoft’s Chakra JavaScript engine and Microsoft’s Trident rendering engine (not WebKit), sources say. As Neowin’s Brad Sams reported back in September, the coming browser will look and feel more like Chrome and Firefox and will support extensions.

Sams also reported on December 29 that Microsoft has two different versions of Trident in the works, which also seemingly supports the claim that the company has two different Trident-based browsers.

However, if my sources are right, Spartan is not IE 12. Instead, Spartan is a new, light-weight browser Microsoft is building.

The post Macs Exodus | CR 135 first appeared on Jupiter Broadcasting.

Apple Approved Malware | TechSNAP 187 https://original.jupiterbroadcasting.net/70872/apple-approved-malware-techsnap-187/ Thu, 06 Nov 2014 18:23:57 +0000 https://original.jupiterbroadcasting.net/?p=70872 One of the world’s most prolific spammers gets profiled & the technical details are fascinating. New Apple malware is getting everyone’s attention, but why iOS trusts the code is really the more fascinating story, we’ll explain. Plus a great batch of questions, our answers & much much more! Thanks to: Get Paid to Write for […]

The post Apple Approved Malware | TechSNAP 187 first appeared on Jupiter Broadcasting.


One of the world’s most prolific spammers gets profiled & the technical details are fascinating. New Apple malware is getting everyone’s attention, but why iOS trusts the code is really the more fascinating story, we’ll explain.

Plus a great batch of questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

MeetBSD

Spammers are always developing new tactics

  • Prolific spammer Michael Persaud has been caught sending spam yet again
  • The 37-year-old from San Diego was the first spammer to have been criminally prosecuted, 13 years ago
  • By following a string of clues in the details used to register 1100 new domains used to send spam, researcher Ron Guilmette was able to track the source of the spam back to Persaud
  • What makes this case especially interesting was the technique used to send the spam
  • The chain of events starts with a block of IP addresses getting added to a blacklist, and the owner of those IP addresses being notified of the fact
  • The owner of the IP addresses was adamant that the spam was not coming from their network, as they do not host any spammers
  • When Cisco provided evidence that the spam was in fact coming from their IP addresses, further investigation revealed that that block of addresses was not actually in use
  • The block of IPs was not being announced via BGP by the owner of the IP space, thus the IPs were dormant (unannounced)
  • The spammers had looked around the internet, found ranges of dormant IP addresses, and announced those themselves, in effect moving the hosting for that IP range to their hosting provider, instead of that of the owner
  • This allowed the spammers to send spam from ‘clean’ IP addresses, that had never been used to send spam before
  • The spammer in question claims he did not know the IP addresses were hijacked, that the ISP he was using was selling him ‘stolen’ IPs without his knowledge
  • Persaud made this seem like a common occurrence, but it isn’t, and the researchers are not buying it
  • “In 1998, Persaud was sued by AOL, which charged that he committed fraud by using various names to send millions of get-rich-quick spam messages to America Online customers. In 2001, the San Diego District Attorney’s office filed criminal charges against Persaud, alleging that he and an accomplice crashed a company’s email server after routing their spam through the company’s servers. In 2000, Persaud admitted to one felony count (PDF) of stealing from the U.S. government, after being prosecuted for fraud related to some asbestos removal work that he did for the U.S. Navy”

  • Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door Audiobook | Brian Krebs | Audible.com


Google launches new network security testing tool: nogotofail

  • SSL/TLS has seen a number of major vulnerabilities lately, including Heartbleed, Apple’s goto fail, GNUTLS and NSS both having certificate verification flaws, and most recently the POODLE vulnerability
  • To help researchers and administrators test for these vulnerabilities, Google has released nogotofail, a new testing tool
  • “allows developers to set up an infrastructure through which they can run known attacks against the target application. It has the ability to execute various attacks that require man-in-the-middle position, which is one of the key components of many of the known attacks on SSL/TLS, including POODLE, BEAST and others“
  • “The core of nogotofail is the on path network MiTM named nogotofail.mitm that intercepts TCP traffic. It is designed to primarily run on path and centers around a set of handlers for each connection which are responsible for actively modifying traffic to test for vulnerabilities or passively look for issues. nogotofail is completely port agnostic and instead detects vulnerable traffic using DPI instead of based on port numbers. Additionally, because it uses DPI, it is capable of testing TLS/SSL traffic in protocols that use STARTTLS“
  • The tool can be deployed on Clients, Routers, and VPNs to automatically detect connections between clients and servers that are vulnerable to any of the known flaws
  • Project on GitHub

Feedback:


Round-Up:


The post Apple Approved Malware | TechSNAP 187 first appeared on Jupiter Broadcasting.

Xen Gets bashed | TechSNAP 182 https://original.jupiterbroadcasting.net/68177/xen-gets-bashed-techsnap-182/ Thu, 02 Oct 2014 21:05:42 +0000 https://original.jupiterbroadcasting.net/?p=68177 Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box. Plus how secure are VLANs, a big batch of your questions, our answers, and much much more! Thanks to: Direct Download: […]

The post Xen Gets bashed | TechSNAP 182 first appeared on Jupiter Broadcasting.


Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box.

Plus how secure are VLANs, a big batch of your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Bash plus Xen bugs send the entire internet scrambling

  • A critical flaw was discovered in the bash shell, used as the default system shell in most versions of Linux, as well as OS X.
  • The flaw was in the parsing of environment variables. If a new variable was set to contain a function, and that function was followed by a semicolon (normally a separator that can be used to chain multiple commands together), the code after the semicolon would be executed when the shell started
  • Many people are not aware that CGI passes the original request data, as well as all HTTP headers, to the scripts via environment variables
  • After those using bash CGI scripts ran around like chickens with their heads cut off, others came to realize that even if the CGI scripts are actually perl or something else, if they happen to fork a shell with the system() call, or similar, to do something, that shell will inherit those environment variables, and be vulnerable
  • As more people spent brain cycles thinking of creative ways to exploit this bug, it was realized that even qmail was vulnerable in some cases: if a user has a .qmail file or similar to forward their email via a pipe, that command is executed via the system shell, with environment variables containing the email headers, including from, to, subject etc
  • While FreeBSD does not ship with bash by default, it is a common dependency of most of the desktop environments, including gnome and KDE. PCBSD also makes bash available to users, to make life easier for Linux switchers. FreeNAS uses bash for its interactive web shell for the same reason. While not vulnerable in most cases, all have been updated to ensure that some new creative way to exploit the bug does not crop up
  • Apparently the DHCP client in Mac OS X also uses bash, and a malicious DHCP server could exploit the flaw
  • The flaw also affects a number of VMWare products
  • OpenVPN and many other software packages have also been found to be vulnerable
  • The version of bash on your system can be tested easily with this one-liner:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • Which will print “this is a test”, and if bash has not yet been patched, will first print ‘vulnerable’
  • ArsTechnica: Bug in bash shell creates big security hole on anything with linux in it
  • Concern over bash bug grows as it is actively exploited in the wild
  • First bash patch doesn’t solve problem, second patch rushed out to resolve issue
  • Now that people are looking, even more bugs in bash found and fixed
  • Shellshock fixes result in another round of patches as attacks get more clever
  • Apple releases patch for shellshock bug
  • There was also a critical update to NSS (the Mozilla cryptographic library, which was not properly validating SSL certificates)
  • The other big patch this week was for Xen
  • It was announced by a number of public cloud providers, including Amazon and Rackspace, that some virtual server host machines would need to be rebooted to install security fixes, resulting in downtime for 10% of Amazon instances
  • It is not clear why this could not be resolved by live migrations
  • All versions of Xen since 4.1 until this patch are vulnerable. The flaw is only exploitable when running fully virtualized guests (HVM mode, uses the processor virtualization features), and can not be exploited by virtual machines running in the older paravirtualization mode. Xen on ARM is not affected
  • Xen Security Advisory
  • Amazon Blog Post #1
  • Amazon Blog Post #2
  • Rackspace Blog Post
  • Additional Coverage: eweek
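
The CGI path described in the bash bullets above can be checked for from the defender's side. This is an added example, not code from the show notes or from any of the linked projects: it maps request headers to environment variables the way CGI does and flags any value that starts like a bash function definition, which is the form the one-liner test above uses. The function names, sample requests and addresses are constructed for illustration.

```python
import re

# Unpatched bash treated an environment value beginning with "() {" as an
# exported function and parsed it at startup, then kept executing whatever
# followed the function body. The pattern tolerates extra whitespace, so it
# is deliberately broader than the exact prefix bash looked for.
FUNCTION_VALUE = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(method, script, headers):
    """Map a request to environment variables the way CGI does (RFC 3875):
    every request header Foo-Bar becomes HTTP_FOO_BAR."""
    env = {"REQUEST_METHOD": method, "SCRIPT_NAME": script}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def flagged_variables(env):
    """Names of variables whose value looks like a bash function definition."""
    return sorted(name for name, value in env.items()
                  if FUNCTION_VALUE.match(value))


def scrubbed(env):
    """Copy of env with function-like values dropped, for use before a child
    shell inherits it. Defence in depth only; the fix is a patched bash."""
    return {name: value for name, value in env.items()
            if not FUNCTION_VALUE.match(value)}


# Constructed sample requests (documentation IP ranges). The flagged values
# reuse the harmless "echo vulnerable" string from the one-liner test.
SAMPLE_REQUESTS = [
    ("192.0.2.10", "GET", "/cgi-bin/status",
     {"User-Agent": "Mozilla/5.0", "Referer": "https://example.org/"}),
    ("198.51.100.7", "GET", "/cgi-bin/status",
     {"User-Agent": "() { :;}; echo vulnerable", "Accept": "*/*"}),
    ("203.0.113.5", "GET", "/cgi-bin/status",
     {"User-Agent": "curl/7.38", "Cookie": "  ()  { :; }; echo vulnerable"}),
]


def triage(requests):
    """Return (client, script, flagged variable names) for suspicious requests."""
    report = []
    for client, method, script, headers in requests:
        hits = flagged_variables(cgi_environment(method, script, headers))
        if hits:
            report.append((client, script, hits))
    return report


if __name__ == "__main__":
    for client, script, hits in triage(SAMPLE_REQUESTS):
        print(f"{client} -> {script}: function-like value in {', '.join(hits)}")
```

Any header can carry the value, not just User-Agent, which is why the check runs over the whole environment rather than a fixed list of variables.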

Cox Communications takes the privacy of its customers seriously, kind of

  • A female employee of Cox Communications (a large US ISP) was socially engineered into giving up her username and password
  • These credentials were then used to access the private data of Cox Customers
  • The attacker apparently only stole data about 52 customers, one of which was Brian Krebs
  • This makes it sound like a targeted attack, or at least an attack by someone who is (or is not) a fan of Brian Krebs
  • It appears that the Cox internal customer database can be accessed directly from the internet, with only a username and password
  • Cox says they use two factor authentication “in some cases”, and plan to expand the use of 2FA in the wake of this breach
  • Cox being able to quickly determine exactly how many customers’ data was compromised suggests they at least have some form of auditing in place, to leave a trail describing what data was accessed
  • Brian points out: “This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.” “Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.”

Other researchers recreate the BadUSB exploit and release the code on Github

  • The “BadUSB” research was originally done by Karsten Nohl and Jakob Lell, at SR Labs in Germany.
  • Presented at BlackHat, it described being able to reprogram the firmware of USB devices to perform other functions, such as a USB memory stick that presented itself to the computer as a keyboard, and typed out commands once plugged in, allowing it to compromise the computer and exfiltrate data
  • Brandon Wilson and Adam Caudill were doing their own work in this space, and when they heard about the talk at BlackHat, decided to accelerate their own work
  • They have now posted their code on Github
  • “The problem is that Nohl and Lell—and Caudill and Wilson—have not exploited vulnerabilities in USB. They’re just taking advantage of weaknesses in the manner in which USBs are supposed to behave“
  • “At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC“
  • “It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”
  • The way around this issue would be for device manufacturers to implement code signing
  • The existing firmware would only allow the firmware to be updated if the new firmware was signed by the manufacturer, preventing a malicious user from overwriting the good firmware with ‘bad’ firmware
  • However, users could obviously create their own devices specifically for the purpose of the evil firmware, but it would prevent the case where an attacker modifies your device to work against you
  • At the same time, many users might argue against losing control over their device, and no longer being able to update the firmware if they wish
  • The real solution may be for Operating Systems and users to evolve to no longer trust random USB devices, and instead allow the user to decide if they trust the device, possibly something similar to mobile apps, where the OS tells the user what functionality the device is trying to present
  • You might choose to not trust that USB memstick that is also attempting to present a network adapter, in order to override your DHCP settings and make your system use a set of rogue DNS servers

Feedback:


Round Up:


The post Xen Gets bashed | TechSNAP 182 first appeared on Jupiter Broadcasting.

Mint 17: Fresh or Stagnant? | LINUX Unplugged 43 https://original.jupiterbroadcasting.net/58882/mint-17-fresh-or-stagnant-lup-43/ Tue, 03 Jun 2014 16:45:24 +0000 https://original.jupiterbroadcasting.net/?p=58882 We’ll take a look at the new features of Linux Mint 17, and discuss the new Cinnamon release. Then we’ll debate if distro derivatives are a bad thing. Plus: Is Red Hat too over controlling of Gnome? Candidates for the Gnome Foundation’s board think so, we’ll discuss. Thanks to: Direct Download: MP3 Audio | OGG […]

The post Mint 17: Fresh or Stagnant? | LINUX Unplugged 43 first appeared on Jupiter Broadcasting.


We’ll take a look at the new features of Linux Mint 17, and discuss the new Cinnamon release. Then we’ll debate if distro derivatives are a bad thing.

Plus: Is Red Hat too over controlling of Gnome? Candidates for the Gnome Foundation’s board think so, we’ll discuss.

Thanks to:

Ting


DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

FU:

Does Apple\’s new OS X Yosemite rip off Gnome 3\’s design? And should we consider imitation the sincerest form of flattery when the one doing the imitation is in Apple\’s position?

GNOME Foundation board candidate questions Red Hat\’s \’dominance\’

According to its own website, the GNOME Foundation \”steers releases, determines what software is officially part of the Project, and acts as the official face of the GNOME Project to the outside world, though it delegates most of its authority to specialised teams\”.

Are Ubuntu Derivatives a Bad Idea?

When most people think of Ubuntu derivatives, they usually categorize them into an “Ubuntu with a different desktop environment than Unity” category. However, according to Ubuntu, they refer to Ubuntu-based distros with different desktop environments as a derivative as well as distros using their own tools/apps/goals as customizations.

New features in Linux Mint 17 Cinnamon

Linux Mint 17 features Cinnamon 2.2, MDM 1.6, a Linux kernel 3.13 and an Ubuntu 14.04 package base.

  • Linux Mint 17 will receive security updates until 2019.

Until 2016, future versions of Linux Mint will use the same package base as Linux Mint 17, making it trivial for people to upgrade.

Until 2016, the development team won’t start working on a new base and will be fully focused on this one.

New Show: Tech Talk Today (Mon – Thur)

The post Mint 17: Fresh or Stagnant? | LINUX Unplugged 43 first appeared on Jupiter Broadcasting.

]]>
Heartbleed Fallout | TechSNAP 160 https://original.jupiterbroadcasting.net/56502/heartbleed-fallout-techsnap-160/ Thu, 01 May 2014 19:00:17 +0000 https://original.jupiterbroadcasting.net/?p=56502 OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report! Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then it’s a great batch of your questions and our answers! On this week’s episode of TechSNAP! Thanks to: Direct Download: HD […]

The post Heartbleed Fallout | TechSNAP 160 first appeared on Jupiter Broadcasting.

]]>


OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then it’s a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:


DigitalOcean

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenBSD launches LibreSSL

  • The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
  • The goal is to update the coding standards, to use more modern and safer C programming practises
  • The impetus for this was in fact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
  • The way much of OpenSSL is constructed makes it harder to audit with tools like Coverity and Valgrind, and the lack of consistent style, naming, etc. makes it exceptionally hard to audit by hand
  • There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
  • Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
  • Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
  • So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
  • The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
  • LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

  • Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
  • “In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
  • The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
  • OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
  • Among the other flaws Apple patched in its new releases are a number of other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

  • Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye
  • An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
  • The attack bypassed both the organization’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
  • “Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,” Mandiant’s Christopher Glyer explained.
  • With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
  • After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
  • Additional Coverage

Feedback:


Round Up:

The post Heartbleed Fallout | TechSNAP 160 first appeared on Jupiter Broadcasting.

]]>
Graphical Civil War | LINUX Unplugged 33 https://original.jupiterbroadcasting.net/54022/graphical-civil-war-lup-33/ Tue, 25 Mar 2014 17:12:40 +0000 https://original.jupiterbroadcasting.net/?p=54022 Is devastating fragmentation going to doom Desktop Linux, can a case be made for multiple display servers? Why the biggest community confrontation could be brewing.

The post Graphical Civil War | LINUX Unplugged 33 first appeared on Jupiter Broadcasting.

]]>


Is devastating fragmentation going to doom Desktop Linux, can a case be made for multiple display servers?

Don’t care about the display server? We’ll make the case why you need to care, and why the biggest community confrontation could be brewing.

Thanks to:

Ting

DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

FU

Does the Display Server Matter? Depends Who you Ask…

Bob’s development blog: Why the display server doesn’t matter

Display servers are the component in the display stack that seems to hog a lot of the limelight. I think this is a bit of a mistake, as it’s actually probably the least important component, at least to a user.

Why the Display Server DOES matter

Now I don’t know how to put it, the best description is that I’m shocked that Canonical is still not seeing the problems they created by having multiple display servers.

more on why the display server does matter

Does this affect users? It means that some desktop environments will not be available on all operating systems, depending on what display systems are supported. Currently, people can usually pick whatever desktop environment they wish to run on any of the more popular Linux distributions. This will no longer be the case as shells segregate along display system lines.

LAS Subreddit Thread on the post

Feedback Kickoff: Linux Mint Might Use The Same LTS Base For Linux Mint 17, 18, 19 and 20

Linux Mint might use the same LTS base for Linux Mint 17 (to be released at the end of May 2014) as well as the next 3 releases.

That means that Linux Mint 17, 18, 19 and 20 might all use Ubuntu 14.04 LTS as a base instead of being based on newer Ubuntu releases.

If that happens, Linux Mint would have a more stable base and it would allow the Mint team to “push innovation on Cinnamon, be more active in the development of MATE, better support Mint tools and engage in projects we’ve postponed for years”.

The post Graphical Civil War | LINUX Unplugged 33 first appeared on Jupiter Broadcasting.

]]>
Failure Cascade | TechSNAP 68 https://original.jupiterbroadcasting.net/22241/failure-cascade-techsnap-68/ Thu, 26 Jul 2012 16:35:21 +0000 https://original.jupiterbroadcasting.net/?p=22241 The failure of Google Talk takes down several other Google services including GMail. Plus how to determine if your WordPress site has been hacked.

The post Failure Cascade | TechSNAP 68 first appeared on Jupiter Broadcasting.

]]>


The failure of Google Talk takes down several other Google services including GMail and then as a result even Twitter, we got the details. Plus how to determine if your WordPress site has been hacked, and some dangerous new Mac malware.

And a batch of audience questions, and our answers.

All that and more in this week’s episode of TechSNAP.


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Show Notes:

Google Talk Outage

  • This morning at 06:40 EDT (10:40 UTC) GoogleTalk experienced an outage for nearly all users
  • Users were able to access GoogleTalk but would receive an error, and not be able to communicate with other users
  • This interrupted a lot of business users who use Google Apps as an integrated document management and messaging platform
  • Google reported the issue resolved at 11:25 EDT (15:25 UTC)
  • Google Apps Status Page for this Outage
  • Google has not released any details about the cause of or the resolution to the outage
  • A large number of users took to Twitter to complain about the outage
  • This was followed shortly by an outage at Twitter, possibly caused by the increased traffic generated by the Google outage

OSX/Crisis drive-by malware/rootkit for OS X 10.6 and 10.7

  • The malware is installed silently, and does not require any user interaction
  • The malware detects whether it is being run as a privileged user, in which case it also installs a rootkit to hide its existence; if run as a regular user, a different, less dangerous payload is used
  • Once installed, the malware phones home to a UK Linode instance (I would expect this to be shut down soon, if it hasn’t been already), where it would receive further instructions and/or participate in a botnet (common activities include sending spam, advertising click-fraud, scanning and infecting other computers or websites)
  • The payload also attempts to spy on the user’s activities in Firefox, Safari, Adium and Skype (likely stealing passwords and keystrokes, and possibly spreading to other Mac users via IM and file transfer from trusted contacts)

Asus releases first ‘USB Attached SCSI Protocol’ (UASP) Devices

  • The new protocol replaces the standard USB BOT (‘Bulk Only Transfer’) mode which is plagued by high command latency and a lack of parallelism
  • UASP also allows up to 64k commands to be queued (BOT standard is to send the next command only once the current command completes), and allows commands to complete out of order
  • UASP requires a specialized USB controller on both the motherboard and the USB device (hard drive enclosures are the target market here)
  • However, UASP does not require any specific hard drive, and will work with any off the shelf HDD or SSD (although the performance gains are harder to see with a spinning drive)
  • While this is great news, there is still better news: Asus’s devices also support ‘Turbo Mode’ (Optimized BOT, which sends the next command before the first is acknowledged) that is compatible with many existing USB 3.0 controllers (Intel, NEC) and offers most of the speed improvement of UASP without replacing your motherboard

7500 Blackhat Conference Attendees get password reset email

  • It appears that a volunteer working with ITN International, the company that handles the on-site registration and check-in for the Blackhat conference, accidentally sent a password reset email to all registered users
  • The emails include the username, and a new password in plain text (it would probably be much better to direct users to a password reset page, establish their identity with some other bit of information, and then store a new password using a proper cryptographic hashing algorithm, but this is a system by a conference management company, not the Blackhat attendees)
  • The email also included a URL to sign in to the Blackhat conference system, which uses an unqualified hostname that only works on the Blackhat registration network
  • This caused ZDNet’s tech writer to assume that this was a very poor phishing attempt (neglecting to consider how a phisher would have gotten the attendees’ email addresses), noting that the URL was ‘not even real’ and that the from address was not spoofed
  • Official Explanation and Apology

Bryan’s RadicalBreeze.com got hacked

  • RadicalBreeze.com was running WordPress 2.9.1
  • The current version of WordPress is 3.4.1
  • Despite Bryan’s rant, ‘Google doesn’t want people to know about better software’, this was not Google claiming that Illumination Software Creator was malware, nor was it a false positive or mistake by Google, but an automated detection of a compromised site
  • The compromise was entirely Bryan’s fault, for running an incredibly old version of WordPress, subject to a number of vulnerabilities
  • The particular malware that has infested his site appears to be related to some vulnerabilities in Plesk, fixed in February 2012 and July 2012, that allowed the automated script to compromise his site and modify the files to inject the iframe
  • It is unclear at this time if any customer data was compromised; it very likely could have been, but the attack seems automated rather than targeted
  • Google Safe Browsing Report
  • Malicious software is hosted on 1 domain(s), including dynapass.ru/
  • 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including sqqkemzgshwnkkrk.waw.pl/
  • Google’s “How did this happen?”
  • In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message

Feedback

Round Up

The post Failure Cascade | TechSNAP 68 first appeared on Jupiter Broadcasting.

]]>