Show Notes: linuxunplugged.com/396

The post How Linux Got to Mars | LINUX Unplugged 396 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/70

The post The Resilience of the Voyagers | Jupiter Extras 70 first appeared on Jupiter Broadcasting.

Show Notes: extras.show/57

The post Brunch with Brent: Heather Ellsworth | Jupiter Extras 57 first appeared on Jupiter Broadcasting.

MP3 Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

— Show Notes: —

Hoopla

Update on Mike’s Move

Part of me really wants to jump on a skateboard or BMX bike, pump the Blink-182 / Greenday and try to capture my mispent youth.

— Michael Dominick (@dominucco) July 6, 2017

• Jody wrote in asking :

I’d like to hear how you’re transitioning your software business to FL?

Mike’s Special Project in FL

If you’re near the Tampa / Plant City FL area are a student or recent grad looking to get into the development space, drop me a line. I am looking for some interns / entry level folks for a new venture in the bot space. I need developers, QA, and BizDev.

System 76 PopOS Conversation Cont.

Botched Sega Forever launch blighted by poor emulation

Sega’s performance issues stem from the use of a new emulator based in Unity. Older mobile versions of retro Sega games were either direct ports—as in the case of Sonic the Hedgehog and Sonic CD—or used a native emulator, instead of one passed through Unity.

Outside of AI, Companies are doing less Research and more Dev

RD for Developers

• Is there value in trying purely speculative technologies?
• What does a longshot really offer?
• How do you balance the benefits of experimentation with the need for focus

Feedback

Should one get punished for working more effectively than his co-workers?

Xamarin Contract work

I had terrible RSI

The post Toxic Licensing | CR 264 first appeared on Jupiter Broadcasting.

Lenovo & HP are caught injecting malware even after you format the drive, Ubiquiti Networks is socially engineered out of 46 million & are we entering the era of Security Research Prohibition? We debate.

Plus a great batch of your questions, our answers, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Lenovo and HP caught injecting Malware even after your wipe the machine

• A user on the Ars Technica forums discovered the malware being installed on his freshly re-formatted computer
• How is that possible, the entire disk was erased…
• Well, it turns out Microsoft has a solution for that, the “Windows Platform Binary Table
• Details on Microsoft’s “Windows Platform Binary Table”
• An area in the bios where you can stick some files, and they will be run with ‘SYSTEM’ privileges, after Windows (8+) starts
• They have access to the file system, even if the disk is encrypted with bitlocker, because the code is run after the file system is mounted
• “Microsoft’s Windows Platform Binary Table WPBT feature allows PC manufacturers and corporate IT to inject drivers, programs and other files into the Windows operating system from the motherboard firmware. The WPBT is stored in the firmware, and tells Windows where in memory it can find an executable called a platform binary to run. Said executable will take care of the job of installing files before the operating system starts.”
• “During operating system initialization, Windows will read the WPBT to obtain the physical memory location of the platform binary,” Microsoft’s documentation states. “The binary is required to be a native, user-mode application that is executed by the Windows Session Manager during operating system initialization. Windows will write the flat image to disk, and the Session Manager will launch the process.”
• “The LSE (Lenovo Service Engine) makes sure C:\Windows\system32\autochk.exe is Lenovo’s variant of the autochk.exe file; if Microsoft’s official version is there, it is moved out of the way and replaced. The executable is run during startup, and is supposed to check the computer’s file system to make sure it’s free of any corruption.”
• “Lenovo’s variant of this system file ensures LenovoUpdate.exe and LenovoCheck.exe are present in the operating system’s system32 directory, and if not, it will copy the executables into that directory during boot up. So if you uninstall or delete these programs, the LSE in the firmware will bring them back during the next power-on or reboot.”
• In the Microsoft documentation, they try to make it clear:
• “The primary purpose of WPBT is to allow critical software to persist even when the operating system has changed or been reinstalled in a “clean” configuration … Because this feature provides the ability to persistently execute system software in the context of Windows, it becomes critical that WPBT-based solutions are as secure as possible and do not expose Windows users to exploitable conditions.”
• Which is funny, because the entire WPBT feature, “exposes Windows users to exploitable conditions”
• “Secure as possible? Not in this case: security researcher Roel Schouwenberg found and reported a buffer-overflow vulnerability in the LSE that can be exploited to gain administrator-level privileges.”
• “After Lenovo learned of this bug in April, it dawned on the company that its LSE was falling foul of Microsoft’s security guidelines for using the powerful WPBT feature. Two months later, in June, it pulled the whole thing: the LSE software is no longer included in new laptops.”
• Luckily, if you are not running Windows 8 or higher, your computer is not affected
• Note: This has been observed on desktop computers too, not just laptops
• Note Well: This is a “feature” of Windows, so every computer with Windows 8 or higher is actually vulnerable to having malicious code injected, there just might not be any code in your firmware, currently.
• Microsoft say: “If partners intentionally or unintentionally introduce malware or unwanted software though the WPBT, Microsoft may remove such software through the use of anti-malware software. Software that is determined to be malicious may be subject to immediate removal without notice.”
• However, since the file that gets executed only ever exists in memory, Microsoft’s malware scanner won’t find the WPBT binary, only the malware it drops into your system
• Lenovo used Windows anti-theft feature to install persistent crapware
• Lenovo Busted For Stealthily Installing Crapware Via BIOS On Fresh Windows Installs

Ubiquiti Networks loses 46 million in cyber bank heist

• “Networking firm Ubiquiti Networks Inc. disclosed this week that cyber thieves recently stole $46.7 million using an increasingly common scam in which crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers”
• So, pretend to be the boss, and get a secretary, or the finance department to approve expenses or transfers
• The attack was disclosed as part of the company’s quarterly filings with the SEC
• “This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” Ubiquiti wrote. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions. As a result of these efforts, the Company has recovered $8.1 million of the amounts transferred.”
• “The swindle that hit Ubiquiti is a sophisticated and increasingly common one targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments”
• “Ubiquiti didn’t disclose precisely how it was scammed, but CEO fraud usually begins with the thieves either phishing an executive and gaining access to that individual’s inbox, or emailing employees from a look-alike domain name that is one or two letters off from the target company’s true domain name. For example, if the target company’s domain was “example.com” the thieves might register “examp1e.com” (substituting the letter “L” for the numeral 1) or “example.co,” and send messages from that domain.”
• “The FBI’s advisory on these scams urges businesses to adopt two-step or two-factor authentication for email, where available, and/or to establish other communication channels — such as telephone calls — to verify significant transactions. Businesses are also advised to exercise restraint when publishing information about employee activities on their Web sites or through social media, as attackers perpetrating these schemes often will try to discover information about when executives at the targeted organization will be traveling or otherwise out of the office.”
• “Unlike traditional phishing scams, spoofed emails used in CEO fraud schemes are unlikely to set off spam traps, because these are targeted phishing scams that are not mass e-mailed. Also, the crooks behind them take the time to understand the target organization’s relationships, activities, interests and travel and/or purchasing plans.”
• These won’t be your typical phishing emails for of broken english and bad punctuation
• These will be highly researched scams designed to make you think you are communicating with the real person
• “On the surface, business email compromise scams may seem unsophisticated relative to moneymaking schemes that involve complex malicious software, such as Dyre and ZeuS. But in many ways, the BEC attack is more versatile and adept at sidestepping basic security strategies used by banks and their customers to minimize risks associated with account takeovers. In traditional phishing scams, the attackers interact with the victim’s bank directly, but in the BEC scam the crooks trick the victim into doing that for them.”
• Even two factor auth can be defeated here, because you are tricking someone into doing the transfer for you

We may be entering the era of Security Research Prohibition

• As if the Oracle nonsense last week was not bad enough, the Wassenaar Arrangement threatens to send us into the dark ages
• “The U.S. implementation of the rules, which govern the export of so-called intrusion software among other things, has been criticized sharply by lawyers, security researchers, and software vendors, who say that the proposed rules are too vague and threaten to chill legitimate security research and other activities.”
• “The rules that we got on May 20 are confusing to say the least. The Commerce Department didn’t have any experience with these kind of rules,” Nate Cardozo, a staff attorney at the EFF, said during a panel on Wassenaar at the Black Hat conference here Thursday. “They are really horrendously vague.”
• “The Bureau of Industry and Security at the Commerce Department proposed the rules in May and opened up a 60-day comment period. Many security researchers and attorneys submitted comments, and the BIS has said it will revise the rules and open them up for public comment again, a somewhat unusual move.“
• “The Wassenaar rules have been compared in many circles to the export controls on encryption software that came into effect in the 1990s in the U.S. There is an important lesson to be drawn from the way the crypto controls were handled.“ “We should learn how much those controls did the opposite of what was intended, which is weakening the security of the Internet as a whole”
• “Because the BIS rules as currently written are so vague about what constitutes intrusion software, things such as Metasploit and other common offensive tools could be regulated. And even sharing information about your own security research with a co-worker in another country could cause issues. Researchers are quite wary of these vagaries and worry that their day-to-day work may be restricted.“

Feedback:

• ICMP Traffic

• LVM -> ZFS follow-up

• Loading FreeBSD on a TP-Link Router with Serial Port
  • FreeBSD Wifi Build

• ZFS checksum errors don’t add up

Round Up:

• Snapdragon 820 is official: A look at its GPU
• Ad publishing networks purposely making sites slower to let ad slot auctions run longer, so they make more money
• Design flaw in Intel processors opens door to rootkits, researcher says
• RowHammer.js – most ingenious hack ever?
• MIT Researchers claim Gallium Nitride chips could cut energy consumption by 20%
• Samsung v-NAND claims 5,500 MB/s read, 1,800 MB/s write, 1,000,000 read IOPS, and 120,000 write IOPS, a 6.4 TB capacity rated for 32 TB/day of writes for 5 years
• US Decides how to retaliate against China’s hacking
• Comparing Expert and non-Expert security practices
• European Central Bank announces it was the victim of an attack
• Microsoft releases patch for actively exploited USB bug. Includes a tool to log when the exploit is attempted against you
• Defcon: How to fake death records – Kill anyone, online
• Defcon: 115 stupid things that have been put online
• Battery Status API could be used to track you online
• Multipath TCP used in Mobile networks in Korea allows devices to reach up to 1 gigabit/sec
• A final word

The post Export Grade Vulnerabilities | TechSNAP 228 first appeared on Jupiter Broadcasting.

Could Netflix be classified as a cyber security threat, or is this being overblown? Having Dynamic DNS problems? You can thank Microsoft, they played cowboy and shut down the No-IP service.

Plus Newegg starts accepting Bitcoin, another big open source adoption and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

Netflix Could Be Classified As a ‘Cybersecurity Threat’ Under New CISPA Rules | Motherboard

The cybersecurity bill making its way through the Senate right now is so broad that it could allow ISPs to classify Netflix as a “cyber threat,” which would allow them to throttle the streaming service’s delivery to customers.

“A ‘threat,’ according to the bill, is anything that makes information unavailable or less available. So, high-bandwidth uses of some types of information make other types of information that go along the same pipe less available,” Greg Nojeim, a lawyer with the Center for Democracy and Technology, told me. “A company could, as a cybersecurity countermeasure, slow down Netflix in order to make other data going across its pipes more available to users.”

The general uproar surrounding the bill could have led to the postponement of its markup—it was originally set to be discussed by Feinstein’s Intelligence Committee last week, but was pushed back. No word on when it’ll be taken up by the committee, but considering that the bill has been in the works behind closed doors for several months now, don’t expect it to die without first getting some very serious consideration on Capitol Hill.

Millions of dynamic DNS users suffer after Microsoft seizes No-IP domains

Millions of legitimate servers that rely on dynamic domain name services from No-IP.com suffered outages on Monday after Microsoft seized 22 domain names it said were being abused in malware-related crimes against Windows users.

Microsoft enforced a federal court order making the company the domain IP resolver for the No-IP domains. Microsoft said the objective of the seizure was to identify and reroute traffic associated with two malware families that abused No-IP services. Almost immediately, end-users, some of which were actively involved in Internet security, castigated the move as heavy handed, since there was no evidence No-IP officially sanctioned or actively facilitated the malware campaign, which went by the names Bladabindi (aka NJrat) and Jenxcus (aka NJw0rm).

In a complaint Microsoft filed under seal on June 19, Microsoft attorneys said No-IP is “functioning as a major hub for 245 different types of malware circulating on the Internet.” The document said abuse of the service has been the subject of recent blog posts by both OpenDNS and Cisco Systems.

Monday’s seizure was the tenth major malware disruption Microsoft has participated in. The actions typically combine surprise technical and legal procedures that eradicate or significantly disrupt major botnets.

South Korea gives up on Microsoft – Giving Open Sauce a chance

According to a government statement, South Korea wants to break from its Microsoft dependency and move to open source software by 2020″

In a statement the government said that it will invigorate open source software in order to solve the problem of dependency on certain software. The government has invested in Windows 7 to replace XP, but it does not want to go through the same process in 2020 when the support of the Windows 7 service is terminated.

Facebook Added ‘Research’ To User Agreement 4 Months After Emotion Manipulation Study

The study came to light recently when he and his two co-researchers from Cornell University and University of California-SF published their study describing how users’ moods changed when Facebook curated the content of their News Feeds to highlight the good, happy stuff (for the lucky group) vs. the negative, depressing stuff

Four months after this study happened, in May 2012, Facebook made changes to its data use policy, and that’s when it introduced this line about how it might use your information: “For internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

Newegg.com – BITCOIN ACCEPTED

• Twitter / Newegg: We’re proud to announce…

We're proud to announce our acceptance of @Bitcoin via @BitPay. Learn more at https://t.co/2jxwhQQ92U #neweggbitcoin https://t.co/tRD4VO0MIU

— Newegg (Official) (@Newegg) July 1, 2014

We’re proud to announce our acceptance of @Bitcoin via @BitPay. Learn more at https://bit.ly/1qcn4Jo #neweggbitcoin

• 1-800-FLOWERS.COM Partners with Coinbase to Accept Bitcoin

Beginning this fall, 1-800-FLOWERS will be adding bitcoin as a payment option across its extensive family of gifting sites, including 1-800-FLOWERS.COM, FannieMay.com, Cheryl’s.com, ThePopcornFactory.com, 1-800-Baskets.com, FruitBouquets.com, and Stockyards.com.

Time Machine:

Today in Tech:

23 Years ago In 1991 — Finnish Prime Minister Harri Holkeri made the world’s first GSM call over a privately operated network to Vice Mayor Kaarina Suonio in Tampere. The Prime Minister used Nokia gear on GSM’s original 900MHz band.

The post Microsoft Cyber Terrorism | Tech Talk Today 18 first appeared on Jupiter Broadcasting.

Facebook admits to manipulating users emotions for research, the first review of the privacy protecting Blackphone hits the web and how you can create your own secure phone today.

Plus a quick review of The Internet’s Own Boy: The Story of Aaron Swartz and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

— Headlines —

Facebook Manipulated 689,003 Users’ Emotions For Science – Forbes

A recent study shows Facebook playing a whole new level of mind gamery with its guinea pigs users. As first noted by The New Scientist and Animal New York, Facebook’s data scientists manipulated the News Feeds of 689,003 users, removing either all of the positive posts or all of the negative posts to see how it affected their moods. If there was a week in January 2012 where you were only seeing photos of dead dogs or incredibly cute babies, you may have been part of the study.

The researchers, led by data scientist Adam Kramer, found that emotions were contagious. “When positive expressions were reduced, people produced fewer positive posts and more negative posts; when negative expressions were reduced, the opposite pattern occurred,”

“These results indicate that emotions expressed by others on Facebook influence our own emotions, constituting experimental evidence for massive-scale contagion via social networks.”

The experiment ran for a week — January 11–18, 2012 — during which the hundreds of thousands of Facebook users unknowingly participating may have felt either happier or more depressed than usual, as they saw either more of their friends posting ’15 Photos That Restore
Our Faith In Humanity’ articles or despondent status updates about losing jobs, getting screwed over by X airline, and already failing to live up to New Year’s resolutions. “Probably nobody was driven to suicide,” tweeted one professor linking to the study, adding a “#jokingnotjoking” hashtag.

In it’s initial response to the controversy around the study — a statement sent to me late Saturday night — Facebook doesn’t seem to really get what people are upset about, focusing on privacy and data use rather than the ethics of emotional manipulation and whether Facebook’s TOS lives up to the definition of “informed consent” usually required for academic studies like this.

“This research was conducted for a single week in 2012 and none of the data used was associated with a specific person’s Facebook account,” says a Facebook spokesperson. “We do research to improve our services and to make the content people see on Facebook as relevant and engaging as possible.

Serious Android crypto key theft vulnerability affects 10% of devices

The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers.

By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets.

There are several technical hurdles an attacker must overcome to successfully exploit the vulnerability. Android is fortified with modern software protections, including data execution prevention and address space layout randomization, both of which are intended to make it much harder for hackers to execute code when they identify security bugs.

Exclusive: A review of the Blackphone, the Android for the paranoid

The Blackphone is the first consumer-grade smartphone to be built explicitly for privacy. It pulls together a collection of services and software that are intended to make covering your digital assets simple—or at least more straightforward. The product of SGP Technologies, a joint venture between the cryptographic service Silent Circle and the specialty mobile hardware manufacturer Geeksphone, the Blackphone starts shipping to customers who preordered it sometime this week. It will become available for immediate purchase online shortly afterward.

• A two-year subscription to Silent Circle’s secure voice and video calling and text messaging services, plus three one-year “Friend and Family” Silent Circle subscriptions that allow others to install the service on their existing smartphones;
• Two years of 1GB-per-month Disconnect virtual private network service, plus Disconnect’s anonymizing search as part of the phone’s web browser;
• Two years of SpiderOak cloud file storage and sharing, with a limit of five gigabytes a month.

PrivatOS’ main innovation is its Security Center, an interface that allows the user to explicitly control just what bits of hardware functionality and data each application on the phone has access to. It even provides control over the system-level applications—you can, if you wish for some reason, turn off the Camera app’s access to the camera hardware and turn off the Browser app’s access to networks.

The good

• Excellent Security Center feature of PrivatOS does what stock Android should do, giving you fine control over app permissions.
• Bundled Silent Voice and Silent Text services anonymize and encrypt communications so no one can eavesdrop on voice, video, and text calls at all.
• Bundled Kismet Smart Wi-Fi Manager keeps phone from connecting to unfriendly networks.
• Disconnect VPN and Search keep web trackers away from your phone, anonymize your searches and Internet traffic.

The bad

• The phone’s performance, while acceptable, is mediocre (even though it isn’t the phone’s selling point).
• Silent Phone calling ran into trouble when network switched between calls, and the user interface may baffle some users.

The ugly

• A custom OS means no Google Play library or any of the other benefits of the Google ecosystem, spotty support for sideloaded apps, and reliance on Amazon or other third-party app stores. Such is the price of privacy.

The first units of the $629 handset to ship are for European LTE users, and U.S. units will follow. In both cases, preorder production runs come first, then units for those who have not already ordered the device.

M66B/XPrivacy

XPrivacy – The ultimate, yet easy to use, privacy manager

https://www.xprivacy.eu/

Xposed Installer | Xposed Module Repository

Xposed is a framework for modules that can change the behavior of the system and apps without touching any APKs. That’s great because it means that modules can work for different versions and even ROMs without any changes (as long as the original code was not changed too much). It’s also easy to undo. As all changes are done in the memory, you just need to deactivate the module and reboot to get your original system back. There are many other advantages, but here is just one more: Multiple modules can do changes to the same part of the system or app. With modified APKs, you to decide for one. No way to combine them, unless the author builds multiple APKs with different combinations.

Smarter Wi-Fi Manager – Android Apps on Google Play

Smarter Wi-Fi Manager improves the security and privacy of your device by only enabling Wi-Fi in locations where you actually use it. Instead of letting your device advertise the name of your home network or try to connect to anyone who has left an access point set to the default name just because you once used a friends network who didn’t configure it, Smarter Wi-Fi Manager will turn it off when you’re not near somewhere you’ve used Wi-Fi before.

The Internet’s Own Boy: The Story of Aaron Swartz

The Internet’s Own Boy depicts the life of American computer programmer, writer, political organizer and Internet activist Aaron Swartz. It features interviews with his family and friends as well as the internet luminaries who worked with him. The film tells his story up to his eventual suicide after a legal battle, and explores the questions of access to information and civil liberties that drove his work.

The post Facebook Manipulates YOU! | Tech Talk Today 17 first appeared on Jupiter Broadcasting.

If you have a Barracuda device, it’s time to put it behind a real firewall. We’ll blow your minds with the horrible state of security on many popular Barracuda products.

Plus why a long password is not necessarily mean a more secure password, a big batch of your questions, and a great roundup!

All that and a lot more, on this week’s TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go20off5 to save 20% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: