PornHub – Jupiter Broadcasting

Mac’s Exodus of 2017 | LAS 451
https://original.jupiterbroadcasting.net/106046/macs-exodus-of-2017-las-451/
Sun, 08 Jan 2017 20:39:41 +0000

The post Mac's Exodus of 2017 | LAS 451 first appeared on Jupiter Broadcasting.

— Show Notes: —


LinuxAcad

Brought to you by: Linux Academy

PREDICTIONS!!

Chris’ Predictions:

  • Big year for media production on Linux. Linux is damn near perfect for audio podcasting already.
  • Microsoft makes a deal with Canonical to run a product on an Ubuntu-blessed kernel.
  • A great year for Elementary OS / Solus, for different reasons that appeal to a large and not yet discovered base.
  • Plasma Desktop’s best year in ages. They’ve hit a stride and the Neon project is showing everyone the results as fast as they can ship it.
  • Gnome will likely be the biggest receiver of the Mac exodus.
  • Dell expands its Linux line to the point that I start taking them seriously as a Linux vendor.
  • Valve pulls back on Steam Machines for 2017, doubles down on Steam Link.
  • Valve brings early VR to Linux.
  • By the end of 2017, OSS file sync is mostly a finished discussion.

Noah’s Predictions:

  • IoT pisses me off more than in any year past.
  • USB3 available on every laptop sold.
  • A fall in MacBook purchases.
  • Chris mispronounces a project name.
  • JB moves to an internet-based server architecture.
  • Intensive applications such as audio/video available on Linux via the cloud.
  • Linux-based self-driving car as a service.

— PICKS —

Runs Linux

Smart Watch RUNS LINUX
  • Here’s the sad thing: on my laptop, I still am running the bloated, legacy X11 display server. I had to because I was involved in maintaining an X11 desktop environment. But Asteroid OS is 100% Wayland only. And it works like a charm:

Desktop App Pick

FSlint – Duplicate file finder for Linux

FSlint is a utility to find and clean various forms of lint on a filesystem, i.e. unwanted or problematic cruft in your files or file names. For example, one form of lint it finds is duplicate files. It has both GUI and command line modes. For more info please see the FAQ.

Thunderbird
  • Thunderbird replicates the new look and feel of Mozilla Firefox in an effort to provide a similar user experience across all Mozilla software desktop or mobile and all platforms.

  • Tabbed email lets you load emails in separate tabs so you can quickly jump between them. Tabs appear on the top of the menu bar providing a powerful visual experience and allowing the toolbars to be much more contextual.

  • Tabbed email lets you keep multiple emails open for easy reference. Double-clicking or hitting Enter on a mail message will open that message in a new tab.

  • When quitting Thunderbird, visible tabs will be saved and will be restored when you open Thunderbird the next time. There is also a Tab menu on the Tab toolbar to help you switch between tabs.

Spotlight

Commercial DAW VST Plugins on Linux

  • Unleash your creativity with this collection of inspiring, contemporary DSP effects. Compatible with all major DAW’s, your signature sound is no longer limited to a single host.

  • Introducing a collection of 16 contemporary FX plugins for use with any DAW. Utilizing the very latest algorithms and coding techniques, the plugins feature extraordinary sound quality in an extremely efficient package, allowing the plugins to be used liberally across a wide range of native computer systems. Empower your creativity with the DAW Essentials Collection.


— NEWS —

Canonical Clarifies Ubuntu Phone State: Nothing Really Until Snap-Based Image Ready

Pat shares that the Click-based Ubuntu Phone images are indeed on the way out, that there will be no new Ubuntu Phone models until there is a “Snap image”, and that they don’t plan to do an OTA-15 feature release. Canonical doesn’t plan to land any new features in the current stable PPA, but they will be providing security updates for important components.

Endless introduces Linux mini desktop PCs for American market

  • For the past few years Endless Computers has been making inexpensive Linux-based computers designed for use in emerging markets. Last summer the company also started working with PC makers to load its Endless OS software on some computers.

  • Now Endless is launching its first products designed specifically for the United States.
    The Endless Mission One and Mission Mini are small, low power computers that sell for $249 or less. They should both be available for pre-order starting January 16th.

  • Home | Endless Computers

KDE Neon Now Available as Docker Image

  • I’m announcing a beta of KDE neon on Docker. Docker containers are a lightweight way to create a virtual system running on top of your normal Linux install but with its own filesystem and other rules to stop it getting in the way of your OS. They are insanely popular now for server deployment but I think they work just as well for checking out desktop and other UI setups.

  • To give it a try first setup docker as you would for your distro. For Ubuntu distros that means running:

NVidia New ShieldTV

  • Nvidia’s Shield set-top streaming device got an update at this year’s CES, and it was a big one: The new hardware is 40 percent smaller than the original, with a new Android 7.0 Nougat-based operating system and a redesigned UI that groups games together and just generally organizes things a bit more logically. It also handles 4K HDR content streaming, and boasts the most sources available for such content of any set-top streaming device currently available.

Pornhub 2016 – Linux up by 3%

  • When it comes to porn, we usually ask if you’re more into ass or tits, though the increasingly more important question when it comes to porn consumption is Apple or Android? And Pornhub never misses a chance to report on the different behavior between different OS users. So looking back at 2016, we (of course) dug into the difference in traffic and tastes by operating systems. Let’s start with desktop. While Windows continues to dominate when it comes to which operating system users count on to watch Pornhub (about 80% of desktop users), Mac OS and Linux are on the rise, with Mac OS up 8% in traffic share and Linux up an impressive 14%.

Feedback:

Mail Bag
  • Name: frodo wiz
  • Subject: Solus Feedback

  • Message: I tried this out a few times throughout this year and was happy with it until I found out it will never support ZFS. Solus OS has some bells and whistles as far as Steam goes, except for data integrity. Simple question for Ike: Do you expect me to amass 500 gig of games over a cell phone connection and trust that data won’t get bit rot with any other file system than ZFS? Wanna re-download 10 of them over a cell connection? I didn’t think so. Ike has done a great job with Solus OS but it falls short if it leaves out ZFS. Kinda like building a car by hand and equipping it with bicycle tires. You can still drive it on some roads maybe, under some circumstances. Handicapped.

I’ve been entrusting my data to a 2 TB ZFS mirror for 2 years now and I cringe thinking about anything else. When you don’t have the time or resources, you use the best.

If Solus had ZFS, it would be a no-brainer, especially for a game machine.


  • Name: Jason
  • Subject: Getting into a Linux Career

  • Message:

I have been listening to several of the shows that Jupiter Broadcasting has, and religiously tune in to LAS and Linux Unplugged every week. You guys are doing a great job!

Would studying with Linux Academy and getting my RHCA and RHCE be enough to get into a job making a decent wage? I know there is the Catch-22 that certs are worthless without experience. However, if I am correct, RHCA and RHCE are performance-based exams. Wouldn’t that be enough to get your foot in the door?

I have taken several Linux, Windows and Cisco courses back in 2005 and 2006; however, I know a lot has changed since then.

Any advice would be greatly appreciated. Thank you for everything you guys do at Jupiter Broadcasting and I want to wish you all a belated Happy New Year!

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Twitter

Internet Power Struggle | TechSNAP 277
https://original.jupiterbroadcasting.net/101521/internet-power-struggle-techsnap-277/
Thu, 28 Jul 2016 21:35:20 +0000

The post Internet Power Struggle | TechSNAP 277 first appeared on Jupiter Broadcasting.


We’re in the middle of an epic battle for power in cyberspace & Bruce Schneier breaks it down. PHP gets broken, PornHub gets hacked & the disgruntled employee who wiped the router configs on his way out the door.

Plus great emails, a packed round up & more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

Power in the Age of the Feudal Internet

  • “We’re in the middle of an epic battle for power in cyberspace. On one side are the nimble, unorganized, distributed powers such as dissident groups, criminals, and hackers. On the other side are the traditional, organized, institutional powers such as governments and large multinational corporations. During its early days, the Internet gave coordination and efficiency to the powerless. It made them powerful, and seem unbeatable. But now the more traditional institutional powers are winning, and winning big. How these two fare long-term, and the fate of the majority of us that don’t fall into either group, is an open question – and one vitally important to the future of the Internet.”
  • “In its early days, there was a lot of talk about the “natural laws of the Internet” and how it would empower the masses, upend traditional power blocks, and spread freedom throughout the world. The international nature of the Internet made a mockery of national laws. Anonymity was easy. Censorship was impossible. Police were clueless about cybercrime. And bigger changes were inevitable. Digital cash would undermine national sovereignty. Citizen journalism would undermine the media, corporate PR, and political parties. Easy copying would destroy the traditional movie and music industries. Web marketing would allow even the smallest companies to compete against corporate giants. It really would be a new world order.”
  • “On the corporate side, power is consolidating around both vendor-managed user devices and large personal-data aggregators. It’s a result of two current trends in computing. First, the rise of cloud computing means that we no longer have control of our data. Our e-mail, photos, calendar, address book, messages, and documents are on servers belonging to Google, Apple, Microsoft, Facebook, and so on. And second, the rise of vendor-managed platforms means that we no longer have control of our computing devices. We’re increasingly accessing our data using iPhones, iPads, Android phones, Kindles, ChromeBooks, and so on. Even Windows 8 and Apple’s Mountain Lion are heading in the direction of less user control.”
  • “I have previously called this model of computing feudal. Users pledge allegiance to more powerful companies who, in turn, promise to protect them from both sysadmin duties and security threats. It’s a metaphor that’s rich in history and in fiction, and a model that’s increasingly permeating computing today.”
  • “Feudal security consolidates power in the hands of the few. These companies act in their own self-interest. They use their relationship with us to increase their profits, sometimes at our expense. They act arbitrarily. They make mistakes.”
  • “Government power is also increasing on the Internet. Long gone are the days of an Internet without borders, and governments are better able to use the four technologies of social control: surveillance, censorship, propaganda, and use control. There’s a growing “cyber sovereignty” movement that totalitarian governments are embracing to give them more control – a change the US opposes, because it has substantial control under the current system. And the cyberwar arms race is in full swing, further consolidating government power.”
  • “What happened? How, in those early Internet years, did we get the future so wrong?”
  • “The truth is that technology magnifies power in general, but the rates of adoption are different. The unorganized, the distributed, the marginal, the dissidents, the powerless, the criminal: they can make use of new technologies faster. And when those groups discovered the Internet, suddenly they had power. But when the already powerful big institutions finally figured out how to harness the Internet for their needs, they had more power to magnify. That’s the difference: the distributed were more nimble and were quicker to make use of their new power, while the institutional were slower but were able to use their power more effectively. So while the Syrian dissidents used Facebook to organize, the Syrian government used Facebook to identify dissidents.”
  • “There’s another more subtle trend, one I discuss in my book Liars and Outliers. If you think of security as an arms race between attackers and defenders, technological advances – firearms, fingerprint identification, lockpicks, the radio – give one side or the other a temporary advantage. But most of the time, a new technology benefits the attackers first.”
  • “It’s quick vs. strong. To return to medieval metaphors, you can think of a nimble distributed power – whether marginal, dissident, or criminal – as Robin Hood. And you can think of ponderous institutional power – both government and corporate – as the Sheriff of Nottingham.”
  • “So who wins? Which type of power dominates in the coming decades? Right now, it looks like institutional power.”
  • “This is largely because leveraging power on the Internet requires technical expertise, and most distributed power groups don’t have that expertise. Those with sufficient technical ability will be able to stay ahead of institutional power. Whether it’s setting up your own e-mail server, effectively using encryption and anonymity tools, or breaking copy protection, there will always be technologies that are one step ahead of institutional power. This is why cybercrime is still pervasive, even as institutional power increases, and why organizations like Anonymous are still a social and political force. If technology continues to advance – and there’s no reason to believe it won’t – there will always be a security gap in which technically savvy Robin Hoods can operate.”
  • “My main concern is for the rest of us: everyone in the middle. These are people who don’t have the technical ability to evade either the large governments and corporations that are controlling our Internet use, or the criminal and hacker groups who prey on us. These are the people who accept the default configuration options, arbitrary terms of service, NSA-installed back doors, and the occasional complete loss of their data. In the feudal world, these are the hapless peasants. And it’s even worse when the feudal lords – or any powers – fight each other. As anyone watching Game of Thrones knows, peasants get trampled when powers fight: when Facebook, Google, Apple, and Amazon fight it out in the market; when the US, EU, China, and Russia fight it out in geopolitics; or when it’s the US vs. the terrorists or China vs. its dissidents. The abuse will only get worse as technology continues to advance. In the battle between institutional power and distributed power, more technology means more damage. Cybercriminals can rob more people more quickly than criminals who have to physically visit everyone they rob. Digital pirates can make more copies of more things much more quickly than their analog forebears. And 3D printers mean that the data use restriction debate now involves guns, not movies. It’s the same problem as the “weapons of mass destruction” fear: terrorists with nuclear or biological weapons can do a lot more damage than terrorists with conventional explosives.”
  • “The more destabilizing the technologies, the greater the rhetoric of fear, and the stronger institutional power will get. This means even more repressive security measures, even if the security gap means that such measures are increasingly ineffective. And it will squeeze the peasants in the middle even more.”
  • “Transparency and oversight give us the confidence to trust institutional powers to fight the bad side of distributed power, while still allowing the good side to flourish. For if we are going to entrust our security to institutional powers, we need to know they will act in our interests and not abuse that power. Otherwise, democracy fails.”
  • “This won’t be an easy period for us as we try to work these issues out. Historically, no shift in power has ever been easy. Corporations have turned our personal data into an enormous revenue generator, and they’re not going to back down. Neither will governments, who have harnessed that same data for their own purposes. But we have a duty to tackle this problem.”
  • “Data is the pollution problem of the information age. All computer processes produce it. It stays around. How we deal with it — how we reuse and recycle it, who has access to it, how we dispose of it, and what laws regulate it — is central to how the information age functions. And I believe that just as we look back at the early decades of the industrial age and wonder how society could ignore pollution in their rush to build an industrial world, our grandchildren will look back at us during these early decades of the information age and judge us on how we dealt with the rebalancing of power resulting from all this new data.”
  • “I can’t tell you what the result will be. These are all complicated issues, and require meaningful debate, international cooperation, and innovative solutions. We need to decide on the proper balance between institutional and decentralized power, and how to build tools that amplify what is good in each while suppressing the bad.”

How we broke PHP, hacked PornHub, and earned $20,000

  • As we covered a few months ago, PornHub has opened up their new bug bounty program via Hackerone.com
  • Now, a group of researchers have collected a $20,000 bounty, and are sharing the details of how they did it
  • “We have gained remote code execution on pornhub.com and have earned a $20,000 bug bounty on Hackerone. We were also awarded with $2,000 by the Internet Bug Bounty committee.”
  • “We have found two use-after-free vulnerabilities in PHP’s garbage collection algorithm. Those vulnerabilities were remotely exploitable over PHP’s unserialize function.”
  • “After analyzing the platform we quickly detected the usage of unserialize on the website. Multiple paths (everywhere where you could upload hot pictures and so on) were affected.”
  • “In all cases a parameter named “cookie” got unserialized from POST data and afterwards reflected via Set-Cookie headers”
  • So whatever data you sent to the website while uploading was serialized and set as a cookie, which the browser then sent back with each subsequent request to be unserialized and read in again. This is one common way websites maintain state across multiple requests.
  • When the researchers modified the POST request to include a serialized PHP Exception, the PornHub website reacted to the exception.
  • “This might strike as a harmless information disclosure at first sight, but generally it is known that using user input on unserialize is a bad idea”
  • “The core unserializer alone is relatively complex as it involves more than 1200 lines of code in PHP 5.6. Further, many internal PHP classes have their own unserialize methods. By supporting structures like objects, arrays, integers, strings or even references it is no surprise that PHP’s track record shows a tendency for bugs and memory corruption vulnerabilities. Sadly, there were no known vulnerabilities of such type for newer PHP versions like PHP 5.6 or PHP 7, especially because unserialize already got a lot of attention in the past”
  • “Hence, auditing it can be compared to squeezing an already tightly squeezed lemon. Finally, after so much attention and so many security fixes its vulnerability potential should have been drained out and it should be secure, shouldn’t it?”
  • They implemented a fuzzer and started running it. Eventually they found a bug in PHP 7, but when they tried it against PornHub, it didn’t work. This suggested that PornHub used PHP 5.6. Running the fuzzer against PHP 5.6 generated more than 1 TB of logs, but no vulnerabilities.
  • “Eventually, after putting more and more effort into fuzzing we’ve stumbled upon unexpected behavior again.”
  • “A tremendous amount of time was necessary to analyze potential issues. After all, we could extract a concise proof of concept of a working memory corruption bug — a so called use-after-free vulnerability! Upon further investigation we discovered that the root cause could be found in PHP’s garbage collection algorithm, a component of PHP that is completely unrelated to unserialize. However, the interaction of both components occurred only after unserialize had finished its job. Consequently, it was not well suited for remote exploitation. After further analysis, gaining a deeper understanding for the problem’s root causes and a lot of hard work a similar use-after-free vulnerability was found that seemed to be promising for remote exploitation.”
  • “Even this promising use-after-free vulnerability was considerably difficult to exploit. In particular, it involved multiple exploitation stages.”
  • The article then goes on to explain how they exploited the use-after-free vulnerability in great detail
  • Once they had the ability to execute the code they provided, they needed a way to view the output
  • “Being able to execute arbitrary PHP code is an important step, but being able to view its output is equally important, unless one wants to deal with side channels to receive responses. So the remaining tricky part was to somehow display the result on Pornhub’s website.”
  • “Usually php-cgi forwards the generated content back to the web server so that it’s displayed on the website, but wrecking the control flow that badly creates an abnormal termination of PHP so that its result will never reach the HTTP server. To get around this problem we simply told PHP to use direct unbuffered responses that are usually used for HTTP streaming”
  • “Together with our ROP stack which was provided over POST data our payload did the following things:”
    • Created our fake object which was later on passed as a parameter to “setcookie”.
    • This caused a call to the provided add_ref function i.e. it allowed us to gain program counter control.
    • Our ROP chain then prepared all registers/parameters as discussed.
    • Next, we were able to execute arbitrary PHP code by making a call to zend_eval_string.
    • Finally, we caused a clean process termination while also fetching the output from the response body.
  • “Once running the above code we were in and got a nice view of Pornhub’s ‘/etc/passwd’ file. Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls. However, just using PHP was more convenient at this point. Finally, we dumped a few details about the underlying system and immediately wrote and submitted a report to Pornhub over Hackerone.”
  • “We gained remote code execution and would’ve been able to do the following things:”
    • Dump the complete database of pornhub.com including all sensitive user information.
    • Track and observe user behavior on the platform.
    • Leak the complete available source code of all sites hosted on the server.
    • Escalate further into the network or root the system.
  • “It is well-known that using user input on unserialize is a bad idea. In particular, about 10 years have passed since its first weaknesses have become apparent. Unfortunately, even today, many developers seem to believe that unserialize is only dangerous in old PHP versions or when combined with unsafe classes. We sincerely hope to have destroyed this misbelief. Please finally put a nail into unserialize’s coffin so that the following mantra becomes obsolete.”
  • “You should never use user input on unserialize. Assuming that using an up-to-date PHP version is enough to protect unserialize in such scenarios is a bad idea. Avoid it or use less complex serialization methods like JSON.”
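The state-cookie pattern the write-up describes, a `cookie` POST parameter fed to unserialize() and echoed back via Set-Cookie, shown next to the JSON-based replacement the researchers recommend, with an integrity tag added so clients cannot tamper with the cookie at all. This is an added example, not code from the researchers, Pornhub or the show; the key, the cookie name and the allowed keys are hypothetical.

```php
<?php
// Added example (not the researchers' or Pornhub's code). Requires PHP 7.3+
// for JSON_THROW_ON_ERROR. Key and field names below are hypothetical.

// --- Vulnerable pattern (what the write-up found): untrusted bytes reach
// unserialize(). The client controls the whole serialized string, so the
// unserializer's object and reference handling runs on hostile input.
function restoreStateUnsafe(array $post): array
{
    $state = unserialize($post['cookie'] ?? 'a:0:{}');
    return is_array($state) ? $state : [];
}

// --- Hardened pattern: JSON plus an HMAC.
// json_decode() creates no objects and resolves no references, so it exposes
// far less parser attack surface than unserialize(). The HMAC rejects any
// cookie the server did not mint, and a whitelist keeps only expected keys.
// In production load the key from a secret store, not a constant.
const STATE_KEY    = 'HYPOTHETICAL-KEY-use-random_bytes(32)-in-production';
const ALLOWED_KEYS = ['upload_step', 'album_id'];

function encodeState(array $state): string
{
    $clean = array_intersect_key($state, array_flip(ALLOWED_KEYS));
    $json  = json_encode($clean, JSON_THROW_ON_ERROR);
    $mac   = hash_hmac('sha256', $json, STATE_KEY);
    return base64_encode($json) . '.' . $mac;
}

function decodeState(?string $raw): array
{
    // Reject oversized or malformed envelopes before doing any parsing.
    if ($raw === null || strlen($raw) > 4096) {
        return [];
    }
    $parts = explode('.', $raw, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);          // strict: bad alphabet -> false
    if ($json === false) {
        return [];
    }
    // Constant-time comparison; anything not produced by encodeState() fails
    // here, so the JSON parser only ever sees server-minted data.
    if (!hash_equals(hash_hmac('sha256', $json, STATE_KEY), $mac)) {
        return [];
    }
    try {
        // Arrays only, shallow depth limit, exceptions instead of silent null.
        $state = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    if (!is_array($state)) {
        return [];
    }
    // Re-apply the whitelist and insist on scalar values.
    $state = array_intersect_key($state, array_flip(ALLOWED_KEYS));
    foreach ($state as $value) {
        if (!is_scalar($value)) {
            return [];
        }
    }
    return $state;
}

// Demo with constructed input. A real handler would call
// setcookie('state', $cookie, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
$cookie = encodeState(['upload_step' => 2, 'album_id' => 17, 'extra' => 'dropped']);
var_dump(decodeState($cookie));                   // upload_step and album_id only
var_dump(decodeState($cookie . 'x'));             // [] : tampered tag
var_dump(decodeState('a:1:{s:3:"foo";i:1;}'));    // [] : legacy blob, never parsed
```

Note that PHP 7's `allowed_classes` option for unserialize() only restricts which objects get instantiated; it does not remove the serialized-format parser from the attack surface, which is why the write-up's advice is to stop feeding user input to unserialize() altogether.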

Ex-Citibank employee wipes router configs and downs entire network

  • “Lennon Ray Brown, 38, had been working at Citibank’s Irving, Texas, corporate office since 2012, first as a contractor and later as a staff employee, when he was called in by a manager and reprimanded for poor performance.”
  • “At that point, the US Department of Justice said, the rogue employee uploaded a series of commands to Citibank’s Global Control Center routers, deleting the config files for nine of the routers and causing traffic to be re-routed through a set of backup routers. Court documents show that while there was not a complete outage, the re-routing led to “congestion” on the network and at the branch offices.”
  • “Brown admits that on December 23, 2013, he issued commands to wipe the configuration files on 10 core routers within Citibank’s internal network. The resulting outage hit both network and phone access to 110 branches nationwide – about 90 per cent of all Citibank branch offices.”
  • Brown said the following in a text message to a coworker shortly after the incident:
    • “They was firing me. I just beat them to it. Nothing personal, the upper management need to see what they guys on the floor is capable of doing when they keep getting mistreated. I took one for the team.”
    • “Sorry if I made my peers look bad, but sometimes it take something like what I did to wake the upper management up.”
  • Brown admitted the intentional damage charge in February
  • Justice Department Announcement
  • Brown has been sentenced to 21 months in jail, and a $77,000 fine

Feedback:


Round Up:

