redundancy – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Homeland Insecurity | TechSNAP 220
https://original.jupiterbroadcasting.net/84302/homeland-insecurity-techsnap-220/
Thu, 25 Jun 2015 17:45:34 +0000

The post Homeland Insecurity | TechSNAP 220 first appeared on Jupiter Broadcasting.

Google’s datacenter secrets are finally being revealed & we’ll share the best bits. Why The US Government is in no position to teach anyone about Cyber Security, how you can still get hacked offline, A batch of great questions, a huge round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

After years of wondering, we can finally find out about Google’s Data Center Secrets

  • “Google has long been a pioneer in distributed computing and data processing, from Google File System to MapReduce to Bigtable and to Borg. From the beginning, we’ve known that great computing infrastructure like this requires great datacenter networking technology.”
  • “For the past decade, we have been building our own network hardware and software to connect all of the servers in our datacenters together, powering our distributed computing and storage systems. Now, we have opened up this powerful and transformative infrastructure for use by external developers through Google Cloud Platform.”
  • “‘We could not buy, for any price, a data-center network that would meet the requirements of our distributed systems,’ Vahdat said. Managing 1,000 individual network boxes made Google’s operations more complex, and replacing a whole data center’s network was too disruptive. So the company started building its own networks using generic hardware, centrally controlled by software. It used a so-called Clos topology, a mesh architecture with multiple paths between devices, and equipment built with merchant silicon, the kinds of chips that generic white-box vendors use. The software stack that controls it is Google’s own but works through the open-source OpenFlow protocol.”
  • “At the 2015 Open Network Summit, we are revealing for the first time the details of five generations of our in-house network technology.”
  • “Our current generation — Jupiter fabrics — can deliver more than 1 Petabit/sec of total bisection bandwidth. To put this in perspective, such capacity would be enough for 100,000 servers to exchange information at 10Gb/s each, enough to read the entire scanned contents of the Library of Congress in less than 1/10th of a second.”
  • “We use a centralized software control stack to manage thousands of switches within the data center, making them effectively act as one large fabric, arranged in a Clos topology”
  • “We build our own software and hardware using silicon from vendors, relying less on standard Internet protocols and more on custom protocols tailored to the data center”
  • “Putting all of this together, our datacenter networks deliver unprecedented speed at the scale of entire buildings. They are built for modularity, constantly upgraded to meet the insatiable bandwidth demands of the latest generation of our servers. They are managed for availability, meeting the uptime requirements of some of the most demanding Internet services and customers. Most importantly, our datacenter networks are shared infrastructure. This means that the same networks that power all of Google’s internal infrastructure and services also power Google Cloud Platform. We are most excited about opening this capability up to developers across the world so that the next great Internet service or platform can leverage world-class network infrastructure without having to invent it.”
  • “‘The amount of bandwidth that we have to deliver to our servers is outpacing even Moore’s Law,’ Vahdat said. Over the past six years, it’s grown by a factor of 50. In addition to keeping up with computing power, the networks will need ever higher performance to take advantage of fast storage technologies using flash and non-volatile memory, he said.”
  • “For full details you’ll have to wait for a paper we’ll publish at SIGCOMM 2015 in August”
  • Official Google Cloud Platform Blog Post

The US Government is in no position to teach anyone about Cyber Security

  • “Why should anyone trust what the US government says on cybersecurity when they can’t secure the systems they have full control over?”
  • “IRS employees can use ‘password’ as a password? No wonder they get hacked”
  • As I have long said, you have to assume the worst until you can prove otherwise: “The effects of the massive hack of the Office of Personnel Management (OPM) continue to ripple through Washington DC, as it seems every day we get more information about how the theft of millions of government workers’ most private information is somehow worse than it seemed the day before. (New rule: if you read about a hack of a government or corporate database that sounds pretty bad, you can guarantee it will be followed shortly thereafter by another story detailing how the same hack was actually much, much “worse than previously admitted.”)”
  • “It’d be one thing if this incompetence was exclusively an OPM problem, but despite the government trying to scare private citizens with warnings of a “cyber-Armageddon” or “cyber-Pearl Harbor” for years, they failed to take even the most basic steps to prevent massive data loss on their own systems. As OTI’s Robyn Greene writes, 80-90% of cyber-attacks could be prevented or mitigated with basic steps like “encrypting data, updating software and setting strong passwords.””
  • Of course, using Multi-Factor Authentication would help a lot too
  • “The agency that has been singled out for some of the worst criticism in recent years is the Department of Homeland Security, the agency that is supposedly in charge of securing all other government systems. The New York Times reported this weekend that the IRS’s systems still allow users to set their passwords to “password,” along with other hilariously terrible mistakes.”
  • “Instead of addressing their own problems and writing a bill that would force the government to upgrade all its legacy systems, implement stronger encryption across federal agencies and implement basic cybersecurity best practices immediately, members of both parties have been pushing dangerous “info-sharing” legislation that will end with much more of citizens’ private data in the hands of the government. And the FBI wants tech companies to install “backdoors” that would give the government access to all encrypted communications – thereby leaving everyone more vulnerable to hackers, not less. Two “solutions” that won’t fix any of the glaring problems staring them in the face, and which may make things a lot worse for ordinary people.”
  • There are plenty of examples of large networks that are fairly well secured, so it isn’t impossible to secure a large network. However, the number of insecure government and corporate networks suggests that more needs to be done.
  • The solution isn’t something sold by a vendor, it is the same stuff security experts have been preaching for decades:
    • Need to know — Only those who actually need data should have access to it. Let’s not just store everything in a giant shared network drive with everyone having read/write access to it.
    • Patching — Software has flaws. These flaws get fixed and then become public (sometimes the other way around, the dreaded zero-day flaw). If you do not patch your software quickly, you increase the chance of the flaw being used against you.
    • Strong Authentication — Password complexity requirements can be annoying, because they are often too vague. Requiring a number, a lower case letter, an upper case letter, and a symbol isn’t necessarily as secure as a longer passphrase. Worse, many systems do not store the passwords securely, which undermines even strong passwords.
    • Multi-Factor Authentication — Requiring more than one factor ensures that an attacker who shoulder surfs, key logs, phishes, or otherwise obtains someone’s password still cannot access the secure data.
    • Encryption — This one is hard, as many solutions turn out to not be good enough. “The hard drive on my laptop is encrypted” is fine, except if the attacker gets access while your machine is powered on and logged in. Sensitive data should be taken offline when it is not in use, rather than being readily accessible in its decrypted form.
    • Logging — Knowing who accessed what, and when, is useful after the fact. Having an intelligence system that looks for anomalies in this data can help you detect a breach sooner, and maybe stop it before the baddies make off with your data.
    • Auditing — Use a security appliance like the FUDO so that access to secure systems is only allowed when that access is recorded. This way the actions of all contractors and administrators are recorded on video, and there is no way to access the protected systems except through the FUDO.
  • As we discussed before in TechSNAP 214, there are other techniques that can be used to help safeguard systems, including whitelisting software, and only allowing approved applications on sensitive systems. The key is deciding which protections to use where, while generating the least amount of ‘user resistance’

Google Project Zero researcher discloses 15 new vulnerabilities


Feedback:


Round Up:


Internet of Problems | TechSNAP 199
https://original.jupiterbroadcasting.net/76517/internet-of-problems-techsnap-199/
Thu, 29 Jan 2015 18:32:54 +0000

The post Internet of Problems | TechSNAP 199 first appeared on Jupiter Broadcasting.

The internet of dangerous things is arriving but what about taking care of the devices we already have? We’ll discuss!

Plus details on critical updates from Adobe, the surprising number of Gas Stations vulnerable to exploitation via the internet, your questions, our answers & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Flash Updates


Gas Stations vulnerable to exploitation via the internet

  • “An attacker with access to the serial port interface of an ATG may be able to shut down the station by spoofing the reported fuel level, generating false alarms, and locking the monitoring service out of the system,” said HD Moore, the chief research officer at security firm Rapid7
  • “Tank gauge malfunctions are considered a serious issue due to the regulatory and safety issues that may apply.”
  • While doing research, HD Moore found that more than 5,000 automated tank gauge devices are connected to the internet with no authentication. The automated tank gauges generally only have a serial port.
  • “Approximately 5,800 ATGs (Automated Tank Gauge) were found to be exposed to the Internet without a password,” Moore said. “Over 5,300 of these ATGs are located in the United States, which works out to about 3 percent of the approximately 150,000 fueling stations in the country.”
  • Some of the devices have TCP/IP interfaces, and those that do not can be connected to a serial server, a common device in the IT industry, and then connected to the internet. Most serial servers do offer the ability to require a password to access the port, but this feature is often not enabled, and it is not very secure.
  • “Operators should consider using a VPN [virtual private network] gateway or other dedicated hardware interface to connect their ATGs with their monitoring service,” the researcher said. “Less-secure alternatives include applying source IP address filters or setting a password on each serial port.”
  • Another example of taking devices that were not meant to be put on the internet, and then doing so, without taking into account the security implications. Even with a password and source IP filtering, these devices should not be directly connected to the Internet. That is what VPNs are for
  • Additional Coverage – ITWorld

The internet of dangerous things

  • Krebs talks about the trends in Distributed Denial of Service Attacks
  • Krebs cites data from Arbor Networks, and their subsidiary Prolexic, which Krebs uses to protect his site, which was under constant attack from various sources throughout December
  • The point needs to be raised that a growing number of these attacks are sourced from ‘Internet of Things’ type devices, small consumer devices with an embedded operating system that receives no updates after it ships
  • The attacks against Sony and Microsoft over Christmas used exploited routers, but a growing number of other devices could be vulnerable, especially in light of things like the new Linux Ghost vulnerability
  • We have seen viruses attacking NAS and other types of storage devices, and I am sure it will not be long before the first attack against set-top boxes like the Boxee and Roku.
  • “As Arbor notes, some of the biggest attacks take advantage of Internet-based hardware — everything from gaming consoles to routers and modems — that ships with networking features that can easily be abused for attacks and that are turned on by default. Perhaps fittingly, the largest attacks that hit my site in the past four months are known as SSDP assaults because they take advantage of the Simple Service Discovery Protocol — a component of the Universal Plug and Play (UPnP) standard that lets networked devices (such as gaming consoles) seamlessly connect with each other.”
  • “Arbor also found that attackers continue to use reflection/amplification techniques to create gigantic attacks.”
  • It has been over a year since these amplification vulnerabilities were patched, but there are still many systems being exploited to perform these attacks
  • “According to the Open Resolver Project, a site that tracks devices which can be abused to help launch attacks online, there are currently more than 28 million Internet-connected devices that attackers can abuse for use in completely anonymous attacks.”
  • “According to Arbor, the top three motivations behind attacks remain nihilism/vandalism, online gaming and ideological hacktivism — all of which the company said have been in the top three for the past few years.”
  • While analyzing the data from the dump of the Lizard Stresser database, Krebs found that one of the most popular targets for attack was small personal Minecraft servers
  • Krebs: “Tech pundits and Cassandras of the world like to wring their hands and opine about the coming threat from the so-called “Internet of Things” — the possible security issues introduced by the proliferation of network-aware devices — from fitness trackers to Internet-connected appliances. But from where I sit, the real threat is from The Internet of Things We Already Have That Need Fixing Today.”

Feedback:


Round Up:


Let’s Get RAID | BSD Now 36
https://original.jupiterbroadcasting.net/57037/lets-get-raid-bsd-now-36/
Fri, 09 May 2014 09:25:39 +0000

The post Let’s Get RAID | BSD Now 36 first appeared on Jupiter Broadcasting.

This week on the show we’ll be showing you how to set up RAID arrays in FreeBSD. There’s also an interview with David Chisnall – of the FreeBSD core team – about the switch to Clang and a lot more.

Sit back and enjoy some BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

OpenBSD 5.5 released

  • If you ordered a CD set then you’ve probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
  • This is one of the biggest releases to date, with a very long list of changes and improvements
  • Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes… and a lot more
  • The full list of changes is HUGE, be sure to read through it all if you’re interested in the details
  • If you’re doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
  • Also be sure to apply the errata patches on your new installations… especially those OpenSSL ones (some of which still aren’t fixed in the other BSDs yet)
  • On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
  • Congrats to the whole team on this great release – 5.6 is going to be even more awesome with “Libre”SSL and lots of other stuff that’s currently in development

FreeBSD foundation funding highlights

  • The FreeBSD Foundation posts a new update on how they’re spending the money that everyone donates
  • “As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we’ve done to help FreeBSD become the most innovative, reliable, and high-performance operating system”
  • During this spring, they want to highlight the new UEFI boot support and newcons
  • There’s a lot of detail about what exactly UEFI is and why we need it going forward
  • FreeBSD has also needed some updates to its console to support UTF-8 and wide characters
  • Hopefully this series will continue and we’ll get to see what other work is being sponsored

OpenSSH without OpenSSL

  • The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
  • Since it won’t have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
  • This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES (in counter mode) and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
  • Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
  • No support for RSA, DSA or ECDSA public keys – only Ed25519
  • It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
  • Believe it or not, this was planned before all the heartbleed craziness
  • Maybe someday soon we’ll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc… would be really cool

BSDMag’s April 2014 issue is out

  • The free monthly BSD magazine has got a new issue available for download
  • This time the articles include: Pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
  • Anyone can contribute to the magazine, just send the editors an email about what you want to write
  • No Linux articles this time around

Interview – David Chisnall – theraven@freebsd.org

The LLVM/Clang switch, FreeBSD’s core team, various topics


Tutorial

RAID in FreeBSD and OpenBSD


News Roundup

BSDTalk episode 240

  • The original BSD podcaster Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest – mainly to talk about NTP and keeping reliable time
  • Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and… much more
  • GNN also talks a little about the Precision Time Protocol and how it’s different from NTP
  • Two people we’ve interviewed talking to each other, awesome
  • If you’re interested in NTP, be sure to see our tutorial too

m2k14 trip reports

  • We’ve got a few more reports from the recent OpenBSD hackathon in Morocco
  • The first one is from Antoine Jacoutot (who is a key GNOME porter, and gave us the screenshots for the OpenBSD desktop tutorial)
  • “Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do”
  • He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports’ compatibility with LibreSSL
  • Speaking of LibreSSL, there’s an article all would-be portable version writers should probably read and take into consideration
  • Jasper Adriaanse also writes about what he got done over there
  • He cleaned up and fixed the puppet port to work better with OpenBSD

Why you should use FreeBSD on your cloud VPS

  • Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
  • Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
  • (Spoiler) the 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
  • The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS

PCBSD weekly digest

  • Big changes coming in the way PCBSD manages software
  • The PBI system, AppCafe and related tools are all going to use pkgng now
  • The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
  • New rating system coming soon and much more

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The Tor and mailing list tutorials have gotten some fixes and updates
  • The OpenBSD router tutorial has also gotten a bit of a makeover, and now includes new scripts for 5.5 and signify
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • If any listeners have a collection of old FreeBSD or OpenBSD CDs, we’d love for you to send in a picture of the whole set together so we can show it off
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • We will be at BSDCan next week – be sure to say hi if you run into us!
