Show Notes: linuxunplugged.com/432

The post Three Tumbleweed Temptations | LINUX Unplugged 432 first appeared on Jupiter Broadcasting.

Show Notes: linuxunplugged.com/405

The post Distro in the Rough | LINUX Unplugged 405 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/426

The post Storage Stories | TechSNAP 426 first appeared on Jupiter Broadcasting.

Show Notes: chooselinux.show/24

The post What We Wish We'd Known Earlier | Choose Linux 24 first appeared on Jupiter Broadcasting.

Show Notes: chooselinux.show/13

The post Qubes OS + Plex vs Kodi | Choose Linux 13 first appeared on Jupiter Broadcasting.

Episode Links:

linuxactionnews.com/85

The post Linux Action News 85 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Feed | iTunes Feed

Become a supporter on Patreon:

Episode Links:

linuxactionnews.com/71

The post Linux Action News 71 first appeared on Jupiter Broadcasting.

##Headlines
###ZFS and DTrace update lands in NetBSD

merge a new version of the CDDL dtrace and ZFS code. This changes the upstream vendor from OpenSolaris to FreeBSD, and this version is based on FreeBSD svn r315983.

• r315983 is from March 2017 (14 months ago), so there is still more work to do

in addition to the 10 years of improvements from upstream, this version also has these NetBSD-specific enhancements:

• dtrace FBT probes can now be placed in kernel modules.
• ZFS now supports mmap().

• This brings NetBSD 10 years forward, and they should be able to catch the rest of the way up fairly quickly

###NetBSD network stack security audit

• Maxime Villard has been working on an audit of the NetBSD network stack, a project sponsored by The NetBSD Foundation, which has served all users of BSD-derived operating systems.

Over the last five months, hundreds of patches were committed to the source tree as a result of this work. Dozens of bugs were fixed, among which a good number of actual, remotely-triggerable vulnerabilities.

Changes were made to strengthen the networking subsystems and improve code quality: reinforce the mbuf API, add many KASSERTs to enforce assumptions, simplify packet handling, and verify compliance with RFCs. This was done in several layers of the NetBSD kernel, from device drivers to L4 handlers.
In the course of investigating several bugs discovered in NetBSD, I happened to look at the network stacks of other operating systems, to see whether they had already fixed the issues, and if so how. Needless to say, I found bugs there too.

• A lot of code is shared between the BSDs, so it is especially helpful when one finds a bug, to check the other BSDs and share the fix.

The IPv6 Buffer Overflow: The overflow allowed an attacker to write one byte of packet-controlled data into ‘packet_storage+off’, where ‘off’ could be approximately controlled too. This allowed at least a pretty bad remote DoS/Crash
The IPsec Infinite Loop: When receiving an IPv6-AH packet, the IPsec entry point was not correctly computing the length of the IPv6 suboptions, and this, before authentication. As a result, a specially-crafted IPv6 packet could trigger an infinite loop in the kernel (making it unresponsive). In addition this flaw allowed a limited buffer overflow – where the data being written was however not controllable by the attacker.
The IPPROTO Typo: While looking at the IPv6 Multicast code, I stumbled across a pretty simple yet pretty bad mistake: at one point the Pim6 entry point would return IPPROTO_NONE instead of IPPROTO_DONE. Returning IPPROTO_NONE was entirely wrong: it caused the kernel to keep iterating on the IPv6 packet chain, while the packet storage was already freed.
The PF Signedness Bug: A bug was found in NetBSD’s implementation of the PF firewall, that did not affect the other BSDs. In the initial PF code a particular macro was used as an alias to a number. This macro formed a signed integer. NetBSD replaced the macro with a sizeof(), which returns an unsigned result.
The NPF Integer Overflow: An integer overflow could be triggered in NPF, when parsing an IPv6 packet with large options. This could cause NPF to look for the L4 payload at the wrong offset within the packet, and it allowed an attacker to bypass any L4 filtering rule on IPv6.
The IPsec Fragment Attack: I noticed some time ago that when reassembling fragments (in either IPv4 or IPv6), the kernel was not removing the M_PKTHDR flag on the secondary mbufs in mbuf chains. This flag is supposed to indicate that a given mbuf is the head of the chain it forms; having the flag on secondary mbufs was suspicious.
What Now: Not all protocols and layers of the network stack were verified, because of time constraints, and also because of unexpected events: the recent x86 CPU bugs, which I was the only one able to fix promptly. A todo list will be left when the project end date is reached, for someone else to pick up. Me perhaps, later this year? We’ll see.
This security audit of NetBSD’s network stack is sponsored by The NetBSD Foundation, and serves all users of BSD-derived operating systems. The NetBSD Foundation is a non-profit organization, and welcomes any donations that help continue funding projects of this kind.

DigitalOcean

###MySQL on ZFS Performance

I used sysbench to create a table of 10M rows and then, using export/import tablespace, I copied it 329 times. I ended up with 330 tables for a total size of about 850GB. The dataset generated by sysbench is not very compressible, so I used lz4 compression in ZFS. For the other ZFS settings, I used what can be found in my earlier ZFS posts but with the ARC size limited to 1GB. I then used that plain configuration for the first benchmarks. Here are the results with the sysbench point-select benchmark, a uniform distribution and eight threads. The InnoDB buffer pool was set to 2.5GB.
In both cases, the load is IO bound. The disk is doing exactly the allowed 3000 IOPS. The above graph appears to be a clear demonstration that XFS is much faster than ZFS, right? But is that really the case? The way the dataset has been created is extremely favorable to XFS since there is absolutely no file fragmentation. Once you have all the files opened, a read IOP is just a single fseek call to an offset and ZFS doesn’t need to access any intermediate inode. The above result is about as fair as saying MyISAM is faster than InnoDB based only on table scan performance results of unfragmented tables and default configuration. ZFS is much less affected by the file level fragmentation, especially for point access type.

ZFS stores the files in B-trees in a very similar fashion as InnoDB stores data. To access a piece of data in a B-tree, you need to access the top level page (often called root node) and then one block per level down to a leaf-node containing the data. With no cache, to read something from a three levels B-tree thus requires 3 IOPS.

The extra IOPS performed by ZFS are needed to access those internal blocks in the B-trees of the files. These internal blocks are labeled as metadata. Essentially, in the above benchmark, the ARC is too small to contain all the internal blocks of the table files’ B-trees. If we continue the comparison with InnoDB, it would be like running with a buffer pool too small to contain the non-leaf pages. The test dataset I used has about 600MB of non-leaf pages, about 0.1% of the total size, which was well cached by the 3GB buffer pool. So only one InnoDB page, a leaf page, needed to be read per point-select statement.

To correctly set the ARC size to cache the metadata, you have two choices. First, you can guess values for the ARC size and experiment. Second, you can try to evaluate it by looking at the ZFS internal data. Let’s review these two approaches.

You’ll read/hear often the ratio 1GB of ARC for 1TB of data, which is about the same 0.1% ratio as for InnoDB. I wrote about that ratio a few times, having nothing better to propose. Actually, I found it depends a lot on the recordsize used. The 0.1% ratio implies a ZFS recordsize of 128KB. A ZFS filesystem with a recordsize of 128KB will use much less metadata than another one using a recordsize of 16KB because it has 8x fewer leaf pages. Fewer leaf pages require less B-tree internal nodes, hence less metadata. A filesystem with a recordsize of 128KB is excellent for sequential access as it maximizes compression and reduces the IOPS but it is poor for small random access operations like the ones MySQL/InnoDB does.

• In order to improve ZFS performance, I had 3 options:
• Increase the ARC size to 7GB
• Use a larger Innodb page size like 64KB
• Add a L2ARC

I was reluctant to grow the ARC to 7GB, which was nearly half the overall system memory. At best, the ZFS performance would only match XFS. A larger InnoDB page size would increase the CPU load for decompression on an instance with only two vCPUs; not great either. The last option, the L2ARC, was the most promising.

ZFS is much more complex than XFS and EXT4 but, that also means it has more tunables/options. I used a simplistic setup and an unfair benchmark which initially led to poor ZFS results. With the same benchmark, very favorable to XFS, I added a ZFS L2ARC and that completely reversed the situation, more than tripling the ZFS results, now 66% above XFS.

• Conclusion

We have seen in this post why the general perception is that ZFS under-performs compared to XFS or EXT4. The presence of B-trees for the files has a big impact on the amount of metadata ZFS needs to handle, especially when the recordsize is small. The metadata consists mostly of the non-leaf pages (or internal nodes) of the B-trees. When properly cached, the performance of ZFS is excellent. ZFS allows you to optimize the use of EBS volumes, both in term of IOPS and size when the instance has fast ephemeral storage devices. Using the ephemeral device of an i3.large instance for the ZFS L2ARC, ZFS outperformed XFS by 66%.

###OpenSMTPD new config

TL;DR:
OpenBSD #p2k18 hackathon took place at Epitech in Nantes.
I was organizing the hackathon but managed to make progress on OpenSMTPD.
As mentioned at EuroBSDCon the one-line per rule config format was a design error.
A new configuration grammar is almost ready and the underlying structures are simplified.
Refactor removes ~750 lines of code and solves _many_ issues that were side-effects of the design error.
New features are going to be unlocked thanks to this.

• Anatomy of a design error

OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.
The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.
When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.
It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.
That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.
One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.
To get to the point: we should move to two-line rules

Anatomy of a design error
OpenSMTPD started ten years ago out of dissatisfaction with other solutions, mainly because I considered them way too complex for me not to get things wrong from time to time.

The initial configuration format was very different, I was inspired by pyr@’s hoststated, which eventually became relayd, and designed my configuration format with blocks enclosed by brackets.

When I first showed OpenSMTPD to pyr@, he convinced me that PF-like one-line rules would be awesome, and it was awesome indeed.

It helped us maintain our goal of simple configuration files, it helped fight feature creeping, it helped us gain popularity and become a relevant MTA, it helped us get where we are now 10 years later.

That being said, I believe this was a design error. A design error that could not have been predicted until we hit the wall to understand WHY this was an error. One-line rules are semantically wrong, they are SMTP wrong, they are wrong.

One-line rules are making the entire daemon more complex, preventing some features from being implemented, making others more complex than they should be, they no longer serve our goals.

To get to the point: we should move to two-line rules

• The problem with one-line rules

OpenSMTPD decides to accept or reject messages based on one-line rules such as:

accept from any for domain poolp.org deliver to mbox

Which can essentially be split into three units:

• the decision: accept/reject
• the matching: from any for domain poolp.org
• the (default) action: deliver to mbox

To ensure that we meet the requirements of the transactions, the matching must be performed during the SMTP transaction before we take a decision for the recipient.
Given that the rule is atomic, that it doesn’t have an identifier and that the action is part of it, the two only ways to make sure we can remember the action to take later on at delivery time is to either:

• save the action in the envelope, which is what we do today
• evaluate the envelope again at delivery
• And this this where it gets tricky… both solutions are NOT ok.

The first solution, which we’ve been using for a decade, was to save the action within the envelope and kind of carve it in stone. This works fine… however it comes with the downsides that errors fixed in configuration files can’t be caught up by envelopes, that delivery action must be validated way ahead of time during the SMTP transaction which is much trickier, that the parsing of delivery methods takes place as the _smtpd user rather than the recipient user, and that envelope structures that are passed all over OpenSMTPD carry delivery-time informations, and more, and more, and more. The code becomes more complex in general, less safe in some particular places, and some areas are nightmarish to deal with because they have to deal with completely unrelated code that can’t be dealt with later in the code path.

The second solution can’t be done. An envelope may be the result of nested rules, for example an external client, hitting an alias, hitting a user with a .forward file resolving to a user. An envelope on disk may no longer match any rule or it may match a completely different rule If we could ensure that it matched the same rule, evaluating the ruleset may spawn new envelopes which would violate the transaction. Trying to imagine how we could work around this leads to more and more and more RFC violations, incoherent states, duplicate mails, etc…

There is simply no way to deal with this with atomic rules, the matching and the action must be two separate units that are evaluated at two different times, failure to do so will necessarily imply that you’re either using our first solution and all its downsides, or that you are currently in a world of pain trying to figure out why everything is burning around you. The minute the action is written to an on-disk envelope, you have failed.

A proper ruleset must define a set of matching patterns resolving to an action identifier that is carved in stone, AND a set of named action set that is resolved dynamically at delivery time.

• Follow the link above to see the rest of the article

Break

##News Roundup
###Backing up a legacy Windows machine to a FreeNAS with rsync

I have some old Windows servers (10 years and counting) and I have been using rsync to back them up to my FreeNAS box. It has been working great for me.

First of all, I do have my Windows servers backup in virtualized format. However, those are only one-time snapshops that I run once in a while. These are classic ASP IIS web servers that I can easily put up on a new VM. However, many of these legacy servers generate gigabytes of data a day in their repositories. Running VM conversion daily is not ideal.

My solution was to use some sort of rsync solution just for the data repos. I’ve tried some applications that didn’t work too well with Samba shares and these old servers have slow I/O. Copying files to external sata or usb drive was not ideal. We’ve moved on from Windows to Linux and do not have any Windows file servers of capacity to provide network backups. Hence, I decided to use Delta Copy with FreeNAS. So here is a little write up on how to set it up. I have 4 Windows 2000 servers backing up daily with this method.

First, download Delta Copy and install it. It is open-source and pretty much free. It is basically a wrapper for cygwin’s rsync. When you install it, it will ask you to install the Server services which allows you to run it as a Rsync server on Windows. You don’t need to do this. Instead, you will be just using the Delta Copy Client application. But before we do that, we will need to configure our Rsync service for our Windows Clients on FreeNAS.

• In FreeNAS, go under Services , Select Rsync > Rsync Modules > Add Rsync Module.
• Then fill out the form; giving the module a name and set the path. In my example, I simply called it WIN and linked it to a user called backupuser.
• This process is much easier than trying to configure the daemon rsyncd.conf file by hand.
• Now, on the Windows Client, start the DeltaCopy Client. You will create a new Profile.
• You will need to enter the IP of the Rsync server (FreeNAS) and specify the module name which will be called “Virtual Directory Name.” When you pull the select menu, the list of Rsync Modules you created earlier in FreeNAS will populate.
• You can set authentication. On the server, you can restrict by IP and do other things to lock down your rsync.
• Next, you will add folders (and/or files) you want to synchronize.
• Once the paths are set up, you can run a sync by right clicking the profile name.
• Here, I made a test sync to a home folder of a virtualized windows box. As you can see, I mounted the rsync volume on my mac to see the progress. The rsync worked beautifully. DeltaCopy did what it was told.
• Once you get everything working. The next thing to do is set schedules. If you done tasks schedules in Windows before, it is pretty straightforward. DeltaCopy has a link in the application to directly create a new task for you. I set my backups to run nightly and it has been working great.

There you have it. Windows rsync to FreeNAS using DeltaCopy.
The nice thing about FreeNAS is you don’t have to modify /etc/rsyncd.conf files. Everything can be done in the web admin.

iXsystems

###How to write ATF tests for NetBSD

I have recently started contributing to the amazing NetBSD foundation. I was thinking of trying out a new OS for a long time. Switching to the NetBSD OS has been a fun change.

My first contribution to the NetBSD foundation was adding regression tests for the Address Sanitizer (ASan) in the Automated Testing Framework(ATF) which NetBSD has. I managed to complete it with the help of my really amazing mentor Kamil. This post is gonna be about the ATF framework that NetBSD has and how to you can add multiple tests with ease.

• Intro

In ATF tests we will basically be talking about test programs which are a suite of test cases for a specific application or program.

• The ATF suite of Commands

There are a variety of commands that the atf suite offers. These include :

• atf-check: The versatile command that is a vital part of the checking process. man page

• atf-run: Command used to run a test program. man page

• atf-fail: Report failure of a test case.

• atf-report: used to pretty print the atf-run. man page

• atf-set: To set atf test conditions.

• We will be taking a better look at the syntax and usage later.

• Let’s start with the Basics

The ATF testing framework comes preinstalled with a default NetBSD installation. It is used to write tests for various applications and commands in NetBSD. One can write the Test programs in either the C language or in shell script. In this post I will be dealing with the Bash part.

• Follow the link above to see the rest of the article

###The Importance of ZFS Block Size

• Warning! WARNING! Don’t just do things because some random blog says so

One of the important tunables in ZFS is the recordsize (for normal datasets) and volblocksize (for zvols). These default to 128KB and 8KB respectively.
As I understand it, this is the unit of work in ZFS. If you modify one byte in a large file with the default 128KB record size, it causes the whole 128KB to be read in, one byte to be changed, and a new 128KB block to be written out.
As a result, the official recommendation is to use a block size which aligns with the underlying workload: so for example if you are using a database which reads and writes 16KB chunks then you should use a 16KB block size, and if you are running VMs containing an ext4 filesystem, which uses a 4KB block size, you should set a 4KB block size
You can see it has a 16GB total file size, of which 8.5G has been touched and consumes space – that is, it’s a “sparse” file. The used space is also visible by looking at the zfs filesystem which this file resides in
Then I tried to copy the image file whilst maintaining its “sparseness”, that is, only touching the blocks of the zvol which needed to be touched. The original used only 8.42G, but the copy uses 14.6GB – almost the entire 16GB has been touched! What’s gone wrong?
I finally realised that the difference between the zfs filesystem and the zvol is the block size. I recreated the zvol with a 128K block size
That’s better. The disk usage of the zvol is now exactly the same as for the sparse file in the filesystem dataset

• It does impact the read speed too. 4K blocks took 5:52, and 128K blocks took 3:20
• Part of this is the amount of metadata that has to be read, see the MySQL benchmarks from earlier in the show
• And yes, using a larger block size will increase the compression efficiency, since the compressor has more redundant data to optimize.
• Some of the savings, and the speedup is because a lot less metadata had to be written
• Your zpool layout also plays a big role, if you use 4Kn disks, and RAID-Z2, using a volblocksize of 8k will actually result in a large amount of wasted space because of RAID-Z padding. Although, if you enable compression, your 8k records may compress to only 4k, and then all the numbers change again.

###Using a Raspberry Pi 2 as a Router on a Stick Starring NetBSD

• Sorry we didn’t answer you quickly enough

A few weeks ago I set about upgrading my feeble networking skills by playing around with a Cisco 2970 switch. I set up a couple of VLANs and found the urge to set up a router to route between them. The 2970 isn’t a modern layer 3 switch so what am I to do?

Why not make use of the Raspberry Pi 2 that I’ve never used and put it to some good use as a ‘router on a stick’.

I could install a Linux based OS as I am quite familiar with it but where’s the fun in that? In my home lab I use SmartOS which by the way is a shit hot hypervisor but as far as I know there aren’t any Illumos distributions for the Raspberry Pi. On the desktop I use Solus OS which is by far the slickest Linux based OS that I’ve had the pleasure to use but Solus’ focus is purely desktop. It’s looking like BSD then!

I believe FreeBSD is renowned for it’s top notch networking stack and so I wrote to the BSDNow show on Jupiter Broadcasting for some help but it seems that the FreeBSD chaps from the show are off on a jolly to some BSD conference or another(love the show by the way).

It looks like me and the luvverly NetBSD are on a date this Saturday. I’ve always had a secret love for NetBSD. She’s a beautiful, charming and promiscuous lover(looking at the supported architectures) and I just can’t stop going back to her despite her misgivings(ahem, zfs). Just my type of grrrl!

Let’s crack on…

• Follow the link above to see the rest of the article

##Beastie Bits

• BSD Jobs
• University of Aberdeen’s Internet Transport Research Group is hiring
• VR demo on OpenBSD via OpenHMD with OSVR HDK2
• patch runs ed, and ed can run anything (mentions FreeBSD and OpenBSD)
• Alacritty (OpenGL-powered terminal emulator) now supports OpenBSD
• MAP_STACK Stack Register Checking Committed to -current
• EuroBSDCon CfP till June 17, 2018

Tarsnap

##Feedback/Questions

• NeutronDaemon – Tutorial request
• Kurt – Question about transferability/bi-directionality of ZFS snapshots and send/receive
• Peter – A Question and much love for BSD Now
• Peter – netgraph state

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Router On A Stick | BSD Now 249 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Cultivating cybersecurity talent

• Unit 8200 dates back to 1952

Theresa may to create new internet that would be controlled and regulated by government

• Theresa May is planning to introduce huge regulations on the way the internet works, allowing the government to decide what is said online.

new SMB worm using 7 NSA tools not 2

• New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two

Feedback

• WannaCry – an overlooked defense

• user feedback on why no autofill for password managers

• Finnish developer shows how browser autofill profiles can be exploited to leak information

• DVL might want to remove webring

Round Up:

• The new normal?

• Congress introduces bill to stop US from stockpiling cyber-weapons

• The increased use of powershell in attacks

• Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware

• Comcast tries to censor pro-net neutrality website calling for investigation of fake FCC comments potentially funded by cable lobby

• What is astroturfing? vs grassroots movements

The post A Burrito Stole My Money | TechSNAP 321 first appeared on Jupiter Broadcasting.

MP3 Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show

• GitHub – dzhou121/gonvim
• Jelly, The Smallest 4G Smartphone by Unihertz — Kickstarter

Follow Up / Catch Up

7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely

CVE-2017-7494) affects all versions newer than Samba 3.5.0 that was released on March 1, 2010.

• Samba – opening windows to a wider world

In order to better support the Samba community, this page
contains recommended patches for the most recent production
releases. These patches have been integrated into the
main Samba development trees for the next version of Samba.

Guide: How to Control CasterSoundboard Using Your Phone or Tablet · JupiterBroadcasting/CasterSoundboard Wiki · GitHub

Due to the inclusion of Open Sound Control (OSC) support into CasterSoundboard, you can now control your soundboards remotely by using an app on a smartphone or tablet that supports two-way OSC communication over a network.

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

Wimpy’s e-GPU first take

• Razer Core
• Superposition benchmark | UNIGINE Benchmarks
• https://www.gamingonlinux.com/forum/topic/2683/page=1

Standard Notes is an Open-Source Encrypted Notes App

• AES-256 encryption
• Easy to use apps on Mac, Windows, iOS, Android, and Linux
• Open source
• Automatic sync with no limit on data capacity
• Web access
• Offline access
• Extended account unlocks additional features

Focusli – GNOME Shell Extensions

Improve focus and increase your productive by listening to different sounds

• Focusli – Play Nature Sounds from the GNOME Shell

Focusli also allows you to play multiple sounds at a time, thereby allowing you to come out with your unique ambient noise configurations to suite your ears.

postmarketOS: Aiming for a 10 year life-cycle for smartphones

postmarketOS, a touch-optimized, pre-configured Alpine Linux with own packages, that can be installed on smartphones.

Here is the solution: Bend an existing GNU/Linux distribution to run on smartphones.

Chaos: A social coding experiment that updates its own code democratically.

A social coding experiment that updates its own code democratically

Some things it could do

• Provide some useful service to people.
• Be malicious.
• Recreate itself in a different programming language.
• Break itself and die.
• There is no set purpose. What ChaosBot makes itself into is entirely up to the imagination of the open source community.

TING

• Ting – mobile that makes sense

KDE Plasma 5.10 Released, This Is What’s New!

release announcement says, aims to “give users an experience which lives up to our tagline: simple by default, powerful when needed.”

• kdeneon/all – Docker Hub

Linux Academy

• Linux Academy | Linux and AWS Online Training

Kitematic on Linux

Kitematic is a simple application for managing Docker containers on Mac, Linux and Windows.

• Complete post install steps for Kitematic
• Start the docker service
• Run kitematic with sudo

Looks like the #docker hub site is having issues. 404 for all images. Still able to pull from CLI. @Docker

— Aaron Brongersma (@Abrongersma) May 30, 2017

• kitematic.wiki-my/Linux-Install.md at master · max-devjs/kitematic.wiki-my

kitematic and kitematic-git (also docker-bin and docker-git) are available in AUR.
Assuming that Docker and relative missing dependencies are already installed,
install the preferred kitematic version and follow the Post-installation steps for Linux
section if needed.

• ArchWiki Docker documentation.

The post No Samba No Cry | LINUX Unplugged 199 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

• Timeline of the attach

• Don’t tell people to turn off Windows Update, just don’t

• U.K. Hospitals Hit in Widespread Ransomware Attack

+The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack

+ Microsoft Issues WanaCrypt Patch for Windows 8, XP

• Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far

• Tim Cook’s refusal to help FBI hack iPhone is validated by ‘WannaCry’ ransomware attack

• WCry/WanaCry Ransomware Technical Analysis

• Stopping the malware by registering a domain

Keylogger Found in Audio Driver of HP Laptops

• HP issues fix for ‘keylogger’ found on several laptop models

Feedback

• Budget switches By request, some of Dan’s 10G stuff two zpools

• Password Manager – Why No Autofill?

Round Up:

• Fastmail’s https://blog.fastmail.com/2017/05/13/nyi-datacentre-move/

• Debugging Under Fire: Keep your Head when Systems have Lost their Mind • Bryan Cantrill

The post When IT Security Cries | TechSNAP 319 first appeared on Jupiter Broadcasting.

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Follow Up / Catch Up

Vim text editor turns 25

Over 25 years ago, when some of your professional colleagues were still toddlers, Bram Moolenaar started working on a text editor for his Amiga. He was a user of vi on Unix, but the Amiga didn’t have anything quite like it. On November 2, 1991, after three years in development, he released the first version of the “Vi IMitation” editor, or _Vim._

Zotac crams AMD’s Radeon RX 480 into a tiny gaming mini-PC that’s built for VR

Zotac’s selling the new mini PC in three models: _barebones, Plus, and Windows 10. The barebones version is what you’d expect in a kit like this. It comes with a 2.2GHz Intel “Skylake” Core i5-6400T CPU and the aforementioned Radeon RX 480, but lacks RAM, storage, and an operating system._

Official Ubuntu Flavor Mythbuntu Linux Is Dead, What About My TV Shows?

The developers of the Mythbuntu Linux distribution have announced that the development of the official Ubuntu flavor will come to an end in the coming future. The reason stated is the lack of manpower of work on updates and bug fixing. For MythTV, the users can install Xubuntu and add Mythbuntu repository.

ChrisLAS Rocks Cali

Great dumplings, no not Chris. The Shandong restaurant.

TING

• Ting – mobile that makes sense

Cinnamon 3.2 Desktop Environment Now Available with Support for Vertical Panels

Cinnamon 3.2 also comes with workspace switcher improvements, simplified background manager, keyboard navigation fo__r context menus, updated appindicators and settings, support for displaying percentage next to the volume slider, vfade effect by default, as well as hover delay functionality to hot corners.

Freeing my tablet (Android hacking, SW and HW)

I wanted to run a Debian chroot in my tablet; and there was no open-source rooting
process for it. That triggered me enough to have a deeper look at Android,
and eventually completely dominate my tablet.

FileZilla Secure – Dedicated to keeping your FTP passwords secure.

tl;dr FileZilla does not encrypt your saved FTP passwords and I got hacked. FileZilla Secure will encrypt your saved FTP passwords with a master password.

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

Please explain NFS to me before I destroy something

Are you planning (or have you already) to make a guide/tutorial/segment on setting up NFS at home?

I realize NFS spans a wide range of use cases, but I am interested from the perspective of a desktop Linux user, how to share media and documents with my family on our (W)LAN.

• Arch Wiki: NFS

Linux Academy

• Linux Academy | Linux and AWS Online Training

New Releases:

• AWS Certified DevOps Engineer – Professional Level
• The SysAdmins Guide To Bash Scripting
• Cloud Essentials Certification Prep Course
• Running Container Clusters With Kubernetes
• Apache Spark Essentials
• Red Hat Certified Engineer Prep Course
• AWS Certified SysOps Administrator – Course Refresh
• Docker Deep Dive – Course Refresh

Coming This Fall:

• AWS Concepts
• Linux KVM Virtualization Essentials
• Git – Quick Start
• VIM – The Improved Editor
• Docker – Quick Start
• Ansible – Quick Start
• Git – Quick Start
• Jenkins – Quick Start
• LPIC-2 201* LPIC-2 202
• Big Data Essentials
• Learning Python Development
• Linux on Azure Certification Prep

5 terminal commands every Linux newbie should know

Sometimes you’ll need to use the terminal, but it’s not as scary as you think. We come up with the basic commands new users might want to learn.

Post Show

RedHat Redneck Internationalization

The post Nano Users Unite | LINUX Unplugged 170 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Krebs hit with record breaking DDoS attack

• “On Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai/Prolexic, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.”
• “The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”
• “Martin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gpbs attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one.”
• Almost all of the previous large scale DDoS attacks were the result of ‘reflection’ and ‘amplification’ attacks
• That is, exploiting DNS, NTP, and other protocols to allow the attackers to send a small amount of data, while spoofing their IP address to that of the victim, and cause the reflection server to send a larger amount of data.
• Basically, have your bots send spoofed packets of a few bytes, and the reflector send as much as 15 times the amount of data to the victim. This attack harms both the victim and the reflector.
• Thanks to the hard work of many sysadmins, most DNS and NTP servers are much more locked down now, and reflection attacks are less common, although there are still some protocols vulnerable to amplification that are not as easy to fix
• “In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices. According to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.”
• “There are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.”
• “I’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.”
• “Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.”
• “I can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.”

The shot heard round the world

• In this followup post, Krebs discusses “The Democratization of Censorship”
• You no longer need to be a nation state to censor someone, you just need a big enough botnet
• “Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.”
• “Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.”
• This poses a huge problem. The bad guys now know the magic number, 650 gbps, at which point even the most expensive DDoS protection service will boot you off and shutdown your site.
• “Nevertheless, Akamai rather abruptly informed me I had until 6 p.m. that very same day — roughly two hours later — to make arrangements for migrating off their network. My main concern at the time was making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.”
• “Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.”
• This raises another question, what happens when the bad guys perform an attack large enough to disrupt Google?
• This was the topic of the closing keynote at EuroBSDCon last weekend, sadly no video recordings are available.
• “Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.”
• “In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.”
• “Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.”
• “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”
• “Furthermore, the size and scale of these probes — and especially their persistence — points to state actors. It feels like a nation’s military cyber command trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US’s Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.”
• “What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week? Was it a space-based weapon of mass disruption built and tested by a rogue nation-state, or an arch villain like SPECTRE from the James Bond series of novels and films? If only the enemy here was that black-and-white.”
• “No, as I reported in the last blog post before my site was unplugged, the enemy in this case was far less sexy. There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.”
• “Some readers on Twitter have asked why the attackers would have “burned” so many compromised systems with such an overwhelming force against my little site. After all, they reasoned, the attackers showed their hand in this assault, exposing the Internet addresses of a huge number of compromised devices that might otherwise be used for actual money-making cybercriminal activities, such as hosting malware or relaying spam. Surely, network providers would take that list of hacked devices and begin blocking them from launching attacks going forward, the thinking goes.”
• While we’d like to think that the hacked devices will be secured, the reality is that they probably won’t be. Even if there was a firmware update, how often do people firmware update their IP Cameras? Their DVRs?
• The cable companies might be able to help by pushing firmware updates, and they have some incentive to do so, as the attacks use up their bandwidth
• In the end, even if ISPs notified their customers that they were part of the attack, how is a regular person supposed to determine which of the IoT devices was used as part of the attack?
• If you don’t know how to use a protocol analyzer, and the attack is not ongoing right now, how do you tell if it was your DVR, your SmartTV, your Thermostat, or your refrigerator that was attacking Krebs?
• And if we thought that 650 gbps was enough to make almost any site neel to an attacker, OVH.net reports a botnet of 150,000 CCTV/Camera/DVR units, each with 1 – 30 mbps of upload capacity, attacking their network with a peak of 1.1 terabits (1100gbps) of traffic, but they estimate the capacity of the botnet at over 1.5 terabits
• “I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.”
• “The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.”
• The possible solutions presented at EuroBSDCon were even scarier. Breaking the Internet up along national borders, and only allowing traffic to pass between countries on regulated major services like Facebook and Google.
• Additional Coverage: Forbes
• Additional Coverage: Ars Technica

Firefox preparing to block Certificate Authority for violating rules

• “The organization that develops Firefox has recommended the browser block digital credentials issued by a China-based certificate authority for 12 months after discovering it cut corners that undermine the entire transport layer security system that encrypts and authenticates websites.”
• “The browser-trusted WoSign authority intentionally back-dated certificates it has issued over the past nine months to avoid an industry-mandated ban on the use of the SHA-1 hashing algorithm, Mozilla officials charged in a report published Monday. SHA-1-based signatures were barred at the beginning of the year because of industry consensus they are unacceptably susceptible to cryptographic collision attacks that can create counterfeit credentials. To satisfy customers who experienced difficulty retiring the old hashing function, WoSign continued to use it anyway and concealed the use by dating certificates prior to the first of this year, Mozilla officials said. They also accused WoSign of improperly concealing its acquisition of Israeli certificate authority StartCom, which was used to issue at least one of the improperly issued certificates.”
• “Taking into account all the issues listed above, Mozilla’s CA team has lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA,” Monday’s report stated. “Therefore we propose that, starting on a date to be determined in the near future, Mozilla products will no longer trust newly issued certificates issued by either of these two CA brands.”
• So, existing certificates will continue to work, to avoid impact on those who paid for certificates, but Mozilla will not trust any newly issued certificates
• “WoSign’s practices came under scrutiny after an IT administrator for the University of Central Florida used the service to obtain a certificate for med.ucf.edu. He soon discovered that he mistakenly got one for www.ucf.edu. To verify that the error wasn’t isolated, the admin then used his control over the github subdomains schrauger.github.com and schrauger.github.io to get certificates for github.com, github.io, and www.github.io. When the admin finally succeeded in alerting WoSign to the improperly issued Github certificates, WoSign still didn’t catch the improperly issued www.ucf.edu certificate and allowed it to remain valid for more than a year. For reasons that aren’t clear, Mozilla’s final report makes no explicit mention the certificates involving the Github or UCF domains, which were documented here in August.”
• Some other issues highlighted in the Mozilla report:
  • “WoSign has an “issue first, validate later” process where it is acceptable to detect mis-issued certificates during validation the next working day and revoke them at that point. (Issue N)”
  • “If the experience with their website ownership validation mechanism is anything to go by, It seems doubtful that WoSign keep appropriately detailed and unalterable logs of their issuances. (Issue L)”
  • “The level of understanding of the certificate system by their engineers, and the level of quality control and testing exercised over changes to their systems, leaves a great deal to be desired. It does not seem they have the appropriate cultural practices to develop secure and robust software. (Issue V, Issue L)”
  • “For reasons which still remain unclear, WoSign appeared determined to hide the fact that they had purchased StartCom, actively misleading Mozilla and the public about the situation. (Issue R)”
  • “WoSign’s auditors, Ernst & Young (Hong Kong), have failed to detect multiple issues they should have detected. (Issue J, Issue X)”
• Mozilla Report
• Mozilla Wiki: WoSign issues
• WoSign incident report

Feedback:

• Backups

• A Little Salty

• Salt SSH

• FreeNAS

• FreeNAS(found a bug), and ZFS stripe with 4-SSD use case question

• Content Filtering HTTPS on pfSense with no proxy

• NFS vs Samba

Round Up:

• macOS Sierra Addresses Dropbox Security Concerns by Explicitly Asking for Accessibility User Permission
• How to crash systemd in one tweet
• How the Seattle Police Secretly—and Illegally—Purchased a Tool for Tracking Your Social Media Posts
• Hacking Tesla cars, locally and remotely
• A Pokemon Go guide infected thousands of phones
• New 2.5 and 5 gbps ethernet standards approved. Allows 2.5 gbps over standard cat 5e cables, and 5gbps over cat6
• Apple Logs Your iMessage Contacts — and May Share Them With Police
• Money Mules now using Bitcoin ATMs
• Firefox is eating your SSD – here is how to fix it
• Disassembly of Super Mario Bros.
• Heads up: CentOS 5 goes end-of-life in 6 months
• What happens when you don’t test your backups
• Russia Bans Pornhub, YouPorn – Tells Citizens To Meet Someone In Real Life

The post Botnet of Things | TechSNAP 286 first appeared on Jupiter Broadcasting.

Find out why everyone’s just a little disappointed in Badlock, the bad security that could be connected to the Panama Papers leak & the story of a simple delete command that took out an entire hosting provider.

Plus your batch of networking questions, our answers & a packed round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Badlock vulnerability disclosed

• The badlock vulnerability was finally disclosed on Tuesday after 3 weeks of hype
• It turns out to not have been as big a deal as we were lead to believe
• The flaw was not in the SMB protocol itself, but in the related SAM and LSAD protocols
• The flaw itself is identified as https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
• It affects all versions of Samba clear back to 3.0
• “Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available”
• “Please be aware that Samba 4.1 and below are therefore out of support, even for security fixes. There will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA). We strongly advise users to upgrade to a supported release.”
• See the Samba Release Planning page for more details about support lifetime for each branch
• Microsoft releases MS16-047 but rated it only “Important”, not “Critical”
• The patch fixes an “elevation of privilege bug in both SAM and LSAD that could be exploited in a man-in-the-middle attack, forcing a downgrade of the authentication level of both channels. An attacker could then impersonate an authenticated user”
• Microsoft was also careful to note: “Only applications and products that use the SAM or LSAD remote protocols are affected by this issue. The SMB protocol is not vulnerable.”
• It seems most of the “badlock” bugs were actually in Samba itself, rather than the protocol as we were lead to believe
• “There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user. Impact examples of intercepting administrator network traffic:”
• Samba AD server – view or modify secrets within an AD database, including user password hashes, or shutdown critical services.
• standard Samba server – modify user permissions on files or directories.
• There were also a number of related CVEs that are also fixed:
  • CVE-2015-5370 3.6.0 to 4.4.0: Errors in Samba DCE-RPC code can lead to denial of service (crashes and high cpu consumption) and man in the middle attacks. It is unlikely but not impossible to trigger remote code execution, which may result in an impersonation on the client side.
  • CVE-2016-2110 3.0.0 to 4.4.0: The feature negotiation of NTLMSSP is not downgrade protected. A man in the middle is able to clear even required flags, especially NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL. Which has implications on encrypted LDAP traffic.
  • CVE-2016-2111 3.0.0 to 4.4.0: When Samba is configured as Domain Controller it allows remote attackers to spoof the computer name of a secure channel’s endpoints, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic.
  • CVE-2016-2112 3.0.0 to 4.4.0: A man in the middle is able to downgrade LDAP connections to no integrity protection. It’s possible to attack client and server with this.
  • CVE-2016-2113 4.0.0 to 4.4.0: Man in the middle attacks are possible for client triggered LDAP connections (with ldaps://) and ncacn_http connections (with https://).
  • CVE-2016-2114 4.0.0 to 4.4.0: Due to a bug Samba doesn’t enforce required smb signing, even if explicitly configured. In addition the default for the active directory domain controller case was wrong.
  • CVE-2016-2115 3.0.0 to 4.4.0: The protection of DCERPC communication over ncacn_np (which is the default for most the file server related protocols) is inherited from the underlying SMB connection. Samba doesn’t enforce SMB signing for this kind of SMB connections by default, which makes man in the middle attacks possible.
• Additional Coverage: Threadpost – Badlock vulnerability falls flat against its type
• “As it turns out, Badlock was hardly the remote code execution monster many anticipated. Instead, it’s a man-in-the-middle and denial-of-service bug, allowing an attacker to elevate privileges or crash a Windows machine running Samba services.”
• “Red Hat security strategist Josh Bressers said Badlock could have been much worse, especially if it had turned out to be a memory corruption issue in SMB as some had surmised. Such a scenario would have cleared a path for remote code execution, for example.”
• Additional Coverage: sadlock.org

Panama Papers: Mossack Fonseca

• Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca.
• They show how Mossack Fonseca has helped clients launder money, dodge sanctions and avoid tax.
• The documents show 12 current or former heads of state and at least 60 people linked to current or former world leaders in the data.
• Eleven million documents held by the Panama-based law firm Mossack Fonseca have been passed to German newspaper Sueddeutsche Zeitung, which then shared them with the International Consortium of Investigative Journalists. BBC Panorama is among 107 media organisations – including UK newspaper the Guardian – in 76 countries which have been analysing the documents.
• There are many conspiracy theories about the source of the Panama Papers leak. One of the more prominent theories today blames the CIA.
• Bradley Birkenfeld is “the most significant financial whistleblower of all time,” and he has opinions about who’s responsible for leaking the Panama Papers rattling financial and political power centers around the world.
• Wikileaks is also getting attention today for blaming USAID and George Soros for the leaks.
• What little is known about the source of the leak comes from details published by German newspaper Suddeutsche Zeitung. Communicating via encrypted chat in late 2014, the source warned his or her life was “in danger” but that they had data from law firm Mossack Fonseca that they wanted to share. When asked how much data they had, the source replied “more than you have ever seen,” according to the newspaper.
• Regardless, the front-end computer systems of Mossack Fonseca are outdated and riddled with security flaws, analysis has revealed.
• Mossack Fonseca’s client portal is also vulnerable to the DROWN attack, a security exploit that targets servers supporting the obsolete and insecure SSL v2 protocol. The portal, which runs on the Drupal open source CMS, was last updated in August 2013, according to the site’s changelog.
• On its main website Mossack Fonseca claims its Client Information Portal provides a “secure online account” allowing customers to access “corporate information anywhere and everywhere”. The version of Drupal used by the portal has at least 25 vulnerabilities, including a high-risk SQL injection vulnerability that allows anyone to remotely execute arbitrary commands. Areas of the portal’s backend can also be accessed by guessing the URL structure, a security researcher noted.
• Mossack Fonseca’s webmail system, which runs on Microsoft’s Outlook Web Access, was last updated in 2009, while its main site runs a version of WordPress that is three months out of date. A further vulnerability makes it possible to easily access files uploaded to the backend of Mossack Fonseca’s site simply by guessing the URL.
• Mossack Fonseca’s emails were also not transport encrypted, according to privacy expert Christopher Soghoian who noted the company did not use the TLS security protocol.
• Who leaked the Panama Papers? A famous financial whistleblower says: CIA. / Boing Boing
• Wikileaks Accuses US Of Funding Panama Papers Putin Expose | The Daily Caller
• Panama Papers: The security flaws at the heart of Mossack Fonseca (Wired UK)
• Additional Coverage: The Register – Mossack Fonseca website found vulnerable to SQL injection
• Additional Coverage: Forbes
• Additional Coverage: WordFence
• Additional Coverage: Slashdot
• In general, it seems there were so many flaws in the website we may never know which one was used to compromise the server

I accidently rm -rf /’d, and destroyed my entire company

• “I run a small hosting provider with more or less 1535 customers and I use Ansible to automate some operations to be run on all servers. Last night I accidentally ran, on all servers, a Bash script with a rm -rf {foo}/{bar} with those variables undefined due to a bug in the code above this line.”
• “All servers got deleted and the offsite backups too because the remote storage was mounted just before by the same script (that is a backup maintenance script).
  How I can recover from a rm -rf / now in a timely manner?”
• There is not usually any easy way to recover from something like this
• That is why you need backups. Backups are not just a single copy of your files in another location, you need time series data, in case you need to go back more than the most recent backup
• It is usually best to not have your backups mounted directly, for exactly this reason
• Even if you will never rm -rf /, an attacker might run rm -rf /backup/*
• While cleaning up after an attacker attempted to use a Linux kernel exploit against my FreeBSD machine in 2003, I accidently rm -rf /’d in a roundabout way, Trying to remove a symlink to / that had a very funky name (part of the exploit iirc), i used tab complete, and instead of: rm -rf badname, it did rm -rf badname/, which deletes the target of the symlink, which was /.
• Obviously this was my fault for using -r for a symlink, since I only wanted to delete one thing
• When the command took too long, I got worried, and when I saw ‘can’t delete /sbin/init’, I panicked and aborted it with control+c
• Luckily, I had twice daily backups with bacula, to another server. 30 minutes later, everything was restored, and the server didn’t even require a reboot. The 100+ customers on the machine never noticed, since I stopped the rm before it hit /usr/home
• There are plenty of other examples of this same problem though
• Steam accidently deletes ALL of your files
• Bryan Cantrill tells a similiar story from the old SunOS days
• Discussion continues and talks about why rm -rf / is blocked by on SunOS and FreeBSD
• Additional Coverage: ServerFault
• When told to dd the drive to a file, to use testdisk to try to recover files, the user reports accidentally swapping if= and of=, which likely would just error out if the input file didn’t exist, but it might also mean that this entire thing is just a troll. Further evidence: rm -rf / usually doesn’t work on modern linux, without the –no-preserve-root flag

Feedback:

• NAS or SAN?
• Full SSD ZFS array

Round Up:

• “FreeBSD Mastery: Advanced ZFS” has been released as ebook for $9.99, print version in a few weeks
• Book features a fancy “Wrap Around” cover, the secret art not revealed yet
• How to not get pwned on Windows: Don’t run any virtual machines, open any web pages, Office docs, hyperlinks
• OpenWhisperSystems has integrated its Signal Protocol public key encryption systems into WhatsApp, now fully end-to-end encrypted with identity verification
• FBI bought previously undisclosed zeroday to crack the iPhone 5c
• After Apple claims to have fixed iOS 1970 bug in February, researchers demo a new remote version, bricks your device 20 minutes after connecting to their rouge WiFi, if your battery doesn’t catch fire first…
• 0-day exploits more than double as attackers prevail in security arms race
• Proving apps don’t take data security seriously, new website uses Tinder’s official API to let you spy on other users
• Google’s monthly Android update fixes Linux kernel flaw from 2014 that was being used to root Android devices
• Nest pulls the plug on the Resolv Hub, leaving owners who were promised a lifetime service subscription with a $299 paperweight
• The entire Turkish citizenship database appears to have been hacked and leaked online
• Python, Go, and PHP (before 5.6), failed to check for self-signed, expired, or worse revoked SSL certificates, also older versions may still accept RC4 and weak DH (logjam)
• Cellebrite, the company originally rumoured to have helped the FBI crack the iPhone, set to release a road side ‘textalyzer’, to determine if you were using your cell phone at the time of an accident
• Google’s new “BeyondCorp” security model, all networks are untrusted, users earn trust with good behaviour, devices earn trust with known good state
• All the resources in the world are not use if you don’t know how to use them

The post rm -rf $ALLTHETHINGS/ | TechSNAP 262 first appeared on Jupiter Broadcasting.

TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

TalkTalk compromise and ransom

• “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
• “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
• That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
• Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
• “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
• So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
• “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
• “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
• With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
• Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
• “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
• “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
• Additional Coverage — The Independant
• Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
• Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
• Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
• Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
• Video from TalkTalk CEO
• If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will wait the termination fee if you decide you no longer want to be a TalkTalk customer
• New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
• “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

• “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
• “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
• Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
• “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
• “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
• “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
• US Regulators grant DMCA exemption to legalize vehicle software tinkering
• Additional Coverage: NPR
• The ruling uses the terms “good faith security research” and “lawful modification.”
• “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
• “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
• Under the ruling, both exemptions don’t become law for at least a year

Google plays hardball with Symantec over TLS certificates

• “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
• Google’s Blog Post
• Symantec Report
• “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
• It seems like Symantec was trying to downplay the incident, and gloss over its failings
• “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
• “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
• This brings up serious questions about the management and oversight of the Symantec certificate authority
• “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
• “More immediately, we are requesting of Symantec that they further update their public incident report with:”
• A post-mortem analysis that details why they did not detect the additional certificates that we found.
• Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
• “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
• “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
• It is good to see Google using its muscle to make the CA industry smarten up and fly right

Feedback:

• Running a file server on Debian

• ZFS repairing capabilities

• Episode 237 comments and suggestions

Round up:

• 13 million plaintext passwords belonging to webhost users leaked online
• New banking trojan steals 20 million British Pounds from online bank accounts
• DOJ: Apple owns your iPhone’s software, so it should have a backdoor
• IBM tops the list of worst offenders for hosting spam, as it acquires Softlayer, which had previously acquired ThePlanet, which was known for being especially bad
• Joomla bug puts millions of websites at risk of remote takeover
• EFF Finds over 100 license plate readers that are accessible on the public internet
• Wall Street Journal subscriber base information may have been compromised
• WWII CIA (OSS) Simple Sabotage Field Manual (Field Manual #3)
• NSA issues warning about quantum cryptography, sparks concerns of secret advance in technology
• Debate over the depreciation of the leap second at the World Radiocommunication Conference Full ACM Article by Poul-Henning Kamp
  

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.

Browse your local network and share files with Windows computers by following our Samba tutorial. Get some tips on how to easily read the Samba configuration file.

Plus an update about the future format of HowTo Linux.

Thanks to:

Direct Download:

HD Video | Video | HD Torrent | MP3 Audio | OGG Audio | YouTube

RSS Feeds:

HD Video Feed | HD Torrent Feed | MP3 Feed | OGG Feed

Show Notes:

File Manager not show your network shares?

Install Samba:

Samba is a re-implementation of the SMB/CIFS networking protocol, it facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. Some users say that Samba is easily configured and that operation is very straight-forward. However, many new users run into problems with its complexity and non-intuitive mechanism.

• Install Samba

sudo apt-get update

sudo apt-get install samba samba-common system-config-samba python-glade2 gksu nautilus-share

• Enable your user account as a Samba user

smbpasswd -e chase

Having troubles resolving computer names?

• Check your DNS settings

• Add the following stanza to smb.conf:

name resolve order = lmhosts bcast host wins

• testparm

testparm — check an smb.conf configuration file for
internal correctness

Bonus: Going through these steps will also make your Windows network file browsing work under your file manager too!

Further Reading:

• Setup your file share in /etc/samba/smb.conf or use system-config-samba

• Ubuntu 14.04 LTS: File Sharing With Samba | UbuntuHandbook

• Sharing files in LAN through Samba or SSH – Ask Ubuntu
• Samba/SambaServerGuide – Community Help Wiki
• Samba – ArchWiki

The post File sharing on Linux | HowTo Linux 4 first appeared on Jupiter Broadcasting.

Easily share files between Windows and Linux, and we’ll solve some common network browsing challenges under Linux.

Plus a quick look at Linux Mint 17 KDE edition, the huge new features coming to OwnCloud, a new hacker event….

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Easy Windows File Sharing from Linux:

Brought to you by: System76

File Manager not show your network shares?

Install Samba:

Samba is a re-implementation of the SMB/CIFS networking protocol, it facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. Some users say that Samba is easily configured and that operation is very straight-forward. However, many new users run into problems with its complexity and non-intuitive mechanism.

• Install Samba

sudo apt-get update

sudo apt-get install samba samba-common system-config-samba python-glade2 gksu nautilus-share

• Enable your user account as a Samba user

smbpasswd -e chase

Having troubles resolving computer names?

• Check your DNS settings

• Add the following stanza to smb.conf:

name resolve order = lmhosts bcast host wins

• testparm

testparm — check an smb.conf configuration file for
internal correctness

Bonus: Going through these steps will also make your Windows network file browsing work under your file manager too!

Further Reading:

• Setup your file share in /etc/samba/smb.conf or use system-config-samba

• Ubuntu 14.04 LTS: File Sharing With Samba | UbuntuHandbook

• Sharing files in LAN through Samba or SSH – Ask Ubuntu
• Samba/SambaServerGuide – Community Help Wiki
• Samba – ArchWiki

— Picks —

Runs Linux

Raspberry Pi Controlled Aquaponics

This build uses the IBC method of Aquaponics, with modifications to include a Raspberry Pi for controlling a pump, solenoid drain, and temperature probes for water and air temperatures. The relays and timing is controlled with python scripting. Temperature and control data is collected every minute and sent to plot.ly for graphing, and future expansion will include sensors for water level and PH values for additional control.

All of my scripts are available at github.com

Desktop App Pick

beets: the music geek’s media organizer

The purpose of beets is to get your music collection right once and for all. It
catalogs your collection, automatically improving its metadata as it goes using
the MusicBrainz database. Then it provides a bouquet of tools for
manipulating and accessing your music.

Weekly Spotlight

Unix & Linux Stack Exchange

— NEWS —

ownCloud 7 Community Edition Enhances, Extends and Simplifies Control of Sensitive Data

ownCloud 7 Community Edition server-to-server sharing enables users on one ownCloud instance to seamlessly share files with a user on a different ownCloud installation without using share links — enhancing sharing and collaboration while maintaining security and privacy.

ownCloud 7 Community Edition also gives end users a “Dropbox-like” experience — complementing the security and privacy on the back end — with an entirely new web interface, mobile web browser support, file notifications in email or activity stream, and significant performance improvements.

“ownCloud 7 Community Edition enables greater collaboration even across ownCloud instances, as well as greater admin control, updated user management and improved external storage control,” said Frank Karlitschek, founder and leader of the ownCloud project. “And at the same time, added or improved installation and configuration wizards, completely overhauled sharing, and a new user interface significantly simplifies the ownCloud experience.”

Russia to ditch Intel, AMD in favor of homegrown ‘Baikal’ chips; will use GNU/Linux

According to a Russian business newspaper, state departments and state-run companies have no plans to buy PCs built around Intel or AMD processors. Instead, beginning in 2015, the government will order some 700,000 personal computers annually worth $500 million and 300,000 servers worth $800 million based on the Baikal chip.

• Ъ-Газета – Минпромторг включился в процессоры

Where KDE is going – Part 1 | KDE.news

GNOME 3.13.3 | Goings on

The Linux Mint Blog » Blog Archive » Linux Mint 17 “Qiana” KDE released!

Dad’s computer lady and “The Linux” by Chad Seaman

ToorCamp | the five day, open air, tech camping event

NEAH BAY, WA
JULY 9-13, 2014

Feedback:

• Patreon for JB as a whole?

• Support Jupiter Broadcasting on Patreon

• SELF2014: The Linux Game Industry – YouTube

• Linux without internet?

— Chris’ Stash —

• jupiterbroadcasting on Instagram

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged
• Switching to Ubuntu: User Tips
• Broforce – Part 3 | Geek And The Gamer

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post Sharing with Samba | LAS 319 first appeared on Jupiter Broadcasting.

Chase makes the decision to switch to Linux and Chris helps him get started. Learn how to install Linux from a thumb drive using Windows.

Plus we answer some basic fundamental differences between Windows and Linux.

Thanks to:

Direct Download:

HD Video | Video | HD Torrent | MP3 Audio | OGG Audio | YouTube

RSS Feeds:

HD Video Feed | HD Torrent Feed | MP3 Feed | OGG Feed

Become a HowTo Linux supporter on Patreon:

Show Notes:

Links:

Rufus – Create bootable USB drives the easy way

Rufus is an utility that helps format and create bootable USB flash drives, such as USB keys/pendrives, memory sticks, etc.

• It can be especially useful for cases where:

• you need to create USB installation media from bootable ISOs (Windows, Linux, UEFI, etc.)

• you need to work on a system that doesn\’t have an OS installed
• you need to flash a BIOS or other firmware from DOS
• you want to run a low-level utility

Support HowTo Linux on Patreon

The post Switching to Linux | HowTo Linux 1 first appeared on Jupiter Broadcasting.

Michael Christen the creator and maintainer of YaCy search joins us to discuss his free search engine that anyone can use to build a search portal for their intranet or to help search the public internet using a unique Peer-to-peer technology.

Plus who’s building Linux, the big Docker news, a look ahead at the next big Gnome release…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

— Show Notes: —

Michael Christen YaCy Maintainer:

Brought to you by: System76

YaCy is a free search engine that anyone can use to build a search portal for their intranet or to help search the public internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world and can index billions of web pages. It is fully decentralized, all users of the search engine network are equal, the network does not store user search requests and it is not possible for anyone to censor the content of the shared index. We want to achieve freedom of information through a free, distributed web search which is powered by the world’s users.

• YaCy – The Peer to Peer Search Engine: AWESOME Visualization

Questions

• What’s the key reason you believe decentralized search is important?

• How does YaCy help combat censorship?

• Can I use YaCy on my school/work network to index all of the material on our intranet?

• I want to run YaCy on a VPS, can it be configured to crawl faster than my home PC since it has a faster connection?

• How would I know that some YaCy machine in the globe does not collect all the requests it gets?

• Could YaCy be used to index the TOR network?

• And more in show, not documented here.

Installing YaCY

• Install YaCy On Debian/Ubuntu

• Install YaCy on Arch

q5ys’s Kickstarter

• YaCyPi – Turnkey Raspberry Pi based Internet Search Engine by Obsidian Security Services

– Picks –

Runs Linux:

• The Cew of Despicable Me 2, Run Linux

• Martin Gräßlin – Google+ – Just watched the extras on the “Despicable Me 2” Blu-Ray…

• KDE Plasma at Gravity VFX Shop

• Despicable Me 2 – Steve Carell Explains 3D Animation – YouTube

Desktop App Pick

• linux-dash · GitHub

Weekly Spotlight

• BlackArch

— NEWS —

• Who’s Writing Linux?

About once a year, the Linux Foundation analyzes the online repository that holds the source code of the kernel, or core, of the Linux operating system.

As well as tracking the increasing complexity of the ever-evolving kernel over a series of releases from versions 3.0 to 3.10

The report also reveals who is contributing code, and the dominant role corporations now play in what began as an all-volunteer project in 1991.

Over 80 percent of code is contributed by people who are paid for their work

The Linux Foundation notes that contributions have been increasing from companies that make mobile and embedded systems, such as Linaro, Samsung, and Texas Instruments.
Contributions from individual developers must have sign-offs before being incorporated into the official kernel code.

Corporate employees truly dominate, with just over 5 percent of approvals by volunteers.

The increasing size of the Linux kernel is due to the incorporation of significant new features, including a file system optimized for solid-state drives and support for the 64-bit ARM microprocessors used in embedded and mobile devices.

• Docker 0.8: Quality, new builder features, btrfs, OSX support
• Docker Raises $15M For Its Open-Source Platform That Helps Developers Build Apps In The

That’s evident in today’s news that the company has raised $15 million in a Series B round led by Greylock Partners, with minority participation from Insight Venture Partners and existing investors Benchmark Capital and Trinity Ventures. Also participating is Yahoo! Co-Founder Jerry Yang, who has participated in previous

Docker will use the funding to push toward the general availability of the Docker environment, develop commercial services that pair with the open-source technology and build a team to support the growing community.

• A quick glance at GNOME 3.11.5

• GEdit Strikes Again | Popovers This Time!

• Shell 3.12 Introducing Jumplists!

• GNOME Sound Recorder Icons, From Sam Hewitt?

• Northeast GNU/Linux Fest – Bringing Linux And Free Software To The Northeast

– Feedback: –

• Jolla Mobile Phone

• suggest: On to the Bacon Festival

— Chris’ Stash —

• Good sirs… I would like a howto! Form

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— What’s Matt Doin? —

• Check out LINUX Unplugged

— Find us on Google+ —

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

— Find us on Twitter —

• Chris – ChrisLAS
• Matt – matthartley

— Follow the network on Facebook: —

• Jupiter Broadcasting on Facebook

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

• https://jblive.tv
• Network Calendar

The post YaCy Creator Interview | LAS s30e09 first appeared on Jupiter Broadcasting.

The best gadgets at CES this year were running Linux. We round-up the highlights of these Linux powered goodies, and speculate about the future of the expo.

Plus Blizzard’s big Linux bombshell, the sunset of WebcamStudio, why you might see a Firefox OS powered smartphone soon, and is Samba less relevant these days?

Plus: Your feedback, our picks of the week, and so much more!

All this week on, The Linux Action Show!

Use our code linux295 to get a .COM for $2.95.

Expires 1-31-13!

20% off your ENTIRE order just use our code go20off6.

Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show: