PayPal – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Feed updated: Sun, 15 Nov 2020 23:02:33 +0000

Linux Action News 163
https://original.jupiterbroadcasting.net/143387/linux-action-news-163/
Sun, 15 Nov 2020 14:15:00 +0000

Show Notes: linuxactionnews.com/163

The post Linux Action News 163 first appeared on Jupiter Broadcasting.

Linux Action News 110
https://original.jupiterbroadcasting.net/132101/linux-action-news-110/
Sun, 16 Jun 2019 19:08:06 +0000

Show Notes: linuxactionnews.com/110

The Cost Of Cloud | Ask Noah 5
https://original.jupiterbroadcasting.net/114341/the-cost-of-cloud-ask-noah-5/
Mon, 01 May 2017 20:55:50 +0000

— The Cliff Notes — Paypal – The Worst Example of Customer Service · Cloud Connected Garage Door · Cloud Connected Garage — Noobs Corner — Tips for buying used tech on eBay: Read the description carefully […]

— Show Notes: —

— The Cliff Notes —

— Noobs Corner —

Tips for buying used tech on eBay

  • Read the description carefully
  • Look at the photos carefully
  • Ask questions before bidding
  • Don’t be afraid to give it a shot!
  • Check out bidnapper.com to automate bidding

Quick and Dirty RSync Guide

— Stay In Touch —

Find all the resources for this show on the Ask Noah Dashboard

Ask Noah Dashboard

Need more help than a radio show can offer? Altispeed provides commercial IT services and they’re excited to offer you a great deal for listening to the Ask Noah Show. Call today and ask about the discount for listeners of the Ask Noah Show!

Altispeed Technologies

Contact Noah

asknoah [at] jupiterbroadcasting.com

— Twitter —
+ Noah – Kernellinux
+ Ask Noah Show
+ Altispeed Technologies
+ Jupiter Broadcasting

Queso the Mondays | TTT 243
https://original.jupiterbroadcasting.net/99596/queso-the-mondays-ttt-243/
Mon, 09 May 2016 17:06:48 +0000

Drones dropping blood, HTC’s dropping profits & Microsoft’s dropping ASUS rigs.

Plus the end to the latest Bitcoin saga, the FBI labeling TOR users & a Kickstarter you won’t believe!


Show Notes:

KICKSTARTER OF THE WEEEAAAAK:

Virtual Private Surveillance | TechSNAP 248
https://original.jupiterbroadcasting.net/92441/virtual-private-surveillance-techsnap-248/
Thu, 07 Jan 2016 19:18:51 +0000

We break down the Bicycle attack against SSL, the story of Brian Krebs’s PayPal account getting hacked & the scoop on the Juniper Saga.

Plus some great questions, our answers, a news breaking round up & much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems

— Show Notes: —

The Bicycle Attack against SSL/TLS

  • Security researcher Guido Vranken has published a new attack against all versions of SSL/TLS
  • “While the sound configuration of both endpoints of a connection is understood to prevent the decoding from ciphertext to plaintext without having access to the private key(s), transactions conducted over a channel embedded in TLS leak various types of information.”
  • “A lot of research has been performed on how to stack up these different ‘knowns’ in order to meticulously reconstruct the user’s actions, given that the encrypted streams are known to an observer who is or has been listening in on the ‘secure’ transmission between two endpoints.”
  • “In this paper I will show that for a presumably large subset of web applications, it is easy to infer the length of parts of the plaintext, or certain attributes thereof, from a recorded stream of encrypted messages. Having access to the private key is not necessary. In fact, the actual ciphertexts embedded in the stream are irrelevant to the deduction, and entry-level arithmetic suffices.”
  • The attack can allow a passive listener to determine the length of your password, significantly reducing the effort required to brute-force the password
  • The attack takes advantage of the known characteristics of HTTP transactions (although it could be used against other protocols), to determine the length of a specific field
  • In a regular HTTP form post, when a user is logging into a website, the post data consists of the form fields encoded as a string
  • Something like: username=allan&password=correcthorsebatterystaple&sub=Login
  • When the form is submitted over an encrypted connection (HTTPS), the text is not visible, however the length of the payload is known
  • If the length of the form field names, and the username are known, then the length of the password can be determined
  • So, this attack requires knowing the target’s username, although that is not a problem during a targeted attack
  • Most of the other information can be determined by the attacker by logging into an account on the site themselves
  • The attack requires knowing things like the target user’s browser user-agent string, but this can be determined when they visit any unencrypted website.
  • The lengths of other headers, like user-agent and cookie, can be calculated by looking at requests to other known assets on the site, like an image or CSS file that is loaded by the login page
  • With all of this information, the length of the packet, less the lengths of the known fields, leaves you with the length of the target’s password
  • This significantly reduces the complexity of a brute force attack
  • If you know the password is exactly 12 characters long, you do not have to try every possible combination of 10, 11, 13, 14 etc character long passwords.
  • Because of the nature of this attack, it also works against previously recorded sessions, even from years ago
  • “It may also be executed on a larger scale on TOR exit nodes, VPN’s, proxies and other Internet traffic conduits in order to detect weak or short passwords susceptible to a brute-force or an attack based on a dictionary of often-used passwords”
  • The name “Bicycle Attack” was chosen because: if you wrap a bicycle in giftwrap, you can still tell it is a bicycle
  • The research then goes on to look at how this same concept can be applied to GPS coordinates, and IPv4 addresses. Just by knowing the length of the IP address, you can reduce the possible search space to only ~30% of the total. Some lengths cut the search space even more.

  • #missioncomplete

  • https://forums.freenas.org/index.php?threads/freenas-logo-design-contest.39968/
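
As an added example (not from the show or from Vranken's paper), a small audit of whether a login form's on-the-wire size tracks the password length, using the subtraction the notes describe, together with fixed-size padding, a standard countermeasure the notes do not discuss. The request framing, the `pad` field name and the 64-byte block size are constructed for the demo; it assumes TLS compression is off, so ciphertext size follows plaintext size.

```python
"""Does the on-the-wire size of a login POST reveal the password length?
Added example with a constructed request; the pad field is one standard
countermeasure (not discussed in the show notes)."""
from urllib.parse import urlencode

# Constructed framing that every request from this browser carries. The
# observer learns its size from requests for known assets (an image, a CSS
# file), exactly as the show notes describe.
HEADERS = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed UA string)\r\n"
    "Cookie: session=0123456789abcdef\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
)


def login_request(username, password, pad_to=None):
    """Plaintext of the login POST. With pad_to set, a filler field rounds the
    body up to a multiple of pad_to bytes, so size no longer tracks the password."""
    body = urlencode({"username": username, "password": password, "sub": "Login"})
    if pad_to:
        filler = (-(len(body) + len("&pad="))) % pad_to
        body += "&pad=" + "x" * filler
    return HEADERS + body


def observed_length(request):
    """All a passive observer of the TLS stream learns (no compression): the size."""
    return len(request.encode())


def infer_password_length(observed, username):
    """Observer's arithmetic from the show notes: observed size minus the size
    of everything already known (framing, field names, the target's username).
    Only exact for unpadded, percent-encoding-free passwords."""
    return observed - observed_length(login_request(username, ""))


def distinct_sizes(username, candidate_lengths, pad_to=None):
    """Audit helper: how many different wire sizes the form produces across
    candidate password lengths. Equal to the number of candidates means the
    size pins down the exact length; 1 means it reveals nothing in that range."""
    return len({observed_length(login_request(username, "a" * n, pad_to))
                for n in candidate_lengths})
```

Running `distinct_sizes("allan", range(8, 24))` against your own form builder is the check: without padding every length maps to its own size, with 64-byte padding they all collapse to one.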

Merry Christmas: We stole your paypal account

  • Alternative link; Krebs appears to be under a DDoS attack
  • Krebs’ PayPal account was compromised on Christmas Eve
  • “The perpetrator tried to further stir up trouble by sending my PayPal funds to a hacker gang tied to the jihadist militant group ISIS. Although the intruder failed to siphon any funds, the successful takeover of the account speaks volumes about why most organizations — including many financial institutions — remain woefully behind the times in authenticating their customers and staying ahead of identity thieves.”
  • “On Christmas Eve morning, I received an email from PayPal stating that an email address had been added to my account. I immediately logged into my account from a pristine computer, changed the password, switched my email address back to the primary contact address, and deleted the rogue email account.”
  • “I then called PayPal and asked how the perpetrator had gotten in, and was there anything else they could do to prevent this from happening again? The customer service person at PayPal said the attacker had simply logged in with my username and password, and that I had done everything I could in response to the attack. The representative assured me they would monitor the account for suspicious activity, and that I should rest easy.”
  • “Twenty minutes later I was outside exercising in the unseasonably warm weather when I stopped briefly to check email again: Sure enough, the very same rogue email address had been added back to my account. But by the time I got back home to a computer, my email address had been removed and my password had been changed. So much for PayPal’s supposed “monitoring;” the company couldn’t even spot the same fraudulent email address when it was added a second time.”
  • “In my second call to PayPal, I insisted on speaking with a supervisor. That person was able to tell me that, as I suspected, my (very long and complex) password was never really compromised. The attacker had merely called in to PayPal’s customer support, pretended to be me and was able to reset my password by providing nothing more than the last four digits of my Social Security number and the last four numbers of an old credit card account.”
  • “Let’s leave aside for a moment the reality that all of this static information about Brian Krebs has been posted online by various miscreants over the years (and probably remains online): Any company that authenticates customers with nothing more than static identifiers — address, SSN, DOB, phone number, credit card number, etc. — is vulnerable to these takeover attempts.”
  • “I asked the PayPal supervisor why the company couldn’t simply verify my identity by sending a text message to my phone, or a special signal to a PayPal mobile app? After all, PayPal has had the same mobile number of mine on file for years (the attacker also deleted that number from my profile as well). The supervisor explained that the company didn’t have any mobile authentication technologies, and that in order to regain access to the funds in my account I had to send the company a photocopied or scanned copy of my driver’s license.”
  • Not exactly something hard to fake, because I doubt they check it very carefully
  • “When I pressed the PayPal representative about whether he had any other ways to validate my identity short of sending a copy of my license, he offered to do so “using public records.” Now, I understand that what he actually meant was that PayPal would work with a major credit bureau to ask me a series of so-called “out of wallet” or “knowledge-based authentication” (KBA) questions — essentially yet more requests for static information that can be gleaned from a variety of sources online. But that didn’t stop me from playfully asking the representative why a security challenge should rely on answers from public records? He responded that someone probably would have to go down to a courthouse somewhere to do that, which made me laugh out loud and wish him a Merry Christmas.”
  • Krebs had a PayPal two-factor authentication token, but it apparently was not required to access the account
  • A user in the comments points out: “A dynamic identifier, such as a temporary code sent via SMS to a user’s mobile phone, isn’t any better if the provider of the mobile service is also vulnerable. I had my bank accounts emptied after Vodafone UK allowed someone to walk in off the street and transfer my phone number to a new Vodafone account in store. Hugely frustrating that they could ever allow this.”

The Juniper Saga

  • “On December 17, Juniper announced that some of their products were affected by “unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen® devices and to decrypt VPN connections”. That sounds like an attacker managed to subvert Juniper’s source code repository and insert a backdoor.”
  • “Juniper followed up with a slightly more detailed post that noted that there were two backdoors: one via SSH and one that “may allow a knowledgeable attacker who can monitor VPN traffic to decrypt that traffic”. Either of these would be very interesting to a nation-state attacker but that latter—passive decryption of VPN connections—is really in their neighborhood.”
  • “Dual-EC was an NSA effort to introduce a backdoored pseudo-random number generator (PRNG) that, given knowledge of a secret key, allowed an attacker to observe output from the RNG and then predict its future output. If an attacker can predict the output of the PRNG then they can know the keys that one or both sides of a VPN connection will choose and decrypt it. (For more details, see the research paper.)”
  • “During the CRYPTO 2007 rump session, Niels Ferguson and Dan Shumow demonstrated that if the points are not randomly generated, but carefully chosen in advance, the security of Dual_EC DRBG can be subverted by the party doing the choosing; effectively backdooring the PRNG. Namely if one chooses P, Q such that Q=P*e holds for a value e that is kept secret, it will allow the party that generated said P, Q to recover the internal state of the PRNG from observed output in a computationally “cheap fashion” – hence instances of Dual_EC PRNG for which the provenance of the points P and Q is unknown are susceptible to having been backdoored.”
  • “It stands to reason that whoever managed to slip in their own Q will also know the corresponding e such that P*e=Q (the value P was unchanged from the standard) and hence is able to recover the internal state of the backdoored Dual_EC generator from the output generator. What is unknown however is what an attack would look like for the PRNG cascade employed by Juniper’s ScreenOS.”
  • In the past, Juniper put out a KB article explaining their use of Dual_EC:
  • “ScreenOS does make use of the Dual_EC_DRBG standard, but is designed to not use Dual_EC_DRBG as its primary random number generator. ScreenOS uses it in a way that should not be vulnerable to the possible issue that has been brought to light. Instead of using the NIST recommended curve points it uses self-generated basis points and then takes the output as an input to FIPS/ANSI X.9.31 PRNG, which is the random number generator used in ScreenOS cryptographic operations.”
  • “However, apparently starting in August 2012 (release date according to release notes for 6.3.0r12), Juniper started shipping ScreenOS firmware images with a different point Q. Adam Caudill first noted this difference after HD Moore posted a diff of strings found in the SSG 500 6.2.0r14 and the 6.2.0r15 firmware. As we can deduce from their recent security advisory and the fact that they reverted back to the old value Q in the patched images, this was a change not authored by them. Apparently Juniper only realised this recently and not when they were issuing KB28205.”
  • “Static analysis indicates that the output of the Dual_EC generator indeed is not used directly, but rather only to reseed an ANSI X9.31 PRNG. Besides the unused EC PRNG known-answer test function, a function we call reseed_system_prng is the only one that references the ec_prng_generate_output function”
  • “Update: Shortly after reading my post, Willem Pinckaers pointed out that the reseed_system_prng function sets the global variable system_prng_bufpos to 32. This means that after the first invocation of this function, the for loop right after the reseed call in system_prng_gen_block never executes. Hence, the ANSI X9.31 PRNG code is completely non-functional.”
  • “if it wasn’t the NSA who did this, we have a case where a US government backdoor effort (Dual-EC) laid the groundwork for someone else to attack US interests. Certainly this attack would be a lot easier given the presence of a backdoor-friendly RNG already in place. And I’ve not even discussed the SSH backdoor which, as Wired notes, could have been the work of a different group entirely. That backdoor certainly isn’t NOBUS—Fox-IT claim to have found the backdoor password in six hours”
  • “NOBUS” is an intelligence community term for “nobody but us”
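
As an added example (not Juniper's, NIST's or the quoted researchers' code), a toy Dual_EC-style generator over a tiny curve in which Q = P*e for a known e, showing concretely why the provenance of P and Q matters: the holder of e turns any single output into the next internal state and predicts everything after it. The curve, the seed and the scalar normalisation step are constructed for the demo, and the toy emits full x-coordinates where the real generator truncates 16 bits.

```python
"""Toy Dual_EC-style generator over a tiny curve: whoever chose Q = e*P and
knows e recovers the state from a single output and predicts everything after.
Added example; the curve, seed and normalisation step are constructed for the
demo and are not NIST's or Juniper's parameters."""
from math import gcd

P_MOD, A, B = 97, 2, 3   # constructed toy curve y^2 = x^3 + 2x + 3 over F_97


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                    # p1 == -p2 (also doubling a point with y == 0)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def all_points():
    """Brute-force enumeration of the affine points; fine for p = 97."""
    for x in range(P_MOD):
        rhs = (x ** 3 + A * x + B) % P_MOD
        for y in range(P_MOD):
            if y * y % P_MOD == rhs:
                yield (x, y)


def point_order(pt):
    """Smallest n with n*pt == infinity."""
    n, acc = 1, pt
    while acc is not None:
        acc = ec_add(acc, pt)
        n += 1
    return n


P = max(all_points(), key=point_order)                # base point of largest order
N = point_order(P)
E = next(e for e in range(2, N) if gcd(e, N) == 1)   # the secret "e" from the notes
Q_BACKDOORED = ec_mul(E, P)                          # Q = P*e, provenance unknown to users


def normalize(s):
    """Toy step (not in the real standard) keeping the state in [1, N-1]."""
    return (s % N) or 1


def lift_x(x):
    """Some curve point with x-coordinate x; +y or -y gives the same x(s*P) below."""
    return next(pt for pt in all_points() if pt[0] == x)


def generate(seed, q, steps):
    """Dual_EC core: s_i = x(s_{i-1}*P), output r_i = x(s_i*Q). The real generator
    drops 16 bits of each r_i, which is what costs the attacker 2^16 lifts per output."""
    s, outputs = normalize(seed), []
    for _ in range(steps):
        s = normalize(ec_mul(s, P)[0])
        outputs.append(ec_mul(s, q)[0])
    return outputs


def predict_next(r, e, q):
    """Holder of e: lift r_i to R = +/-s_i*Q, then e^-1 * R = +/-s_i*P, whose
    x-coordinate is the next state s_{i+1}; from it the next output follows."""
    s_next = normalize(ec_mul(pow(e, -1, N), lift_x(r))[0])
    return ec_mul(s_next, q)[0]


def demo(seed=42, steps=5):
    """Attacker sees each r_i and predicts r_{i+1}; returns (actual, predicted)."""
    outputs = generate(seed, Q_BACKDOORED, steps)
    return outputs[1:], [predict_next(r, E, Q_BACKDOORED) for r in outputs[:-1]]
```

The attacker never learns the seed; one observed x-coordinate plus e is enough, which is the property the "self-generated basis points" in Juniper's KB article were supposed to rule out.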

Feedback:

https://twitter.com/JohnLaTwC/status/682350922710659073

https://twitter.com/JohnLaTwC/status/682352201927294976

Round Up:


Not a Bro-grammer | WTR 42
https://original.jupiterbroadcasting.net/88421/not-a-bro-grammer-wtr-42/
Wed, 30 Sep 2015 09:35:41 +0000

Holly is a software engineer at BlackLocus, a big data analyzer for Home Depot. She discusses her journey into technology that started in college & took a big detour.

Show Notes:

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So Angela, today we are going to talk to Holly Gibson. She is a programmer for BlackLocus. Yes, it was awesome, which apparently has a reference to black hole, which is bad ass. Anyway, she is working kind of on data science and she went through boot camp and she does all sorts of cool things. And we talk about all of them.
ANGELA: Yes. It’s a very good interview that we are going to get into as soon as I mention that you can support this show. If you’re listening week after week and you like the content and you would like to help in some way, you can go to Patreon.com/today. It is how the whole network of Jupiter Broadcasting is funded, but specifically, when you subscribe you are helping out Women’s Tech Radio as well. Patreon.com/today.
PAIGE: And we get started with today’s interview by asking Holly what she’s up to in tech today.
HOLLY: I’m a software engineer at BlackLocus. It’s a subsidiary of Home Depot and they do data science for Home Depot. They do a lot of web scraping and track all of Home Depot’s product catalog and their competitor’s prices so that they can price their products accurately. So lots of big data.
ANGELA: That’s really cool, because in a previous episode we were discussing that, was it Sears that needed a total IT aspect to it.
PAIGE: Yeah.
ANGELA: And so now this is similar. BlackLocus, you said?
HOLLY: Yes.
ANGELA: Yeah, for Home Depot.
HOLLY: Uh, Locus means place. They’re kind of like the black hole of the internet. They’re sucking in everything.
ANGELA: Wow.
PAIGE: I like that. That’s really cool.
ANGELA: Yeah, it is.
PAIGE: So we were essentially touching on the idea that at this point all companies are become tech companies.
ANGELA: Yeah.
HOLLY: Yes. Yes. Home Depot acquired them three years ago. They had become a client and immediately started negotiating to buy them, because their tool was so awesome.
PAIGE: Awesome. So you do data science, which I think of as kind of like a magical unicorn at this point, because no one is quite willing to nail down what that means in the tech sphere, so can you enlighten me?
HOLLY: Sure. I’m more on the software engineer side so I’m not writing the fancy algorithms that the data science people are. We’re working in Python and Java and Javascript to consume the data and wrap it and make it beautiful so that an average person can look at it and understand what it means.
PAIGE: Okay. So you write tools in Python and Javascript and stuff and then you take what they’ve done and make it so that someone like me can get their head around it?
HOLLY: Yes.
PAIGE: Very cool. What’s your favorite piece of that stack?
HOLLY: I really like all of it still. I’m a generalist engineer. I’m, you know, full stack as they say, but generalist. I dabble in a little bit of everything. I came out of a boot camp two years ago and my first job was working at an education startup doing everything from supporting the IT for the office to managing the server and the databases, doing the front end and the back end. So I really like all of it. Mainly I like solving problems. So just let me solve problems. Let me use logic and my brain and I’m happy.
PAIGE: So, boot camp, is that the way that you got into the technology field?
HOLLY: Sort of. It was a reboot. I studied Javascript and databases in college and I took over the college website and I managed it for five years. And I really enjoyed it, but I was a one woman team and solo. So it was very lonely. I didn’t have any mentors at that time. You know, web applications were just coming out and it was before Facebook, so that’s how old I am. So people were just figuring stuff out and so I didn’t know how much I knew. I thought, I’m just a beginner. I don’t know very much. I’ve done this for five years. This is fun, but now I’m going to go try a bunch of other stuff. So I sold antiques on eBay. I managed a restaurant. I did summer camps for kids with disabilities. And then two years ago I found out about a boot camp here in Austin, Texas, where I live, and my husband and I signed up to do it together. It was a three-month program over the summer. The hardest thing I’ve ever done, but got through it and really enjoyed having teachers I could ask questions from, classmates alongside of me. We were learning together. Building actual applications and projects. It was a really, really great experience.
PAIGE: What do you think was the major difference between studying at a university level and being in the boot camp. Maybe, was it the timeliness of it? Where the internet has grown so much and we have so much more to work with and so many more resources, or more like the way that the instruction was done? What was the real standout to you that made it stick this time around and didn’t last time?
HOLLY: The way the instruction was done. I think sometimes universities are behind the ball so the technology I was learning in school was already a couple years old. I went to a very small school and the classes were really little. Most of them I was by myself so the professor would hand me a text book and say go read this. Which was great, I was learning, but having the hands on experience of the boot camp really resonated with me. I’m a mechanical person. I like building. I like learning by projects. So it cemented the theory much more in my brain when I was actually doing stuff.
PAIGE: That makes total sense. So you mentioned in talking about your university that it was really confusing to you to tell what the next steps were and understanding how much you knew. Do you think that was — and then you mentioned a lack of mentors. Do you think that those two are kind of related and how have you tackled that this time around?
HOLLY: Sure. Yeah. The program that I studied in school wasn’t a traditional computer science program. It was a degree in Theology and they had just added web design, because they thought, well people might want websites. So I took all the classes, because I actually thought theology was boring. So I loved the web design and I wanted a job afterwards, and I didn’t want to be a minister. So the web design seemed like a good route to go, but then I, you know, after I had built some sites and when I was thinking about leaving the university, I wasn’t sure how to go about that, because I didn’t have a computer science degree on my resume. I didn’t know anybody in computer science. All I knew is I liked web design and I had built some stuff, but I wasn’t sure how to translate that into getting a different job. And so I kind of just gave up and went and did other stuff where I knew I could sell myself in marketing, graphic design, and stuff. Since going through the boot camp, it was great because they had relationships with local companies. They recommended we go to meetups, that we looked for mentors, that we meet people in the local tech scene. And so immediately in the boot camp we started as a class going to different meetups. Going to the JavaScript meetup. Going to the Rails meetup. And then I was really lucky to go to a Women Who Code meetup that had just started here in Austin at our bootcamp. They had the first night there and I went and it was an informational meeting and I said how can I help? And the women said how would you like to run Austin Women Who Code. So-
PAIGE: The same thing happened to me.
ANGELA: Wow.
HOLLY: Yeah.
PAIGE: Yeah, not kidding.
HOLLY: So I took it over and now two years later we have 1,200 members and it’s been awesome. So that’s really been a great avenue for me to meet other women in tech, to find mentors. But what I tell the women in my group is go to the meetups. If you see someone talking intelligently about something and you want to know more, go ask them questions. They could turn into a mentor. Like I mentioned, my first job was at an education startup by myself. So again, that’s like a one woman team and I knew I needed help. And I knew where to go. So I went to the meetups. I met some people and I was like can you help me? Explain this code. I’m not understanding this. You know, I’m all by myself. And I said, yeah, let’s meet for coffee. And I said I’ll buy you coffee. I’ll buy you tacos, whatever you want. So one guy, we started meeting weekly for about four months and he explained code to me and design patterns and different things, and really got me over the first hump in my job. And since then I’ve been kind of networking through his friends and going, so do you know of someone who knows this, and someone who knows that. And just finding where the holes are in my knowledge and who can help me with those. There’s lots of online classes and blogs and videos and those are great. I learn mostly sitting with someone in pair programming and so I’ll read books and I will look up blogs. My best source of learning is from an actual physical person. So I really do like meeting. I write. Now I’m learning Haskell and functional programming so I meet weekly with my mentor, who came through my first mentor. And it’s great, because he has a master’s in Computer Science and he’s been doing this for 15 years and I can ask so many questions. I have this wealth of knowledge in that brain.
PAIGE: So did you find it with these mentors, were they resistant to the idea of being an official mentor or were they welcoming? How did you get over the fear of asking them for that relationship?
ANGELA: Or do they know that they’re your mentor?
PAIGE: Yeah, also that.
HOLLY: That’s a funny question. Yeah, a lot of them don’t like the label mentor, but they’re getting used to it. Most of them have been fascinated to teach a woman how to program, because some of them haven’t worked as often with a woman in programming. And I’m fine with being a social experiment for them.
PAIGE: You’re their token female programmer friend.
HOLLY: Yes. And I’m fine. If they want to explain things and teach me, that’s fine. I just make sure that it’s someone I connect with, you know, on a personality level. I’m not going to work with someone who’s going to speak down to me, you know, or be a programmer. And the guys I work with have been very nice and very supportive and want to start a mentorship program for Women Who Code so that they can get more women into tech. First of all, I didn’t say will you be my mentor. I would just say will you explain some code to me. And then if they’re willing to meet, then I’ll ask do you ever mentor people. And if they’re like, no I, I don’t and I’m not sure what that means, I’ll say well I’m learning this, would you mind explaining stuff with me. Could you work with me on a weekly or a bi-weekly, bi-monthly basis. What would fit in your schedule. So far, the people I’ve met, have said oh yeah I can meet with you weekly. I’ll buy them coffee. I make sure that I’m thanking them in some way. And they have all been really casual and nice about it. And I do the same. You know, I meet with women from my Women Who Code group. We have a Sunday morning ladies coding brunch and we code every Sunday morning. And I explain things to them that my mentors are teaching me. I think it’s important that people keep giving and raising up the people below them.
PAIGE: That was totally going to be my question for you and you answered it. Do you mentor as well? That’s very awesome that you do. I love that it’s a brunch.
ANGELA: Yeah.
PAIGE: That’s perfect. It’s just perfect. Very cool. So you go from like mentor first dating. Like, can you explain this thing to me? And then if it goes well you ask for more.
HOLLY: Yes.
PAIGE: So you filled out our awesome guest form and you mentioned this and I just have to ask about it, that you rebuilt a server from a remote cabin in Finland?
HOLLY: Yeah. So, last summer our server was hacked while I was on a two-week vacation in Finland. My mother-in-law is Finnish and she has a cabin on a lake. A lot of people do there. They have saunas and cabins and stuff. And so we were on — I was on the train with my husband and they have WiFi. Finland is, you know, great tech country. You know, that’s where Linux came from and Angry Birds and everything. So there’s WiFi on the train and I was checking my email and I saw that our server had been quarantined and over the next week I got to rebuild our server. I got a hotspot from the only electronic store in the village and had about three hours of sleep a night for a week.
PAIGE: Wow, that’s crazy. I do love that though about the modern world. It’s like you can be anywhere and do what we do.
HOLLY: Yeah. I was Facetiming with my boss. There was an eight hour difference and it would be 3:00 in the morning for her, but I was awake and telling her what I had fixed, where the progress was. And what happened is our app had been built by a backend team in Siberia and they had forgotten to put a firewall on our Elasticsearch engine, it had an open facing port and it didn’t have a firewall and a robot got installed and was DDoSing other servers.
PAIGE: Oh man. That’s not fun.
HOLLY: No, but I got it fixed and that actually, that experience really made me feel like I can do this, because up to that point I’d been at that job straight out of the boot camp nine months. And it was nine months of being terrified. Do I know what I’m doing? I’m all by myself. You know, even with my mentor you have fear and sometimes the imposter syndrome and you can make things bigger than they really are in your head, because you’re not sure what’s going to happen. This is a whole new experience. You don’t know what’s coming down the road. And the unknown is more scary than the known. Well the worst thing that can happen to you is having your server hacked. But once I got through that I was like I can do anything. I’m not afraid anymore. I can solve anything.
PAIGE: Totally. So I can’t imagine that you went through that much ops during boot camp. At least with the boot camps I’ve been exposed to and know about, they don’t do a ton of server stuff. How did you dive into that? Was that something you brought from before or were you just kind of teaching yourself on the fly to fix this thing?
HOLLY: Everything I learned on the job. We used Linode so they did have some documentation. I knew the services that we used so I knew how to install them and set them up. Thankfully we used New Relic as a monitoring tool so I could see what processes were running and see that elasticsearch had a crazy amount of data being processed, because it was DDoSing other stuff. So having the right tools I think is also really important and thankfully the team in Siberia, even though they forgot the firewall, did set up New Relic and we have now — that company I had, after I came back we switched over to Heroku so we didn’t have to worry about security anymore, but I still kept New Relic because I said I need to be able to see the different processes. I need to know the health of our application and what’s going on. I Googled a lot.
PAIGE: Right.
ANGELA: Yeah.
HOLLY: And Linode did have a brief document on how to deal with a quarantined server, what tools to install to scan your files and make sure they weren’t corrupted. But mainly it was just me solving this big riddle of what happened, what’s going on, and how do I fix it.
PAIGE: That’s how I do things. You kind of dive in and start Googling.
ANGELA: Uh-huh.
HOLLY: Google knows.
PAIGE: How did you get to the point where you could kind of know what to Google? I’ve had that question from a lot of ladies as I start to mentor them or they come into Women Who Code and they’re like, well I don’t even know what to ask. Was a lot of that — where did that happen for you or did that happen for you?
HOLLY: Sure. That was one thing that I really appreciated from the boot camp. They worked with us on how do you Google. In the beginning the teachers would say oh well just Google it and I said I don’t know what to Google. Like what? What terms? Like if I’m trying to solve this how do I Google? Like what’s the tech speak. And so having them work with us a few times, then you started to get comfortable with realizing, okay these are the terms I need to search and is this bringing a result on Stack Overflow. Then I’m probably searching the right thing. You know, if I’m getting results for tech forums then, you just keep doing it and if it’s not returning the right thing, then switching out some terms and just trial and error.
PAIGE: Uh-huh.
HOLLY: Really helped. And time. As you do it more often and often then you’re going to start to know what are the key terms to search and it will get easier.
PAIGE: It is definitely a practiced skill, I would say, personally.
ANGELA: So I wanted to ask about your Ebay selling and you mentioned already a little bit that you were selling antiques.
HOLLY: Uh-huh.
ANGELA: So how did you even — did you get into Ebay when it was super — I think it was like ‘99 or 2000 that it really-
PAIGE: Yeah, right about then.
ANGELA: Became popular. When did you get into it and why?
HOLLY: 2009 is when I got into it, because my mother-in-law is a power seller. Her whole job is selling on Ebay. She had been doing it since ‘96. So after I left the university and I was looking at other things to do, she said well I can teach you a skill that you can use all the time, no matter what job you’re at. And so she showed me how to set up a store, so again, mentoring is so important.
ANGELA: Yes.
HOLLY: And she showed me how to take good pictures. She bought me a light box so that I could place the items in the light box and take quality photos and a scale so I could say how heavy the things were for jewelry. The different things that people want to know in the description of antique stuff. So having her as a resource was really great. And then also where to find the stuff. We went to a lot of estate sales and since my mother-in-law had been doing this for about 14 years she knew what kind of brands to look for and how to find good deals and we would buy box lots and sift through the stuff and she knew what could be sold by itself. What could be sold as an assortment. Having her as a mentor was great and it was fun. I never made enough money at it, because it’s something you have to really work at full time to build up enough inventory.
ANGELA: Yeah.
HOLLY: But my mother-in-law does it and she makes a good income and loves it.
PAIGE: Great.
ANGELA: I actually just went to a garage sale recently and it’s people that I actually know and they buy storage units that are unpaid and it’s just the luck of the draw. Everybody bids on it, whoever is the highest gets it. And then they have a garage sale. It’s a really interesting model, but a lot of work. A lot of footwork, but interesting.
HOLLY: A lot of footwork. So if you like that stuff, great. I was like man I don’t want to do this. This is taking me hours to make a few dollars.
ANGELA: Right. Right.
HOLLY: So I want to go work in an industry where I can make a nice amount of money for just an hour of work.
ANGELA: Yeah. If you’re passionate about finding really unique antiques or something I could see it being a fun thing to do on the side, but yeah, definitely not-
HOLLY: Definitely fun on the side.
ANGELA: A primary thing.
HOLLY: I got my furniture through an estate sale and so it’s nice to have that resource.
PAIGE: It’s amazing how, like, the skills we accumulate over a lifetime and how they affect everything.
ANGELA: Yes. Yes, definitely.
HOLLY: Yeah, it actually came back to be a benefit, because I judged at a Paypal Ebay Hackathon here in Austin and I got to say yeah I’m an Ebay seller.
PAIGE: Yeah, there you go. It’s always interesting. So one last question before we go. I wanted to know, since you mentioned it kind of before, like what tools do you use on a daily basis to do the work that you’re doing now? You said you’re in Python and Javascript, but what’s on your laptop kind of a thing?
HOLLY: Sure. The text editor I use is Sublime Text. I really like it. I have installed a bunch of different packages that help me work with the code. I use Mac, Macbook so I use iTerm as my terminal. I’m running in a virtual environment for Python using virtualenvs and, let’s see, for (indiscernible) testing we like to use Gulp or Karma. We are using Elasticsearch and Redis for our search engine. The whole team is on HipChat and then Slack if HipChat breaks.
ANGELA: Nice to have an alternative.
HOLLY: Yes. And we have a lot of fun making our own little GIFs to have emoticons. I would say those are the main tools that I’m using. We use AWS for our servers and our fancy ops guys do all of our builds as Debian packages so builds have to be done on a Linux machine, but most of the team is on Macbooks.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember, you can find the full transcript of the show over at JupiterBroadcasting.com in the show notes. You can also catch us on Twitter, @HetyWTR or email us, WTR@JupiterBroadcasting.com
PAIGE: You can also find us and subscribe on any podcasting network of your choice, including iTunes. Or check us out on YouTube if you are not a podcast person or have a friend who’s not a podcast person. Please feel free to recommend us. You can also email us directly if you have comments, feedback, or people you’d like to hear on the show; we’d love to hear about it. Our email is WTR@JupiterBroadcasting.com Thanks so much for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

The post Not a Bro-grammer | WTR 42 first appeared on Jupiter Broadcasting.

Openly Acquired | TTT 190 https://original.jupiterbroadcasting.net/84452/openly-acquired-ttt-190/ Tue, 30 Jun 2015 10:32:35 +0000 https://original.jupiterbroadcasting.net/?p=84452 Cisco announces plans to buy OpenDNS, the European Government agrees on Net Neutrality rules, Microsoft selling Bing imaging to Uber & display ads to AOL, PayPal kills its terrible robocalling policy & more! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG […]


Cisco announces plans to buy OpenDNS, the European Government agrees on Net Neutrality rules, Microsoft selling Bing imaging to Uber & display ads to AOL, PayPal kills its terrible robocalling policy & more!

Show Notes:

— Episode Links —

An Encryptioner’s Conscience | TechSNAP 217 https://original.jupiterbroadcasting.net/83272/an-encryptioners-conscience-techsnap-217/ Thu, 04 Jun 2015 17:35:50 +0000 https://original.jupiterbroadcasting.net/?p=83272 The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in! Plus some great questions, a huge round-up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video […]


The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

The sad state of SMTP (email) encryption

  • This article talks about the problems with the way email transport encryption is done
  • When clients submit mail to a mail server, and when mail servers talk to each other to exchange those emails, they have the option of encrypting that communication to prevent snooping
  • This “opportunistic” encryption happens if the server you are connecting to (as a client, or as another server), advertises the STARTTLS option during the opening exchange
  • If that keyword is there, then your client can optionally send the STARTTLS command, and switch further communications to be encrypted
  • The first problem with this is that it happens over plain text, which has no protection against modification
  • Some Cisco firewalls, and most bad guys, will simply modify the message from the server before it gets to you, to remove the STARTTLS keyword, so your client will assume the server just doesn’t speak TLS.
  • Do we maybe need something like HSTS for SMTP?
  • When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
  • But this is only the beginning of the problem
  • SSL/TLS are designed to provide 3 guarantees:
    • Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented SSL Certificate is issued by a trusted CA
    • Integrity: The message was not modified or tampered with by someone during transit. This is provided by the MAC (Message Authentication Code), a hash that is used to ensure the message has not been modified
    • Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption using a session key negotiated with the other side using asymmetric cryptography based on the SSL Certificate.
  • Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates.
  • Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
  • The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name here, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
  • But, even if we did enforce this, and reject mail sent by servers with self-signed certificates, without DNSSEC, someone could just spoof the MX records, and instead of my email being sent over an encrypted channel to your server, which I have verified, I would be given an incorrect MX record, telling me to deliver mail to mx1.evilguy.com, which has a perfectly valid SSL certificate for that domain
  • In the end, the better solution looks like it will be DNSSEC + DANE (publish the fingerprint of the correct SSL certificate as a DNS entry, alongside your MX record)
  • With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point
  • Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected. If it eventually makes it to its destination, people are much less likely to notice.
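The two halves of the argument above (opportunistic STARTTLS downgrades silently; DANE pins the certificate without trusting a CA) modelled as an added example, not code from the show notes or from any mail server. The EHLO replies, the "stripped" reply, and the DER byte strings are all constructed stand-ins, so it runs offline.

```python
"""Opportunistic vs. enforced STARTTLS, plus a DANE TLSA fingerprint check.

Added example (not from the TechSNAP notes): constructed EHLO replies show why a
client that merely prefers STARTTLS falls back to plaintext when the keyword is
absent from the reply it receives, what an enforcing policy does instead, and
how a TLSA record pins the expected certificate by hash, independently of a CA.
"""
import hashlib
from dataclasses import dataclass

# Constructed replies. The second is what the client sees after a middlebox
# has rewritten the plaintext EHLO reply so that the STARTTLS line is gone.
EHLO_INTACT = (
    "250-mx.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_STRIPPED = (
    "250-mx.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> set[str]:
    """Return the capability keywords in a multi-line EHLO reply.

    Line 1 is the greeting; each later line is "250-KEYWORD ..." or, for the
    final line, "250 KEYWORD ...". Keywords are case-insensitive (RFC 5321).
    """
    caps = set()
    for line in reply.strip().splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        body = line[4:].strip()          # drop the "250-" / "250 " prefix
        if body:
            caps.add(body.split()[0].upper())
    return caps


@dataclass(frozen=True)
class Outcome:
    delivered: bool   # did the client go on to send the message?
    encrypted: bool   # was the session upgraded with STARTTLS first?
    detail: str


def negotiate(reply: str, require_tls: bool) -> Outcome:
    """Decide what the client does after reading the EHLO reply.

    require_tls=False is the opportunistic behaviour the notes describe: no
    STARTTLS keyword means carry on in the clear. require_tls=True is the
    HSTS-like policy they ask about: no STARTTLS means nothing is sent.
    """
    if "STARTTLS" in parse_ehlo(reply):
        return Outcome(True, True, "STARTTLS offered; session upgraded to TLS")
    if require_tls:
        return Outcome(False, False, "STARTTLS missing; refusing plaintext delivery")
    return Outcome(True, False, "STARTTLS missing; delivering in plaintext")


# --- DANE: pin the certificate with a TLSA record (RFC 6698) --------------
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}   # TLSA matching types


def make_tlsa(selected: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build the TLSA presentation form a domain owner publishes beside its MX.
    selector 0 hashes the whole DER certificate, 1 the DER SubjectPublicKeyInfo;
    mtype 1 is SHA-256, 2 is SHA-512."""
    return f"{usage} {selector} {mtype} {HASHES[mtype](selected).hexdigest()}"


def tlsa_matches(record: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Verify a presented certificate against a TLSA record.

    Only usage 3 (DANE-EE: the end-entity certificate itself is pinned, so no
    CA is consulted) is accepted here, which is the setup the notes propose.
    """
    usage, selector, mtype, hexdata = record.split()
    if int(usage) != 3:
        return False
    selected = {0: cert_der, 1: spki_der}[int(selector)]
    return HASHES[int(mtype)](selected).hexdigest() == hexdata.lower()


# Constructed stand-ins for DER blobs; a real client takes them from the handshake.
CERT_DER = b"constructed-placeholder-certificate-DER"
SPKI_DER = b"constructed-placeholder-spki-DER"
OTHER_CERT_DER = b"constructed-placeholder-cert-for-some-other-host"

if __name__ == "__main__":
    for name, reply in (("intact", EHLO_INTACT), ("stripped", EHLO_STRIPPED)):
        for policy in (False, True):
            print(f"{name:8} require_tls={policy!s:5} -> {negotiate(reply, policy).detail}")
    rec = make_tlsa(CERT_DER)   # "3 0 1 <sha256 of CERT_DER>"
    print("own cert:", tlsa_matches(rec, CERT_DER, SPKI_DER),
          "| other host's cert:", tlsa_matches(rec, OTHER_CERT_DER, SPKI_DER))
```

The spoofed-MX case from the notes is the last line: a certificate that is perfectly valid for some other host still fails the pinned TLSA check, which is why the record (and the MX it sits beside) must be DNSSEC-signed to be worth anything.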

Researchers find 60 flaws in 22 common consumer network devices

  • A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
  • They found serious flaws in 22 different SOHO network devices, including those from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
  • Most of the devices they surveyed were ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact, since almost every Internet user in Spain has one of these 22 devices
  • They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices
    • Persistent Cross Site Scripting (XSS)
    • Unauthenticated Cross Site Scripting
    • Cross Site Request Forgery (CSRF)
    • Denial of Service (DoS)
    • Privilege Escalation
    • Information Disclosure
    • Backdoor
    • Bypass Authentication using SMB Symlinks
    • USB Device Bypass Authentication
    • Bypass Authentication
    • Universal Plug and Play related vulnerabilities
  • All of this makes me glad my router runs FreeBSD.
  • Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560 MHz MIPS CPU and can run FreeBSD 11 or Linux distros such as DD-WRT
  • Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

  • “CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
  • It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
  • “According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
  • “There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
  • “As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
  • “On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)”
  • So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
  • Such targeted attacks on teleworkers are a disturbing new trend
  • The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
  • “Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
  • Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian

First review of Intel’s new Broadwell desktop processors

  • The long awaited new line of desktop processors has landed
  • Problems with the new 14nm fabrication process resulted in the entire Broadwell line being delayed, significantly in the case of the desktop chip
  • The two new models are the Core i7 5775c, and Core i5 5765c with a 65W TDP
  • These Broadwell chips have a lower TDP than their top-end Haswell cousins, actually being closer to the lower clocked i7-4790S than the top end i7-4770K
  • Overall, speeds are not quite as fast as the current generation Haswell flagship processors
  • These new processors use Intel’s Iris Pro 6200 Integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
  • Broadwell will soon be replaced by Skylake, later this year, so you might want to wait to make your next big purchase
  • Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
  • In the end, it is a bit unexpected for the desktop range to include only 2 processors, and in the middle TDP, with no offerings at the lower end (35W) or higher end (88W)
  • Some of the benchmarks suggest the eDRAM may help with video encoding

Facebank | Tech Talk Today 70 https://original.jupiterbroadcasting.net/68272/facebank-tech-talk-today-70/ Mon, 06 Oct 2014 12:27:58 +0000 https://original.jupiterbroadcasting.net/?p=68272 HP is breaking up, Facebook wants to be your wallet & Bill Gates thinks Bitcoin is better than cash. Plus what is going on with Bitcoin? And are you ready for autonomous Linux powered drone boats? Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 […]


HP is breaking up, Facebook wants to be your wallet & Bill Gates thinks Bitcoin is better than cash.

Plus what is going on with Bitcoin? And are you ready for autonomous Linux powered drone boats?

Show Notes:

Hewlett-Packard Plans to Break in Two – WSJ

Hewlett-Packard plans to separate its personal-computer and printer businesses from its corporate hardware and services operations, the latest attempt by the technology company to improve its fortunes by breaking itself in two.

The company intends to announce the move on Monday, people familiar with the plan said. It is expected to make the split through a tax-free distribution of shares to stockholders next year, said one of the people.

If the division goes off as planned, it would give rise to two publicly traded companies, each with more than $50 billion in annual revenue.


The impending move, first reported Sunday by The Wall Street Journal, set off a round of speculation in the industry about whether the separation could lead to more deal making.


In 2012, under current H-P Chief Executive Meg Whitman, the company reorganized itself to combine the PC business with its more profitable printer operation, helping pave the way for the current plan.


Ms. Whitman is slated to be chairman of the PC and printer business, to be known as HP Inc., and CEO of the other company, to be called Hewlett-Packard Enterprise, said one of the people familiar with the plan. Current lead independent director Patricia Russo will be chairman of the enterprise company, while Dion Weisler, an executive in the PC and printer operation, is to be CEO of that business, this person said.

Hacked Screenshots Show Friend-To-Friend Payments Feature Hidden In Facebook Messenger | TechCrunch

Facebook Messenger is all set up to allow friends to send each other money. All Facebook has to do is turn on the feature, according to screenshots and video taken using iOS app exploration developer tool Cycript by Stanford computer science student Andrew Aude.

Facebook CEO Mark Zuckerberg said on the company’s Q2 earnings call that “over time there will be some overlap between [Messenger] and payments. […] The payments piece will be a part of what will help drive the overall success and help people share with each other and interact with businesses.” However, he urged Wall Street not to get too foamy at the mouth because it may be awhile since “there’s so much groundwork for us to do.”

He urged analysts and investors to revise their estimates of Facebook’s revenue if they expected this to come quickly. “To the extent that your models or anything reflect that we might be doing that, I strongly encourage you to adjust that, because we’re not going to. We’re going to take the time to do this in the way that is going to be right over multiple years” Zuckerberg concluded.

Bill Gates: Bitcoin Is ‘Better Than Currency’

After long remaining mostly mum on Bitcoin, Microsoft’s co-founder Bill Gates has spoken. At a financial-services industry conference in Boston, he threw his weight behind the controversial crypto currency. Well, at least as a low-cost payments solution. … “Bitcoin is exciting because it shows how cheap it can be,” he told Erik Schatzker during a Bloomberg TV’s Smart Street show interview yesterday (video). “Bitcoin is better than currency in that you don’t have to be physically in the same place and, of course, for large transactions, currency can get pretty inconvenient.” … While he seems relatively bullish on how inexpensive transacting in Bitcoin can be, Gates isn’t singing the praises of its anonymity. The billionaire alluded in an oblique, somewhat rambling fashion to some of the more nefarious anonymous uses associated with Bitcoin.

The conversation then switched to new Microsoft CEO Satya Nadella and whether this is something the Windows maker should be focusing on, and how Gates feels the new man in charge is doing in his job. Although Gates stated that he’s “very happy with what he’s doing,” curiously he went on to say that he believes the company needs to make Microsoft Office dramatically better. We’re not sure exactly what that means, but Gates was very animated about it, and he’s apparently making sure the company heeds this advice.


BG: Certainly, Microsoft should do as well or better, but of all the things Microsoft needs to do in terms of making people more productive in their work, helping them communicate in new ways. It’s a long list of opportunities Microsoft has to innovate, and taking Office and making it dramatically better would be really high on the list, that’s the kind of thing that I’m trying to make sure they move fast on. I’m very happy with what he’s doing. I see a new sense of energy. There’s a lot of opportunity there. Some things the company isn’t the leader on, and he sees he needs to change that.

US Navy Develops Robot Boat Swarm To Overwhelm Enemies

“Jeremy Hsu reports that the US Navy has been testing a large-scale swarm of autonomous boats designed to overwhelm enemies. In the test, a large ship that the Navy sometimes calls a high-value unit, HVU, is making its way down the river’s thalweg, escorted by 13 small guard boats. Between them, they carry a variety of payloads, loud speakers and flashing lights, a .50-caliber machine gun and a microwave direct energy weapon or heat ray. Detecting the enemy vessel with radar and infrared sensors, they perform a series of maneuvers to encircle the craft, coming close enough to the boat to engage it and near enough to one another to seal off any potential escape or access to the ship they are guarding. They blast warnings via loudspeaker and flash their lights. The HVU is now free to safely move away.


Rear Adm. Matthew Klunder, chief of the Office of Naval Research (ONR), points out that a maneuver that required 40 people had just dropped down to just one. “Think about it as replicating the functions that a human boat pilot would do. We’ve taken that capability and extended it to multiple [unmanned surface vehicles] operating together within that, we’ve designed team behaviors,” says Robert Brizzolara. The timing of the briefing happens to coincide with the 14-year anniversary of the bombing of the USS Cole off the coast of Yemen that killed 17 sailors. It’s an anniversary that Klunder observes with a unique sense of responsibility. “If we had this capability there on that day. We could have saved that ship. I never want to see the USS Cole happen again.”

eBay Auctions Paypal | Tech Talk Today 67 https://original.jupiterbroadcasting.net/67872/ebay-auctions-paypal-tech-talk-today-67/ Tue, 30 Sep 2014 09:44:24 +0000 https://original.jupiterbroadcasting.net/?p=67872 eBay and PayPal split & we speculate what the big picture might look like going forward. Adobe brings Photoshop to Chromebooks, Phoneblocks gets closer to reality & we bring the Kickstarters of the week in front of the judge. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube […]


eBay and PayPal split & we speculate what the big picture might look like going forward. Adobe brings Photoshop to Chromebooks, Phoneblocks gets closer to reality & we bring the Kickstarters of the week in front of the judge.

Show Notes:

eBay and PayPal are splitting up | The Verge

Citing a “rapidly changing global commerce and payments landscape,” eBay has just announced plans to separate its business into two distinct and independent companies: eBay and PayPal. Spinning off PayPal is seen as a way to refocus both companies on the “enormous opportunities” before them and to ensure that they move to grasp them as quickly as possible. Current eBay Marketplaces chief Devin Wenig will become the new eBay Inc. CEO when the restructuring is completed in the latter half of next year, while American Express executive Dan Schulman has been recruited to helm the new PayPal. He joins today as president and CEO-designee.

The separation of eBay, whose focus is facilitating online commerce, and PayPal, who wants to be seen as the leader in online payments, is something that activist investor Carl Icahn has been pushing for both publicly and behind the scenes.

Adobe brings Creative Cloud to Chromebooks starting w/ ‘Project Photoshop Streaming’ beta | 9to5Google

Google announced a new partnership with Adobe today that will see the companies bring Adobe’s suite of popular Creative Cloud apps to Chromebooks. Initially, Adobe will launch just the Photoshop app as a beta and make it available to only its education customers.

Project Photoshop Streaming is identical to the Photoshop you’d install locally with a few notable exceptions. This build can be accessed from any Chrome browser (Windows only) or Chromebook and does not require a full download and install. In other words, this is the same build of Photoshop you’d typically download and install from Creative Cloud, however, instead of being installed on your local machine, it is running in a virtualized environment so can be accessed from any Chrome browser or Chromebook. Because this version of Photoshop is running in a virtualized environment, you open, save, export and recover files from/to your Google Drive rather than your local file share. Also, this Beta version of the virtualized environment does not have support for GPU; consequently, GPU dependent features are not yet available (coming soon). This build also does not yet support print.

PHONEBLOKS.COM • PROJECT ARA NEWS

The first fully functional prototype will be shown at the second Ara developer conference, in December.

Project Ara will use a modified version of Android L, developed in collaboration with Linaro. Thanks to this version, the modules, except the CPU and the display, will be hot swappable. This means you can change them without turning the phone off. The modules will be available on a new online store, like Play store.

Ello | wtf

Ello is a simple, beautiful, and ad-free social network created by a small group of artists and designers.

We originally built Ello as a private social network. Over time, so many people wanted to join Ello that we built a public version of Ello for everyone to use.

Kickstarter of the week: iScent – Smell Your Ringtone by Qblinks — Kickstarter

iScent is a Bluetooth 4.0 atomizer which works with your phone, allowing you to use a custom scented mist as your ringtone or music.

BONUS ROUND: HAVEN: The Stronger Smarter Home Lock by Haven Smart Lock — Kickstarter

Deadbolts have gone digital, but this hasn’t made them more secure. Inspired by a break-in, HAVEN is a stronger, smarter home lock.

The post eBay Auctions Paypal | Tech Talk Today 67 first appeared on Jupiter Broadcasting.

]]>
Two-factor Exemption | TechSNAP 174 https://original.jupiterbroadcasting.net/64107/two-factor-exemption-techsnap-174/ Thu, 07 Aug 2014 20:01:30 +0000 https://original.jupiterbroadcasting.net/?p=64107 Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling. Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more! Thanks to: Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | […]

The post Two-factor Exemption | TechSNAP 174 first appeared on Jupiter Broadcasting.

]]>


Russian hackers collect 1.2 billion usernames and passwords, and while questions remain the details are compelling.

Plus simply working around two-factor authentication, crypto-malware that targets NAS Boxes, your questions, our answers and much more!

Thanks to:

DigitalOcean
Ting
iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Reportedly 1.2 billion username and password combinations found in Russian cybercrime stash

  • The data was apparently stolen from 420,000 different websites using SQL injection and other common techniques
  • Original post at Hold Security
  • “So far, the criminals have not sold many of the records online. Instead, they appear to be using the stolen information to send spam on social networks like Twitter at the behest of other groups, collecting fees for their work.”
  • The Russian cybercrime group (called CyberVor by Hold Security) appears to have used a large botnet to scan most of the internet looking for vulnerable sites and software and collecting as much data as possible
  • “Criminals were able to collect 4.5 billion records — each a user name and password — though many overlapped. After sorting through the data, Hold Security found that 1.2 billion of those records were unique”
  • Because of the varied sources of the data, the passwords are likely a combination of plain text, simple hashes (md5, sha1, sha256), esoteric hashes like md5(salt.password.salt) or md5(salt.md5(password)) etc, and proper cryptographic hashes
  • Original Coverage from 6 months ago
  • Alex Holden was the researcher who originally discovered the Adobe breach late last year, and tracked the trafficking of the stolen Target data
  • Krebs has a Q&A on the subject, based on his past work with Alex Holden and Hold Security
  • There has been a bit of backlash against Hold Security, because they are charging $120/year for their “Breach Notification Service” (BNS) to be alerted if your website was one of the ones compromised
  • Sophos and others still have questions about the data from CyberVor
  • While still under construction, there is an individual version of the service that will allow you to find out if your electronic identity was found in the possession of the CyberVor gang; it will be provided free for the first 30 days
  • This service will take a SHA512 hash of your password(s), and then compare that to the passwords in the data dump, notifying you which of your passwords may have been compromised
  • The issue with this is that if a compromised site used proper cryptographic hashes, the only way to compare the passwords without knowing your original password in plain text is to brute force the hash back to plain text. If Hold Security had your plain-text password, they could compare it to the database much more quickly and accurately, but holding it would make them a bigger security threat than the exposure of the hashed passwords
  • Additional Coverage: Forbes

PayPal 2 factor authentication contained simple bypass used for linking ebay account

  • While investigating the usefulness of the PayPal 2 Factor Authentication system, a security researcher (Joshua Rogers) was astonished to find a simple bypass
  • PayPal (owned by eBay) has a system to link your eBay account to your PayPal account to facilitate sending and receiving payments in connection with auctions
  • This system works by sending an additional HTTP GET parameter when directing the user to the PayPal login or signup page
  • By using “cmd=_integrated-registration” in the request, PayPal skips asking for any two factor authentication, allowing an attacker that knows your username and password to access your account without requiring the second factor
  • The exploit can be used without needing to have an affiliated eBay account
  • The issue was reported to PayPal on June 5th 2014, who replied on June 27th and July 4th
  • After two months the issue has not been resolved, so the researcher released his findings
  • It is not clear if the issue was reported via the PayPal Bug Bounty program, but if it was, publicly disclosing the vulnerability voids the researcher’s eligibility for the bug bounty reward
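The class of bug described above, a second-factor check that a client-supplied flow parameter can switch off, as an added Python example (not PayPal's code or the researcher's): a toy login flow with the flawed gate beside a hardened one, plus a regression check that walks every flow value and confirms an enrolled user is never let in without the second factor. Users, codes and flow names are constructed.

```python
"""Toy login gate showing how a request parameter can switch the second factor off.

Added example; users, codes and flow names below are constructed and stand in
for no real PayPal or eBay endpoint.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed user store: username -> (password, second-factor code, enrolled?)
USERS = {
    "alice": ("correct horse", "492817", True),
    "bob": ("hunter2", "", False),
}

# Flow parameters a client may send with the login request. The partner-flow
# value is the one the flawed gate treats as trusted.
FLOWS = ("_login", "_signup", "_integrated-registration", "")


@dataclass
class LoginResult:
    status: str                  # "denied", "need_second_factor" or "ok"
    second_factor_checked: bool


def _password_ok(user: str, password: str) -> bool:
    record = USERS.get(user)
    return record is not None and hmac.compare_digest(record[0].encode(), password.encode())


def _second_factor_gate(user: str, code: Optional[str]) -> LoginResult:
    """Decision depends only on the account's enrolment state and the code."""
    _, expected, enrolled = USERS[user]
    if not enrolled:
        return LoginResult("ok", False)
    if code is None:
        return LoginResult("need_second_factor", True)
    if hmac.compare_digest(expected.encode(), code.encode()):
        return LoginResult("ok", True)
    return LoginResult("denied", True)


def login_flawed(user: str, password: str, code: Optional[str], cmd: str) -> LoginResult:
    """Flawed gate: a client-controlled flow parameter skips the second factor."""
    if not _password_ok(user, password):
        return LoginResult("denied", False)
    # BUG: the cmd value, chosen by the client, decides whether the second
    # factor is required, so the password alone is enough for this flow.
    if cmd == "_integrated-registration":
        return LoginResult("ok", False)
    return _second_factor_gate(user, code)


def login_hardened(user: str, password: str, code: Optional[str], cmd: str) -> LoginResult:
    """Hardened gate: cmd may choose the post-login page, never the auth policy."""
    if not _password_ok(user, password) or cmd not in FLOWS:
        return LoginResult("denied", False)
    return _second_factor_gate(user, code)


def flows_that_skip_second_factor(login_fn: Callable[..., LoginResult],
                                  user: str, password: str) -> List[str]:
    """Regression check: with no code supplied, an enrolled user must never
    get a session from any flow value. Returns the offending flow values."""
    offenders = []
    for cmd in FLOWS:
        result = login_fn(user, password, None, cmd)
        if result.status == "ok" and not result.second_factor_checked:
            offenders.append(cmd)
    return offenders


if __name__ == "__main__":
    print("flawed   skips 2FA for:", flows_that_skip_second_factor(login_flawed, "alice", "correct horse"))
    print("hardened skips 2FA for:", flows_that_skip_second_factor(login_hardened, "alice", "correct horse"))
```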

SynoLocker malware targets Synology NAS appliances, encrypts files and demands ransom

  • New malware has surfaced that targets Synology NAS appliances exposed to the Internet
  • Users are greeted by a screen telling them that the files on their NAS have been encrypted, and directing them to use Tor to visit a website and pay a 0.6 Bitcoin (~$350) ransom to get the decryption keys to regain access to their files
  • It was not immediately clear how the NAS devices were being compromised
  • Synology reports: “Based on our current observations, this issue only affects Synology NAS servers running some older versions of DSM (DSM 4.3-3810 or earlier), by exploiting a security vulnerability that was fixed and patched in December, 2013. At present, we have not observed this vulnerability in DSM 5.0”
  • Users are encouraged to upgrade to the latest DSM 5.0 or:
    • For DSM 4.3, please install DSM 4.3-3827 or later
    • For DSM 4.1 or DSM 4.2, please install DSM 4.2-3243 or later
    • For DSM 4.0, please install DSM 4.0-2259 or later
  • If you suspect you have been affected by this, Synology recommends following these steps:
    1. Shutdown the Synology NAS to prevent any more files being encrypted
    2. Contact the Synology support team at security@synology.com or fill out the support form
  • Users whose files have already been encrypted may not be out of luck: yesterday a new service launched that can decrypt files locked by CryptoLocker, similar malware that targeted Windows

Feedback:


Round Up:



]]>
Making the Onion Cry | TechSNAP 112 https://original.jupiterbroadcasting.net/38021/making-the-onion-cry-techsnap-112/ Thu, 30 May 2013 15:52:17 +0000 https://original.jupiterbroadcasting.net/?p=38021 In an ironic twist of fate, the Onion suffers an embarrassing compromise that appears to match a new pattern of attack. We’ve got the details.

The post Making the Onion Cry | TechSNAP 112 first appeared on Jupiter Broadcasting.

]]>


In an ironic twist of fate, the Onion suffers an embarrassing compromise that appears to match a new pattern of attack. We’ve got the details.

Plus picking the right open source load balancer, Google’s aggressive new disclosure policies, a big batch of your questions, and much much more!

Thanks to:

Use our code tech249 to score .COM for $2.49!

32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Support the Show:

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension:

  • Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

    Researcher finds flaw in PayPal that may expose sensitive data

    • PayPal’s new bug bounty program opened on June 21st 2012
    • On June 29th, the security researcher in this story decided to take a look at PayPal and see if he could make some money
    • He started his quest with a search on SHODAN (search engine for service information, like version numbers etc) for ‘admin paypal’
    • He found a number of publicly accessible ‘staging’ servers for PayPal (such as stage2mb106.paypal.com)
    • He started by trying to do an authentication bypass by using SQL injection using the randomly selected username ‘lsmith’
    • This returned an error message, but also the string ‘You are logged in as Lori Smith’
    • After some more testing, he found jsmith was Janine Smith
    • He wasn’t sure what this staging admin area did yet, but after some googling he found examples of court documents dumping the details of a PayPal account, generated by the tool at admin.paypal.com
    • This is where the researcher found the first problem with PayPal’s bug bounty program. PayPal asks that all submissions be encrypted with PGP to ensure privacy, however the PGP key posted on the bug bounty program website had expired
    • On July 5th he finally got a proper PGP key and sent his report
    • July 19th – automated report that submission was received
    • August 7th – submission closed as ‘invalid’
    • August 8th – submission recategorized and reopened
    • August 21st – A hand written reply to another bug report, says the current report is still open and payment will be sent when it is fixed
    • August 29th – received payment for a ‘XSS Vulnerability’, which seems like a miscategorization, asks if this is a mistake, never gets a reply
    • Researcher’s Writeup

    • Allan has also participated in the PayPal Bug Bounty program, after finding a cache of stolen paypal accounts totaling millions of dollars (a story to be covered in depth when I get time)
    • My own disclosure to the program started on September 15th and was finally concluded today, November 21st
    • The first automated reply saying they had received the report was September 17th
    • September 20th they replied asking for some additional information
    • October 26th, Paypal apologized for the delay and notified me that while my submission did not qualify under the Bug Bounty program, due to the nature of the information they were still going to award me $1000, I should expect payment in 3 weeks
    • November 21st, I received my payment and clearance to talk about the incident

    Two FreeBSD project servers compromised by leaked SSH key

    • On November 17th the FreeBSD security officer announced that intrusions into two servers operated by the FreeBSD project had been detected on November 11th
    • The affected machines were taken offline for analysis
    • A large portion of the remaining infrastructure machines were also taken offline as a precaution
    • The two machines that were compromised were part of the legacy third-party package building infrastructure
    • It is believed that the compromise may have occurred as early as the 19th September 2012
    • The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD
    • At no time did this attack place the core FreeBSD operating system (kernel, userland, contributed apps (ssh/sshd, bind, etc)) at risk
    • However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is not taking any risks, and has thrown out all of the packages it was building for the release of FreeBSD 9.1 and building them from scratch
    • If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry
    • The Source, Ports and Documentation Subversion repositories have been audited, and the project is confident that no changes have been made to them. Any users relying on them for updates have no reason to worry
    • The project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although there is no evidence to suggest any tampering took place and such interference is unlikely, the FreeBSD Project recommends you consider reinstalling any such machines from scratch, using trusted sources
    • Additional Source

    PHP 5.5 to introduce new password hashing API

    • Official PHP RFC Wiki
    • Why do we need password hashing: to store passwords in a way such that we can verify that a user is entering the correct password, but if our database is compromised, the attacker cannot easily determine the user’s password
    • Why do we need strong cryptographic password hashing: regular hashing functions such as MD5 or even SHA512 are not sufficient. Regular hashing algorithms are designed to be fast, and for password storage that is undesirable. Additionally, a straight hash is subject to attack by rainbow tables (precalculated hashes). Password hashes add a salt to make each hash unique (even if multiple users use the same password, the salt will differ, so the hashes will differ). Password hashes also usually include a stretching or slowing step that makes the hash take longer to calculate; sha512crypt uses a loop count, doing the hash 10000 times. Some algorithms like bcrypt are resistant to acceleration by a GPU, and others such as scrypt are designed to be memory intensive to resist acceleration by ASICs or FPGAs.
    • The new PHP password hashing API makes the process of generating and validating hashes much easier, and includes a system for upgrading hashes
    • The new API allows you to optionally specify the hash to use and, if none is specified, defaults to bcrypt (the old crypt() defaulted to DES). This also means that if PHP changes the default password hash in the future, all new hashes will be made using the new algorithm
    • The API introduces a function that checks if a password hash needs to be upgraded. When a user attempts to log in, you first check that they have entered the correct password (your database contains a hash from the old algorithm, but each hash carries a marker at the front that identifies the hashing algorithm). If it is correct, you take the attempted password (which you have in plain text, since you need it to generate a hash to check against the one in your database), hash it with the new algorithm, and overwrite the copy in your database. With this system, the first time a user with an old hash logs in, their hash is upgraded to the new algorithm
    • PHP 5.5 is just coming out in beta, and will likely not see production use for a while, but you do not have to wait, there is a pure-PHP implementation for PHP 5.3
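The upgrade-on-login flow described above, as an added Python example rather than the PHP 5.5 API itself: the stored hash carries an algorithm marker at the front, legacy entries are bare MD5 hex digests (a constructed stand-in for an old scheme), and the modern algorithm is PBKDF2-HMAC-SHA256 from Python's standard library, substituted for bcrypt because Python's standard library does not ship bcrypt. The function names and the hash format are this example's own, not PHP's.

```python
"""Password hash upgrade on login, mirroring the roles of password_hash,
password_verify and password_needs_rehash from the PHP 5.5 RFC.

Added example. Format of a current hash (this example's own, not PHP's):
    $pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>
Legacy entries are bare 32-character MD5 hex digests, standing in for
whatever weak scheme an old database might hold.
"""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

ALGO = "pbkdf2-sha256"
ITERATIONS = 100_000          # stretching: the slow-down factor
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Create a salted, stretched hash with the algorithm marker in front."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"${ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against a stored hash of either format."""
    if LEGACY_MD5.match(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    try:
        _, algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored hash uses the legacy scheme or a weaker cost."""
    if LEGACY_MD5.match(stored):
        return True
    parts = stored.split("$")
    return len(parts) != 5 or parts[1] != ALGO or int(parts[2]) < iterations


def login(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Verify, and if correct and the hash is outdated, return a replacement
    hash that the caller writes back to the database. The plain-text password
    is available here only because verification needed it anyway."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored):
        return True, hash_password(password)
    return True, None


# Constructed legacy record: MD5 of "correct horse battery staple".
LEGACY_RECORD = hashlib.md5(b"correct horse battery staple").hexdigest()
```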

    iOS 6 streaming bug causes excessive data usage

    • The issue has been detailed in a blog post at PRX.org
    • They looked into it after being approached by folks at This American Life about extremely high bills from their CDN for the month of October.
    • Chris has heard from other podcasters about this issue, and for some less prepared networks/shows it’s caused a semi-DDoS effect for many hours after an episode release.
    • PRX.org was able to reproduce the issue with several podcasts in the Podcast app, including podcasts using Limelight and Akamai CDNs.
    • PRX.org was unable to reproduce the issue using iOS 5 or using iOS 6.0.1, but there are still many people using iOS 6.0.0. We believe that this issue, combined with the bug causing the phone to behave as though it is connected to WiFi even when it is not, could account for the significant data overages reported with the release of iOS 6.
    • Others have reported the issue remains in iOS 6.0.1, but is perhaps alleviated by the resolution of the wifi bug.
    • When the file has completed downloading, it begins downloading again from the beginning of the file and continues for as long as one is streaming the file.
    • As long as one is listening to audio being streamed with iOS 6, it is using significant amounts of data.
    • There appears to be a system-wide problem with the AV Foundation framework in iOS 6.0.0, impacting any App in the app store that uses that backend.
    • Apple does not appear to have acknowledged the specific issue.
    • Original PRX Labs post
    • More Coverage at Ars Technica and The Next Web

    Openwall gives talk at YaC2012 about password hashing

    • Openwall are the developers behind John the Ripper
    • Talk covers the challenges of securing against online and offline attacks
    • Covers the Pros and Cons of the YubiHSM, a USB hardware security module for servers from the makers of the YubiKey
    • Covers the future vulnerabilities of PBKDF2 and bcrypt
    • Talks about the advantages of scrypt
    • scrypt was invented by Colin Percival (former FreeBSD Security Officer), for his tarsnap secure online backup product
    • scrypt is designed to be much more secure against hardware brute-force attacks (using ASICs, FPGAs etc.): it uses a time-memory trade-off, requiring a large amount of RAM per hash, and an attacker who wants to use less memory must spend far more CPU cycles instead, making dedicated hardware attacks much more expensive to carry out
    • “if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2”
    • When used for file encryption, the cost of cracking the password is 100 billion times more than the cost of cracking the same password on a file encrypted by openssl enc
    • scrypt is now an IETF internet draft

    Feedback:

    Round Up:

    The post Tales from the BCrypt | TechSNAP 85 first appeared on Jupiter Broadcasting.

    ]]>
    Token Security | TechSNAP 64 https://original.jupiterbroadcasting.net/21117/token-security-techsnap-64/ Thu, 28 Jun 2012 15:37:03 +0000 https://original.jupiterbroadcasting.net/?p=21117 How attackers can defeat an RSA token in as little as 15 minutes. And a botched software update that shut down a bank for days.

    The post Token Security | TechSNAP 64 first appeared on Jupiter Broadcasting.

    ]]>


    How attackers can defeat an RSA token in as little as 15 minutes, the FBI has taken down an online fraud ring, and a botched software update shut down a bank for days. We’ve got the details.

    Plus some great audience questions and our answers.

    All that and more on this week’s TechSNAP!

    Thanks to:

    Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

    Limited time offers:

    $1.99/mo economy hosting for 3 months – special offer!
    Code:  199tech
    Expires:  June 30, 2012

    $3.99 .US domain!
    Code:  399us4

    Direct Download:

    HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

    RSS Feeds:

    HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

    Support the Show:

    Show Notes:

    Researchers can defeat RSA SecurID 800 tokens in under 15 minutes

    • Researchers were able to use a ‘Padding Oracle Attack’ to compromise the plain text of an imported encrypted key in under 15 minutes
    • A ‘Padding Oracle Attack’ is a side channel attack that allows an attacker to see whether a message was decrypted successfully or not
    • By purposely corrupting the encrypted message and/or its padding in different ways, and watching the error message (or even just the amount of time the device takes to attempt the decryption), the attacker gains more and more information about the encrypted message, until they are able to recover the entire message
    • The researchers developed a more efficient version of the ‘million messages attack’ that needs only a few tens of thousands of messages, and found that some devices can be attacked with as few as 3800 messages
    • Researcher Blog Post
    • Research Paper
    • Don’t Believe Everything You Read…Your RSA SecurID Token is Not Cracked
    • RSA contends that the researchers did not ‘crack’ the RSA SecurID Token, but rather that they exploited a flaw in PKCS#1v1.5
    • However the researchers show (Table 1 on Page 9 and Table 3 on Page 12) that because the RSA SecurID tokens use a very simple padding check (not checking the length of the encrypted message), they disclose more information about the encrypted message during each attempt, this results in the RSA SecurID tokens taking the least amount of time to compromise
    • The researchers were not able to afford an HSM, but postulate that their attack could compromise even the more secure ones in mere hours
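The padding-check difference the notes point at, as an added Python example (not the researchers' code and not anything from RSA): a strict PKCS#1 v1.5 type-2 unpadding routine that also enforces the block length, the minimum padding-string length and the expected key length, beside the loose leading-bytes-only check the notes describe. The sample blocks are constructed, with no real key material.

```python
"""Strict versus loose PKCS#1 v1.5 (type 2) unpadding, as an added example.

The loose check stops at the leading bytes; the strict one also pins the
block length, the padding-string minimum and the expected message length,
and reports every failure through the same return value so the caller
cannot tell which rule failed. Sample blocks are constructed.
"""
from typing import Optional


def unpad_strict(block: bytes, modulus_len: int, expected_len: int) -> Optional[bytes]:
    """Return the wrapped message, or None for any malformed block.

    A valid block is 0x00 0x02, at least 8 non-zero padding bytes, 0x00,
    then the message; exactly modulus_len bytes, message exactly expected_len.
    """
    sep = block.find(b"\x00", 2) if len(block) >= 2 else -1  # end of padding
    valid = (
        len(block) == modulus_len
        and len(block) >= 11
        and block[0] == 0x00 and block[1] == 0x02
        and sep >= 10                               # >= 8 non-zero pad bytes
        and len(block) - sep - 1 == expected_len    # message length pinned
    )
    return bytes(block[sep + 1:]) if valid else None


def unpad_loose(block: bytes) -> Optional[bytes]:
    """The kind of check the notes describe: leading bytes only, no lengths."""
    if len(block) < 3 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(b"\x00", 2)
    return None if sep == -1 else bytes(block[sep + 1:])


def make_block(message: bytes, modulus_len: int) -> bytes:
    """Constructed helper: wrap message in a valid type-2 block (fixed pad byte)."""
    pad_len = modulus_len - 3 - len(message)
    return b"\x00\x02" + bytes([0x5A] * pad_len) + b"\x00" + message
```

Even the strict routine still answers "valid or not", which is the signal a padding oracle is built on; the point the notes make is that the looser the check, the more each attempt reveals, and the fewer attempts the attacker needs.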

    PayPal starts Bug Bounty Program

    • PayPal joins the ranks of Google, Mozilla, Facebook, Barracuda and others with bug bounty programs
    • This resolves a potential legal ambiguity where researchers that were attempting to forge or modify data being sent to the paypal site, might be accused of unauthorized access rather than legitimate research
    • Colin Percival’s BSDCan 2012 Presentation – Crowdsourcing Security

    FBI-run sting operation nets 26 arrests of attempted ‘carders’

    • The operation intercepted over 400,000 compromised credit cards
    • The FBI estimates it prevented $200 million in losses (likely exaggerated)
    • The FBI notified 47 companies, government entities, and educational institutions of the breach of their networks
    • Example charges:
      • zer0 used hacking tools to steal information from the internal databases of a bank, a hotel, and various online retailers, and then sold the information to others, including an individual he believed to be a fellow carder, but who in fact was an undercover FBI agent
      • JoshTheGod (apparently a member of UGNazi) met in Manhattan with an undercover FBI agent to accept delivery of counterfeit cards encoded with stolen information. He was then arrested after attempting to withdraw funds from an ATM using one of the cards
      • kool+kake sold stolen CVVs and advertised to fellow carders that he got fresh CVV’s on a daily basis from hacking into databases around the world
        • According to PCI-DSS (the security standard for processing credit cards), CVVs are NOT allowed to be stored in a database; they are specifically designed to make databases of stolen credit cards useless, since the attacker will NOT have the CVV value (a 3 or 4 digit numeric hash of the credit card data and the bank’s secret key)

    Botched software update as Royal Bank of Scotland freezes customer accounts for days


    Feedback:

    Round-Up:


    ]]>