Show Notes: linuxactionnews.com/176

The post Linux Action News 176 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/373

The post Your New Tools | LINUX Unplugged 373 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/341

The post Long Term Rolling | LINUX Unplugged 341 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/402

The post Snapshot Sanity | TechSNAP 402 first appeared on Jupiter Broadcasting.

##Headlines
###ZFS and DTrace update lands in NetBSD

merge a new version of the CDDL dtrace and ZFS code. This changes the upstream vendor from OpenSolaris to FreeBSD, and this version is based on FreeBSD svn r315983.

• r315983 is from March 2017 (14 months ago), so there is still more work to do

in addition to the 10 years of improvements from upstream, this version also has these NetBSD-specific enhancements:

• dtrace FBT probes can now be placed in kernel modules.
• ZFS now supports mmap().

• This brings NetBSD 10 years forward, and they should be able to catch the rest of the way up fairly quickly

###NetBSD network stack security audit

• Maxime Villard has been working on an audit of the NetBSD network stack, a project sponsored by The NetBSD Foundation, which has served all users of BSD-derived operating systems.

Over the last five months, hundreds of patches were committed to the source tree as a result of this work. Dozens of bugs were fixed, among which a good number of actual, remotely-triggerable vulnerabilities.

Changes were made to strengthen the networking subsystems and improve code quality: reinforce the mbuf API, add many KASSERTs to enforce assumptions, simplify packet handling, and verify compliance with RFCs. This was done in several layers of the NetBSD kernel, from device drivers to L4 handlers.
In the course of investigating several bugs discovered in NetBSD, I happened to look at the network stacks of other operating systems, to see whether they had already fixed the issues, and if so how. Needless to say, I found bugs there too.

• A lot of code is shared between the BSDs, so it is especially helpful when one finds a bug, to check the other BSDs and share the fix.

The IPv6 Buffer Overflow: The overflow allowed an attacker to write one byte of packet-controlled data into ‘packet_storage+off’, where ‘off’ could be approximately controlled too. This allowed at least a pretty bad remote DoS/Crash
The IPsec Infinite Loop: When receiving an IPv6-AH packet, the IPsec entry point was not correctly computing the length of the IPv6 suboptions, and this, before authentication. As a result, a specially-crafted IPv6 packet could trigger an infinite loop in the kernel (making it unresponsive). In addition this flaw allowed a limited buffer overflow – where the data being written was however not controllable by the attacker.
The IPPROTO Typo: While looking at the IPv6 Multicast code, I stumbled across a pretty simple yet pretty bad mistake: at one point the Pim6 entry point would return IPPROTO_NONE instead of IPPROTO_DONE. Returning IPPROTO_NONE was entirely wrong: it caused the kernel to keep iterating on the IPv6 packet chain, while the packet storage was already freed.
The PF Signedness Bug: A bug was found in NetBSD’s implementation of the PF firewall, that did not affect the other BSDs. In the initial PF code a particular macro was used as an alias to a number. This macro formed a signed integer. NetBSD replaced the macro with a sizeof(), which returns an unsigned result.
The NPF Integer Overflow: An integer overflow could be triggered in NPF, when parsing an IPv6 packet with large options. This could cause NPF to look for the L4 payload at the wrong offset within the packet, and it allowed an attacker to bypass any L4 filtering rule on IPv6.
The IPsec Fragment Attack: I noticed some time ago that when reassembling fragments (in either IPv4 or IPv6), the kernel was not removing the M_PKTHDR flag on the secondary mbufs in mbuf chains. This flag is supposed to indicate that a given mbuf is the head of the chain it forms; having the flag on secondary mbufs was suspicious.
What Now: Not all protocols and layers of the network stack were verified, because of time constraints, and also because of unexpected events: the recent x86 CPU bugs, which I was the only one able to fix promptly. A todo list will be left when the project end date is reached, for someone else to pick up. Me perhaps, later this year? We’ll see.
This security audit of NetBSD’s network stack is sponsored by The NetBSD Foundation, and serves all users of BSD-derived operating systems. The NetBSD Foundation is a non-profit organization, and welcomes any donations that help continue funding projects of this kind.

DigitalOcean

###MySQL on ZFS Performance

I used sysbench to create a table of 10M rows and then, using export/import tablespace, I copied it 329 times. I ended up with 330 tables for a total size of about 850GB. The dataset generated by sysbench is not very compressible, so I used lz4 compression in ZFS. For the other ZFS settings, I used what can be found in my earlier ZFS posts but with the ARC size limited to 1GB. I then used that plain configuration for the first benchmarks. Here are the results with the sysbench point-select benchmark, a uniform distribution and eight threads. The InnoDB buffer pool was set to 2.5GB.
In both cases, the load is IO bound. The disk is doing exactly the allowed 3000 IOPS. The above graph appears to be a clear demonstration that XFS is much faster than ZFS, right? But is that really the case? The way the dataset has been created is extremely favorable to XFS since there is absolutely no file fragmentation. Once you have all the files opened, a read IOP is just a single fseek call to an offset and ZFS doesn’t need to access any intermediate inode. The above result is about as fair as saying MyISAM is faster than InnoDB based only on table scan performance results of unfragmented tables and default configuration. ZFS is much less affected by the file level fragmentation, especially for point access type.

ZFS stores the files in B-trees in a very similar fashion as InnoDB stores data. To access a piece of data in a B-tree, you need to access the top level page (often called root node) and then one block per level down to a leaf-node containing the data. With no cache, to read something from a three levels B-tree thus requires 3 IOPS.

The extra IOPS performed by ZFS are needed to access those internal blocks in the B-trees of the files. These internal blocks are labeled as metadata. Essentially, in the above benchmark, the ARC is too small to contain all the internal blocks of the table files’ B-trees. If we continue the comparison with InnoDB, it would be like running with a buffer pool too small to contain the non-leaf pages. The test dataset I used has about 600MB of non-leaf pages, about 0.1% of the total size, which was well cached by the 3GB buffer pool. So only one InnoDB page, a leaf page, needed to be read per point-select statement.

To correctly set the ARC size to cache the metadata, you have two choices. First, you can guess values for the ARC size and experiment. Second, you can try to evaluate it by looking at the ZFS internal data. Let’s review these two approaches.

You’ll read/hear often the ratio 1GB of ARC for 1TB of data, which is about the same 0.1% ratio as for InnoDB. I wrote about that ratio a few times, having nothing better to propose. Actually, I found it depends a lot on the recordsize used. The 0.1% ratio implies a ZFS recordsize of 128KB. A ZFS filesystem with a recordsize of 128KB will use much less metadata than another one using a recordsize of 16KB because it has 8x fewer leaf pages. Fewer leaf pages require less B-tree internal nodes, hence less metadata. A filesystem with a recordsize of 128KB is excellent for sequential access as it maximizes compression and reduces the IOPS but it is poor for small random access operations like the ones MySQL/InnoDB does.

• In order to improve ZFS performance, I had 3 options:
• Increase the ARC size to 7GB
• Use a larger Innodb page size like 64KB
• Add a L2ARC

I was reluctant to grow the ARC to 7GB, which was nearly half the overall system memory. At best, the ZFS performance would only match XFS. A larger InnoDB page size would increase the CPU load for decompression on an instance with only two vCPUs; not great either. The last option, the L2ARC, was the most promising.

ZFS is much more complex than XFS and EXT4 but, that also means it has more tunables/options. I used a simplistic setup and an unfair benchmark which initially led to poor ZFS results. With the same benchmark, very favorable to XFS, I added a ZFS L2ARC and that completely reversed the situation, more than tripling the ZFS results, now 66% above XFS.

• Conclusion

We have seen in this post why the general perception is that ZFS under-performs compared to XFS or EXT4. The presence of B-trees for the files has a big impact on the amount of metadata ZFS needs to handle, especially when the recordsize is small. The metadata consists mostly of the non-leaf pages (or internal nodes) of the B-trees. When properly cached, the performance of ZFS is excellent. ZFS allows you to optimize the use of EBS volumes, both in term of IOPS and size when the instance has fast ephemeral storage devices. Using the ephemeral device of an i3.large instance for the ZFS L2ARC, ZFS outperformed XFS by 66%.

###OpenSMTPD new config

TL;DR:
OpenBSD #p2k18 hackathon took place at Epitech in Nantes.
I was organizing the hackathon but managed to make progress on OpenSMTPD.
As mentioned at EuroBSDCon the one-line per rule config format was a design error.
A new configuration grammar is almost ready and the underlying structures are simplified.
Refactor removes ~750 lines of code and solves _many_ issues that were side-effects of the design error.
New features are going to be unlocked thanks to this.

• Anatomy of a design error

OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.
The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.
When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.
It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.
That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.
One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.
To get to the point: we should move to two-line rules

Anatomy of a design error
OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.

The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.

When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.

It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.

That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.

One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.

To get to the point: we should move to two-line rules

• The problem with one-line rules

OpenSMTPD decides to accept or reject messages based on one-line rules such as:

accept from any for domain poolp.org deliver to mbox

Which can essentially be split into three units:

• the decision: accept/reject
• the matching: from any for domain poolp.org
• the (default) action: deliver to mbox

To ensure that we meet the requirements of the transactions, the matching must be performed during the SMTP transaction before we take a decision for the recipient.
Given that the rule is atomic, that it doesn’t have an identifier and that the action is part of it, the two only ways to make sure we can remember the action to take later on at delivery time is to either:

• save the action in the envelope, which is what we do today
• evaluate the envelope again at delivery
• And this this where it gets tricky… both solutions are NOT ok.

The first solution, which we’ve been using for a decade, was to save the action within the envelope and kind of carve it in stone. This works fine… however it comes with the downsides that errors fixed in configuration files can’t be caught up by envelopes, that delivery action must be validated way ahead of time during the SMTP transaction which is much trickier, that the parsing of delivery methods takes place as the _smtpd user rather than the recipient user, and that envelope structures that are passed all over OpenSMTPD carry delivery-time informations, and more, and more, and more. The code becomes more complex in general, less safe in some particular places, and some areas are nightmarish to deal with because they have to deal with completely unrelated code that can’t be dealt with later in the code path.

The second solution can’t be done. An envelope may be the result of nested rules, for example an external client, hitting an alias, hitting a user with a .forward file resolving to a user. An envelope on disk may no longer match any rule or it may match a completely different rule If we could ensure that it matched the same rule, evaluating the ruleset may spawn new envelopes which would violate the transaction. Trying to imagine how we could work around this leads to more and more and more RFC violations, incoherent states, duplicate mails, etc…

There is simply no way to deal with this with atomic rules, the matching and the action must be two separate units that are evaluated at two different times, failure to do so will necessarily imply that you’re either using our first solution and all its downsides, or that you are currently in a world of pain trying to figure out why everything is burning around you. The minute the action is written to an on-disk envelope, you have failed.

A proper ruleset must define a set of matching patterns resolving to an action identifier that is carved in stone, AND a set of named action set that is resolved dynamically at delivery time.

• Follow the link above to see the rest of the article

Break

##News Roundup
###Backing up a legacy Windows machine to a FreeNAS with rsync

I have some old Windows servers (10 years and counting) and I have been using rsync to back them up to my FreeNAS box. It has been working great for me.

First of all, I do have my Windows servers backup in virtualized format. However, those are only one-time snapshops that I run once in a while. These are classic ASP IIS web servers that I can easily put up on a new VM. However, many of these legacy servers generate gigabytes of data a day in their repositories. Running VM conversion daily is not ideal.

My solution was to use some sort of rsync solution just for the data repos. I’ve tried some applications that didn’t work too well with Samba shares and these old servers have slow I/O. Copying files to external sata or usb drive was not ideal. We’ve moved on from Windows to Linux and do not have any Windows file servers of capacity to provide network backups. Hence, I decided to use Delta Copy with FreeNAS. So here is a little write up on how to set it up. I have 4 Windows 2000 servers backing up daily with this method.

First, download Delta Copy and install it. It is open-source and pretty much free. It is basically a wrapper for cygwin’s rsync. When you install it, it will ask you to install the Server services which allows you to run it as a Rsync server on Windows. You don’t need to do this. Instead, you will be just using the Delta Copy Client application. But before we do that, we will need to configure our Rsync service for our Windows Clients on FreeNAS.

• In FreeNAS, go under Services , Select Rsync > Rsync Modules > Add Rsync Module.
• Then fill out the form; giving the module a name and set the path. In my example, I simply called it WIN and linked it to a user called backupuser.
• This process is much easier than trying to configure the daemon rsyncd.conf file by hand.
• Now, on the Windows Client, start the DeltaCopy Client. You will create a new Profile.
• You will need to enter the IP of the Rsync server (FreeNAS) and specify the module name which will be called “Virtual Directory Name.” When you pull the select menu, the list of Rsync Modules you created earlier in FreeNAS will populate.
• You can set authentication. On the server, you can restrict by IP and do other things to lock down your rsync.
• Next, you will add folders (and/or files) you want to synchronize.
• Once the paths are set up, you can run a sync by right clicking the profile name.
• Here, I made a test sync to a home folder of a virtualized windows box. As you can see, I mounted the rsync volume on my mac to see the progress. The rsync worked beautifully. DeltaCopy did what it was told.
• Once you get everything working. The next thing to do is set schedules. If you done tasks schedules in Windows before, it is pretty straightforward. DeltaCopy has a link in the application to directly create a new task for you. I set my backups to run nightly and it has been working great.

There you have it. Windows rsync to FreeNAS using DeltaCopy.
The nice thing about FreeNAS is you don’t have to modify /etc/rsyncd.conf files. Everything can be done in the web admin.

iXsystems

###How to write ATF tests for NetBSD

I have recently started contributing to the amazing NetBSD foundation. I was thinking of trying out a new OS for a long time. Switching to the NetBSD OS has been a fun change.

My first contribution to the NetBSD foundation was adding regression tests for the Address Sanitizer (ASan) in the Automated Testing Framework(ATF) which NetBSD has. I managed to complete it with the help of my really amazing mentor Kamil. This post is gonna be about the ATF framework that NetBSD has and how to you can add multiple tests with ease.

• Intro

In ATF tests we will basically be talking about test programs which are a suite of test cases for a specific application or program.

• The ATF suite of Commands

There are a variety of commands that the atf suite offers. These include :

• atf-check: The versatile command that is a vital part of the checking process. man page

• atf-run: Command used to run a test program. man page

• atf-fail: Report failure of a test case.

• atf-report: used to pretty print the atf-run. man page

• atf-set: To set atf test conditions.

• We will be taking a better look at the syntax and usage later.

• Let’s start with the Basics

The ATF testing framework comes preinstalled with a default NetBSD installation. It is used to write tests for various applications and commands in NetBSD. One can write the Test programs in either the C language or in shell script. In this post I will be dealing with the Bash part.

• Follow the link above to see the rest of the article

###The Importance of ZFS Block Size

• Warning! WARNING! Don’t just do things because some random blog says so

One of the important tunables in ZFS is the recordsize (for normal datasets) and volblocksize (for zvols). These default to 128KB and 8KB respectively.
As I understand it, this is the unit of work in ZFS. If you modify one byte in a large file with the default 128KB record size, it causes the whole 128KB to be read in, one byte to be changed, and a new 128KB block to be written out.
As a result, the official recommendation is to use a block size which aligns with the underlying workload: so for example if you are using a database which reads and writes 16KB chunks then you should use a 16KB block size, and if you are running VMs containing an ext4 filesystem, which uses a 4KB block size, you should set a 4KB block size
You can see it has a 16GB total file size, of which 8.5G has been touched and consumes space – that is, it’s a “sparse” file. The used space is also visible by looking at the zfs filesystem which this file resides in
Then I tried to copy the image file whilst maintaining its “sparseness”, that is, only touching the blocks of the zvol which needed to be touched. The original used only 8.42G, but the copy uses 14.6GB – almost the entire 16GB has been touched! What’s gone wrong?
I finally realised that the difference between the zfs filesystem and the zvol is the block size. I recreated the zvol with a 128K block size
That’s better. The disk usage of the zvol is now exactly the same as for the sparse file in the filesystem dataset

• It does impact the read speed too. 4K blocks took 5:52, and 128K blocks took 3:20
• Part of this is the amount of metadata that has to be read, see the MySQL benchmarks from earlier in the show
• And yes, using a larger block size will increase the compression efficiency, since the compressor has more redundant data to optimize.
• Some of the savings, and the speedup is because a lot less metadata had to be written
• Your zpool layout also plays a big role, if you use 4Kn disks, and RAID-Z2, using a volblocksize of 8k will actually result in a large amount of wasted space because of RAID-Z padding. Although, if you enable compression, your 8k records may compress to only 4k, and then all the numbers change again.

###Using a Raspberry Pi 2 as a Router on a Stick Starring NetBSD

• Sorry we didn’t answer you quickly enough

A few weeks ago I set about upgrading my feeble networking skills by playing around with a Cisco 2970 switch. I set up a couple of VLANs and found the urge to set up a router to route between them. The 2970 isn’t a modern layer 3 switch so what am I to do?

Why not make use of the Raspberry Pi 2 that I’ve never used and put it to some good use as a ‘router on a stick’.

I could install a Linux based OS as I am quite familiar with it but where’s the fun in that? In my home lab I use SmartOS which by the way is a shit hot hypervisor but as far as I know there aren’t any Illumos distributions for the Raspberry Pi. On the desktop I use Solus OS which is by far the slickest Linux based OS that I’ve had the pleasure to use but Solus’ focus is purely desktop. It’s looking like BSD then!

I believe FreeBSD is renowned for it’s top notch networking stack and so I wrote to the BSDNow show on Jupiter Broadcasting for some help but it seems that the FreeBSD chaps from the show are off on a jolly to some BSD conference or another(love the show by the way).

It looks like me and the luvverly NetBSD are on a date this Saturday. I’ve always had a secret love for NetBSD. She’s a beautiful, charming and promiscuous lover(looking at the supported architectures) and I just can’t stop going back to her despite her misgivings(ahem, zfs). Just my type of grrrl!

Let’s crack on…

• Follow the link above to see the rest of the article

##Beastie Bits

• BSD Jobs
• University of Aberdeen’s Internet Transport Research Group is hiring
• VR demo on OpenBSD via OpenHMD with OSVR HDK2
• patch runs ed, and ed can run anything (mentions FreeBSD and OpenBSD)
• Alacritty (OpenGL-powered terminal emulator) now supports OpenBSD
• MAP_STACK Stack Register Checking Committed to -current
• EuroBSDCon CfP till June 17, 2018

Tarsnap

##Feedback/Questions

• NeutronDaemon – Tutorial request
• Kurt – Question about transferability/bi-directionality of ZFS snapshots and send/receive
• Peter – A Question and much love for BSD Now
• Peter – netgraph state

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Router On A Stick | BSD Now 249 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Tales of an IT professional sailing around the Antarctic loop – sent in by Eric Miller

• CTD device – A CTD or Sonde is an oceanography instrument used to measure the conductivity, temperature, and pressure of seawater (the D stands for “depth,” which is closely related to pressure). The reason to measure conductivity is that it can be used to determine the salinity.

• Had to reinstall software for a winch to get it working

• Registered a new website and webmail and created a custom email solution so scientists would remotely access their email

security.txt – an RFC in the making

• Based on /.well-known/ of RFC5785 and similar in nature to robots.txt

• JSON was discussed, but dismissed

• CWE (Common Weakness Enumeration) will be used

• Versioning of security.txt by third parties

• Generation utilities have been created](https://github.com/EdOverflow/security-txt/issues/10)

Dumping Data from Deep-Insert Skimmers

• Deep-insert skimmers

• Romanian links to US crime

• European data skimmed from cards, then used in US because chip technology is not widely deployed there

• ‘wands’ inserted deep into the ATM to retrieve data

Feedback

• re Database migrations in Episode 332 jungle boogie writes in to mention Sqitch github by David Wheeler. JB says “This is a program written in perl and looks to have support for many databases”. JB also mentioned [pgBackRest](https://www.pgbackrest.org/] github

• Gary Foard writes in about a command line utility called shred. He uses to erase laptops from a live Linux disc. I checked the FreeBSD manual pages to check it’s there also, and it is – although I had to search for gshred instead of shred to find shred which I find weird. – See sysutils/coreutils in the FreeBSD Ports tree. – Dan notes: not recommended for erasing files any more. Not feasible for COW filesystems.

• prime62 mentioned on the TechSNAP sub-reddit mentioned some password hashing/salting resources: Salted Password Hashing – Doing it Right and The definitive guide to form-based website authentication

• Also seen on Reddit: There is no point [on max password lengths] since the field is hashed.

Round Up:

• Mobile operators deploying portable Cell-On-Wheels/Cell-On-Truck units along eclipse path to handle huge data usage of photos and streaming

• Security Keys

• 83601 is a supervisor number

• Brian Krebs Fan Creates New Cryptocurrency Miner for Linux Devices

• Random Thoughts – next release of OpenSSL see Password Strength

• Create randomly insecure VMs

• This algorithm cleverly recreates 3D objects from tiny 2D images

The post Rsync On Ice | TechSNAP 333 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2008

• Bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6.

• Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)

• Are you affected? Read this!

Tarsnap

• Costs about $0.75 a day – storing about 87G total, and adding about 1.6GB / month

• I have not deleted any old backups since I started.

• Dan’s first big backup with Tarsnap

Feedback

• bareos – a bacula fork

• Backing up a Raspberry Pi TB disk photos

  • rdiff-backup
  • rsnapshot
  • duplicity
  • Borg

• mixing HDD batches in raid

Round Up:

• Why use Postgres (Updated for last 5 years) – Craig Kerstiens

• That grumpy BSD guy: Forcing the password gropers through a smaller hole with OpenBSD’s PF queues

• N.S.A. Halts Collection of Americans’ Emails About Foreign Targets – The New York Times

The post Some Fishy Chips | TechSNAP 317 first appeared on Jupiter Broadcasting.

From total beginner to photo pro, we’ll share workflow tips, tools, tricks & backup techniques to super-charge your photography workflow under Linux.

Plus the Pinos project promises to bring PulseAudio to video, how DirectX11 is coming to Linux, the Yotaphone upset, OwnCloud dreams & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Perfect Photo Workflow with Linux

Brought to you by: O’REILLY OSCON

Prepare your Monitor:

• Color management

Getting the photos into Linux:

• Rapid Photo Downloader

Rapid Photo Downloader for Linux is written by a photographer for professional and amateur photographers. Its goal is to be the best photo and video downloader for the Linux Desktop. It is free software, released under the GNU GPL license.

Quick Sorting of Photos:

• gthumb

gThumb is an image viewer and browser for the GNOME Desktop. It also includes an importer tool for transferring photos from cameras.

Tweaking your RAW Pictures:

• RawTherapee Features

HDR Photo Editing:

• LuminanceHDR

Luminance HDR is a graphical user interface (based on the Qt5 toolkit) that provides a complete workflow for HDR imaging.

• HDR Photography on Linux | LAS s30e06

Photo Organization

• darktable | the photo workflow software

darktable is an open source photography workflow application and RAW developer. A virtual lighttable and darkroom for photographers. It manages your digital negatives in a database, lets you view them through a zoomable lighttable and enables you to develop raw images and enhance them.

• Corel AfterShot Pro

Say hello to the world’s fastest RAW photo-editing software. Corel AfterShot Pro 2 is changing the way the world works with RAW, with 64-bit performance that’s 30% faster than AfterShot Pro 1 and up to 4x faster than the competition. AfterShot Pro 2 is the best way to unlock the freedom and flexibility of shooting RAW. With unparalleled speed and power, and a sleek new interface, AfterShot Pro 2 is a RAW converter, non-destructive photo editor and complete high-speed photo manager in one. Whether you’re batch processing thousands of RAW images, or making detailed adjustments to your latest prize-winning shot, AfterShot Pro 2 gives you the tools to quickly take complete control over every aspect of your photo workflow.

Photo Backup Under Linux:

• SpiderOak

SpiderOak ONE is the leading private backup solution and is 100% Zero Knowledge. Get a ton of space for only $12 a month. Plans starting at $7 a month for 30GB and up to 5TB.
Pay monthly or annually. Upgrade, downgrade or cancel at any time.

• Grsync rsync GUI interface frontend for Linux, Windows and Mac OS X

Grsync is a rsync GUI (Graphical User Interface). Rsync is the well-known and powerful command line directory and file synchronization tool.

— PICKS —

Runs Linux

• The NSA XKEYSCORE, Runs Linux

This global Internet surveillance network is powered by a somewhat clunky piece of software running on clusters of Linux servers. Analysts access XKEYSCORE’s web interface to search its wealth of private information, similar to how ordinary people can search Google for public information.

Desktop App Pick

• digiKam

digiKam is an advanced digital photo management application for Linux, Windows, and Mac-OSX.

The people who inspired digiKam’s design are the photographers like you who want to view, manage, edit, enhance, organize, tag, and share photographs under Linux systems.

You can take a look into the digiKam Overview page to take a tour or the Features page to see more advanced information about.

Weekly Spotlight

• OpenMediaVault 2.1

• Using Sencha ExtJS 5.1.1 framework for the WebGUI
• Add a new dashboard and widgets
• Many internal improvements and bugfixes
• Improved the internal network interface backend
• Add Wi-Fi support. Only WPA & WPA2 is supported
• Add VLAN support
• The network interface configuration page has been modified. Now only the configuration values are displayed. Use the dashboard widget to show the state of all network interfaces.
• The public key of the user must now be specified in the RFC 4716 SSH public key file format. It is possible to add multiple keys.
• Option to turn off the collection of system performance statistics.
• Use the browser local storage to store the WebGUI state (e.g. displayed grid columns, column width, …) instead of cookies.

The whole changelog for 2.1 can be viewed here.

— NEWS —

Introducing Pinos

So what is Pinos? One of the original goals of Pinos was to provide the same level of advanced hardware handling for Video that PulseAudio provides for Audio. For those of you who has been around for a while you might remember how you once upon a time could only have one application using the sound card at the same time until PulseAudio properly fixed that. Well Pinos will allow you to share your video camera between multiple applications and also provide an easy to use API to do so.

ownCloud 8.1 Coming Soon

The first release candidate of ownCloud 8.1 is ready for testing. This release will bring many performance improvements, Encryption 2.0 and much more. If you’re an avid ownCloud user, this is the time to test the upcoming release and make sure it can deal with your specific installation. Get the release on the ownCloud website.

Yotaphone Adopts Sailfish – Drops Android

Today the news has it for us as Yota Phone, the recently famous Russian [Android] phone manufacturer with their revolutionary “two-faced” phone has dropped their near-stock Android OS in favor of our beloved Sailfish OS which has raised a fair bit of keyboard warriors to attack the comments section on some websites saying things like “Why dumping the most popular OS in the world for the least popular?” Uh, excuse me as your most popular OS (Which I admit I am an Android user alongside Sailfish) does not care about user’s privacy and wants to send everything directly to that famous and most hated agency in the world! (NSA)

• No, the Yotaphone Isn’t Switching From Android to Sailfish | Ink, Bits, & Pixels

Codeweavers On DX11 in WINE, Steam Machines & Porting

The recent news of WINE/Crossover supporting DX11 is significant, because up until now there were no FOSS solutions to get such support. Sure, the eON wrapper from Virtual Programming was one commercial option for game companies to develop ports for Linux, but it was not available for end users. With WINE supporting DX11, this opens up a whole new library of recent Windows games for the Linux platform.

Feedback:

• https://slexy.org/view/s20WLp24uc

• https://slexy.org/view/s20m3WT5Ht

• https://slexy.org/view/s2id0khdx7

+https://slexy.org/view/s200YWzDGL

• Support Jupiter Broadcasting on Patreon

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Linux Photography in Focus | LAS 372 first appeared on Jupiter Broadcasting.

Lenovo & Google are victims of DNS hijacking, we’ll share the details, Everyone wants you to secure your data, just not from them & how Turbotax profits from Cyber tax fraud!

Plus a great batch of your questions, a fantastic round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Attackers Hijack Lenovo Domain, Spoof Website and Intercept Company Emails

• The lenovo.com website was replaced with a slideshow of some random person
• The attack was apparently carried about by members of LizardCircle (or LizardSquad)
• The identity of the person in the slideshow is unclear, but reports suggest they are two members of another hacking group (Hack The Planet) that have been trying to undermine LizardSquad for months
• The pictures on the Lenovo site suggest that the webcam of the target may have been compromised
• It seems the Lizard Squad was able to compromise webnic.cc, a large domain name registrar via a remote command injection vulnerability
• They then reported installed a rootkit and took over the registrars infrastructure
• Using this access, they were able to change the authoritative nameservers for the Lenovo.com domain to their own, and post the defacement page
• This allow allowed them to intercept all incoming email sent to @lenovo.com addresses
• They apparently used CloudFlare to host the site, and CloudFlare engineers eventually returned control of the site to Lenovo, while the DNS changes propagated
• The attackers apparently also got access to the ‘auth codes’ required to transfer ownership of the domain to another registrar
• Same attack also compromised google.com.vn domain in Vietnam
• Additional Coverage: Krebs On Security
• Additional Coverage: Ars Technica

Everyone wants you to secure your data, just not from them

• Bruce Schneier writes a blog post about security and privacy
• Google and Facebook was your data to be secure, on their server, so they can analyze it
• Your government wants you to have security communications, as long as they have the magic keys to decrypt it, but other governments do not
• “Governments are no different. The FBI wants people to have strong encryption, but it wants backdoor access so it can get at your data. UK Prime Minister David Cameron wants you to have good security, just as long as it’s not so strong as to keep the UK government out. And, of course, the NSA spends a lot of money ensuring that there’s no security it can’t break.”
• Schneier also quotes Whitfield Diffie (pioneering cryptographer, co-developed the Diffie-Hellman key exchanged used in SSH and TLS): “You can’t have privacy without security, and I think we have glaring failures in computer security in problems that we’ve been working on for 40 years. You really should not live in fear of opening an attachment to a message. It ought to be confined; your computer ought to be able to handle it. And the fact that we have persisted for decades without solving these problems is partly because they’re very difficult, but partly because there are lots of people who want you to be secure against everyone but them. And that includes all of the major computer manufacturers who, roughly speaking, want to manage your computer for you. The trouble is, I’m not sure of any practical alternative.”
• Corporations want access to your data for profit; governments want it security purposes, be they benevolent or malevolent. But Diffie makes an even stronger point: we give lots of companies access to our data because it makes our lives easier.
• Bruce wrote in his recent book: Data and Goliath: “Convenience is the other reason we willingly give highly personal data to corporate interests, and put up with becoming objects of their surveillance. As I keep saying, surveillance-based services are useful and valuable. We like it when we can access our address book, calendar, photographs, documents, and everything else on any device we happen to be near. We like services like Siri and Google Now, which work best when they know tons about you. Social networking apps make it easier to hang out with our friends. Cell phone apps like Google Maps, Yelp, Weather, and Uber work better and faster when they know our location. Letting apps like Pocket or Instapaper know what we’re reading feels like a small price to pay for getting everything we want to read in one convenient place. We even like it when ads are targeted to exactly what we’re interested in. The benefits of surveillance in these and other applications are real, and significant.”
• “Last week, we learned that the NSA broke into the Dutch company Gemalto and stole the encryption keys for billions ­ yes, billions ­ of cell phones worldwide. That was possible because we consumers don’t want to do the work of securely generating those keys and setting up our own security when we get our phones; we want it done automatically by the phone manufacturers. We want our data to be secure, but we want someone to be able to recover it all when we forget our password.”
• “We’ll never solve these security problems as long as we’re our own worst enemy. That’s why I believe that any long-term security solution will not only be technological, but political as well. We need laws that will protect our privacy from those who obey the laws, and to punish those who break the laws. We need laws that require those entrusted with our data to protect our data. Yes, we need better security technologies, but we also need laws mandating the use of those technologies.”
• I think at some level, part of the onus needs to be on the user as well, you are responsible for managing your passwords and security.
• Transcript: NSA Director Mike Rogers vs. Yahoo! on Encryption Back Doors | Just Security

The rise of tax refund fraud

• Fraudsters made billions of dollars last year by filing fake federal tax refund requests in the names of millions of unsuspecting Americans
• The IRS added a number of security measures and better automated screening, which drove the fraudsters to focus on state-level tax fraud
• “Anti-fraud Improvements by IRS Fuel Up To 3700 Percent Rise in Phony State Filings”
• “Earlier this month, TurboTax was forced to briefly suspend state tax refund filings while it investigated the source of the unprecedented fraud spike”
• To learn more about what was going on, Krebs interviewed Indu Kodukula, chief information security officer at Intuit
• “The IRS has gotten much better than a few years ago from the perspective of fighting fraud,” Kodukula said. “We think what’s happening is that as a result the fraudsters are starting to target the states.”
• In the 2014 tax season, the Treasury Inspector General for Tax Administration (TIGTA) found that the IRS identified and confirmed 28,076 fraudulent tax returns involving identity theft. That was down significantly from a year earlier (PDF), when the IRS identified and confirmed 85,385 fraudulent tax returns involving identity theft
• “But there are 46 states in the Union where taxpayers can file what’s called an ‘unlinked return,’ meaning they can file a state return without having a file a federal return at the same time. So when the [tax fraudsters] file an unlinked return, it leaves the state at its own disposal to fight this fraud, and we think that’s what has taken the states by surprise this year.”
• “States allow unlinked returns because most taxpayers owe taxes at the federal level but are due refunds from their state. Thus, unlinked returns allow taxpayers who owe money to the IRS to pay some or all of that off with state refund money.”
• “Unlinked returns typically have made up a very small chunk of Intuit’s overall returns, Kodukula said. However, so far in this year’s tax filing season, Intuit has seen between three and 37-fold increases in unlinked, state-only returns. Convinced that most of those requests are fraudulent, the company now blocks users from filing unlinked returns via TurboTax.”
• “It’s very hard to imagine a fundamental demographic shift that could cause that kind of pattern,” Kodukula said. “Our thought is that the vast majority of this is clearly not legitimate activity.”
• The traditional way that income tax fraud has been perpetrated was to steal the identity of an individual, then create an online tax account on their behalf and file the fraudulent return
• However, there has been a spike in compromised tax accounts, most appear to be because of password reuse
• We have seen many sites being compromised in the last few years, like LinkedIn, and Adobe. When huge piles of passwords like that are dropped on the Internet, the attackers try those same username/email and password combinations on other sites, like tax preparation sites
• “Over the past one-and-a-half years, we started to see much more of this type type of account takeover attack, where a customer’s TurboTax credentials were compromised at another site,” Kodukula said, describing wave after wave of attempts by fraudsters to log in at TurboTax using huge lists of credentials leaked in the wake of breaches at other companies.
• Currently, about 60 percent of the returns flagged as likely fraudulent by Intuit appear to come from SIRF, while the other 40 percent are the result of account takeovers, Kodukula said. But the account takeover attacks are definitely growing in frequency and intensity, he said.
• “From the list validation attacks we’ve seen, we know the credentials came from somewhere else,” he added. “When you look at credentials that have never been used in our system [trying to log in] it’s a pretty good indicator that those are credentials not from our space.”
• Security experts (including Krebs) have long called on TurboTax to implement two-step authentication for customers to help address the account takeover the problem of password re-use by consumers. Earlier this month, Intuit announced it would be implementing this very feature, although the company’s choice of approaches may fall short of what many security experts think of when they talk about real two-step or two-factor authentication.
• Krebs’ article also has some links and guidance for those who fall victim to this type of attack
• A week after the above interview, Krebs interviewed Robert Lee, a security business partner at Intuit’s consumer tax group until his departure from the company in July 2014
• Kreb’s 2nd Interview
• Lee said that he and his team at Intuit developed sophisticated fraud models to help Intuit quickly identify and close accounts that were being used by crooks to commit massive amounts of SIRF fraud.
• But Lee said he was mystified when Intuit repeatedly refused to adopt some basic policies that would make it more costly and complicated for fraudsters to abuse the company’s service for tax refund fraud, such as blocking the re-use of the same Social Security number across a certain number of TurboTax accounts, or preventing the same account from filing more than a small number of tax returns
• “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said in an interview with KrebsOnSecurity. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
• “The Federal Trade Commission (FTC) said it received 332,646 identity theft complaints in the calendar year 2014, and that almost one-third of them — the largest portion — were tax-related identity theft complaints. Tax identity theft has been the largest ID theft category for the last five years.”
• Lee said the scammers who hijack existing TurboTax accounts most often will use stolen credit cards to pay the $25-$50 TurboTax fee for processing and sending the refund request to the IRS.
• But he said the crooks perpetrating SIRF typically force the IRS — and, by extension, U.S. taxpayers — to cover the fee for their bogus filings. That’s because most SIRF filings take advantage of what’s known in the online tax preparation business as a ‘refund transfer’, which deducts TurboTax’s filing fee from the total amount of the fraudulent refund request. If the IRS then approves the fraudulent return, TurboTax gets paid.
• “The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” Lee said. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
• Lee confirmed Kodukula’s narrative that Intuit is an industry leader in sending the IRS regular reports about tax returns that appear suspicious. But he said the company eventually scaled back those reports after noticing that the overall fraud the IRS was reporting wasn’t decreasing as a result of Intuit’s reporting: Fraudsters were simply taking their business to Intuit’s competitors.
• “We noticed the IRS started taking action, and because of this, we started to see not only our fraud numbers but also our revenue go down before the peak of tax season a couple of years ago,” Lee recalled. “When we stopped or delayed sending those fraud numbers, we saw the fraud and our revenue go back up.”
• “Then, there was a time period where we didn’t deliver that information at all,” he said. “And then at one point there was a two-week delay added between the time the information was ready and the time it was submitted to the IRS. There was no technical reason for that delay, but I can only speculate what the real justification for that was.”
• KrebsOnSecurity obtained a copy of a recording made of an internal Intuit conference call on Oct. 14, 2014, in which Michael Lyons, TurboTax’s deputy general counsel, describes the risks of the company being overly aggressive — relative to its competitors — in flagging suspicious tax returns for the IRS.
• “As you can imagine, the bad guys being smart and savvy, they saw this and noticed it, they just went somewhere else,” Lyons said in the recording. “The amount of fraudulent activity didn’t change. The landscape didn’t change. It was like squeezing a balloon. They recognized that TurboTax returns were getting stopped at the door. So they said, ‘We’ll just go over to H&R Block, to TaxSlayer or TaxAct, or whatever.’ And all of a sudden we saw what we call ‘multi-filer activity’ had completely dropped off a cliff but the amount that the IRS reported coming through digital channels and through their self reported fraud network was not changing at all. The bad guys had just gone from us to others.”
• That recording was shared by Shane MacDougall, formerly a principal security engineer at Intuit. MacDougall resigned from the company last week and filed an official whistleblower complaint with the U.S. Securities and Exchange Commission, alleging that the company routinely placed profits ahead of ethics. MacDougall submitted the recording in his filing with the SEC.
• “Complainant repeatedly raised issues with managers, directors, and even [a senior vice president] of the company to try to rectify ongoing fraud, but was repeatedly rebuffed and told Intuit couldn’t do anything that would ‘hurt the numbers’,” MacDougall wrote in his SEC filing. “Complainant repeatedly offered solutions to help stop the fraud, but was ignored.”
• Robert Lanesey, Inuit’s chief communications officer, said Intuit doesn’t make a penny on tax filings that are ultimately rejected by the IRS.
• “Revenue that comes from reports included in our suspicious activity reports to the IRS has dropped precipitously as we have changed and improved our reporting mechanisms,” Lanesey said. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return. We’ve gotten better and we’ve gotten more accurate, but it’s not about money.”
• Williams added that it is not up to Intuit to block returns from being filed, and that it is the IRS’s sole determination whether to process a given refund request.
• “We will flag them as suspicious, but we do not get to determine if a return is fraud,” Williams said. “It’s the IRS’s responsibility and ultimately they make that decision. What I will tell you is that of the ones we report as suspicious, the IRS rejects a very high percentage, somewhere in the 80-90 percent range.”
• It will be interesting to see how this story develops

Feedback:

• pfSense “advanced” routing question

• Transfer a huge files while it is being created (Linux shell scripting?)

• Lets encrypt

• PHK on HTTP/2

• Allan’s Tetris lamps are driving me crazy.

Round Up:

• Intel Security warns of six Social Engineering techniques being used against businesses
• Remote Code Execution (as root) vulnerability in all versions of Samba (windows file sharing daemon for UNIX-like operating systems)
• SSL-busting code that threatened Lenovo users found in a dozen more apps
• Some of todays hackers are more sophisticated than you think
• Replacing my 10+ years old home router
• Ad blocking software PrivDog, may actually be worse than Superfish
• Moxie Marlinspike – GPG, with its old technology, bad design, and small userbase, is dead; it’s time for a more usable encryption system
• The most vulnerable operating systems and applications of 2014
• FCC approves net neutrality rules, reclassifies broadband as a utility
• Tens of thousands of home routers all using the same SSH private key, defeating the security provided by the private key
• Intel To Rebrand Atom Chips Along Lines of Core Processors
• Facebook posts results of its research into SSL Interception against Facebook visitors

The post TurboHax | TechSNAP 203 first appeared on Jupiter Broadcasting.

The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery is.

Plus the good news for openSSL, the top 10 Windows configuration mistakes, and big batch of your questions, our answers, and much much more!

Thanks to:

— Show Notes: —

TrueCrypt shuts down unexpectedly

• TrueCrypt is a cross-platform image or whole disk encryption system
• The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
• The page states now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
• The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
• The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
• This was originally thought to be a hack of the site, or a hoax
• The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
• While the code is available, the license is restrictive
• The developers of TrueCrypt are anonymous
• GIST tracking various bits of information and speculating about possible causes
• ThreatPost coverage
• One of the suspicious things about the announcement is the recommendation to use BitLocker, the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
• There is some speculation that this could be a ‘warrant canary’, the authors’ way to telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
• However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
• The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
• The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
• Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

• The CII has announced its Advisory board and the list of projects it is going to support
• Advisory Board members include:
• longtime Linux kernel developer and open source advocate Alan Cox
• Matt Green of Open Crypto Audit Project
• Dan Meredith of the Radio Free Asia’s Open Technology Fund
• Eben Moglen of Software Freedom Law Center
• Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
• Eric Sears of the MacArthur Foundation
• Ted T’so of Google and the Linux kernel community
• Projects identified as core infrastructure:
• Network Time Protocol
• OpenSSH
• OpenSSL
• Open Crypto Audit Project to conduct security audit of OpenSSL
• The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
• the OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
• OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 windows server security misconfigurations

• NCCGroup does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
• The following is the result of an analysis of their last 50 such surveys:
  • Missing Microsoft Patches: 82%
  • Insufficient Auditing: 50%
  • Third-Party Software Updates: 48%
  • Weak Password Policy: 38%
  • UAC Disabled for Administrator Account: 34%
  • Disabled Host-Based Firewall: 34%
  • Clear Text Passwords and Other Sensitive Information: 24%
  • Account Lockout Disabled: 20%
  • Out-of-Date Virus Definitions: 18%
  • No Antivirus Installed: 12%
• Conclusions: Everyone makes the same mistakes, over and over
• Most of these problems are trivial to fix
• Part of the problem is this culture of ‘patch averseness’, partly this is the fault of software vendors often issuing patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
• Part of this is the fact that they only issue updates once a month, and only once they have been tested
• In the study, most of the machines that were missing patches, were missing patches that were more than a year old, so it isn’t just conservatism, but just a complete lack of proper patch management

Feedback:

• FreeBSD Developers Summit

• BSDCan 2014 videos

• Replacing failed disk in Freenas

• Am I too old?

• Bacula Retention and Storage Guidance

• VLAN Tag You\’re It

• Virtualisation as a Work LAN Solution

• devops is specialization

• DevOps – Wikipedia, the free encyclopedia

• Can you please talk about load balancing?

• Update on me not getting a job.

Round-Up:

• DISH Teams Up with Coinbase to Become Largest Company to Accept Bitcoin
• Post Mortem at Joyent — Opps, I accidently rebooted every server in the data center at once
• Official Google Blog: Getting to work on diversity at Google
• PeakScale’s list of PostMortems from all around the web
• YouTube starts rating U.S. ISPs, puts its weight behind settlement-free peering
• Why you don’t want to use AES-XTS encryption for anything except FDE
• Apple Forgets to Renew SSL Certificate, Breaking OS X Software Update [Fixed]
• Security concerns about HTTP/2.0 — rushing to finish and cutting corners
• Separate from the recent eBay hack, an XSS vulnerability that has not been fixed
• Last night on IRC to topic changes to VGA, and Peter Wemm dug out his old dual cpu Pentium 90mhz running FreeBSD
• Windows XP hack to get updates — Not a great idea

The post Tales from the TrueCrypt | TechSNAP 164 first appeared on Jupiter Broadcasting.

Synology’s Linux powered DS412+ is a powerful server, wrapped in a ultra compact near silent enclosure. How does this unit stack up to a FreeNAS server you could build? Is the lack of ZFS support a hindrance? Our answers might surprise you.

Plus: Did Mark Shuttleworth shift the tone of the community dialog by labeling his opposition the open source Tea Party? It’s our blow-by-blow guide to the big stink over the weekend, that we will be smelling for weeks….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Support the Show: