Show Notes: linuxactionnews.com/209

The post Linux Action News 209 first appeared on Jupiter Broadcasting.

Show Notes: selfhosted.show/54

The post Ultimate Off-Site Setup | Self-Hosted 54 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/389

The post Harder Butter Faster Stronger | LINUX Unplugged 389 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/363

The post Return of the Terminal Server | LINUX Unplugged 363 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/362

The post The Hidden Cost of Nextcloud | LINUX Unplugged 362 first appeared on Jupiter Broadcasting.

Show Notes: coder.show/371

The post Absurd Abstractions | Coder Radio 371 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/378

The post Two-Factor Fraud | TechSNAP 378 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Distrustful U.S. allies force spy agency to back down in encryption fight

• Some ISO delegates said much of their skepticism stemmed from the 2000s, when NSA experts invented a component for encryption called Dual Elliptic Curve and got it adopted as a global standard.

• In 2007, mathematicians in private industry showed that Dual EC could hide a back door, theoretically enabling the NSA to eavesdrop without detection. After the Snowden leaks, Reuters reported that the U.S. government had paid security company RSA $10 million to include Dual EC in a software development kit that was used by programmers around the world.

Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

• Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company’s IT systems.

• “The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” Vickery revealed today.

• The Amazon-hosted bucket could be accessed by any netizen stumbling upon it, and contained the passwords and manifests for Viacom’s servers, as well as the access key and private key for the corporation’s AWS account. Some of the data was encrypted using GPG, but that wouldn’t be an issue because the bucket also contained the necessary decryption keys.

Equifax sends customers to wrong website, not theirs, for help

• The credit management company Equifax has been sending customers to a fake “phishing” website for weeks, potentially causing them to hand over their personal data and full financial information to hackers.

• After the data breach was revealed earlier this month, Equifax established the domain www.equifaxsecurity2017.com to handle incoming customer questions and complaints. This website is not connected to Equifax’s main website.

• On Wednesday, a user reached out to Equifax on Twitter asking for assistance. The responding tweet sent the user to www.securityequifax2017.com, which is an impostor site designed to look like the Equifax splash page.

FinFisher government spy tool found hiding as WhatsApp and Skype

• This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by “man in the middle” (MitM) attacks at an ISP level – packaging real downloads with spyware.

• When a target of surveillance was downloading the software, they would be silently redirected to a version infected with FinFisher, research found.

• When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.

Feedback

• Stored passwords & Amazon Fire Stick

+Hey Dan. What is a good and inexpensive tape backup drive for LTO tapes? What works for you best? Thx!

Round Up:

• HOW TO HACK A TURNED-OFF COMPUTER

• Passwords For 540,000 Car Tracking Devices Leaked Online

• In spectacular fail, Adobe security team posts private PGP key on blog

Apache Struts Vulnerability: More Than 3,000 Organizations At Risk Of Breach

• Facebook re-licenses React under MIT license after developer backlash

The post Patch Your S3it | TechSNAP 338 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

“Stack Clash” poses threat to Linux, FreeBSD, OpenBSD, and other OSes

• affects Linux, OpenBSD, NetBSD, FreeBSD and Solaris, on i386 and amd64

• The original blog post

• The official advisory

• The following is not a complete list of CVEs found during the research

• The primary CVE

• Some are secondary and directly related CVE

• Some are independently exploitable and related to sudo

The RNC Files: Inside the Largest US Voter Data Leak

• misconfigured database containing the sensitive personal details of over 198 million American voters was left exposed to the internet by a firm working on behalf of the Republican National Committee (RNC)

• names, dates of birth, home addresses, phone numbers, and voter registration details, as well as data described as “modeled” voter ethnicities and religions.

• exposing the personal information of over sixty-one percent of the entire US population

Dan’s DNS setup

• DNS can be thought of as a phone book
• Once ran a single DNS server at home
• Had both internal (non public) and public hosts in the same zone file
• Moved internal hosts to .int subdomain
• had master/slave in public, but went to svn later
• Held zone files in svn, published them directly to servers

Feedback

• Freenas – Transferring files locally see sysutils/fusefs-ntfs

• Password managers filling in credentials

• Episode 323 Yellow dots give you see also https://en.wikipedia.org/wiki/EURion_constellation

• You cannot turn off Windows 10 Telemetry with a Group Policy

Round Up:

• WannaCry computer worm to North
  Korea

• Rooting a Printer

• Travel (Linux) laptop setup

• FreeNAS 11.0 is Now Here

The post DNS Mastery | TechSNAP 324 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Announcing the first SHA1 collision

• Not just Google on this, they worked with CWI

• SHA1 is a Cryptographic hash function

• SHA-1 was developed as part of the U.S. Government’s Capstone project. The original specification of the algorithm was published in 1993

• two PDFs that have identical SHA-1 hashes but different content

• Lifetimes of cryptographic hash functions – by Valerie Aurora

• Git fscked by SHA-1 collision? Not so fast, says Linus Torvalds – Attack is hard, discovery is easy, so fix it right
  rather than right now

• Suggestion: Don’t panic. Things aren’t suddenly going to become vulnerable. Take your time, review your systems looking for SHA-1 usage and evaluate the risk, but best to get it of it all if you have not already.

CloudBleed

• Affects millions of websites, literally.

• Google Project Zero

• Could someone from cloudflare security urgently contact me. – 0011 UTC – 18 Feb 2018 UTC 0011

• bug report on chromium.org – 17:15 UTC – 19 Feb 2017

• Corpus distillation? What is that?

• Incident report on memory leak caused by Cloudflare parser bug 23 Feb 2017

• My work here is done 9:24 PM – 23 Feb 2017

• HIPPA implications

• List of Sites possibly affected by Cloudflare’s #Cloudbleed HTTPS Traffic Leak

Feedback

• Transmission Permission Follow-up (see original question in episode 305

• Dan’s pfSense box

Round Up:

• Hello False Flags! The Art of Deception in Targeted Attack Attribution – see also False Flag and Perfidy

• Researchers exfiltrate data by blinking the LEDs on the hard drives

• ZFS based replication and failover script from bolthole.com – note: ksh required

• FCC reverses net neutrality ISP transparency rules

• security analysis on the most popular Android password manager applications

• AWS service status about s3 outage couldn’t be updated b/c of s3

• Data from connected CloudPets teddy bears leaked and ransomed, exposing kids’ voice messages

The post Cloudy with a Chance of Leaks | TechSNAP 308 first appeared on Jupiter Broadcasting.

Amazon’s success with EC2 and S3 is making them bleed money, as investors start to get nervous we’ll debate if the cloud’s price race to the bottom can lead to anything but awful.

Linus tells it like it is, we bust some Android FUD, and more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Amazon apparently set to launch Square-competitor in August as it develops biometric payment solutions

Amazon could be preparing to launch its own mobile credit card reading hardware in the coming weeks, according to internal Staples documents hinting at such a launch that we’ve obtained. According to the documents, Staples stores will prepare next month to stock a new product called the “Amazon Card Reader” alongside existing card readers from Square, PayPal, and Staples’ own in-house brand. The small hardware, which will likely connect to smartphones to process payments, will cost $9.99, according to the Staples internal sales systems…

An exact launch date for the product is unconfirmed, but Staples has asked its stores to wait until Tuesday, August 12th to put up new signage related to the Amazon Card Reader, so it’s possible that the release is scheduled for that week.

• Amazon may be going after Square with a credit card reader of its own | The Verge

Amazon’s Cloud Is Growing So Fast It’s Scaring Shareholders

Yesterday Amazon said that while its cloud business grew by 90 percent last year, it was significantly less profitable. Amazon’s AWS cloud business makes up the majority of a balance sheet item it labels as “other” (along with its credit card and advertising revenue) and that revenue from that line of business grew by 38 percent. Last quarter, revenue grew by 60 percent. In other words, Amazon is piling on customers faster than it’s adding dollars to its bottom line.

The company’s chief financial officer, Tom Szkutak, blamed the drop on “substantial” price reductions the company has made to products such as its core EC2, storage and database services. “They ranged from 28 percent to 51 percent depending on the service,” he said on a conference call with analysts.

The thing is that even as Amazon’s business matures to the size of a company like VMware, its worrying to investors to see profitability slipping. That’s pretty much the meta-narrative of Amazon as a whole, though, which says it could lose as much as $810 million in the current quarter. The company is taking losses to invest in the future, and Amazon’s 10 percent stock drop today shows that some investors are uncomfortable with that.

Amazon.com Inc. missed analysts’ estimates for a second straight quarter, sending the shares tumbling 11 percent.

Trend Micro backs off Google Play malware claims

In a recent press release, Trend Micro made a fairly bold claim about malware running rampant in the Google Play Store. The release, dated July 15, 2014, began as follows:

Google Play populated with fake apps, with more than half carrying malware

Potentially evil doppelgangers for the most popular apps are inundating the Google Play store, with many carrying malware, according to a new blog post and report by Trend Micro, a global developer of cyber security solutions.

In the report more than 77 percent of the top 50 apps on the Google Play store have repackaged or fake apps associated with them.

It turns out that Trend Micro is guilty of a little over-eager language that obfuscated the nature of some of these threats. While there are indeed fake versions of many popular Android apps available for download, Trend failed to mention in their initial promotion for the report that the apps in question were posted outside the Play Store, and had to be installed manually in what’s commonly known as a side-load. This requires users to download the app in a browser, ignore a standard security warning about APK files, and disable a security option in Android’s main settings menu.

• Trend Micro caught lying about Android security

Linus Torvalds: “GCC 4.9.0 Seems To Be Terminally Broken” – Slashdot

A critique from Linus Torvalds of GCC 4.9.0. after a random panic was discovered in a load balance function in Linux 3.16-rc6. in an email to the Linux kernel mailing list outlining two separate but possibly related bugs, Linus describes the compiler as “terminally broken,” and worse (“pure and utter sh*t,” only with no asterisk).

• A slice:

“Lookie here, your compiler does some absolutely insane things with the spilling, including spilling a *constant. For chrissake, that compiler shouldn’t have been allowed to graduate from kindergarten. We’re talking “sloth that was dropped on the head as a baby” level retardation levels here …. Anyway, this is not a kernel bug. This is your compiler creating completely broken code. We may need to add a warning to make sure nobody compiles with gcc-4.9.0, and the Debian people should probably downgrate their shiny new compiler.”*

The post Cloud Gateway Drug | Tech Talk Today 33 first appeared on Jupiter Broadcasting.

openSUSE’s community manager Jos Poortvliet joins us to discuss openSUSE 13.1, integrating new technologies such as systemd and wayland, his thoughts on staying competitive, and your questions!

Plus the solid details we now know about SteamOS and Steam Machines, the big upset of the week….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Jos Poortvliet from SUSE

Brought to you by: System76

Check out System76 on G+

Jos is the openSUSE community manager since 2010, and a Free Software evangelist for over 10 years. He’s also an active volunteer in the KDE community.

• What are some of the main responsibilities of a community manager?

• Could you describe the role of the openSUSE board?
  • We’ve noticed one of their roles is enforcing “Trademark issues”. To your knowledge has openSUSE ever had a confrontation around branding on third party sites?

• Why do you suppose we don’t see distros built from openSUSE, like we see with Debian, Ubuntu, Arch, and Fedora?

• How has working with systemd been? Don’t you have a developer in-house?

• What are openSUSE’s plans for Wayland?

Viewer Stephan Asks

• How is life in Berlin?

• Do you see a point in the future when openSuSE becomes irrelevant to SuSE GmbH, and they will reduce or stop their sponsorship (much like they have already done with Libre Office)?

Viewer pierre4l Asks

• Regarding the possibility of a Software Center-like experience in openSUSE:

• Do you think this is a fundamental feature lacking in openSUSE compared to other distros, or do you think there are other priorities?

• Two or maybe three years ago plans were unhatched at an openSUSE conference in co-operation with developers from other distros. The back end got worked on but it seems there was never a useful front end created. Are there any developments in this respect?

• Are there any plans to implement such a software center in openSUSE? Would the Bodega idea proposed by Aaron Seigo fit the bill, or would it be more likely that the new Ruby version of YaST sees the existing tools undergo a revamp?

Viewer Martin Asks

• How would you position openSUSE within the Linux ecosystem? (what kind of users does it attract, how does it differentiate itself)
• How do you see openSUSE develop in mindshare and marketshare in the future?

openSUSE 13.1

• YaST has been converted to Ruby for this release? WHU?

• What is the big thing you’re looking forward to in 13.1?

• Has “making a Linux” becoming boring? We’ve noticing you’re promoting a lot of upstream features.

---

– Picks –

Runs Linux:

• A 12 year old boy builds and programs robots, Runs Linux.
• Robotics CEO: 12-Year-Old Whiz As Smart As Ph.Ds

Desktop App Pick

• s3fs

FUSE-based file system backed by Amazon S3

• s3fs – FUSE-based file system backed by Amazon S3

Weekly Spotlight:

• Slackware 14.1 is OUT!

Git yours hands all over our STUFF:

• Jupiter Broadcasting Affiliate Extensions
• Callisto-app – Google Project Hosting
• Quick Update to the Jupiter Broadcasting Android App

*

— NEWS —

Steam Update

• Happy Birthday To The Steam Linux Client

– What we know –

• We play with the Steam Machine, Valve’s game console of the future | The Verge

The first Steam Machine is a computer that can fit bog standard parts just like a full-size gaming rig, and yet fit into your entertainment center. Valve’s steel and aluminum chassis measures just over 12 inches on a side and is 2.9 inches tall, making it a little bigger than an Xbox 360 and smaller than any gaming PC of its ilk.

Valve designed the case so the parts can breathe individually. The CPU blows air out the top, the power supply out the side, and the graphics card exhaust out back, and none share any airspace within the case.

a system built into Steam that shows you which games your hardware configuration can actually run, and conversely, what hardware you’d need to buy to play a given game well — based on the real-world data about computer configurations that Valve already collects with its Steam Hardware Survey.

First, circle January on your calendar. That’s when the other shoe will drop; Valve’s hardware and software partners will reveal the actual Steam Machines that will ship to consumers, and the games that will come to the Linux platform, at the 2014 Consumer Electronics Show.

There will be a number of different Steam Machine boxes on sale in 2014, and Valve expects them to arrive mid-year. Some of those boxes will be far smaller and / or cheaper than Valve’s own prototype unit.

Don’t expect Valve to make Half-Life 3 exclusive to SteamOS to help lift the Linux-based operating system off the ground. “It’s against our philosophy to put a game in jail and say it only works on Steam Machines,” says Valve’s Doug Lombardi. Even though the company locked Half-Life 2 to Steam years ago, the team appears to have thought better of that decision. “That may or may not have been a good idea given the condition Steam was in at the moment.”

Valve’s Anna Sweet says she started talking to partners about Linux three years ago, and games will be surprisingly easy to build. “If you’re using the Unity engine, you’re already done… if you’ve done a Mac game, you’re most of the way there.”

SteamOS won’t just be about games: the company plans to add other services for video and music playback. “However, we are not planning support for spreadsheets,” quips Lombardi.

• steamOS “not based on Ubuntu… but entirely custom”

As promised, the OS is built on Linux (not based on Ubuntu, we’re told, but entirely custom), though you’d never know it as the only interactive layer is all Steam.

• Steam Controller Looks Very Useable

Here’s a quick look at some games being played with the prototype version of the Steam Controller – the same version that we’ll be shipping to 300 Steam users later this year.

• Valve Will Announce Steam Machine Partners at CES 2014

Speaking to IGN, Valve’s Greg Coomer explained that no one Steam Machine will be considered the “main” device, and instead a variety of different boxes will be available, each with their own set of unique features.

• Steam Community :: Group :: Steam Universe

Several press web sites are reporting today about SteamOS, Steam Machines, and the Steam Controller. They came to Steam hardware HQ recently and spent some hands-on time with all three. Here is a roundup of their coverage

• Metro Last Light released for Linux

---

• GIMP flees SourceForge over dodgy ads and installer

• Canonical “abused trademark law” to target a site critical of Ubuntu privacy

• Linux Outfit Canonical Launches Campaign to Silence Privacy Critic

• Mark Shuttleworth » Mistakes made and addressed

  – Feedback: –

• testing linux?

— Chris’ Stash —

• New updates to the Chrome and Firefox extensions!

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Replay Cafe in Everett, WA

  — Find us on Google+ —

• Chris

• Matt Hartley

• Jupiter Broadcasting’s Page

— Find us on Twitter —Hang

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post openSUSE's Jos Poortvliet | LAS 29e06 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/38907/easy-as-pi-tor-proxy-las-s27e05/ Sun, 16 Jun 2013 13:11:22 +0000 https://original.jupiterbroadcasting.net/?p=38907 With a Raspberry Pi it’s never been easier to create a Tor Proxy for you entire network. This week we’ll show you how to get off the ground quick, with Torberry

The post Easy As Pi Tor Proxy | LAS s27e05 first appeared on Jupiter Broadcasting.

]]>

With a Raspberry Pi it’s never been easier to create a Tor Proxy for you entire network. This week we’ll show you how to get off the ground quick, with Torberry. A distribution for the Raspberry Pi that will have you up and running on the Tor network in minutes.

Plus what Unity3D has in store for Linux users, how Chris is rolling his own Jungle Disk, some gaming news, your emails…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com Use our code linux249 to score .COM for just $2.49! 35% off your ENTIRE first order just use our code 35off2 until the end of the month!
Ting.com Visit las.ting.com to save $25 off your device or service credits.

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

— Show Notes: —

TOR Proxy Using Torberry on the Raspberry Pi:

Brought to you by: System76

• torberry – Tor gateway for Raspberry Pi – Google Project Hosting

• Are you using Tor?

• Info – torberry – Torberry main info – Tor gateway for Raspberry Pi – Google Project Hosting

Client configuratión must be done manually. Two things that you have to change are gateway and dns servers. Both must be configured with raspberry’s IP.

• In Linux you can:

  sudo route delete default gateway [your.current.gateway]
  sudo route add default gateway [ip.of.raspberry]
  sudo echo “nameserver [ip.of.raspberry]” > /etc/resolv.conf

• Overview | Setting up a Raspberry Pi as a WiFi access point | Adafruit Learning System

Would you like to use your Pi as a WiFi router? Or maybe have it as a special filtering access point?

• Onion Pi Step by Step Guide

This tutorial assumes you have your Pi mostly set up and have followed the “Raspberry Pi as Wifi Access Point” tutorial

Hardware:

[asa]B008XVAVAW[/asa]
[asa]B005OOIS1U[/asa]
[asa]B007RFRHIY[/asa]

---

– Picks –

Runs Linux:

• FireBox – A 3D Internet Browser supporting Oculus Runs Linux

Android Pick:

• OsmAnd Maps & Navigation

• OsmAnd Android App pick

• Android Picks so far thanks to Madjo in the IRC Chat room!

Desktop App Pick:

• ZSH: Archlinux best companion

• fish shell

• Picks so far

• Madjo

Search our past picks:

• LASAppPicks

This tumblr contains the Linux app picks from the Linux Action Show. Both the Linux apps and the Android apps

Git yours hands all over our STUFF:

• Jupiter Broadcasting Affiliate Extensions
• Callisto-app – Google Project Hosting
• Quick Update to the Jupiter Broadcasting Android App

*

— NEWS —

• Microsoft Said To Give Zero Day Exploits To US Government Before It Patches Them

• NSA gets early access to zero-day data from Microsoft, others

• Mir Still Causing Concerns By Ubuntu Derivatives

• Ardour 3.2 adds video support

• Linux session at Unite 2013 (Unity3D)

• Linux Publishing with Unity 4

• GamingOnLinux – Games Tagged with Unity

In this session, Unity software developer Na’Tosha Bard covers the history of games on Linux, the opportunities this growing platform holds for games developers and the technical steps to exporting content from Unity to Linux.

• Xonotic 0.7 Release | Xonotic

— /etc: Backup to S3 with Duplicity —

Brought to you by: Untangle

• duplicity: Main

Duplicity backs directories by producing encrypted tar-format volumes and uploading them to a remote or local file server. Because duplicity uses librsync, the incremental archives are space efficient and only record the parts of files that have changed since the last backup. Because duplicity uses GnuPG to encrypt and/or sign these archives, they will be safe from spying and/or modification by the server.

• Duplicity – ArchWiki

• Backups with Amazon S3 and Duplicity | user/18915

  – Feedback: –

• LAS s27e24 Question – Games are coming to linux, gamers are not. Why

• Email Server Hardware?

• • WindyPower comments on Email Server Hardware

Running your own mail server is a lot of work. If this is your first time doing it, I strongly advise that you do it for a domain that you don’t already actively use for communication; be ready to accept losing mail for the first week or so, because it will certainly happen

• How’s the Arch Challenge really going for you all?
• Chris struggles with his SD Card Reader not Auto-Mounting.

“this is 2000 and Fing 13 and this does not automount??”

• Zorin OS 7

• Thoughts on Gaming // Slexy 2.0

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Things to Consider when Purchasing Ubuntu Laptops
• Writing about Linux, sometimes, even asking tough questions
• Hell froze over, Matt’s on Facebook

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post Easy As Pi Tor Proxy | LAS s27e05 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/34346/time-to-git-zfs-techsnap-103/ Thu, 28 Mar 2013 16:38:51 +0000 https://original.jupiterbroadcasting.net/?p=34346 How the KDE project avoided a git disaster, the root problem with Java, and the researcher who found many S3 buckets exposed to the public.

The post Time to Git ZFS | TechSNAP 103 first appeared on Jupiter Broadcasting.

]]>

Is your bucket exposed to the public? A security researcher has recently discovered many S3 buckets are publicly available, we’ll share the details.

Plus how the KDE project avoided a git disaster, the root problem with Java, a big batch of your questions, and much much more!

Thanks to:

GoDaddy.com Use our code hostdeal4 to score economy hosting for $1 a month, for one year. 35% off your ENTIRE order just use our code go35off4 until the end of the month!
Ting.com Visit techsnap.ting.com to save $25 off your device or service credits.

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

   

Show Notes:

Get TechSNAP on your Android:

• Callisto – Android App
• Jupiter Broadcasting – Android App by ShaneQful

Browser Affiliate Extension:

• Jupiter Broadcasting Affiliate Extensions for Chrome and Firefox

Amazon S3 buckets unknowingly exposed?

• Security researcher Digininja was watching an old Hak5 episode about Amazon S3 and decided to give the free trial from Amazon a try
• All S3 buckets are accessed as: bucketname.s3-region.amazonaws.com
• An S3 bucket can be marked as Public or Private
• If you access the root of a Public bucket, you are given a list of the files inside that bucket
• Public S3 buckets can contain files that are marked as either Public, or Private
• Attempting to access a file marked private without an access key will return a HTTP 403 error
• While experimenting, he found that if you try to access a bucket that is assigned to a different region, amazon gives you a helpful redirect message
• Based on this, Digininja decided to try a wordlist against the Amazon S3 subdomain, and see what he could find in other peoples’ buckets
• Digininja was surprised to find that many buckets were marked public, rather than private
• While scraping through the results, he found a number of documents that should have been marked private but were not, including a Ministry of Defence training requisition form (containing personal information including SSN), a spreadsheet containing the accounts of a company, and many personal photos and videos
• It seems a lot of people are unknowingly making the contents of the S3 buckets public
• A number of people also appear to be trying to use S3 as a CDN, using it to host the images for their website (S3 is not a CDN, it can be rather slow, Amazon has a separate service to serve the contents of S3 via a CDN, called CloudFront)
• Researcher’s Blog Post
• Researcher’s Findings Post

---

The narrowly avoided Great KDE Disaster of 2013

• On March 22nd, the server that hosts git.kde.org was shut down for security updates, when it restarted there was evidence of file system corruption
• The original cause of the problem was not determined
• The real problem came, when the anongit mirrors of the 1500 KDE repositories mirrored the corrupt data, and there were no uncorrupt mirrors left
• The problem stems from the fact that in the replication strategy, git.kde.org was always considered to be correct
• The system they had in placed relied on the ability to sync an anongit mirror back upstream if there was a problem with the master
• It seems that git –mirror just copies data from the master, without the usual verification and safety measures that happen in git clone
• Luckily, KDE was in the process of replacing the projects.kde.org server, and it happened to have a mirror of the git repo from before the corruption, and they were able to restore git.kde.org from that
• The article goes on to discuss a number of the steps they are taking to make their system more robust in the future
• Update with more information to responses to common comments
• The update addresses the sysops 101 adage “mirrors are not backups”
• It talks about the problems they have with traditional backup systems
• tar: how do you take a tar archive of a live system? keeping .tar files going back 30+ days would take too much space (or cost to much to use S3 etc)
• rsync: same problem with a live system and rsync creates a mirror, which is not a backup
• Any answer? ZFS
• ZFS RAID Z, and ZFS snapshots are STILL not a backup
• But a ZFS snapshot can allow you to take a tar archive of a consistent version of the repo (no files will change with the tar is being made, since snapshots are read only
• Or better yet, you could store the actual ZFS snapshots (via ZFS send), so that you are basically getting ‘incremental’ backups, only the changed blocks are stored in each snapshot (requires that you keep and initial full snapshot and all incremental snapshots since then). Managing this can be difficult
• Backup software such as Bacula, running off the snapshots, would be the best solution

---

The root of the Java problem

• According to research by Websense, 93.77% of all installs of Java that were surveyed are vulnerable to at least one known exploit
• 75% of devices run a version that is at least 6 months old, 50% more than 2 years old
• 79% of devices are using some version of Java 6, which has now reached its End-Of-Live

---

Feedback:

• How can I go about telling my university that it has a vulnerability?

• pfSense question

• Getting started with KDE on FreeBSD?

• Nginx best-practice user setup

• Dump of username attempts for SSH login

• How I feel, as a Linux user, when Allan mentions ZFS.

---

Round Up:

• Apple finally enabled Two-Factor authentication for My Apple ID
• Mastercard hits PayPal and other Intermediaries with new higher per-transaction fee this June, because they do not disclose what you bought
• DHS to start scanning more internet traffic, moving from just Defense Contractors to ‘Infrastructure’ including banks and some transportation companies
• FBI’s top priority in 2013? Real-time spying on Gmail, Dropbox and Skype
• Server Room Cabling Hell: 15 of the Worst Server Wiring Jobs Ever!
• Paypal To Drop VMware From 80,000 Servers and Replace It With OpenStack
• “Perfect storm” pushes Bitcoin to $1b Market Cap Closer Toward the $100 per-coin mark
• Canadian Supreme Court rules that police need a warrent to read your text messages
• Egyptian navy arrests 3 attempting to sabotage undersea internet cable

---

The post Time to Git ZFS | TechSNAP 103 first appeared on Jupiter Broadcasting.

]]>