Proxy – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Fri, 04 Oct 2019 07:03:27 +0000

The Coffee Shop Problem | TechSNAP 413
https://original.jupiterbroadcasting.net/135407/the-coffee-shop-problem-techsnap-413/
Thu, 03 Oct 2019 23:15:16 +0000

Show Notes: techsnap.systems/413

The post The Coffee Shop Problem | TechSNAP 413 first appeared on Jupiter Broadcasting.

Firecracker Fundamentals | TechSNAP 391
https://original.jupiterbroadcasting.net/128256/firecracker-fundamentals-techsnap-391/
Fri, 30 Nov 2018 08:21:16 +0000

Show Notes: techsnap.systems/391

The post Firecracker Fundamentals | TechSNAP 391 first appeared on Jupiter Broadcasting.

Bitmap Pox | TechSNAP 276
https://original.jupiterbroadcasting.net/101377/bitmap-pox-techsnap-276/
Thu, 21 Jul 2016 18:16:56 +0000

The post Bitmap Pox | TechSNAP 276 first appeared on Jupiter Broadcasting.


A new vulnerability in many websites, Oracle’s Outside In Technology, Turned Inside-Out & the value of a hacked company.

Plus your questions, our answers, a really great round up & much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

New vulnerability in many websites: HTTPoxy

  • Background #1: The CGI (Common Gateway Interface) Specification defines the standard way that web servers run backend applications to dynamically generate websites
  • CGI can be used to run Perl, PHP, Python, Ruby, Go, C, and any other language
  • To provide access to information about the original request from the user, the web server sets a number of environment variables to represent the HTTP headers that were sent with the request
  • To avoid conflicting with any existing environment variables, the headers are prefixed with HTTP_
  • So, when you pass the Accept-Encoding header, to indicate your browser supports receiving compressed data, the environment variable HTTP_ACCEPT_ENCODING gets set to the contents of that header
  • This allows your application to know what compression algorithms are supported
  • Background #2: Most tools support accessing the Internet via a proxy, and in UNIX, this is usually configured by setting an environment variable, which happens to be named: HTTP_PROXY
  • “httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict:”
    • RFC 3875 (CGI) puts the HTTP Proxy header from a request into the environment variables as HTTP_PROXY
    • HTTP_PROXY is a popular environment variable used to configure an outgoing proxy
  • “This leads to a remotely exploitable vulnerability. httpoxy is a vulnerability for server-side web applications. If you’re not deploying code, you don’t need to worry.”
  • “What can happen if my web application is vulnerable? If a vulnerable HTTP client makes an outgoing HTTP connection, while running in a server-side CGI application, an attacker may be able to:”
    • Proxy the outgoing HTTP requests made by the web application
    • Direct the server to open outgoing connections to an address and port of their choosing
    • Tie up server resources by forcing the vulnerable software to use a malicious proxy
  • “httpoxy is extremely easy to exploit in basic form. And we expect security researchers to be able to scan for it quickly. Luckily, if you read on and find you are affected, easy mitigations are available.”
  • So, I can send a header that will cause your application to make all of its connections, even to things like your backend API, via a proxy that I control. This could allow me to get access to passwords and other data that you thought would only ever be transmitted over your internal network.
  • Timeline:
    • March 2001: The issue is discovered in libwww-perl and fixed. Reported by Randal L. Schwartz
    • April 2001: The issue is discovered in curl, and fixed there too (albeit probably not for Windows). Reported by Cris Bailiff.
    • July 2012: In implementing HTTP_PROXY for Net::HTTP, the Ruby team notice and avoid the potential issue. Nice work Akira Tanaka!
    • November 2013: The issue is mentioned on the NGINX mailing list. The user humbly points out the issue: “unless I’m missing something, which is very possible”. No, Jonathan Matthews, you were exactly right!
    • February 2015: The issue is mentioned on the Apache httpd-dev mailing list. Spotted by Stefan Fritsch.
    • July 2016: Scott Geary, an engineer at Vend, found an instance of the bug in the wild. The Vend security team found the vulnerability was still exploitable in PHP, and present in many modern languages and libraries. We started to disclose to security response teams.
  • So this issue was found and dealt with in Perl and cURL in 2001, but it was not advertised widely enough to make people aware that it could also affect every other CGI application and language
  • Luckily, it is fairly easy to solve: the site provides instructions for fixing most popular web servers, including NGINX, Apache, Varnish, Relayd, HAProxy, lighttpd, Microsoft IIS, and others
  • The fix is simple: remove or blank out the ‘Proxy’ header before it is passed to the application. Since this is a non-standard header that should never be used, it is safe to just delete it
  • Other mitigations: firewall the web server so it cannot make outgoing requests, or use HTTPS for all internal requests so they cannot be snooped upon.
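To make the namespace collision and the two fixes concrete, here is an added Python example; it is not code from the httpoxy site or from the show. It applies the RFC 3875 header-to-environment mapping to a constructed request, shows a naive client picking up HTTP_PROXY from that environment, and then the two guards: the server dropping the ‘Proxy’ header before building the environment (the fix the notes recommend), and a client-side rule of this example’s own design, in the spirit of the library fixes in the timeline, that ignores HTTP_PROXY whenever REQUEST_METHOD is set. The sample headers and the proxy address are constructed placeholders.

```python
"""HTTPoxy in miniature: how a request header becomes HTTP_PROXY, and the
server-side and client-side guards against it.  Added example, not code from
the httpoxy site or the show."""


def header_to_env_name(header: str) -> str:
    """RFC 3875 mapping: upper-case the header name, replace '-' with '_',
    and prefix HTTP_.  'Accept-Encoding' -> HTTP_ACCEPT_ENCODING,
    'Proxy' -> HTTP_PROXY (the namespace collision)."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def build_cgi_environ(headers, strip_proxy=True):
    """Build the environment a CGI web server hands to the application.
    With strip_proxy=True the non-standard 'Proxy' header is dropped before
    the environment is built, which is the server-side fix in the notes."""
    env = {"REQUEST_METHOD": "GET"}   # always present in a CGI request
    for name, value in headers:
        if strip_proxy and name.strip().lower() == "proxy":
            continue
        env[header_to_env_name(name)] = value
    return env


def has_proxy_header(headers) -> bool:
    """Detection hook: flag a request that carries a 'Proxy' header so it
    can be logged, since no legitimate client sends one."""
    return any(name.strip().lower() == "proxy" for name, _ in headers)


def outgoing_proxy_naive(env):
    """How a naive HTTP client library picks its proxy: it trusts HTTP_PROXY
    from the environment no matter what put it there."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def outgoing_proxy_guarded(env):
    """Client-side guard (this example's own rule, in the spirit of the
    library fixes listed in the timeline): if REQUEST_METHOD is set, the
    process is serving a CGI request and HTTP_PROXY may have come from the
    client, so it is ignored."""
    if "REQUEST_METHOD" in env:
        return None
    return outgoing_proxy_naive(env)


# Constructed sample request: one ordinary header plus an injected 'Proxy'
# header carrying a placeholder address.
SAMPLE_HEADERS = [
    ("Accept-Encoding", "gzip"),
    ("Proxy", "rogue-proxy.example:8080"),
]


def demo(headers=SAMPLE_HEADERS):
    """Return the proxy each combination of server and client would use."""
    unpatched = build_cgi_environ(headers, strip_proxy=False)
    patched = build_cgi_environ(headers, strip_proxy=True)
    return {
        "flagged": has_proxy_header(headers),
        "naive_client, unpatched_server": outgoing_proxy_naive(unpatched),
        "naive_client, patched_server": outgoing_proxy_naive(patched),
        "guarded_client, unpatched_server": outgoing_proxy_guarded(unpatched),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The client-side rule has a cost worth knowing: a CGI application that genuinely needs an outgoing proxy can no longer read it from HTTP_PROXY at all and must take it from a differently named variable that no request header can map onto. The server-side strip has no such cost, which is why the notes lead with it.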

Oracle’s Outside In Technology, Turned Inside-Out

  • From Oracle’s Outside In Technology, Turned Inside-Out Site: “Outside In Technology is a suite of software development kits (SDKs) that provides developers with a comprehensive solution to extract, normalize, scrub, convert and view the contents of 600 unstructured file formats.”
  • In April, Talos blogged about one of the OIT-related arbitrary code execution bugs patched by Oracle.
  • The impact of that vulnerability, plus these additional eighteen OIT bugs disclosed in these findings, is severe because so many third-party products use Oracle’s OIT to parse and transform files.

A review of an OIT-related CERT advisory from January 2016 reveals a large list of third-party products, especially security and messaging-related products, that are affected. The list of products that, according to CERT, rely on Oracle’s Outside In SDK includes:


Krebs: The value of a hacked company

  • Based on his previous infographic, the value of a hacked email address, this new post covers the value of a hacked company
  • “Most organizations only grow in security maturity the hard way — that is, from the intense learning that takes place in the wake of a costly data breach. That may be because so few company leaders really grasp the centrality of computer and network security to the organization’s overall goals and productivity, and fewer still have taken an honest inventory of what may be at stake in the event that these assets are compromised.”
  • “If you’re unsure how much of your organization’s strategic assets may be intimately tied up with all this technology stuff, ask yourself what would be of special worth to a network intruder. Here’s a look at some of the key corporate assets that may be of interest and value to modern bad guys.”
  • There is a lot of value that an attacker can extract from a hacked company:
    • Intellectual property, like trade secrets, plans, or even just a list of customers
    • Physical property: desktops, backups, telecom equipment, access to VoIP infrastructure
    • Partners: access to other companies that the hacked company deals with, whether for phishing those companies, accessing their bank details, or spreading the compromise to their network
    • HR data: information about employees, for tax fraud, insurance fraud, identity theft, or as further targeting data for future attacks
    • Financials: draining the company bank account, company credit card details, customer credit card details, employee bank account details (payroll), sensitive financial data
    • Virtual property: access to cloud services, websites (watering hole attacks), software licenses, encryption keys, etc.
  • “This isn’t meant to be an exhaustive list; I’m sure we can all think of other examples, and perhaps if I receive enough suggestions from readers I’ll update this graphic. But the point is that whatever paltry monetary value the cybercrime underground may assign to these stolen assets individually, they’re each likely worth far more to the victimized company — if indeed a price can be placed on them at all.”
  • “In years past, most traditional, financially-oriented cybercrime was opportunistic: That is, the bad guys tended to focus on getting in quickly, grabbing all the data that they knew how to easily monetize, and then perhaps leaving behind malware on the hacked systems that abused them for spam distribution.”
  • “These days, an opportunistic, mass-mailed malware infection can quickly and easily morph into a much more serious and sustained problem for the victim organization (just ask Target). This is partly because many of the criminals who run large spam crime machines responsible for pumping out the latest malware threats have grown more adept at mining and harvesting stolen data.”
  • “It’s also never been easier for disgruntled employees to sell access to their employer’s systems or data, thanks to the proliferation of open and anonymous cybercrime forums on the Dark Web that serve as a bustling marketplace for such commerce.”
  • “Organizational leaders in search of a clue about how to increase both their security maturity and the resiliency of all their precious technology stuff could do far worse than to start with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST), the federal agency that works with industry to develop and apply technology, measurements, and standards. This primer (PDF) from PWC does a good job of explaining why the NIST Framework may be worth a closer look.”

Feedback:

Mention: Networking for Information Security/Penetration Testing

Round Up:


One NAT to Rule Them | LINUX Unplugged 153
https://original.jupiterbroadcasting.net/101111/one-nat-to-rule-them-lup-153/
Tue, 12 Jul 2016 20:33:48 +0000

The post One NAT to Rule Them | LINUX Unplugged 153 first appeared on Jupiter Broadcasting.


Chris discovers he’s being snooped on by his ISP, and we discuss some Linux-friendly solutions to the situation. Is Linux Mint 18 really the best Linux distro ever? Or should Ubuntu 16.04 be getting more of the credit?

Plus our chat with a Matrix.org developer, Solus goes rolling, Unity on Windows & building a long-term financially sustainable open source product.


Thanks to: Ting, DigitalOcean, Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Follow Up / Catch Up

Linux Mint 18: The best desktop — period | ZDNet

I’ve been using Linux desktops since the leading desktop front-end was Bash. Things have changed in those 25 years. Today, the best Linux desktop is the latest version of Linux Mint: Linux Mint 18 Sarah with the Cinnamon 3.0 interface.

Latest Vivaldi Browser Snapshot Improves Tab Hibernation on GNU/Linux Distros

“Good news for Linux users! You can now hibernate tabs while the browser is running,” said Magnus Peter Langeland. “Choose Hibernate Tab to hibernate the selected tab or Hibernate Background Tabs to hibernate all other tabs in the window. Oh and remember, you cannot hibernate a tab while you are viewing its contents.”

ICSI Netalyzr — Command-line Client

Debug your Internet.

  • Any good Linux friendly VPN providers?

Chris’s Coverage


DigitalOcean

You Can Now Run Ubuntu Linux with the Unity Desktop on Top of Windows 10 – Updated

After doing all sorts of tricks in the CompizConfig Settings Manager (CSSM) GUI configuration tool for Compiz, and using a combination of VcXsrv and XLaunch, two applications for configuring and setting up a Windows X server, he has managed to run Ubuntu 14.04.4 LTS with the Unity desktop environment on top of Windows 10.

Linux’s AV Stack Adding Awesome Features

Beamforming as a concept is used in various aspects of signal processing including radio waves, but I’m going to be talking about it only as applied to audio. The basic idea is that if you have a number of microphones (a mic array) in some known arrangement, it is possible to “point” or steer the array in a particular direction, so sounds coming from that direction are made louder, while sounds from other directions are rendered softer (attenuated).

Practically speaking, it should be easy to see the value of this on a laptop, for example, where you might want to focus a mic array to point in front of the laptop, where the user probably is, and suppress sounds that might be coming from other locations. You can see an example of this in the webcam below. Notice the grilles on either side of the camera — there is a microphone behind each of these.

Pronounced sphere, SPHVR is a python video player using gst-plugins-vr. Currently it is capable of opening a URL of an equirectangular mapped spherical video.

CopperheadOS – Secure Android

CopperheadOS currently supports the Nexus 5, Nexus 9, Nexus 5X and Nexus 6P.

TING

Nylas N1

But right now, Nylas N1 is also free as in free beer, and that’s a problem. Due to its popularity, the API traffic for N1 users has dramatically eclipsed the combined volume of all other apps built on the Nylas Cloud APIs. We already sync several hundred terabytes of data for our users and are adding tens of thousands of new users each month. It’s costing us real dollars.

Dekko Is Shaping Up Nicely for Desktop Convergence
  • Dekko developer Dan Chapman shared some images of a new, converged Dekko for the desktop on Google+, under the title “An all new Dekko is coming!”.

Linux Academy

What’s Going on with Matrix.org?

Matrix is an open specification for an online communication protocol. It includes all the features you’d expect from a modern chat platform including instant messaging, group chats, audio and video calls, searchable message history, synchronization across all your devices, and end-to-end encryption. Matrix is federated, so no single company controls the system or your data. You can use an existing server you trust or run your own, and the servers synchronize messages seamlessly. Learn more in the Introduction to Matrix.

This week, we’re officially launching Vector, a forward-looking open source collaboration app, and the very first production-ready application built on top of the Matrix open standard. In fact Vector Web has been around for a bit, growing and being polished with the help of a passionate community of pioneers and they’ve done a great job of supporting us with useful feedback! And now the mobile apps are out! ☺ So today Vector is ready to be shared more widely as a proper beta.

Support Jupiter Broadcasting on Patreon

Why the US Stays in Afghanistan | Unfilter 163
https://original.jupiterbroadcasting.net/89496/why-the-us-stays-in-afghanistan-unfilter-163/
Wed, 21 Oct 2015 21:23:12 +0000

The post Why the US Stays in Afghanistan | Unfilter 163 first appeared on Jupiter Broadcasting.


It’s called the longest war in US history, so why does the US fight in Afghanistan? Is it the poppyseeds? Maybe it’s the oil? Or perhaps there’s a much bigger, longer-term reason the US has for staying there. We look into the big elephant sitting in the room.

Plus the latest in the hunt for home grown terrorist, the stoner who hacked the CIA director’s AOL email & the drone policy you need to know about.

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon.

Show Notes:

— Episode Links —

What is the TPP | Unfilter 162
https://original.jupiterbroadcasting.net/89161/what-is-the-tpp-unfilter-162/
Wed, 14 Oct 2015 21:02:51 +0000

The post What is the TPP | Unfilter 162 first appeared on Jupiter Broadcasting.


The Trans Pacific Partnership, Obama’s big legacy making deal is signed. Early details about how it handles copyright law, the pharma industry & labor have been leaked. We dig into how the TPP will impact online intellectual property & consumers.

Plus deeper look at Russia’s involvement in Syria, a high note & much more!

Direct Download:

Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

Video Feed | MP3 Feed | OGG Feed | HD Torrent | Mobile Torrent | iTunes

Become an Unfilter supporter on Patreon.

Show Notes:

— Episode Links —

CIA Weapons now flooding into Syria since Russian support began.

The American-made TOW antitank missiles began arriving in the region in 2013, through a covert program run by the United States, Saudi Arabia and other allies to help certain C.I.A.-vetted insurgent groups battle the Syrian government.
The weapons are delivered to the field by American allies, but the United States approves their destination. That suggests that the newly steady battlefield supply has at least tacit American approval, now that Russian air power is backing President Bashar al-Assad.
“By bombing us, Russia is bombing the 13 ‘Friends of Syria’ countries,” he said, referring to the group of the United States and its allies that called for the ouster of Mr. Assad after his crackdown on political protests in 2011.

The C.I.A. program that delivered the TOWs (an acronym for tube-launched, optically tracked, wire-guided missiles) is separate from — and significantly larger than — the failed $500 million Pentagon program that was canceled last week after it trained only a handful of fighters. That was unsuccessful largely because few recruits would agree to its goal of fighting only the militant Islamic State and not Mr. Assad.

Rebel commanders scoffed when asked about reports of the delivery of 500 TOWs from Saudi Arabia, saying it was an insignificant number compared with what is available. Saudi Arabia in 2013 ordered more than 13,000 of them. Given that American weapons contracts require disclosure of the “end user,” insurgents said they were being delivered with Washington’s approval.

Completely Unplugged | LINUX Unplugged 111
https://original.jupiterbroadcasting.net/88006/completely-unplugged-lup-111/
Wed, 23 Sep 2015 10:22:43 +0000

The post Completely Unplugged | LINUX Unplugged 111 first appeared on Jupiter Broadcasting.


A special edition of the Unplugged show, Chris joins the Virtual LUG from the road & Noah and Wes host the show. They compare and contrast Fedora and Arch & the nice new features of Fedora 23.

Then everyone has their own perspective on home automation, from security to convenience. We have a great discussion about the broader ramifications of home automation.

Then we wrap it all up with some closing thoughts on using Linux & open source to live offline, like you’re online.

Thanks to: Ting, DigitalOcean, Linux Academy

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon.

Show Notes:

Pre-Show:

I've been tinkering with Numix Project on Ubuntu MATE 15.04. Everything integrated very nicely indeed.


Feedback:

A modern, elegant, and powerful operating system based on one of the best Linux distributions available, Arch Linux. Users need not be linux experts nor developers in order to use antergos. From long-time linux users to linux users of only a few months, antergos is for everyone.

Rover Log – Live Tracker

Grand Forks Roadtrip Meetup

TING

This guy’s light bulb performed a DoS attack on his entire smart house

The challenge of being a futurist pioneer is being Patient Zero for the future’s headaches.
In 2009, Raul Rojas, a computer science professor at the Free University of Berlin (and a robot soccer team coach), built one of Germany’s first “smart homes.” Everything in the house was connected to the Internet so that lights, music, television, heating and cooling could all be turned on and off from afar. Even the stove, oven, and microwave could be turned off with Rojas’s computer, which prevented some potential panic attacks about leaving an appliance on after exiting the house. One of the few things not connected in the house were the locks. Automated locks Rojas bought in 2009 are still sitting in a drawer waiting to be installed. “I was afraid of not being able to open the doors,” Rojas said in a phone interview.

About two years ago, Rojas’s house froze up, and stopped responding to his commands. “Nothing worked. I couldn’t turn the lights on or off. It got stuck,” he says. It was like when the beach ball of death begins spinning on your computer—except it was his entire home.

It wasn’t quite as bad as the “nightmare on connected home street” dreamed up by Wired last year, in which a fictional smart home’s obsolete technology gets loaded up with viruses and malware and starts misbehaving and uploading naked photos of its owner. Rojas—a professor who specializes in artificial intelligence—knows his way around a network well enough to cure his own home. And, when he investigated, it turned out that the culprit was a single, connected light bulb.
“I connected my laptop to the network and looked at the traffic and saw that one unit was sending packets continuously,” said Rojas. He realized that his light fixture had burned out, and was trying to tell the hub that it needed attention. To do so, it was sending continuous requests that had overloaded the network and caused it to freeze. “It was a classic denial of service attack,” says Rojas. The light was performing a DoS attack on the smart home to say, ‘Change me.’”
Rojas changed the bulb, which fixed the problem. But his issue points to other potential problems for homeowners who opt for connected devices.

DigitalOcean

Fedora 23 Beta released!

The Fedora 23 Beta is here, right on schedule for our planned October final release! Want to help make Fedora 23 be the best release ever, or just want to get a sneak peek? Download the prerelease from our Get Fedora site and give it a whirl:

Linux Academy

Live Offline Like Your Online (Powered by Linux) Part 2

  • Chris Follows up on using Linux to live offline.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

Post Show:

Two Factor Falsification | TechSNAP 206
https://original.jupiterbroadcasting.net/79162/two-factor-falsification-techsnap-206/
Thu, 19 Mar 2015 18:47:44 +0000

The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.


Microsoft takes 4 years to fix a nasty bug, how to bypass 2 factor authentication in the popular ‘Authy’ app.

Hijacking a domain with photoshop, hardware vs software RAID revisited, tons of great questions, our answers & much much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon.

Show Notes:

Microsoft took 4 years to recover privileged TLS certificate addresses

  • The way TLS certificates are issued currently is not always foolproof
  • In order to get a TLS certificate, you must prove you own the domain that you are attempting to request the certificate for
  • Usually, the way this is done is sending an email to one of the administrative addresses at the domain, like postmaster@, hostmaster@, administrator@, or abuse@
  • The problem comes when webmail services, like hotmail, allow these usernames to be registered
  • That is exactly what happened with Microsoft’s live.be and live.fi
  • A Finnish man reported to Microsoft that he had been able to get a valid HTTPS certificate for live.fi by registering the address hostmaster@live.fi
  • It took Microsoft four to six weeks to solve the problem
  • Additional Coverage – Ars Technica
  • When this news story came out, another man, from Belgium, came forward to say he reported the same problem with live.be over 4 years ago
  • “After the Finnish man used his address to obtain a TLS certificate for the live.fi domain, Microsoft warned users it could be used in man-in-the-middle and phishing attacks. To foreclose any chance of abuse, Microsoft advised users to install an update that will prevent Internet Explorer from trusting the unauthorized credential. By leaving similar addresses unsecured, similar risks may have existed for years.”

Bypass 2 factor authentication in popular ‘Authy’ app

  • Authy is a popular reusable 2 factor authentication API
  • It allows 3rd party sites to easily implement 2 factor authentication
  • Maybe a little too easily
  • When asked for the verification code that is sent to your phone after a request to Authy is received, simply entering ../sms gives you access to the application
  • The problem is that the 3rd party sites send the request, and just look for a ‘success’ response
  • However, because the input is interpreted in the URL, the number you enter is not fed to: https://api.authy.com/protected/json/verify/1234/authy_id as it is expected to be
  • But rather, the url ends up being: https://api.authy.com/protected/json/verify/../sms/authy_id
  • Which is actually interpreted by the Authy API as: https://api.authy.com/protected/json/sms/authy_id
  • This API call is the one used to actually send the code to the user
  • This call sends another token to the user and returns success
  • The 3rd party application sees the ‘success’ part, and allows the user access
  • It seems like a weak design, there should be some kind of token that is returned and verified, or the implementation instructions for the API should be explicit about checking “token”:”is valid” rather than just “success”:true
  • Also, the middleware should probably not unescape and parse the user input
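To show both weaknesses from the integrator's side, here is an added Python example; it is not Authy's code or the show's. It builds the verify URL the way the notes describe, normalizes the path to show which endpoint the API really receives, and then the hardened version: a format check on the code before it ever touches the URL, plus a response check that requires the verification result rather than a bare success flag. The API path is the one quoted in the notes; the 6–8 digit code format and the response shapes are assumptions of this example.

```python
"""Authy-style verify call: the weak pattern from the show notes next to a
hardened one.  Added example, not code from Authy or from the show."""
import posixpath
import re
from urllib.parse import quote, urlsplit

# Endpoint path as quoted in the show notes.
API_BASE = "https://api.authy.com/protected/json"


def is_valid_code(code: str) -> bool:
    """Whitelist the code format (6-8 digits is this example's assumption).
    Anything else, including '/', '.' or '%', is rejected outright."""
    return re.fullmatch(r"[0-9]{6,8}", code) is not None


def build_verify_url_unsafe(code: str, authy_id: str) -> str:
    """The pattern the notes describe: user input pasted straight into the
    URL path, so a code containing a path segment changes the endpoint."""
    return f"{API_BASE}/verify/{code}/{authy_id}"


def build_verify_url_safe(code: str, authy_id: str) -> str:
    """Hardened: validate the code, force the id to an integer, and
    percent-encode the code anyway so it can never form a new segment."""
    if not is_valid_code(code):
        raise ValueError("verification code must be 6-8 digits")
    return f"{API_BASE}/verify/{quote(code, safe='')}/{int(authy_id)}"


def effective_path(url: str) -> str:
    """Resolve '.' and '..' segments the way a server-side router would, to
    show which endpoint a URL really reaches."""
    return posixpath.normpath(urlsplit(url).path)


# Constructed API responses (shapes assumed for this example, following the
# notes' description): sending an SMS also reports success, but only a real
# verification carries the token result.
RESPONSE_SMS_SENT = {"success": True, "message": "SMS token was sent"}
RESPONSE_VERIFIED = {"success": True, "token": "is valid"}
RESPONSE_REJECTED = {"success": False, "message": "Token is invalid"}


def grants_access_weak(response: dict) -> bool:
    """What the notes say vulnerable integrations did: any 'success' wins."""
    return response.get("success") is True


def grants_access_strict(response: dict) -> bool:
    """Require the field that only the verify endpoint would return."""
    return response.get("success") is True and response.get("token") == "is valid"


if __name__ == "__main__":
    for code in ("123456", "../sms"):
        url = build_verify_url_unsafe(code, "42")
        print(f"{code!r:10} -> {effective_path(url)}")
    print(build_verify_url_safe("123456", "42"))
    print("weak check on SMS response  :", grants_access_weak(RESPONSE_SMS_SENT))
    print("strict check on SMS response:", grants_access_strict(RESPONSE_SMS_SENT))
```

Either guard alone closes the hole described in the notes; doing both is the usual choice because the format check stops the request from ever reaching the wrong endpoint, while the strict response check protects the integration even if the API's routing changes later.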

Hijacking a domain

  • An article in which a reporter had a security researcher steal his GoDaddy account and document how it was done
  • A combination of social engineering, publicly available information, and a photoshopped government ID allowed the security researcher to take over the GoDaddy account, and all of the domains inside it
  • This could allow:
    • an attacker to inject malware into your site
    • redirect your email, capturing password reset emails from other services
    • redirect traffic from your website to their own
    • issue new SSL certificates for your sites, allowing them to perform man-in-the-middle attacks on your visitors with a valid SSL certificate
  • Some of the social engineering steps:
    • Create a fake Social Media profile in the name of the victim (with the fake picture of them)

    • Create a gmail address in the name of the victim

    • Call and use myriad plausible excuses for why you do not have the required information:
      • “Please provide your PIN?” I don’t remember setting up a PIN number
      • my assistant registered the domain for me, so I don’t have access to the email address used
      • my assistant used the credit card ending in: 4 made-up numbers
      • create a sense of urgency: “I apologized, both for not having the information and for my daughter yelling in the background. She laughed and said it wasn’t a problem”
    • GoDaddy requires additional verification if the domain is registered to a business; however, since many people make up a business name when they register a domain, it is very common for these businesses not to actually exist, and there are loopholes
    • Often, you can create a letter on a fake letterhead, and it will be acceptable
  • In the end, customer support reps are there to help the customer; it is usually rather difficult for them to get away with refusing to help because the customer lacks the required details or seems suspicious
  • GoDaddy’s automated system sends notifications when changes are made; however, in this case it is often too late, as the attacker has already compromised your account
  • GoDaddy issued a response: “GoDaddy has stringent processes and a dedicated team in place for verifying the identification of customers when a change of account/email is requested. While our processes and team are extremely effective at thwarting illegal requests, no system is 100 percent efficient. Falsifying government issued identification is a crime, even when consent is given, that we take very seriously and will report to law enforcement where appropriate.”
  • It appears that Hover.com (owned by Tucows, the same company that owns Ting) is one of the only registrars that does not allow photo ID as a form of verification, stating “anyone could just whip something up in Photoshop.”
  • GoDaddy notes that forging government ID (in Photoshop or otherwise) is illegal

Feedback:


Round Up:


The post Two Factor Falsification | TechSNAP 206 first appeared on Jupiter Broadcasting.

Home Depot Credit Repo | TechSNAP 178 https://original.jupiterbroadcasting.net/65977/home-depot-credit-repo-techsnap-178/ Thu, 04 Sep 2014 18:57:14 +0000 https://original.jupiterbroadcasting.net/?p=65977 Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and whats behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken. Plus a great batch of […]

The post Home Depot Credit Repo | TechSNAP 178 first appeared on Jupiter Broadcasting.


Home Depot is breached, and the scale could be much larger than the recent Target hack & we discuss the explosion of fake cell towers in the US, and whats behind it. Then the tools used in the recent celebrity photo leak & the steps that need to be taken.

Plus a great batch of your questions, our answers & much more!

Thanks to: DigitalOcean, Ting, iXsystems

— Show Notes: —

Krebs: Banks report breach at Home Depot. Update: Almost all home depot stores hit

  • Sources from multiple banks have reported to Brian Krebs that the common retailer in a series of stolen credit cards appears to be Home Depot
  • Home Depot’s spokesperson Paula Drake, reading from a prepared statement, said: “I can confirm we are looking into some unusual activity and we are working with our banking partners and law enforcement to investigate. Protecting our customers’ information is something we take extremely seriously, and we are aggressively gathering facts at this point while working to protect customers. If we confirm that a breach has occurred, we will make sure customers are notified immediately. Right now, for security reasons, it would be inappropriate for us to speculate further – but we will provide further information as soon as possible.”
  • “Several banks contacted by this reporter said they believe this breach may extend back to late April or early May 2014. If that is accurate — and if even a majority of Home Depot stores were compromised — this breach could be many times larger than Target, which had 40 million credit and debit cards stolen over a three-week period”
  • “The breach appears to extend across all 2,200 Home Depot stores in the United States. Home Depot also operates some 287 stores outside the U.S. including in Canada, Guam, Mexico, and Puerto Rico”
  • ZIP-code analysis shows a 99.4% overlap between the stolen cards and Home Depot store locations
  • This is important, as the fraud detection system at many banks is based on proximity
  • If a card is used far away from where the card holder normally shops, that can trigger the card being frozen by the bank
  • By knowing the ZIP code of the store the cards were stolen from, the criminals who buy the stolen card data to make counterfeit cards can use cards from the same region they intend to target, increasing their chance of successfully buying gift cards or high-value items that they can later turn into cash
  • The credit card numbers are for sale on the same site that sold the Target, Sally Beauty, and P.F. Chang’s cards
  • “How does this affect you, dear reader? It’s important for Americans to remember that you have zero fraud liability on your credit card. If the card is compromised in a data breach and fraud occurs, any fraudulent charges will be reversed. BUT, not all fraudulent charges may be detected by the bank that issued your card, so it’s important to monitor your account for any unauthorized transactions and report those bogus charges immediately.”
  • Some retailers, including Urban Outfitters, say they do not plan to notify customers, vendors or the authorities if their systems are compromised

Fake cell towers found operating in the US

  • Seventeen mysterious cellphone towers have been found in America which look (to your phone) like ordinary towers, and can only be identified by a heavily customized handset built for Android security – but have a much more malicious purpose. Source: Popular Science
  • Mobile handsets are supposed to warn the user when the tower does not support encryption: all legitimate towers support encryption, so the most likely cause of a tower not supporting encryption is that it is a rogue tower trying to trick your phone into not encrypting calls and data so they can be eavesdropped upon
  • The rogue towers were discovered by users of the CryptoPhone 500, a Samsung SIII running a modified Android that reports suspicious activity, such as towers without encryption, or data communications over the baseband chip without corresponding activity from the OS (suggesting the tower might be trying to install spyware on your phone)
  • “One of our customers took a road trip from Florida to North Carolina and he found eight different interceptors on that trip. We even found one near the South Point Casino in Las Vegas.”
  • “What we find suspicious is that a lot of these interceptors are right on top of U.S. military bases.” says Goldsmith. “Whose interceptor is it? Who are they, that’s listening to calls around military bases? The point is: we don’t really know whose they are.”
  • Documents released last week by the City of Oakland reveal that it is one of a handful of American jurisdictions attempting to upgrade an existing cellular surveillance system, commonly known as a stingray.
  • The Oakland Police Department, the nearby Fremont Police Department, and the Alameda County District Attorney jointly applied for a grant from the Department of Homeland Security to “obtain a state-of-the-art cell phone tracking system,” the records show.
  • Stingray is a trademark of its manufacturer, publicly traded defense contractor Harris Corporation, but “stingray” has also come to be used as a generic term for similar devices.
  • According to Harris’ annual report, which was filed with the Securities and Exchange Commission last week, the company profited over $534 million in its latest fiscal year, the most since 2011.
  • Relatively little is known about how stingrays are precisely used by law enforcement agencies nationwide, although documents have surfaced showing how they have been purchased and used in some limited instances.
  • Last year, Ars reported on leaked documents showing the existence of a body-worn stingray. In 2010, Kristin Paget famously demonstrated a homemade device built for just $1,500.
  • According to the newly released documents, the entire upgrade will cost $460,000—including $205,000 in total Homeland Security grant money, and $50,000 from the Oakland Police Department (OPD). Neither the OPD nor the mayor’s office immediately responded to requests for comment.
  • One of the primary ways that stingrays operate is by taking advantage of a design feature in any phone available today. When 3G or 4G networks are unavailable, the handset will drop down to the older 2G network. While normally that works as a nice last-resort backup to provide service, 2G networks are notoriously insecure.
  • Handsets operating on 2G will readily accept communication from another device purporting to be a valid cell tower, like a stingray. So the stingray takes advantage of this feature by jamming the 3G and 4G signals, forcing the phone to use a 2G signal.
  • Cities scramble to upgrade “stingray” tracking as end of 2G network looms

The Nude Celebrity Photo Leak Was Made Possible By Law Enforcement Software That Anyone Can Get

  • Elcomsoft Phone Password Breaker requires the iCloud username and password, but once you have them you can impersonate the phone of the valid user and access all of their iCloud information, not just photos
  • “If a hacker can obtain a user’s iCloud username and password, he or she can log in to the victim’s iCloud.com account to steal photos. But if attackers instead impersonate the user’s device with Elcomsoft’s tool, the desktop application allows them to download the entire iPhone or iPad backup as a single folder, says Jonathan Zdziarski, a forensics consultant and security researcher. That gives the intruders access to far more data, he says, including videos, application data, contacts, and text messages.”
  • “It’s important to keep in mind that EPPB doesn’t work because of some formal agreement between Apple and Elcomsoft, but because Elcomsoft reverse-engineered the protocol that Apple uses for communicating between iCloud and iOS devices. This has been done before —Wired specifically refers to two other computer forensic firms called Oxygen and Cellebrite that have done the same thing — but EPPB seems to be a hacker’s weapon of choice. As long as it is so readily accessible, it’s sure to remain that way”
  • All of this still requires the attacker to know the celebrity’s username and password
  • This is where iBrute came in
  • A simple tool that takes advantage of the fact that when Apple built the ‘Find My iPhone’ service, they failed to implement login rate limiting
  • An attacker can sit and brute force the passwords at high speed, with no limitations
  • The API should block an IP address after too many failed attempts; this has now been fixed
  • Another way to deal with this type of attack is to lock out an account after too many failed attempts, so that a distributed botnet cannot do something like try just 3 passwords each from thousands of different IP addresses
  • When it becomes obvious that an account is under attack, lock it so that no one can gain access until the true owner of the account has been verified and steps have been taken to secure the account (change the username?)
  • The issue with this approach is that Apple Support has proven to be a weak link in security in the past; see TechSNAP Episode 70
  • Obviously, the iPhone-to-iCloud protocol should not depend on obscurity for security either; we have seen a number of different attacks against the iPhone based on reverse engineering the “secret” Apple protocols
  • Security is often a trade-off against ease-of-use, and Apple keeps coming down on the wrong side of the scale
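As an added example (not from the show notes), here is the per-IP versus per-account distinction above as detection logic run over constructed authentication log lines: a botnet that tries three passwords from each of twenty addresses stays under any per-IP threshold but is obvious once failures are counted per account. The log format, addresses and account names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the show notes). Each log line is constructed as:
#   <timestamp> <source_ip> <account> <FAIL|OK>
# A real implementation would also bucket by time window; that is omitted here.

# Constructed sample log.
sample_log() {
    # One address hammering "bob": 8 failures from 203.0.113.5 (per-IP rule sees this)
    i=1
    while [ "$i" -le 8 ]; do
        echo "2014-09-01T10:00:0$i 203.0.113.5 bob FAIL"
        i=$((i + 1))
    done
    # Distributed attack on "alice": only 3 failures from each of 20 addresses,
    # so no single address ever reaches a per-IP limit of 5
    i=1
    while [ "$i" -le 20 ]; do
        echo "2014-09-01T10:01:00 198.51.100.$i alice FAIL"
        echo "2014-09-01T10:01:01 198.51.100.$i alice FAIL"
        echo "2014-09-01T10:01:02 198.51.100.$i alice FAIL"
        i=$((i + 1))
    done
    # Legitimate traffic: carol mistypes twice, then succeeds
    echo "2014-09-01T10:02:00 192.0.2.10 carol FAIL"
    echo "2014-09-01T10:02:05 192.0.2.10 carol FAIL"
    echo "2014-09-01T10:02:09 192.0.2.10 carol OK"
}

# Per-IP rule (the API fix described above): print addresses with at least $1
# failed attempts. Reads log lines on stdin.
ips_over_threshold() {
    awk -v limit="$1" '$4 == "FAIL" { n[$2]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip }' | sort
}

# Per-account rule (account lockout): print accounts with at least $1 failed
# attempts regardless of which address they came from.
accounts_over_threshold() {
    awk -v limit="$1" '$4 == "FAIL" { n[$3]++ }
        END { for (acct in n) if (n[acct] >= limit) print acct }' | sort
}

# Per-account rule refined by distinct source count: print accounts that failed
# from at least $1 different addresses, which separates a distributed attack
# from one user who has simply forgotten a password.
accounts_distributed() {
    awk -v limit="$1" '$4 == "FAIL" { seen[$3 "\t" $2] = 1 }
        END { for (k in seen) { split(k, p, "\t"); n[p[1]]++ }
              for (acct in n) if (n[acct] >= limit) print acct }' | sort
}

# Demonstration on the constructed log:
echo "per-IP (>=5 failures):       $(sample_log | ips_over_threshold 5 | tr '\n' ' ')"
echo "per-account (>=5 failures):  $(sample_log | accounts_over_threshold 5 | tr '\n' ' ')"
echo "per-account (>=10 sources):  $(sample_log | accounts_distributed 10 | tr '\n' ' ')"
```

The per-IP rule flags only 203.0.113.5, while the per-account rules flag alice, whose attacker never exceeded three attempts from any one address.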

Feedback:


Round Up:


China Loves to Cyber | Unfilter 52 https://original.jupiterbroadcasting.net/37971/china-loves-to-cyber-unfilter-52/ Wed, 29 May 2013 21:23:55 +0000 https://original.jupiterbroadcasting.net/?p=37971 Chinese hackers have gained access to the designs of major U.S. weapons systems, a new report claims. Plus a few questions about the timing of the announcement.

The post China Loves to Cyber | Unfilter 52 first appeared on Jupiter Broadcasting.


Chinese hackers have gained access to the designs of major U.S. weapons systems, a new report claimed on Monday. But we have a few questions about the timing of this announcement, and how it fits into the bigger picture.

And the “March Against Monsanto” protests were held in 52 countries and 436 cities around the world, protesting the GMO giant and its genetically modified seeds. We’ll dig into the movement’s real goals and see if it has any chance of making a difference.

Plus why weapons are about to flood into Syria, your feedback, and much, much more.


— Show Notes —


Worldwide Monsanto Protests

The worldwide March Against Monsanto this past Saturday was no mere political demonstration. Rather, it was a worldwide mobilization against corporate greed, the assault on our health and environment, and the oppression of small farmers.

French scientists have revealed that rats fed on GMO corn sold by American firm Monsanto, suffered tumors and other complications including kidney and liver damage. When testing the firm’s top brand weed killer the rats showed similar symptoms.

The French government has asked its health and safety agency to assess the study and had also sent it to the European Union’s food safety agency, Reuters reports.

“Based on the conclusion…, the government will ask the European authorities to take all necessary measures to protect human and animal health, measures that could go as far as an emergency suspension of imports of NK603 maize in the European Union,” the French health, environment and farm ministries said in a joint statement.

Researchers from the University of Caen found that rats fed on a diet containing NK603 – a seed variety made tolerant to amounts of Monsanto’s Roundup weedkiller – or given water mixed with the product, at levels permitted in the United States – died earlier than those on a standard diet.

The research, conducted by Gilles-Eric Seralini and his colleagues, found that the rats suffered mammary tumors as well as severe liver and kidney damage. The study was published in the journal Food and Chemical Toxicology and presented at a news conference in London.

Fifty percent of male and 70 percent of female rats died prematurely, compared with only 30 percent and 20 percent in the control group, said the researchers.


China’s Cyber Heist

Chinese hackers have gained access to designs of more than two dozen major U.S. weapons systems, a U.S. report said on Monday, as Australian media said Chinese hackers had stolen the blueprints for Australia’s new spy headquarters.

Citing a report prepared for the Defense Department by the Defense Science Board, the Washington Post said the compromised U.S. designs included those for combat aircraft and ships, as well as missile defenses vital for Europe, Asia and the Gulf.

Among the weapons listed in the report were the advanced Patriot missile system, the Navy’s Aegis ballistic missile defense systems, the F/A–18 fighter jet, the V–22 Osprey, the Black Hawk helicopter and the F–35 Joint Strike Fighter.


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Tyler T
  • Matthew D

Since unfilter is now my favourite JB show I wanted to share the reason why I subscribed just in case it gets you guys a few more subscriptions from this side of the Atlantic.

  • Thanks to our 80 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.


Syria: The Proxy War

The EU’s move, which the Russian diplomat branded as an “example of double standards”, opens the door for Britain and France to supply weapons to Syrian rebels fighting the regime of President Bashar Assad.

Criticizing Europe’s decision to open the way for potential arms shipments to Syrian rebels, Russia insists that its own sale of arms to the Syrian government helps the international effort to end the two-year-long conflict, the diplomat added. He was referring to the delivery of the advanced S–300 long-range air defense systems, which Russia is carrying out under a contract signed with Syria several years ago.

“Those systems by definition cannot be used by militant groups on the battlefield,” Ryabkov said. “We consider this delivery a factor of stabilization. We believe that moves like this one to a great degree restrain some hotheads from escalating the conflict to the international scale, from involving external forces.”

The S–300 is a series of Russian long-range surface-to-air missile systems designed to intercept ballistic missiles, regarded as the most potent weaponry of its class. The missiles are capable of engaging aerial targets as far away as 200km, depending on the version used.

However, Russia has neither confirmed, nor denied “the status of those shipments.”

The S–300, one of the world’s most advanced air defense systems, could make it harder for foreign forces to carry out airstrikes inside Syria, as Israel has done this year, or to impose a no-fly zone, as some members of Congress have called for.

The move is Russia’s biggest and most public step so far to bolster the government of Syria’s beleaguered President Bashar al-Assad, its longtime ally. Rybakov made no attempt to hide the Kremlin’s intention to prevent outside forces from tipping the scales in the long and bloody civil war.

“We believe such steps are to a great extent restraining some ‘hot heads’ from considering scenarios in which the conflict may assume an international scale with the participation of outside forces,” he said, according to RIA Novosti.

Israeli defence minister: “At this stage I can’t say there is an escalation. The shipments have not been sent on their way yet. And I hope that they will not be sent.

“But if, by misfortune, they arrive in Syria, we will know what to do.”

Yaalon’s comments were made before Benjamin Netanyahu, Israel’s prime minister, ordered his cabinet to stay silent on the issue, according to public radio.

Despite Israel’s protests, the S–300 system will not be a large hurdle for that country’s advanced air force. The system can be easily spotted because it sends out a distinctive signal, and Israel may have already tested its own jets against such a system while working with Greece.

Top-level Israeli intelligence figures flew into Moscow on Tuesday night in a last-ditch attempt to talk the Kremlin out of supplying sophisticated anti-aircraft missiles to the Assad regime, which once installed in Syria would have the range and power to target civilian and military aircraft over Tel Aviv.

Israeli diplomats will continue to work both privately and publicly to prevent the transfer until the shipment sails, but officials attempted to lower the diplomatic temperature, insisting Israel had no intention of fighting Russia on the issue.

Israel has read Moscow’s insistence on pursuing its deal to supply Damascus with the powerful missile systems as part of a “cold war” power struggle between the US and Russia playing out in the theatre of the Syrian civil war in which it wants no part.

Officials from the Obama administration have revealed that the White House asked the Pentagon to outline plans for a military no-fly zone over Syria, continuing strategy discussions that have been ongoing for more than a year.

If enacted, the no-fly zone would be enforced by the US military with help from France, Great Britain and other allies.

“McCain said a realistic plan for a no-fly zone would include hundreds of planes, and would be most effective if it included destroying Syrian airplanes on runways, bombing those runways, and moving U.S. Patriot missile batteries in Turkey close to the border so they could protect airspace inside northern Syria,”


Why Are Police So Desperate to Throw Kids in Jail

“Our son went to school the morning of Dec. 11 and he didn’t show up at home after school, because he was arrested in his classroom,” Snodgrass said. “Police went into his classroom armed, and handcuffed our son. We were not notified by anyone, and he was held for two days, and we were not able to see him,” a

Before Colorado passed its medical marijuana legislation, the number of kids treated for marijuana exposure was nil, whereas in the cases examined afterwards there were 14 cases, of which eight came directly from consuming marijuana food products.

From 2000 to 2009, the number of children aged 15 to 19 who died from poisoning increased by 91 percent, the CDC says.

Childhood death from poisoning rose 80 percent over the 10-year time period, owing largely to the huge increase in such deaths among children aged 15 to 19. Prescription drug abuse is to blame, according to the CDC.

Propelled by an increase in prescription narcotic overdoses, drug deaths now outnumber traffic fatalities in the United States, a Times analysis of government data has found.

Drugs exceeded motor vehicle accidents as a cause of death in 2009, killing at least 37,485 people nationwide, according to preliminary data from the U.S. Centers for Disease Control and Prevention.


Feedback:

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Follow Us:

Answers for Everyone | TechSNAP 42 https://original.jupiterbroadcasting.net/16331/answers-for-everyone-techsnap-42/ Thu, 26 Jan 2012 20:40:12 +0000 https://original.jupiterbroadcasting.net/?p=16331 We’ve got the answer to life the universe and everything, plus why you need to get upset about ACTA, and patch your Linux Kernel. In this Q&A PACKED edition!

The post Answers for Everyone | TechSNAP 42 first appeared on Jupiter Broadcasting.


We’ve got the answer to life the universe and everything, plus why you need to get upset about ACTA, and patch your Linux Kernel!

All that and more, in this Q&A PACKED edition of TechSNAP!

Thanks to:
GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Pick your code and save:
DOTCO9: .co domain for $17.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Show Notes:

Dreamhost gets hacked, resets all customers’ passwords, has scale issues

  • On January 19th, Dreamhost.com detected unauthorized activity in one of their databases
  • It is unclear which databases were compromised: whether they were Dreamhost databases of customer data or customer site databases
  • Dreamhost uses separate passwords for their main web control panel, and individual user SSH and FTP accounts
  • Dreamhost ran into scale issues, where their centralized web control panel could not handle the volume of users logging in and attempting to change their shell passwords
  • The fast forced password reset by DreamHost appears to have promptly ended the malicious activity
  • Based on the urgency of the reset, there seem to be indications that DreamHost stores users’ passwords in plain text in one or more databases
  • This assertion is further supported by the fact that they print passwords to confirmation screens and in emails
  • Dreamhost also reset the passwords for all of their VPS customers

Linux root exploit – when the fix makes it worse

  • Linux kernel versions newer than 2.6.39 are susceptible to a root exploit that allowed writing to protected memory
  • Prior to version 2.6.39 write access was prevented by an #ifdef; however, this was deemed too weak and was replaced by newer code
  • The new security code, which was to ensure that writes were only possible with the correct permissions, turned out to be inadequate and easily fooled
  • Ubuntu has confirmed that an update for 11.10 has been released; users are advised to upgrade
  • This issue does not affect Red Hat Enterprise Linux 4 or 5, because this change was not backported. A new kernel package for RHEL 6 is now available
  • Analysis
  • Proof of Concept
  • Proof of Concept for Android

Feedback

Q: Tzvi asks how best to monitor employee Internet usage?

A: There are a number of ways to monitor and restrict Internet access through a connection you control. A common suggestion is the use of a proxy server. The issue with this is that it requires configuration on each client machine and sometimes even each client application; this is a lot of work, and is not 100% successful. However, there is an option known as a ‘transparent proxy’: the router/firewall, or some other machine that all traffic to the Internet must pass through, analyzes the traffic and routes outbound connections for port 80 or 443 (HTTP and HTTPS respectively, and optionally additional ports) through the proxy server, without any configuration required on the individual clients. Then you can use the firewall to deny all outbound traffic that does not go via the proxy.

This is relatively easy to set up, so much so that as part of the final exam in my Unix Security class, students had 2 hours to set up their machine as follows:

  • Configure TCP/IP stack
  • Download GPG and Class GPG Key
  • Decrypt Exam Instructions
  • Install Lynx w/ SSL support
  • Install a class self-signed SSL certificate and the root certificate bundle to be trusted
  • Install and configure Squid to block facebook with a custom error page
  • Configure Lynx to use Squid
  • Create a default deny firewall that only allows HTTP via squid and FTP to the class FTP server
  • Access the college website and facebook (or rather the custom error page when attempting to access facebook)

While they had a little practice, and didn’t have to configure a transparent proxy, it is still a fairly straightforward procedure.

Instead of rolling your own, you can just drop in pfSense and follow these directions


Q: Brett asks, what do you do after a compromise?

A: The very first thing you do after a compromise is take a forensic image of the drive: a bit-by-bit copy, made without ever writing to or changing the disk in any way. You then pull that disk out and put it away for safekeeping. Do all of your analysis and forensics on copies of that first image (but do not modify it either; you don’t want to have to do another copy from the original). This way, as you work on it and things get modified or trashed, you do not disturb the original copy. You may need the original unmodified copy for legal proceedings, as its evidentiary value is lost if it is modified or tampered with in any way.

So your best bet is to boot off of a live CD (not just any live CD: many try to be helpful and auto-mount every partition they find; use a forensics live CD that will not take any action without you requesting it). Then use a tool like dd to image the drive to a file or another drive. You can then work off copies of that. This can also work for damaged disks, using command switches for dd such as conv=noerror,sync. Also, using a block size of 1 MB or so will speed up the process greatly.

You asked about Tripwire and the like. The problem with Tripwire is that you need to have been running it since before the incident, so that it has a fingerprint database of what the files should look like and can detect what has changed. If you did not have Tripwire set up and running before, while it may be possible to create a fingerprint database from a backup, it is not that useful.
The freebsd-update command includes an ‘IDS’ command that compares all of the system files against the central fingerprint database used to update the OS, and provides quick and powerful protection against the modification of the system files, but it does not check any files installed by users or packages. The advantage of the freebsd-update IDS over Tripwire is that it uses the FreeBSD Security Officer’s fingerprint database, rather than a locally maintained one that may have been modified as part of the system compromise. In college I wrote a paper on using Bacula as a network IDS; I’ll see if I can find it and post it on my blog at appfail.com.
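An added example (not the show’s own procedure, but the dd invocation above turned into a checked script): it images a source with bs=1M conv=noerror,sync, records SHA-256 hashes of the source and the image, and verifies them, run here against a constructed file standing in for the drive. It assumes GNU coreutils (dd with status=none, sha256sum); the sample file, its size and the paths are constructed.

```shell
#!/bin/sh
# Added example, not from the show notes. On a real system SOURCE would be the
# block device (e.g. /dev/sdb), IMAGE would live on a separate drive, and the
# source would be set read-only first (blockdev --setro on Linux) so nothing
# can write to it; the workflow here is the same.

# forensic_image SOURCE IMAGE LOGFILE
# Copies SOURCE to IMAGE in 1 MiB blocks. conv=noerror keeps going past read
# errors; conv=sync pads a failed or short read with NULs so that everything
# after it keeps its original offset in the image. Records both hashes in
# LOGFILE and returns 0 only if the image verifies against the source.
forensic_image() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=1M conv=noerror,sync status=none 2>>"$log" || return 1
    src_size=$(wc -c < "$src" | tr -d ' ')
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1)
    # Caveat: conv=sync pads the final partial block to a full 1 MiB, so the raw
    # image can be larger than the source and its whole-file hash would differ.
    # Compare only the first src_size bytes, and record the raw size as well.
    img_hash=$(head -c "$src_size" "$img" | sha256sum | cut -d' ' -f1)
    printf '%s  %s (%s bytes)\n' "$src_hash" "$src" "$src_size" >> "$log"
    printf '%s  %s (first %s bytes; raw image size %s)\n' \
        "$img_hash" "$img" "$src_size" "$(wc -c < "$img" | tr -d ' ')" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed stand-in for a drive: 3 MiB + 512 bytes of random data, so the
# last dd block is partial and the padding caveat above actually applies.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=1M count=3 status=none
    dd if=/dev/urandom bs=512 count=1 status=none >> "$1"
}

# Demonstration: image the sample, verify, then work only on a copy of the image.
work=$(mktemp -d)
make_sample_disk "$work/disk.raw"
if forensic_image "$work/disk.raw" "$work/disk.img" "$work/imaging.log"; then
    cp "$work/disk.img" "$work/disk.working.img"   # analysis happens on this copy
    echo "image verified; hashes recorded in $work/imaging.log"
    cat "$work/imaging.log"
else
    echo "image did NOT verify; see $work/imaging.log" >&2
fi
```

The raw image comes out at exactly 4 MiB for a 3 MiB + 512 byte source, which is why the verification hashes only the first src_size bytes of the image.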


Q: Jono asks, VirtualBox vs. Bare to the metal VMs?

  • Xen, KVM and VirtualBox are not bare metal; they require a full Linux host
  • XenServer is similar to VMware ESXi in that it is bare metal. It uses a very stripped-down version of CentOS and therefore far fewer resources than a full host. However, XenServer is a commercial product (though there is a free version)
    • The advantage of XenServer over VMware ESXi (both are commercial but free) is that XenServer is supported by more open source management tools, such as OpenStack

Q: Gene asks, IT control is out of control, what can we users do?


Q: Crshbndct asks, Remote SSH for Mum


Roundup

Thankful for Open Source https://original.jupiterbroadcasting.net/14312/thankful-for-open-source/ Sun, 27 Nov 2011 14:09:42 +0000 https://original.jupiterbroadcasting.net/?p=14312 We stand on the shoulders of giants of open source every single day. One episode out of the year we give thanks!

The post Thankful for Open Source first appeared on Jupiter Broadcasting.


The Linux Action Show! s19e07: We stand on the shoulders of giants of open source every single day. One episode out of the year we give thanks to those certain projects and developers who’ve made a big impact on us!

Plus: Linux Mint 12 is released; tune in to find out what’s new. Open source gaming got a massive shot in the arm this week, and we’ll give you the details. And the biggest little Linux distribution in the world!

And so much more!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com Use our codes LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Special GoDaddy Offer: LINUX11

$1.99 per month Economy Hosting for 3 months!


-SHOW NOTES-

Runs Linux:

Android Pick:

Universal Pick:

Picks so far. Thanks to Madjo!

Linux Action Show Subreddit

Jupiter Broadcasting Swag!

NEWS:

Open Source Projects, We’re Thankful For:

Chris:

Allan:

Randall:

  • Wine – allows UNIX/Linux to run Microsoft Windows API calls, so most Windows applications run as close to native as you can get when running Windows applications on other OSs
  • OpenSSH – just pure awesome; no words can explain how awesome this is
  • GNOME – an open-source window manager/desktop for UNIX/Linux OSs
  • SDL – Simple DirectMedia Layer is a cross-platform multimedia library designed to provide low-level access to audio, keyboard, mouse, joystick, and 3D hardware via OpenGL
  • VirtualBox – a powerful x86 and AMD64/Intel64 virtualization product
  • Samba – a CIFS/SMB file/print server that can be used cross-platform

Catch the show LIVE Sunday 10am PDT:
