Quantum – Jupiter Broadcasting

openmediavault is the next generation network attached storage (NAS) solution based on Debian Linux. It contains services like SSH, (S)FTP, SMB/CIFS, DAAP media server, RSync, BitTorrent client and many more. Thanks to the modular design of the framework it can be enhanced via plugins.

Wed Mar 18 2015: I’m announcing the release of the 3.19.2 kernel.

— PICKS —

Runs Linux

21K FPS Camera RUNS LINUX!

1:43 – talks about Linux
Sent in by: Big T

Desktop App Pick

Wire

End to end encryption, open source through and through communication

Timed Messages
Audio message with filters
Voice and video calls
Group calls and chats
Apps for desktop
Multiple Devices

Spotlight

Easystroke

Application that allows you to define a mouse gesture for opening an application, executing a command, or even linking to a key such as the Superkey or shift key

OpenYourMouth: Open Source Recipes from the Jupiter Broadcasting community

— NEWS —

Dirty COW was Livepatched in Ubuntu within Hours of Publication

Coincidentally, just before the vulnerability was published, we released the Canonical Livepatch Service for Ubuntu 16.04 LTS. The thousands of users who enabled canonical-livepatch on their Ubuntu 16.04 LTS systems with those first few hours received and applied the fix to Dirty COW, automatically, in the background, and without rebooting!

New Legislation to Tackle Pirate Kodi Box Sellers Rejected

Modified Kodi and other IPTV devices allow users to access valuable content for free. Members of Parliament and industry players say they want to clamp down on such devices, by closing loopholes in copyright law to target sellers. This week, however, their suggestions to change the law in the UK were withdrawn.

DTrace for Linux 2016

Without DTrace on Linux, I began by using what was built in to the Linux kernel, ftrace and perf_events, and from them made a toolkit of tracing tools (_perf-tools). They have been invaluable. But I couldn’t do some tasks, particularly latency histograms and stack trace counting. We needed kernel tracing to be programmatic._

A Quantum Leap for the Web – Mozilla Tech

Project Quantum is about developing a next-generation engine that will meet the demands of tomorrow’s web by taking full advantage of all the processing power in your modern devices. Quantum starts from Gecko, and replaces major engine components that will benefit most from parallelization, or from offloading to the GPU.

(Linux Only) BIOS Update for Windows 10 (64-bit) – Yoga 900-13ISK2 – Lenovo Support

Feedback:

Had website issues due to all the traffic following the #AppleEvent. This year rocks! #Linux #Ubuntu #YearOfTheLinuxDesktop

— System76 (@system76) October 30, 2016

Mail Bag

Name: Name: Dout H

thanks for the great idea!

Subject: JB Suerkey

Message: I’ve heard you talk about the new super key stickers for linux. When can we buy these from JB, I would love to get some!

Name: Andrew L
Subject: CRM Review

Message: This was a great segment. I would like to see more business solution type segments on LAS or even a more business centric show for Noah. As a person that works primarily in a Windows environment, I like to see open source solutions that are business ready so that I can pitch them at work. The only way we will go from a Microsoft shop to a Linux shop is by finding open source applications that can meet the needs of the business. We will be looking to replace our CRM next year so I’ll be setting up a Zurmo server for people to try.

Call in: 1-877-347-0011

New Show: User Error

User Error | Jupiter Broadcasting

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

The post Slaying the Arch Zombie | LAS 441 first appeared on Jupiter Broadcasting.

Trojan Family Ties | TechSNAP 230

chris — Thu, 03 Sep 2015 06:36:10 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Rooting your Android device might be more dangerous than you realize, why the insurance industry will take over InfoSec & the NSA prepares for Quantum encryption.

Plus some great questions, a fantastic roundup & more!

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

Become a supporter on Patreon:

— Show Notes: —

Taking Root – Malware on Mobile Devices

Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access a virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.
They analyzed the statistics collected from May to August 2015 and identified “Trojan families” that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.
A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.
After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications.
There are popular “families” of Android malware.
Leech Family
This malware family is the most advanced of those described.
Some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google.
The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.
Ztorg family
On the whole, Trojans belonging to this family have the same functionality as the previous described.
The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis.
The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched.
Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.
It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks.

Will the insurance industry take over InfoSec?

“Insurance is a maturity indicator“
When insurance comes, full scale, to the InfoSec industry, maybe that means we have finally gotten to the point where we understand the risks enough to start putting money on it
While I can definitely see the argument that insurance companies are in a position to force their clients into certain minimum security practises, either to qualify for insurance, or for a reduced rate
At the same time, I foresee a bunch of useless certifications, extra bureaucracy, and more things like PCI-DSS audits that miss the point entirely
“People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected. If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.”
The article points points out the three basic requirements for insurance companies to be interested:
Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
Adequate money in the form of a population able to pay premiums.
Sufficient actuarial data on which to base the pricing and payout models.
I don’t know that that last measure can be met yet. Unlike with car insurance, it is much harder to predict what a company’s chances of getting breached are.
Considering factors like how high profile they are (fancier cars get stolen more), what infrastructure they use (newer cars are safer), how often they patch (this can be hard to measure, like how often you service your car, it might not work), doesn’t really give you enough information in order to price the insurance
In the end, pretty much every company has a 100% change to be breached, it can come down to how quickly it will be detected, and how much damage will be done
At this point, I don’t think the insurance industry is qualified, and we’ll either see them making so many payouts that they are losing money, or writing loopholes into insurance with vague sentiments like “industry standard security practises”, to weasel out of paying up
Predictions from the article:
Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
- As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
- In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
- Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
- For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
“When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.”
“Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.”
Insurance won’t fix everything (or anything?)
“We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.”

The NSA books crypto recommendations

The NSA, in its role as the organization that sets cryptography standards used by the entire government, has updated its recommendations on what algorithms and key sizes to use
Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS).
A look at the site from a few months ago highlights some of the differences
- AES 128 was dropped. Former used for ‘SECRET’ with AES 256 for ‘TOP Secret’, AES 256 is recommended for both now
- ECDH and ECDSA P-256 were also dropped for ‘less’ secret information in favour of P-384
- SHA256 was also dropped. Surprisingly, SHA-384 remained the recommendation over SHA-512
- Additionally, new requirements that were not specified before were added
- Diffie-Hellman Key Exchange requires at least 3072-bit keys
- RSA for Key Establishment and Digital Signatures also now requires 3072 bit keys
IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms.
We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.
Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms.
With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.

Feedback

Round Up:

The post Trojan Family Ties | TechSNAP 230 first appeared on Jupiter Broadcasting.

Torpedos Away! | STOked 48

chris — Tue, 24 Aug 2010 06:38:45 +0000

The boys of STOked dig into the meaty innards of another Engineering Report, and discuss the resumé of a developer newly hired at Cryptic Studios. But hold onto your Starfleet-issued undershorts, cuz they’ve also got a few RANTS in their PANTS regarding the Enterprise J, and time travel in general.

THEN — Have you ever wondered which torpedo belongs in your enemies’ faces? Wonder no longer – Jeremy’s got a MATH segment that will guarantee insight into your all your pwning needs.

PLUS — We’ve got the first batch of Captain Bios ready to receive a community spotlight, as we share the creative side of your fellow STO players.

Direct Download Links

[ad#shownotes]

Our STOked App:

Grab the STOked iPhone/iPod App and download STOked plus bonus content on the go!

Show Notes:

NEWS:

Engineering Report

Less focus on content, more on quality (though content is still mentioned frequently).
Less focus on Big Season Updates, and more on major features regardless of timeline.
- This is a direct departure from the previous (Zinc?) attitude of, “we promise to release on these dates.” The new attitude seems to be, “we promise to release a completely functional feature.”
New/clarified categories:
- “In Development” = Actively being worked on.
- “In Design Discussion” = Designers are meeting about implementing or improving this.
- “On Hold” = Previously in development, but had to get shelved due to technical issues.

Hold on a minute. Enterprise J?
(Insert Jeremy’s Rant)

Tech Support
A hand-picked group of social helpers that have already proven themselves willing and capable of assisting their fellow players in the Tech Support forums.

New user group title: “Helpful User, Tech Support”
Optional. If you’re a frequently helpful poster, you won’t automatically be flagged, you’ll have to turn it on from your account settings. Or you’re welcome to choose not to turn it on.
The forums love it. Despite it being a group of hand-picked players that will have a direct channel to Cryptic…. just like the Advisory Council did, which they hated…

Bill Roper leaves Cryptic

He catches a lot of flack for a few bad moves (Hellgate London, Vibora Bay) but remember that he has also helped produce a wealth of excellent game titles including extensive work on Blizzard’s big three franchises: Warcraft, StarCraft and Diablo.
Also named by IGN as one of the Top 100 Video Game Creators of All Time (#41)
So… Meh? I don’t see this as an issue that will directly effect players of STO. I don’t think he ever even posted on STO’s forums.

This, on the other hand, intrigues me: Jesse Heinig, hired as “Game Designer”

Highlights from his resumé include:
- Fallout and Fallout 2 — Programmer and Feature Designer.
- White Wolf (PnP RPG company) — Developer/Designer for various projects.
- Decipher (PnP) — Lead developer of “Star Trek” RPG system.
- Activision — Production Coordinator for Call of Duty 2.

MATH:

Torpedoes….. AWAY!

Some of you might recall back in Episode 32 I gave you a run-down of the pros and cons of each different type of energy weapon. Well, I’d intended at the same time to talk a bit about projectile weapons, but the segment got WAY too long. But I’ve been getting more and more requests lately to release that information, so that’s exactly what I’m gonna do! I mean, who am I to say no to the people that watch this crap I put on the internet, right?

One other thing about Episode 32… remember how I talked about the efficiency of skill gains, for higher-cost energy types? The same math will apply to projectile weapons, skewing heavily in favor of Photons & Quantums. So keep that in mind as I discuss the individual benefits of each.

Before I get into that though, I wanna give ANOTHER callback to a previous episode of STOked. You see, waaaaaaay back in “Season2 Episode2” which was aka Episode #21, I gave an overview of How Torpedos Work, including how the damage is calculated based on your skill bonuses in-game. It’s really interesting stuff to help you understand more about your weapon skills, and investing and sticking to a uniform damage type. So go watch it!

Ok, that junk’s outta the way. Let’s talk about things that explode, mmkay?

Photon
Consider this your “baseline” torpedo/mine, and all others will be compared to it as necessary.
6.5 sec recharge (fastest available)
– Great choice, if none of the others’ special abilities tickle your fancy. The fast recharge means you’ll launch a lot of these suckers.

Quantum
Slower recharge (8.5 seconds)
Approx 110% of Photon damage (hardest hit per torpedo available)
Fastest travel speed
– Good for long-range attacks. The travel speed makes it slightly more likely that you will impact the shield quadrant you aimed for.
– The higher damage still doesn’t make up for the slower recharge. If you launch torpedos every time they refresh, you’ll do more DPS with Photons.

Plasma
Slower recharge (8.5 seconds)
Approx. 75% of Photon damage
33% chance to proc hull fire (DOT does NOT scale!)
– If High Yield is used, resulting torpedo is MASSIVE and slow moving, but can be shot down.
– The HY version of this torpedo seems to have a very good bleed-thru rate against shields, and applies the DOT nearly 100% of the time.

Transphasic
Very slow recharge (10.5 seconds)
Approx. 70% of Photon damage
20% of damage dealt is applied directly to Hull of enemy (instead of standard 10%)
* Only useful if shields are UP. Otherwise bonus does nothing, and overall damage is relatively weak.
* Here’s some quick math:
10% of 1000dmg = 100 dmg
20% of 700 dmg = 140 dmg
But when shields are down, it’s 1000 vs. 700. Capiche?

Chroniton
Very slow recharge (10.5 seconds)
Approx. 85% of Photon damage
33% chance to severely hinder movement/turn rates
* Potentially deadly in PvP, especially against opponents that like to flee. However, the proc can’t really be relied upon. From personal experience only, seems easily resisted.
* Works better on MINES. Combine with other stationary hazards (Warp Plasma, Tyken’s Rift, etc) to really mess with your enemy.

Tricobalt
(Note: Only available at Mk X and above)
EXTREMELY slow recharge (60 seconds)
Approx. 250% of Photon damage, in about a 2.0 km area.
Also disables your opponent for a few seconds (all systems offline).
* No normal mode attack — always summons a “High Yield” type (HY cannot modify this torp)
* Travels slower than HY Plasma, and can be shot down.
* In order to compete with Photon DPS, the cooldown would need to be less than 20sec. Since the true cooldown is more than 3x this, it simply can’t compete. It’s a fun toy, not a useful weapon. (Note, this would also be assuming full skill investment!)

And that’s the end of your options. I’m going to go ahead and restate the opinion I’ve held since … well, forever I think … Quantums and Photons will always allow your ship captain to get the best bang (literally) for his skill-buck. While each other projectile type has unique benefits that some players may find worthwhile, I’ll forever be in support of the basics. Cuz after all – it’s their job to blow the other guy up in the most efficient way possible, right? So let’s not screw around with shield penetration and hindering movement rates. Just get the job done. BOOM!

MAIL:

We got a MASSIVE amount of submissions, too many to read through in a week. So instead, we’re going to spotlight just a few from what we’ll call the First Batch of submissions. We will do this again next week, as well.

Common story traits:
Every vulcan is broken.

– No Kolinahr, or a mind meld gone wrong, or a physical brain injury. All have emotions.

Famous Trek characters have interacted with EVERYone. Or are related to them.

– Descendants of Kirk, or long-lost time-displaced characters (PIKE!), or sponsored into Starfleet by Admiral Janeway, etc.

Every Trill was joined thru an accident.

– “I was on a shuttle with a symbiont who’s host died, so now I’m joined!”

AzureAlliance:
His bio is pretty straightforward, but deserves special recognition because he is one of the ONLY Captains I’ve met that has an ongoing story via his “Captain’s Logs” in game. Including a very involved and enjoyable personal plotline, in addition to a detailed ‘in character’ account of the Undine’s invasion of Federation space. The moments between him and his wife (a bridge officer which he also ‘voices’ in his logs) are quite touching, and believable.

Daniel Carver:
Noteworthy because he’s been blogging his experience in-character, as an ongoing storyline. His blog is named “The Oath” after the Hippocratic oath common to all modern-day medicine, “First, do no harm.” His character struggles with being a doctor and sticking to this oath, in a time of war and chaos.

Rikturscale:
Born as a Borg Queen Designate within the Collective, but ‘rescued’ by Starfleet and liberated after the ship they were on was destroyed by a Hekaran Rift. Only she and one other Queen Designate survived. After being liberated together, they became friends and eventually married. Awww.
The most interesting part of this character’s bio though, is a portion that paints the Borg in a new and different light — that their ultimate “destiny” (as they see it) is to unite the Galaxy against a coming threat that can only be faced if all are unified. They see assimilation as the most expedient and efficient means to that end, and believe that without unification, all life is doomed. This vast and ancient threat is not mentioned by name in the bio – it’s portrayed as if the character’s time away from the Collective has erased or clouded certain memories, preventing the details from surfacing.

STOked’s One Year Anniversary next episode!!

Download:

The post Torpedos Away! | STOked 48 first appeared on Jupiter Broadcasting.