servers – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Mon, 02 Sep 2019 21:33:25 +0000

Swap that Space | BSD Now 314
https://original.jupiterbroadcasting.net/133992/swap-that-space-bsd-now-314/
Wed, 04 Sep 2019 19:00:20 +0000

Show Notes/Links: https://www.bsdnow.tv/314

The post Swap that Space | BSD Now 314 first appeared on Jupiter Broadcasting.

Our Trip to Dell | LAS 464
https://original.jupiterbroadcasting.net/113646/our-trip-to-dell-las-464/
Sun, 09 Apr 2017 14:42:41 +0000

The post Our Trip to Dell | LAS 464 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Patreon

— Show Notes: —



Brought to you by: Linux Academy

— PICKS —

Runs Linux

The Briggo Coffee Robot, Runs Linux

View the beast on imgur.com

The stories center on an Austin, Texas-based startup called Briggo, which has created a fully automated, one-stop coffee kiosk that churns out what it believes is a superior cup of joe. You can order and pay by smartphone, customize the brewing process to your precise specifications, and schedule it to be ready for pickup the minute you arrive. And it really doesn’t care if you say “venti” instead of “large.”

Desktop App Pick

Gydl (Graphical Youtube-dl) is a GUI wrapper around the already existing youtube-dl program.


— NEWS —

Ubuntu Drops Unity for Gnome

We will continue to produce the most usable open source desktop in the world, to maintain the existing LTS releases, to work with our commercial partners to distribute that desktop, to support our corporate customers who rely on it, and to delight the millions of IoT and cloud developers who innovate on top of it.

Our efforts were seen fragmentation not innovation. And industry has not rallied to the possibility, instead taking a ‘better the devil you know’ approach to those form factors, or investing in home-grown platforms.

We will shift our default Ubuntu desktop back to GNOME for Ubuntu 18.04 LTS

I am personally happy to see this convergence of efforts happening because I have for a long time felt that the general level of investment in the Linux desktop has not been great enough to justify the plethora of Linux desktops out there, so by now having reached a position where Canonical, Endless, Red Hat and Suse again share one desktop technology stack

Canonical Eliminating Jobs

Reportedly 30 to 60% of staff could be let go depending upon what comes of these outside investments. But the headcounts are going up in areas of security, cloud, and other money-making enterprise efforts.

In the best-case scenario, The Reg understands, departments would suffer a 30 per cent headcount reduction but in the worst it was 60 per cent. It’s not clear how many staff have gone, but Canonical is believed to have a workforce of 700.

  • Drop MIR/Unity for Wayland/Gnome (351 weight)
  • Release/GA Unity 8 (15 weight)
  • Easily, the most heavily requested, major change in this thread was for Ubuntu to drop MIR/Unity in favor of Wayland/Gnome. And that’s exactly what Mark Shuttleworth announced in an Ubuntu Insights post here today. There were a healthy handful of Unity 8 fans, calling for its GA, and more than a few HackerNews comments lamenting the end of Unity in this thread.

Welcome to Gnome and Wayland

Unity will Continue as a Fork

Lightworks 14 Released

Like a sequel to the Expendables, Lightworks 14.0 is packed to the rafters with cameos from features you always knew were there, but had sort of forgotten all about.

Part of the ‘old dog, new tricks‘ vibe is thanks to the top-to-toe redesign the non-linear editor is sporting. Lightworks’ new look (called “Fixed”, funnily enough) addresses the software’s most oft cited criticism: that it’s hard to use. The new layout aims to offer a “more organised” workspace, and help you discover, learn, and use the editor’s various features.

Lightworks supports Ubuntu 16.10 or later — sorry LTS users. You won’t be able to export to MP4 or MOV; you can’t import WMV; and there’s no FX plugin-support.

Feedback

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Twitter

2016 Review | Unfilter 219
https://original.jupiterbroadcasting.net/105766/2016-review-unfilter-219/
Wed, 28 Dec 2016 16:17:35 +0000

The post 2016 Review | Unfilter 219 first appeared on Jupiter Broadcasting.

— Show Notes —

Links

  • Gun’s N Ruses | Unfilter 171
  • Make Flint Unleaded | Unfilter 173
  • Hillary’s Bern Notice | Unfilter 174
  • CIA Rewrites History | Unfilter 189
  • DNC_Secret_Documents.zip | […]

Best of 2016 | TechSNAP 298
https://original.jupiterbroadcasting.net/105646/best-of-2016-techsnap-298/
Thu, 22 Dec 2016 10:37:02 +0000

The post Best of 2016 | TechSNAP 298 first appeared on Jupiter Broadcasting.

Show Notes:

Links

  • Virtual Private Surveillance | TechSNAP 248
  • Internet of Threats | TechSNAP 249
  • Pay to Boot | TechSNAP 260
  • Insecure Socket Layer | TechSNAP 265
  • […]

The Bourne Avalanche | TechSNAP 297
https://original.jupiterbroadcasting.net/105481/the-bourne-avalanche-techsnap-297/
Thu, 15 Dec 2016 20:17:34 +0000

The post The Bourne Avalanche | TechSNAP 297 first appeared on Jupiter Broadcasting.


Show Notes:

Malvertising campaign targets routers with: DNSChanger EK

  • “Proofpoint researchers have reported frequently this year on the decline in exploit kit (EK) activity. EKs, though, are still vital components of malvertising operations, exposing large numbers of users to malware via malicious ads. Since the end of October, we have seen an improved version of the “DNSChanger EK” [1] used in ongoing malvertising campaigns. DNSChanger attacks internet routers via potential victims’ web browsers; the EK does not rely on browser or device vulnerabilities but rather vulnerabilities in the victims’ home or small office (SOHO) routers. Most often, DNSChanger works through the Chrome browser on Windows desktops and Android devices. However, once routers are compromised, all users connecting to the router, regardless of their operating system or browser, are vulnerable to attack and further malvertising.”
  • “The router attacks appear to happen in waves that are likely associated with ongoing malvertising campaigns lasting several days. Attack pattern and infection chain similarities led us to conclude that the actor behind these campaigns was also responsible for the “CSRF (Cross-Site Request Forgery) Soho Pharming” operations in the first half of 2015”
  • “The way this entire operation works is by crooks buying ads on legitimate websites. The attackers insert malicious JavaScript in these ads, which use a WebRTC request to a Mozilla STUN server to determine the user’s local IP address.”
  • “Based on this local IP address, the malicious code can determine if the user is on a local network managed by a small home router, and continue the attack. If this check fails, the attackers just show a random legitimate ad and move on.”
  • “For the victims the crooks deem valuable, the attack chain continues. These users receive a tainted ad which redirects them to the DNSChanger EK home, where the actual exploitation begins.”
  • “The next step is for the attackers to send an image file to the user’s browser, which contains an AES key embedded inside the photo using steganography.”
  • “The malicious ad uses this AES key to decrypt further traffic it receives from the DNSChanger exploit kit. Crooks encrypt their operations to avoid the prying eyes of security researchers.”
  • “There are now 166 fingerprints, some working for several router models, versus 55 fingerprints in 2015. For example, some like the exploit targeting “Comtrend ADSL Router CT-5367/5624″ were a few weeks old (September 13, 2016) when the attack began around October 28.”
  • “When possible (in 36 cases) the exploit kit modifies the network rules to make the administration ports available from external addresses, exposing the router to additional attacks like those perpetrated by the Mirai botnets”
  • “The malvertising chain is now accepting Android devices as well.”
  • “The attack chain ensnares victim networks through legitimate web sites hosting malicious advertisements unknowingly distributed via legitimate ad agencies. The complete attack chain is shown in Figure 1.”
  • So, after you see the malicious ad, it decides whether you are an interesting victim. If not, the ad slot is resold for money.
  • If you are interesting, you get a different ad, which contains a URL to the exploit kit.
  • This results in a redirect that sends you to a different PNG with an AES key hidden in it. The key is used to decrypt the payload, so that the payload is not spotted by virus scanners or the advertising agencies.
  • It then examines your router and decides whether it is exploitable.
  • If it is, another AES-encrypted payload is sent, which tries default username/password combinations to compromise your router from the LAN side using CSRF.
  • It then changes the DNS servers in your router’s settings and, if it is able to, allows administrative access on the WAN interface.
  • “Once the attacker has gained control over the router, he can use it to replace legitimate ads with his own, or add advertisements on websites that didn’t feature ads. While previous malvertising campaigns usually targeted users of Internet Explorer, this campaign focused on Chrome users, on both desktop and mobile devices. Ad replacement and insertion also takes place on traffic to mobile devices, not just desktops.”
  • “Updating router firmware is the recommended course of action”
  • Additional Coverage: Bleeping Computer

Avalanche crime ring leader eludes justice

  • “The accused ringleader of a cyber fraud gang that allegedly rented out access to a criminal cloud hosting service known as “Avalanche” is now a fugitive from justice following a bizarre series of events in which he shot at Ukrainian police, was arrested on cybercrime charges and then released from custody.”
  • “On Nov. 30, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime.”
  • “According to Ukrainian news outlets, the alleged leader of the gang — 33-year-old Russian Gennady Kapkanov — did not go quietly. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape off of his 4th floor apartment balcony.”
  • “Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge in the city of Poltava, Ukraine later ordered Kapkanov released, saying the prosecution had failed to file the proper charges (including charges of shooting at police officers), charges which could have allowed authorities to hold him much longer. Ukrainian media reports that police have since lost track of Kapkanov.”
  • “Ukraine’s Prosecutor General Yuri Lutsenko is now calling for the ouster of the prosecutor in charge of the case. Meanwhile, the Ukrainian authorities are now asking the public for help in re-arresting Kapkanov.”
  • It seems that the cybercrime charges were not considered “serious” enough to include pretrial confinement. However, had the prosecutor also charged Kapkanov with shooting at the police, etc., they could have held him.
  • It will be interesting to see what else comes of this case

Krebs Mini Roundup:

  • Operation: Tarpit — Targeting customers of online attack-for-hire services
    • “Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.”
    • “As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.”
    • “According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.”
    • “The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.”
    • “I applaud last week’s actions here in the United States and abroad, as I believe many booter service customers patronize them out of some rationalization that doing so isn’t a serious crime. The typical booter service customer is a teenage male who is into online gaming and is seeking a way to knock a rival team or server offline — sometimes to settle a score or even to win a game. One of the co-proprietors of vDos, for example, was famous for DDoSsing the game server offline if his own team was about to lose — thereby preserving the team’s freakishly high ‘win’ ratios.”
    • “But this is a stereotype that glosses over a serious, costly and metastasizing problem that needs urgent attention. More critically, early law enforcement intervention for youths involved in launching or patronizing these services may be key to turning otherwise bright kids away from the dark side and toward more constructive uses of their time and talents before they wind up in jail. I’m afraid that absent some sort of “road to Damascus” moment or law enforcement intervention, a great many individuals who initially only pay for such attacks end up getting sucked into an alluring criminal vortex of digital extortion, easy money and online hooliganism.”
  • 1 billion more Yahoo accounts hacked
  • My Yahoo account was hacked, now what?
  • Q: I’m not sure if I have a Yahoo account. How do I find out?
  • A: This is a surprisingly complex question. Thanks to the myriad mergers and business relationships that Yahoo has forged over the years, you may have a Yahoo account and not realize it. That’s because many accounts that are managed through Yahoo don’t actually end in “yahoo.com” (or yahoo. insert country code here). For example, British telecom giant BT uses Yahoo for their customer email, as did/do SBCGlobal, AT&T and BellSouth. Also, Verizon.net email addresses were serviced by Yahoo until AOL took over. Up in Canada, Rogers.net customers may also have Yahoo email addresses. I’m sure there are plenty of others I’m missing, but you get the point: Your Yahoo account may not include the word “yahoo” at all in the address.
  • Q: So if using hashing methods like MD5 is such a lame security idea, why is Yahoo still doing this?
  • A: Yahoo says this breach dates back to 2013. To its credit, Yahoo began moving away from using MD5s for new accounts in 2013 in favor of Bcrypt, a far more secure password hashing mechanism. But yeah, even by 2013 anyone with half a clue in securing passwords already long ago knew that storing passwords in MD5 format was no longer acceptable and an altogether braindead idea. It’s one of many reasons I’ve encouraged my friends and family to ditch Yahoo email for years.
  • Q: Yahoo said in some cases encrypted or unencrypted security questions and answers were stolen. Why is this a big deal?
  • A: Because for years security questions have served as convenient backdoors used by criminals to defraud regular, nice people whose only real crime is that they tend to answer questions honestly. But with the proliferation of data that many people post online about themselves on social media sites — combined with the volume of public records that are indexed by various paid and free services — it’s never been easier for a stranger to answer your secret question, “What was the name of your elementary school?” Don’t feel bad if you naively answered your secret questions honestly. Even criminals get their accounts hacked via easily-guessed secret questions, as evidenced by this story about the San Francisco transit extortionist who last month had his own account hacked via weak secret questions.

All the talks from: Systems We Love


Feedback:


Round Up:


Open Source Botnet | TechSNAP 287
https://original.jupiterbroadcasting.net/103671/open-source-botnet-techsnap-287/
Thu, 06 Oct 2016 20:19:14 +0000

The post Open Source Botnet | TechSNAP 287 first appeared on Jupiter Broadcasting.


Show Notes:

Source Code for IoT Botnet ‘Mirai’ Released

  • “The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.”
  • “The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.”
  • “Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.”
  • A quote from the person who released the code: “When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”
  • “Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.”
  • “According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.”
  • “Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.”
  • It is surprising that the botnets are not changing the default passwords to prevent reinfection by competing botnets. Of course, if you are scanning using the new secret password, every honeypot is going to get that password and be able to recapture your devices
  • “In the days since the record 620 Gbps DDoS on KrebsOnSecurity.com, this author has been able to confirm that the attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic suggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself. One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.”
  • “My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.”
  • “On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.”

A tale of a DNS packet

  • “BIND is the most used DNS server on the internet. It is the standard system for name resolutions on UNIX platforms and is used in 10 of the 13 root servers of the Name Domain System on the internet. Basically, it is one of the main function of the entire Internet.”
  • “The tests done by ISC (Internet Systems Consortium) discovered a critical error when building a DNS response.”
  • “This assertion can be triggered even if the apparent source address isn’t allowed to make queries (i.e. doesn’t match ‘allow-query’)”
  • “Following the tradition of having errors in the necessary software for the survival of humanity, CVE-2016-2776 came to light. With details of the problem basically nowhere to be found, nor what was the mysterious “Specifically Constructed Request”, we decided to see what exactly was modified in the repository of Bind9.”
  • “Now that we are convinced that msg->reserved is potentially dangerous when 500 < msg->reserved <= 512, it is time to see how we can manipulate this variable. Tracking the use of dns_message_renderreserve() in lib/dns/message.c we find that msg->reserved is used to track how many bytes will be necessary to write the Additional RR (OPT, TSIG and SIG(0)) once the response is finished rendering on dns_message_renderend().”
  • “The most direct way we’ve found of manipulating an Additional RR included on the response is sending a query with a TSIG RR containing an invalid signature. When this happens, the server echoes practically all the record when responding.”
  • “The following script sends a query A to the server with a TSIG large enough so as to make the server reserve 501 bytes on msg->reserved when writing the response.”
  • “When it gets to dns_message_renderbegin() we have the context we’ve looked for: msg->reserved on 501 and r.length on 512. The if condition which should throw ISC_R_NOSPACE in the patch is not triggered.”
  • And BIND crashes
  • “We can see now with the instruction immediately after the validation why it was so important to consider DNS_MESSAGE_HEADERLEN. Immediately after validating that the buffer has the sufficient space to store msg->reserved bytes, it allocates DNS_MESSAGE_HEADERLEN (12) bytes in it. In other words it didn’t check if after reserving msg->reserved, there is enough space to store 12 bytes more. What happens in the end is that when returning from the function, the available space on buffer is of 500 bytes (buffer->length – buffer->used = 512 – 12 = 500) but we’re reserving 501.”
  • “This leaves the integrity of the isc_buffer_t msg->buffer structure corrupt: now msg->buffer->used is BIGGER than msg->buffer->length. All the ingredients are here, we just need to put them in the oven.”
  • “Publishing a fix about a lethal bug where you would have to patch the whole internet, doesn’t leave a lot of time to find elegant solutions. So if you review the fix it’s possible that a new similar bug appears in dns_message_renderbegin(). while the use of msg->reserved is quite limited. It continues being a complex software. Meanwhile msg->reserved is still being used, the existence of a bug like CVE-2016-2776 is quite probable.”
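
The off-by-header check quoted above can be reproduced in a small model. This is an added example, not BIND's source and not ISC's patch: `struct buf`, `struct msg`, `renderbegin_unpatched`, `renderbegin_hardened` and `sweep_reserved` are hypothetical stand-ins that keep only the fields the write-up names (`length`, `used`, `reserved`) and the 12-byte `DNS_MESSAGE_HEADERLEN`.

```c
#include <stddef.h>
#include <stdio.h>

#define DNS_MESSAGE_HEADERLEN 12 /* fixed DNS header size, as named in the write-up */

enum result { R_SUCCESS = 0, R_NOSPACE = 1 };

/* Hypothetical stand-in for isc_buffer_t: only the two fields discussed. */
struct buf { size_t length; size_t used; };

/* Hypothetical stand-in for dns_message_t. */
struct msg { size_t reserved; struct buf *buffer; };

typedef enum result (*check_fn)(struct msg *, struct buf *);

/* The check as the write-up describes it: space for the header and space
 * for msg->reserved are each tested against the whole buffer, never
 * against each other. */
static enum result renderbegin_unpatched(struct msg *m, struct buf *b) {
    size_t avail = b->length - b->used;
    if (avail < DNS_MESSAGE_HEADERLEN) return R_NOSPACE;
    if (avail < m->reserved) return R_NOSPACE;
    b->used += DNS_MESSAGE_HEADERLEN; /* header is written first */
    m->buffer = b;
    return R_SUCCESS;
}

/* A check that accounts for the header before comparing with the
 * reservation (an assumption of what a correct check looks like). */
static enum result renderbegin_hardened(struct msg *m, struct buf *b) {
    size_t avail = b->length - b->used;
    if (avail < DNS_MESSAGE_HEADERLEN) return R_NOSPACE;
    if (avail - DNS_MESSAGE_HEADERLEN < m->reserved) return R_NOSPACE;
    b->used += DNS_MESSAGE_HEADERLEN;
    m->buffer = b;
    return R_SUCCESS;
}

/* Invariant the renderer relies on afterwards: everything already written
 * plus everything reserved must still fit in the buffer. */
static int invariant_holds(const struct msg *m) {
    return m->buffer->used + m->reserved <= m->buffer->length;
}

struct sweep { int unsafe; size_t first; size_t last; };

/* Try every reservation size from 0 to max_reserved against a fresh buffer
 * and record the sizes that the check accepts although the invariant is
 * already broken on return. */
static struct sweep sweep_reserved(check_fn fn, size_t buflen, size_t max_reserved) {
    struct sweep s = {0, 0, 0};
    for (size_t r = 0; r <= max_reserved; r++) {
        struct buf b = { buflen, 0 };
        struct msg m = { r, NULL };
        if (fn(&m, &b) != R_SUCCESS) continue;
        if (!invariant_holds(&m)) {
            if (s.unsafe == 0) s.first = r;
            s.last = r;
            s.unsafe++;
        }
    }
    return s;
}

int main(void) {
    /* 512 is the response buffer size used in the write-up's walk-through. */
    struct sweep u = sweep_reserved(renderbegin_unpatched, 512, 600);
    struct sweep h = sweep_reserved(renderbegin_hardened, 512, 600);
    printf("unpatched: %d unsafe sizes, %zu..%zu\n", u.unsafe, u.first, u.last);
    printf("hardened:  %d unsafe sizes\n", h.unsafe);
    return 0;
}
```

The sweep recovers the same window the write-up states, 500 < msg->reserved <= 512, which is exactly `DNS_MESSAGE_HEADERLEN` values wide.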

4 ways to hack ATMs

  • “We have already told you about a number of hacker groups jackpotting money from ATMs. Now you can see it with your own eyes! Our experts shot four videos of ATM hack demos.”
  • Method 1: Fake processing center
    • Disconnect the network cable for the ATM, and connect it to your rogue device (a Raspberry Pi will do)
    • When the ATM asks “the bank” (your rpi) if it is OK to give the person money, always say yes
    • “The box is used to control the cash trays and send commands to the ATM, requesting money from the chosen tray. It’s as simple as that: The attacker can now use any card or input any PIN code, and the rogue transactions will look legitimate.”


  • Method 2: A remote attack on several ATMs
    • “This method involves an insider working in the target bank. The criminal purchases a key from the insider that opens the ATM chassis. The key does not give an attacker access to the cash trays, but it exposes the network cable. The hacker disconnects the ATM from the bank’s network and plugs in a special appliance that sends all of the data to their own server.”
    • “Networks connecting ATMs are often not segmented (separated for security), and ATMs themselves can be configured incorrectly. In that case, with such a device a hacker could compromise several ATMs at once, even if the malicious device is connected to only one of them.”
    • This method works when the network cables are not exposed
    • Then the rest is the same as Method 1


  • Method 3: The black box attack
    • In this attack, the bad guys directly connect their black box to the cash trays, and send them the commands to spit out the money
    • “As previously described, the attacker obtains the key to the ATM chassis and accesses it, but this time puts the machine into maintenance mode. Then the hacker plugs a so-called black box into the exposed USB port. A black box in this case is a device that allows an attacker to control the ATM’s cash trays.”
    • “While the attacker tampers with the ATM, its screen displays a service message like “Maintenance in progress” or “Out of service,” although in reality the ATM can still draw cash. Moreover, the black box can be controlled wirelessly via a smartphone. The hacker just taps a button on the screen to get the cash and then disposes of the black box to hide the evidence that the machine was compromised.”


  • Method 4: Malware attack
    • “There are two ways to infect a target ATM with malware: by inserting a malware-laced USB drive into the port (requiring the key to the ATM chassis) or by infecting the machine remotely, having first compromised the bank’s network.”
    • “If the target ATM is not protected against malware or does not employ whitelisting, a hacker can run malware to send commands to the ATM and make it dispense cash, repeating the attack until the cash trays are empty.”
    • “Of course, not all ATMs are hackable. The attacks described above are feasible only if something is misconfigured. It could be that the bank’s network is not segmented, or authentication is not required when the ATM’s software exchanges data with the hardware, or there is no whitelist for apps, or the network cable is easily accessible.”

  • So there are a number of ways to address these issues:
  • Methods 1 and 2 should normally be defeated by proper use of SSL/TLS. Of course you want the messages exchanged with the bank’s processing center to be encrypted and integrity checked (guaranteed not to have been modified by the bad guy), but TLS also provides authentication: assurance that the remote end is actually the trusted bank, not a bad guy. The ATM should have a list of trusted certificates, and refuse to process transactions with any other party.
  • Method 3 requires some way to establish trust between the ATM software and the cash box hardware. Even if the messages between the computer and the cash box were encrypted, authenticated, and integrity checked, the issue is that the private key used to ‘sign’ the messages to the cash box would need to be stored on the ATM computer. Maybe the commands to the cash box should be signed by the bank’s processing center.
  • Solving Method 4 will require software whitelisting. If the ATM will only run software signed by the trusted certificates of the bank or ATM manufacturer, then it is much harder for the bad guys to get their malware to work on the ATM.

The post Open Source Botnet | TechSNAP 287 first appeared on Jupiter Broadcasting.

The Shadow Knows | TechSNAP 282 https://original.jupiterbroadcasting.net/102761/the-shadow-knows-techsnap-282/ Thu, 01 Sep 2016 18:18:08 +0000 https://original.jupiterbroadcasting.net/?p=102761 RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: Shadow Brokers steal hacking tools from NSA linked Equation Group “On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it […]

The post The Shadow Knows | TechSNAP 282 first appeared on Jupiter Broadcasting.


Show Notes:

Shadow Brokers steal hacking tools from NSA linked Equation Group

  • “On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA.”
  • “The previously unknown group said that it broke into the cyberespionage organization known as the Equation Group and has now put the hacking tools that it acquired up for auction”
  • “In addition to selling the hacking tools to whoever would end up as the highest bidder, the Shadow Brokers said that if it will be paid 1 million bitcoins, which currently carries a value of about $568 million, the cyberweapons will be publicly released”
  • “To back up its claims, the Shadow Brokers uploaded what looks like attack code that focuses on the security systems of routers that direct computer traffic online. According to security experts, the code looks legitimate, affecting routers manufactured by three United States companies and two Chinese companies. Specifically, the companies involved are Cisco Systems, Fortinet, Juniper Networks, Shaanxi Networkcloud Information Technology and Beijing Topsec Network Security Technology.”
  • “Last year, researchers from Kaspersky Lab described the Equation Group as one of the most advanced hacking groups in the world. The compressed data that accompanied the post by the Shadow Brokers had a size of just over 256 MB and is said to contain hacking tools that are dated as early as 2010 belonging to the Equation Group”
  • Additional Coverage: The Intercept: The NSA Leak Is Real, Snowden Documents Confirm
  • “Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.”
  • This does not necessarily mean that the tools were stolen directly from the NSA, just that Shadow Brokers stole them from someone who had them. Maybe the Equation Group stole them, or maybe the NSA stole them from the Equation Group.
  • “The provenance of the code has been a matter of heated debate this week among cybersecurity experts, and while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
  • “The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.”
  • “SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.”
  • “SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware. SECONDDATE’s existence was first reported by The Intercept in 2014, as part of a look at a global computer exploitation effort code-named TURBINE. The malware server, known as FOXACID, has also been described in previously released Snowden documents.”
  • “Snowden, who worked for NSA contractors Dell and Booz Allen Hamilton, has offered some context and a relatively mundane possible explanation for the leak: that the NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. In a series of tweets, he pointed out that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files and the opportunity to embarrass the agency.”
  • Additional Coverage: SoftPedia: List of Equation Group Files Leaked by Shadow Brokers
  • The list of names is quite amusing, likely computer generated by sticking two random words together. Reminds me of a domain-name generator I wrote when I was a teenager
  • Additional Coverage: Wired: Of Course Everyone’s Already Using the Leaked NSA Exploits
  • “All of which means anyone—curious kids, petty criminals, trolls—can now start hacking like a spy. And it looks like they are.”
  • “Curious to learn if anyone was indeed trying to take advantage of the leak, Brendan Dolan-Gavitt—a security researcher at NYU—set up a honeypot. On August 18 he tossed out a digital lure that masqueraded as a system containing one of the vulnerabilities. For his experiment, Dolan-Gavitt used a Cisco security software bug from the leak that people have learned to fix with workarounds, but that doesn’t have a patch yet.”
  • “Within 24 hours Dolan-Gavitt saw someone trying to exploit the vulnerability, with a few attempts every day since. “I’m not surprised that someone tried to exploit it,” Dolan-Gavitt says. Even for someone with limited technical proficiency, vulnerable systems are relatively easy to find using services like Shodan, a search engine of Internet-connected systems. “People maybe read the blog post about how to use the particular tool that carries out the exploit, and then either scanned the Internet themselves or just looked for vulnerable systems on Shodan and started trying to exploit them that way,” Dolan-Gavitt says. He explains that his honeypot was intentionally very visible online and was set up with easily guessable default passwords so it would be easy to hack.”
  • “The findings highlight one of the potential risks that come with hoarding undisclosed vulnerabilities for intelligence-gathering and surveillance. By holding on to bugs instead of disclosing them so they can be patched, spy agencies like the NSA create a potentially dangerous free-for-all if their exploits are exposed.”
  • Additional Coverage: Softpedia: Computer Science Professor Gives Failing Grade to Newly Leaked NSA Hacking Tool
  • Additional Coverage: Stephen Checkoway: Equation Group Initial Impressions
  • Additional Coverage: @musalbas: NSA’s BENIGNCERTAIN sends IKE packets to Cisco VPNs, then parses config and private keys from the response
  • Additional Coverage: @thegrugq: speculation that the ShadowBrokers leak was from another Snowden is “completely wrong”
  • Additional Coverage: Matt Blaze

Google Login Issue Allows Credential Theft

  • Attackers can add an arbitrary page to the end of a Google login flow that can steal users’ credentials or, alternatively, send users an arbitrary file any time a login form is submitted, due to a bug in the login process.
  • A researcher in the UK identified the vulnerability recently and notified Google of it, but Google officials said they don’t consider it a security issue. The bug results from the fact that the Google login page will take a specific, weak GET parameter.
  • “Google’s login page accepts a vulnerable GET parameter, namely ‘continue’. As far as I can determine, this parameter undergoes a basic check,” Aidan Woods, the researcher who discovered the bug, wrote in an explanation of the flaw.
  • The login page checks to ensure that the parameter points to .google.com/, but doesn’t determine which Google service the parameter is pointing to.
  • “The application fails to verify the type of Google service that has been specified. This means that it is possible to seamlessly insert any Google service at the end of the login process.”
  • Using this bug, an attacker could add an extra step to the end of the login flow that could steal a user’s credentials.
  • For example, the page could mimic an incorrect password dialog and ask the user to re-enter the password. Woods said an attacker also could send an arbitrary file to the target’s browser any time the login form is submitted.
  • Exploiting the flaw should be simple: an “Attacker would not need to intercept traffic to exploit – they only need to get the user to click a link that they have crafted to exploit the bug in the continue parameter.”
  • Woods opened three separate reports with Google about the vulnerability, but to no avail.
  • In a message to Woods, Google representatives said they saw phishing as the only attack vector, and didn’t consider this a security problem.
  • “The simplest action Google can take to address this would be to remove the redirect feature at login. If they want to retain that feature and also address this problem, they need to properly validate the contents of the parameter: Google needs to make sure the values they allow can’t be abused, and validate the allowed values are also safe themselves,” Woods said.
  • “This could be done by building a whitelist of [sub-]domains, (including paths if necessary) that they wish to redirect to.”
  • Aidan Woods: Google’s Faulty Login Pages
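One way to implement the allowlist Woods suggests, shown beside a domain-only check like the one the notes describe. This is an added example, not Google's code or part of the original show notes; the hosts, paths and function names are constructed placeholders.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed allowlist: host -> path prefixes the login flow may redirect to.
# "/" means any path on that host is acceptable.
ALLOWED_DESTINATIONS = {
    "mail.example.com": ("/",),
    "accounts.example.com": ("/settings", "/security"),
}

# Constructed fallback used when the supplied value is rejected.
DEFAULT_DESTINATION = "https://accounts.example.com/settings/"


def weak_check(url: str) -> bool:
    """Domain-only check: any HTTPS host under the parent domain passes.

    This accepts every service on the domain, including ones that serve
    user-controlled content, which is the gap the notes describe.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(".example.com")


def strict_check(url: str) -> bool:
    """Allowlist check on scheme, exact host and normalized path prefix."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False

    if parts.scheme != "https" or port not in (None, 443):
        return False
    # Reject "user@host" forms, which make the visible host misleading.
    if parts.username is not None or parts.password is not None:
        return False

    host = (parts.hostname or "").lower()
    prefixes = ALLOWED_DESTINATIONS.get(host)
    if prefixes is None:
        return False

    raw_path = parts.path or "/"
    lowered = raw_path.lower()
    # Refuse encodings that could hide dot segments or separators.
    if raw_path.startswith("//") or "\\" in raw_path:
        return False
    if any(token in lowered for token in ("%2e", "%2f", "%5c")):
        return False

    # Collapse "." and ".." before comparing against the allowed prefixes.
    path = posixpath.normpath(raw_path)
    for prefix in prefixes:
        if prefix == "/" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def safe_destination(continue_url: str) -> str:
    """Return the post-login destination, falling back to a fixed default."""
    return continue_url if strict_check(continue_url) else DEFAULT_DESTINATION


if __name__ == "__main__":
    # Constructed sample values for the redirect parameter.
    samples = [
        "https://mail.example.com/inbox",
        "https://files.example.com/shared/page.html",
        "https://accounts.example.com/settings/../upload/x",
        "https://mail.example.com@other.test/",
        "http://mail.example.com/inbox",
    ]
    for url in samples:
        print(f"{url!r}: weak={weak_check(url)} strict={strict_check(url)}")
```
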

Researchers map the Netflix content delivery network, find 4669 servers

  • “When you open Netflix and hit “play,” your computer sends a request to the video-streaming service to locate the movie you’d like to watch. The company responds with the name and location of the specific server that your device must access in order for you to view the film.”
  • “For the first time, researchers have taken advantage of this naming system to map the location and total number of servers across Netflix’s entire content delivery network, providing a rare glimpse into the guts of the world’s largest video-streaming service.”
  • “A group from Queen Mary University of London (QMUL) traced server names to identify 4,669 Netflix servers in 243 locations around the world. The majority of those servers still reside in the United States and Europe at a time when the company is eager to develop its international audience. The United States also leads the world in Netflix traffic, based on the group’s analysis of volumes handled by each server. Roughly eight times as many movies are watched there as in Mexico, which places second in Netflix traffic volume. The United Kingdom, Canada, and Brazil round out the top five.”
  • “In March, Netflix did publish a blog post outlining the overall structure of its content delivery network, but did not share the total number of servers or server counts for specific sites.”
  • “Last January, Netflix announced that it would expand its video-streaming service to 190 countries, and IHS Markit recently predicted that the number of international Netflix subscribers could be greater than U.S. subscribers in as few as two years.”
  • “Steve Uhlig, the networks expert at Queen Mary University of London who led the mapping project, says repeating the analysis over time could track shifts in the company’s server deployment and traffic volumes as its customer base changes.”
  • “Traditionally, content delivery services have chosen one strategy or the other. Akamai, for example, hosts a lot of content with Internet service providers, while Google, Amazon, and Limelight prefer to store it at IXPs. However, Uhlig’s group found that Netflix uses both strategies, and varies the structure of its network significantly from country to country.”
  • “Timm Böttger, a doctoral student at QMUL who is a member of the research team, says he was surprised to find two Netflix servers located within Verizon’s U.S. network. Verizon and other service providers have argued with Netflix over whether they would allow Netflix to directly connect servers to their networks for free. In 2014, Comcast required Netflix to pay for access to its own network.”
  • “Tellingly, the group did not find any Netflix servers in Comcast’s U.S. network. As for the mysterious Verizon servers? “We think it is quite likely that this is a trial to consider broader future deployment,” Böttger says. Netflix did not respond to a request for comment.”
  • “Their search revealed that Netflix’s server names are written in a similar construction: a string of numbers and letters that include traditional airport codes such as lhr001 for London Heathrow to mark the server’s location and a “counter” such as c020 to indicate the number of servers at that location. A third element written as .isp or .ix shows whether the server is located within an Internet exchange point or with an Internet service provider.”
  • “To study traffic volumes, the researchers relied on a specific section of the IP header that keeps a running tally of data packets that a given server has handled. By issuing multiple requests to these servers and tracking how quickly the values rose, the team estimated how much traffic each server was processing at different times of the day. They tested the servers in 1-minute intervals over a period of 10 days.”
  • That counter is only 32-bit, and the larger Netflix servers push 80 gigabits per second (enough to wrap a 32-bit counter every 24 seconds).
  • “The U.K. has more Netflix servers than any other European country, and most of those servers are deployed within Internet service providers. All French customers get their films streamed through servers stationed at a single IXP called France-IX. Eastern Europe, meanwhile, has no Netflix servers because those countries were only just added to the company’s network in January.”
  • The researchers expected to see a lot more servers embedded in ISPs rather than at Internet exchanges. There are two reasons why this is not so: it would require more hardware, since machines at a specific ISP cannot service a second ISP, and many ISPs like Comcast are resisting accepting Netflix CDN boxes.
  • “In March, the company said it delivers about 125 million total hours of viewing to customers per day. The researchers learned that Netflix traffic seems to peak just before midnight local time, with a second peak for IXP servers occurring around 8 a.m., presumably as Netflix uploads new content to its servers.”
  • See Netflix and Fill – BSDNow 157 for more on how Netflix runs their FreeBSD powered CDN.

Metaphorically Exploited | TechSNAP 258 https://original.jupiterbroadcasting.net/97786/metaphorically-exploited-techsnap-258/ Thu, 17 Mar 2016 16:40:16 +0000 https://original.jupiterbroadcasting.net/?p=97786 The theoretical Android flaw becomes reality, a simple phishing scam hits some major companies & why your PIN has already been leaked. Plus great questions, our answers, a rocking round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG […]

The post Metaphorically Exploited | TechSNAP 258 first appeared on Jupiter Broadcasting.


The theoretical Android flaw becomes reality, a simple phishing scam hits some major companies & why your PIN has already been leaked.

Plus great questions, our answers, a rocking round up & much, much more!


Show Notes:

W2 Phishing scams hit a number of companies

  • “Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists”
  • “Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.””
  • “Moneytree was apparently targeted by a scam in which the scammer impersonated me (the company co-founder) and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.”
  • Why that would even be a reasonable request, I don’t know
  • “Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”
  • Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February. Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.
  • “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam. The information was sent by an employee who believed the phishing email was a legitimate internal company request.”
  • “W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.”
  • “For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the difference between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).”
  • ““When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong. To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again”.”

New exploit developed for Android Stagefright

  • “Security researchers have successfully exploited the Android-based Stagefright bug and remotely hacked a phone, which may leave millions of devices vulnerable to attack.”
  • “Israeli software research company NorthBit claimed it had “properly” exploited the Android bug that was originally described as the “worst ever discovered”.”
  • “The exploitation, called Metaphor, is detailed in a research paper (PDF) from NorthBit and also a video showing the exploit being run on a Nexus 5. NorthBit said it had also successfully tested the exploit on a LG G3, HTC One and Samsung Galaxy S5.”
  • “The Stagefright vulnerability was first highlighted by security firm Zimperium in July 2015. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.”
  • “A second critical vulnerability exploited issues in .mp3 and .mp4 files, which when opened were claimed to be able to remotely execute malicious code, was dubbed Stagefright 2.0 in October.”
  • The flaws were originally thought to not be easily exploitable, but this new research provides a simple remote exploit case
  • “The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected.”
  • Android 5.0 and above are protected by ASLR, however “Dabah claims the exploit “depicts a way to bypass” address space layout randomisation (ASLR)”
  • ““We managed to exploit it to make it work in the wild,” Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations.””
  • ““I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem.””
  • Researcher PDF
  • I am glad my phone runs Android 6.0.1 with the March 2016 Security Updates applied

PIN analysis

  • “There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?”
  • “People are notoriously bad at generating random passwords. I hope this article will scare you into being a little more careful in how you select your next PIN number. Are you curious about what the least commonly used PIN number might be?”
  • “I was able to find almost 3.4 million four digit passwords. Every single one of the 10,000 combinations of digits from 0000 through to 9999 were represented in the dataset”
  • “A staggering 26.83% of all passwords could be guessed by attempting the top 20 combinations”
  • “The first “puzzling” password I encountered was 2580 in position #22. What is the significance of these digits? Why should so many people select this code to make it appear so high up the list?”
  • This turns out to be straight down the middle of a telephone-style number pad. Not the same as on a computer, but most ABMs use the telephone style.
  • “Another fascinating piece of trivia is that people seem to prefer even numbers over odd, and codes like 2468 occur higher than an odd number equivalent, such as 1357”
  • “Statistically, one third of all codes can be guessed by trying just 61 distinct combinations! The 50% cumulative chance threshold is passed at just 426 codes (far less than the 5,000 that a random uniform distribution would predict)”
  • The most unpopular PIN is: 8068
  • “Warning: Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.”
  • “Many of the high frequency PIN numbers can be interpreted as years, e.g. 1967 1956 1937 … It appears that many people use a year of birth (or possibly an anniversary) as their PIN. This will certainly help them remember their code, but it greatly increases its predictability”
  • PINs that start with 19 dominate the top 10%, and all appear within the top 20%
  • The heatmap also shows that people tend to use birthdays a lot as well (MMDD)

OMG the Internet! | WTR 20 https://original.jupiterbroadcasting.net/79712/omg-the-internet-wtr-20/ Wed, 01 Apr 2015 01:42:04 +0000 https://original.jupiterbroadcasting.net/?p=79712 Liz Abinante began her journey at the age of 12 and is now a software engineer at New Relic! She also funded her way through school by selling knitting patterns! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | […]

The post OMG the Internet! | WTR 20 first appeared on Jupiter Broadcasting.


Liz Abinante began her journey at the age of 12 and is now a software engineer at New Relic! She also funded her way through school by selling knitting patterns!


Show Notes:

Full transcription of previous episodes can be found at heywtr.tumblr.com

Beastly Infrastructure | BSD Now 56 https://original.jupiterbroadcasting.net/67602/beastly-infrastructure-bsd-now-56/ Thu, 25 Sep 2014 10:52:48 +0000 https://original.jupiterbroadcasting.net/?p=67602 This week we’re on the other side of the Atlantic, attending EuroBSDCon. For now, we’ve got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It’s an inside look that you probably won’t hear about anywhere else! We’ll also get to a couple of your emails today, and be back next […]

The post Beastly Infrastructure | BSD Now 56 first appeared on Jupiter Broadcasting.


This week we’re on the other side of the Atlantic, attending EuroBSDCon. For now, we’ve got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It’s an inside look that you probably won’t hear about anywhere else! We’ll also get to a couple of your emails today, and be back next week with all the usual goodies, on BSD Now – the place to B.. SD.


– Show Notes: –

Interview – Peter Wemm – peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure


Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • We’ll be back next week from EuroBSDCon, hopefully with some great interviews, come and say hi to us!

Dead Desktop Walking | LINUX Unplugged 59 https://original.jupiterbroadcasting.net/67432/dead-desktop-walking-lup-59/ Tue, 23 Sep 2014 17:05:16 +0000 https://original.jupiterbroadcasting.net/?p=67432 Debian moves to make Gnome the default desktop, is XFCE going the way of the Dodo bird? Our living debate will try to get to the bottom of the big elephant in the room. Plus Red Hat announces its refocusing on the very thing Canonical makes all its money from & why we may be […]

The post Dead Desktop Walking | LINUX Unplugged 59 first appeared on Jupiter Broadcasting.


Debian moves to make Gnome the default desktop, is XFCE going the way of the Dodo bird? Our living debate will try to get to the bottom of the big elephant in the room.

Plus Red Hat announces its refocusing on the very thing Canonical makes all its money from & why we may be on the precipice of a massive new competition between the two companies.


Show Notes:

Pre-Show:

rakudave gives us a TL;DR, translated:

The deputy mayor’s main complaint is that there’s no convenient way to access mails and appointments on mobile devices, apparently confusing LiMux (the desktop OS) with the current groupware migration to Kolab Enterprise[1], which is still ongoing and targets all platforms (Windows/LiMux/Mobile), as opposed to the old system.

He then goes on to say that he doubts that the public sector can keep up to date and that the software is “years behind the latest version”, ignoring the fact that most of the other cities still rely on XP. The only valid part of these objections seems to be that LiMux is still based on Ubuntu 10.04 & KDE 3.5; however, an update is scheduled for Q4 of this year (OpenOffice -> LibreOffice, Ubuntu LTS, KDE 4).

FU:

The Google Security Team discovered a buffer overflow vulnerability in the HTTP transport code in apt-get. An attacker able to man-in-the-middle a HTTP request to an apt repository can trigger the buffer overflow, leading to a crash of the ‘http’ apt method binary, or potentially to arbitrary code execution.


Red Hat: We want to be “undisputed leader” in the cloud

“The competition is fierce, and companies will have several choices for their cloud needs,” Whitehurst acknowledged. “But the prize is the chance to establish open source as the default choice of this next era, and to position Red Hat as the provider of choice for enterprises’ entire cloud infrastructure.”

To get there, Whitehurst says Red Hat will focus on three key offerings — its CloudForms management platform, its OpenShift PaaS, and OpenStack. However its Jboss middleware and storage solutions will also play a role, helping Red Hat to deliver as much infrastructure as it can.

Red Hat’s renewed cloud focus doesn’t mean it will pay any less attention to Linux. It’s just that the greatest challenge lies in the data center itself.

Red Hat CEO announces a shift from client-server to cloud computing | ZDNet

They both have excellent reasons for seeing it this way. With the exception of Microsoft Azure, all other cloud platforms rely on Linux and open source software. Amazon’s cloud services, for example, run on top of Red Hat Enterprise Linux.

So neither Linux leader is walking too far away from Linux. Shuttleworth, for example, is quite proud that Ubuntu is the leading Linux OS on OpenStack. Whitehurst was quick to note that “Red Hat Enterprise Linux is easily the best operating platform in the world, counting more than 90 percent of the Fortune 500 as customers.”

Oracle and Canonical collaborate on support for Oracle Linux on Ubuntu | Ubuntu Insights

As part of this collaboration, Canonical will support Ubuntu as a guest OS on Oracle Linux OpenStack, and Oracle will support Oracle Linux as a guest OS on Ubuntu OpenStack. Canonical will test Oracle Linux as a guest OS in its OpenStack Interoperability Lab (OIL) program. This gives customers the assurance the configuration is tested and supported by both organisations.

Oracle said in its blog post: “It is important for us to provide choice and interoperability around OpenStack. Oracle and Canonical are committed to supplying interoperability by supporting Oracle Linux on Ubuntu OpenStack. Our goal is to continue to provide customers with the best-in-class products and solutions and a great customer experience.”

Mark Shuttleworth » Blog Archive » #8 – Ubuntu makes useful guarantees on every cloud

Every cloud behaves differently — both in terms of their architecture, and their economics. When we engage with the cloud operator we figure out how to ensure that Ubuntu is “optimal” on that cloud. Usually that means we figure out things like storage mechanisms (the classic example is S3 but we have to look at each cloud to see what they provide and how to take advantage of it) and ensure that data-heavy operations like system updates draw on those resources in the most cost-efficient manner. This way we try to ensure that using Ubuntu is a guarantee of the most cost-effective base OS experience on any given cloud.

Is XFCE a Zombie Project?

Debian switched to Xfce as the default desktop environment back in November 2013. But that didn’t last long because a few days ago, Debian restored GNOME as the default desktop, based on preliminary results from the Debian Desktop Requalification for Jessie.

According to Joey Hess, the Debian developer who performed this change, the main reasons for Debian switching back to GNOME as the default desktop are related to accessibility and systemd integration.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

Post-Show

The post Dead Desktop Walking | LINUX Unplugged 59 first appeared on Jupiter Broadcasting.

Meet the Dockers | LINUX Unplugged 16 https://original.jupiterbroadcasting.net/46957/meet-the-dockers-lup-16/ Tue, 26 Nov 2013 18:02:01 +0000 https://original.jupiterbroadcasting.net/?p=46957 A new version of Docker was just released, we bring on the CTO and Founder of Docker to chat about the big features all Linux users can look forward to.

The post Meet the Dockers | LINUX Unplugged 16 first appeared on Jupiter Broadcasting.


A new version of Docker was just released, and we bring on the CTO and Founder of Docker to chat about the big features all Linux users can look forward to.

Plus building the perfect Linux workstation, your feedback, and much more!

Thanks to:

Ting

DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Show Notes:

FU

Go Dock Yourself

Docker 0.7 is finally here! We hope you’ll like it. On top of countless bug fixes and small usability improvements, it introduces 7 major features since 0.6.0

Docker is a powerful tool for many different use cases. Here are some great early use cases for Docker, as described by members of our community.

This hands-on tutorial is 100% online, so you don’t need to install a thing. In about 10-15 minutes you’ll be familiar with the basic Docker commands.

Mail Sack:

Amazon’s Secrets | TechSNAP 49 https://original.jupiterbroadcasting.net/18002/amazons-secrets-techsnap-49/ Thu, 15 Mar 2012 18:35:54 +0000 https://original.jupiterbroadcasting.net/?p=18002 Secrets about Amazon’s EC2 back-end have been revealed, and we’ll share them with you, and important details on a critical Microsoft patch.

The post Amazon’s Secrets | TechSNAP 49 first appeared on Jupiter Broadcasting.


Microsoft has released an extremely critical patch, and the race against hackers has begun. We’ll give you the details on this important update.

Secrets about Amazon’s EC2 back-end have been revealed, and we’ll share them with you.

Plus, this week’s war story is a real pisser, urine for a treat!

All that and more, on this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Super special savings for TechSNAP viewers only. Get a .co domain for only $7.99 (regular $29.99, previously $17.99). Use the GoDaddy Promo Code cofeb8 before the end of March to secure your own .co domain name for the same price as a .com.

Private Registration use code: march8

Pick your code and save:
cofeb8: .co domain for $7.99
techsnap7: $7.99 .com
techsnap10: 10% off
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Show Notes:

Microsoft releases patch for RDP vulnerability, recommends everyone patch immediately

  • Microsoft has released a major security update to fix two critical vulnerabilities in the Remote Desktop Protocol (formerly Terminal Services), CVE-2012-0002 and CVE-2012-0152
  • The first vulnerability concerns the way RDP accesses memory that has been improperly initialized or deleted. It allows an attacker to send specially crafted packets to the RDP service and cause attacker-supplied code to be executed on your machine. This means the attacker can install a trojan, add fully privileged users, access or modify data, and otherwise take over your machine
  • The second vulnerability is a denial of service vulnerability in the way RDP processes packets, where an attacker who exploits the vulnerability can cause the RDP service to stop responding, thereby locking all RDP users out of the machine
  • The vulnerability affects every version of Windows, and Microsoft has released patches for all supported versions of Windows (Windows XP SP3, XP x64 SP2, Vista SP2, Windows 7 SP1, Server 2003 SP2, Server 2008 SP2, Server 2008 R2 SP1, Server 2003/2008/2008R2 for Itanium, and all ‘Core’ versions of Windows Server). Windows 8 Developer Preview is also affected.
  • Official Microsoft Security Bulletin MS12-020
  • List of March updates
  • The Race for MS12-020

Amazon AWS powered by nearly half a million servers

  • Just like Google and others, Amazon does not publish details about its infrastructure; however, researchers have made an educated guess that Amazon has no fewer than 454,400 servers spread between its 7 data center regions
  • Based on estimates generated by analyzing IP address space utilization, Amazon has approximately 5000 racks full of servers in the various data centers that make up the US-EAST region, representing over 70% of all Amazon Cloud capacity
  • By contrast, it is estimated that the most expensive US-WEST location in Oregon has only 40–50 racks, which are known to be deployed in containers
  • The article contains more details about the estimate methodology and some contrary evidence
  • Amazon data center size
  • Amazon suffers multiple outages over the past week. March 10: 57 minutes, March 15: 20 minutes TarSNAP creator

Are multiword pass phrases actually more secure?

  • Is it better to use an easier-to-remember multi-word pass phrase, or a random string?
  • Research into the topic has been spurred by the simple fact that auto-complete of dictionary words would simplify entering multi-word pass phrases on mobile devices
  • Research into the advantages of multi-word pass phrases covers some analysis of how users choose random phrases and how they can introduce weakness into their passwords. The research focuses on data provided from the now-defunct Amazon PayPhrase
  • Research from Cambridge University suggests multi-word pass phrases are still vulnerable to dictionary attacks
  • Coverage from Bruce Schneier
  • “even 5-word phrases would be highly insecure against offline attacks, with fewer than 30 bits of work compromising over half of users”
  • Using a sentence makes the password more predictable; it is better to use random words

Feedback:

Reminder: BSDCan is in Ottawa May 11th and 12th at the University of Ottawa
Talks will include:
+ Unified Deployment and Configuration Management
+ Virtually-Networked FreeBSD Jails
+ pfSense 2.1: IPv6 and more
+ Intro to DNSSEC
+ Crowdsourcing security
+ Fast reboots with kload
+ Optimizing ZFS for Block Storage
+ and the BSD-A

War Story:

At one point in my tech support career I managed to get myself transferred onto “Mobiles Gold” which was basically laptop support for corporate customers like Insurance companies. It was a more prestigious position but turned out to have less call volume and when a call did come in, I was only required to work out if the problem was hardware or software. Hardware issues were sent to service sites and software issues were sent to onsite technicians for replacements while reloads were done. Too simple, too boring and I frequently found myself listening to calls from people around me to stay amused.

Thanks to my lack of work at one point I picked up on the following call:

Agent: Ok Sir, when did you first notice that the keyboard on your Aptiva (desktop PC) has stopped working?

User: Eh, it was this mornin’ right after breakfast.

Agent: Have you changed any software or hardware settings recently?

User: I don’t think so. It was working fine last night but today it does nothing.

Agent: Would you happen to have another keyboard in the house that we could try instead?

User: Well, now that I think about it, I might have one in the garage. I’ll be right back.

At this point, the agent started typing up the case in the ticketing tool to save time later but was interrupted by a woman’s voice on the phone.

Woman: Uh, hello? Is anybody there?

Agent: Yes, I’m with IBM Tech Support Ma’am. I’m waiting for the man who called to return.

User: Ok, that’s my husband. Is his computer thingy not working no more?

Agent: No Ma’am. The keyboard appears to be faulty.

Woman: Well, that might be my fault. Since my husband bought that damn computer he’s been paying less and less attention to me. We had a big set to after dinner last night and when he stormed off in his truck….I peed on his keyboard!

Agent: Thank you for that Ma’am, that will definitely help me with diagnosing the problem.

Woman: That’s good. I hope it helps.

Over the next few minutes, the agent had time to think of how to approach this issue with the user and had a devious look on his face before long.

User: Hi there, you were right. The other keyboard works perfectly. Can you send me out a replacement keyboard?

Agent: Yes sir, that won’t be a problem. I just need your credit card details first.

User: Why do you need my credit card details. This computer is only a month old!

Agent: Because I need to bill you for the replacement as your warranty does not cover urination.

I’m sure there was more after that but I was too busy rolling around on the floor laughing to have heard any of it.


Round-Up:

Second Wave | STOked 110 https://original.jupiterbroadcasting.net/16926/second-wave-stoked-110/ Mon, 13 Feb 2012 22:12:52 +0000 https://original.jupiterbroadcasting.net/?p=16926 Al Rivera, STO's Lead Game Designer joins STOked this week to bust some rumors, chat new ships, console changes, featured episode tech, and much more!

The post Second Wave | STOked 110 first appeared on Jupiter Broadcasting.


Al Rivera, STO’s Lead Game Designer joins STOked this week to bust some rumors, chat new ships, console changes, featured episode tech, and much more!

PLUS: Chris gives you his first take on the Second Wave, the first episode of the new “The 2800” featured series.

Direct Download Links

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Show Notes:

Topic for next week:

Dan Stahl returns as Executive Producer

The 2800:

Links:

Google Server Secrets | TechSNAP 17 https://original.jupiterbroadcasting.net/10923/google-server-secrets-techsnap-17/ Thu, 04 Aug 2011 22:13:35 +0000 https://original.jupiterbroadcasting.net/?p=10923 Find out what consumer NAS is shipping with an encryption backdoor, and we share details about Google’s super secret million servers strong infrastructure!

The post Google Server Secrets | TechSNAP 17 first appeared on Jupiter Broadcasting.


Find out what consumer storage device is shipping with an encryption backdoor, and we share details about Google’s super secret million servers strong infrastructure.

AND – How Chris lost $1k in bitcoins!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Show Notes:

Verbatim’s Crypto NAS has unexplained second key

  • As we have discussed before, the only ‘secure’ way to ensure that encrypted data is recoverable if the encryption key is lost is to encrypt it to a second key, a ‘recovery agent’
  • The important fact here is that Verbatim does this without your consent, and there is no way to turn it off
  • This means that if you lose your key, you can call Verbatim and they will decrypt your files for you. Nice feature…
  • A rogue employee at Verbatim could also decrypt your data
  • An attacker could steal or guess the Verbatim key, giving them access to EVERY Verbatim crypto NAS device
  • The government could have Verbatim decrypt your data against your will, or without your knowledge

Study estimates Google has around 900,000 servers

  • Based on Google’s energy use, compared to all other data centers in the world, and factoring in that Google uses custom-built, highly efficient servers, it is estimated they have as many as 1 million servers
  • Google’s newly designed management system is built to be able to manage up to 10 million machines

Chris loves this book: In The Plex: How Google Thinks, Works, and Shapes Our Lives


The Massachusetts lottery can be gamed for a guaranteed payout

  • The way the rules are structured, if the lottery jackpot builds up to over $2 million, then they commence what are known as ‘rolldown weeks’. These weeks increase the payouts of minor jackpots, meaning if you buy enough tickets to increase your odds of winning, you can be assured a profit
  • It is estimated that if you buy 200,000 of the $2 tickets, during 4 rolldown weeks a year, your payout would be between 1.8 and 4 million dollars, without ever winning the actual jackpot (which has only ever been won once)
  • The state lottery commission has known about this flaw for years, but has only recently started to enforce new rules after the stories started to get press

Pakistan passes new Internet monitoring law, bans encryption and VPNs

  • How will this affect Pakistani users of services like Gmail, which require SSL encryption for authentication?
  • Will this cause the creation of more tools designed to mask encryption, for example with steganography or masking data transfer as DNS requests?
  • A copy of the proposed law

What are the requirements for true Freedom in the Cloud

  • Right to restrict Access – The user must be able to prevent the provider from reading their data
  • Freedom to leave, but not lose – Users must be able to export all of their data and move it to a different service
  • Open Standards – In order to be able to interact with your data, as well as import and export data, there must be open standards for interacting and transferring data
  • Transparent Privacy Policies – Most users will never read a 20-page privacy policy; there must be a legible and easily understood list of what the provider is and is not allowed to do with your data
  • No change of policy without explicit consent – If the provider can just change the policy, and it is up to you to notice this change, you can never be safe from the whim of the provider
  • We have seen many of these problems with services such as Dropbox, which does not comply with most of these requirements. You cannot stop Dropbox from accessing your data; they encrypt it only with their own key. There are no open standards for Dropbox; when an open source project started an alternate client, it was promptly sent a DMCA notice. And Dropbox has on numerous occasions changed its privacy policy and terms of service without informing its users, requesting the users’ consent, or explicitly stating what was changing in the policy.

TOSBack | The Terms-Of-Service Tracker


Round-Up:

Bitcoin Blaster:

STO Open Beta Report & Game Video Capture Tip | STOked S01E19 https://original.jupiterbroadcasting.net/1604/sto-open-beta-report-game-video-capture-tip-stoked-s01e19/ Tue, 19 Jan 2010 10:03:26 +0000 https://original.jupiterbroadcasting.net/?p=1604 We cover the latest Star Trek Online developments from Open Beta, go over the different subscription plans and if they are a good deal.

The post STO Open Beta Report & Game Video Capture Tip | STOked S01E19 first appeared on Jupiter Broadcasting.


STOked Season 1 Episode 19: We cover the latest Star Trek Online developments from Open Beta, go over the different subscription plans and if they are a good deal.

Plus we reflect on our trip to Cryptic, the makers of Star Trek Online.

Then we give you a quick tip on capturing video of your gameplay with WeGame!

Our STOked App:

STOked App Grab the STOked iPhone/iPod App and download STOked plus bonus content on the go!

STOked019-S01E19

NEWS:
Lifetime / Yearly / Monthly Prices Announced
1-Month Recurring USD: 14.99 CAD: 16.49 GBP: 8.99 EUR: 12.99 DKK: 82.45
3-Month Recurring USD: 47.97 CAD: 46.17 GBP: 25.17 EUR: 35.97 DKK: 230.84
6-Month Recurring USD: 77.94 CAD: 85.73 GBP: 46.14 EUR: 65.94 DKK: 428.67


For those who pre-ordered:

$239.99 - USD
Lifetime Access to Star Trek Online
Playable Borg (fully customizable in character creator) 
2 Additional Character Slots

$119.99/yr - USD
Annual recurring subscription locked in at the discount price
2 Additional Character Slots

Playable Borg Details:
Q: What are the playable Borg’s in-game traits?
A: The Liberated Borg begins with the following two traits. You can select another two traits from a general list.
Borg Nanites: +10% Health Regeneration
Description: Ground Trait. Constantly regenerates shields and health.

Efficient: +5 Starship Shield Efficiency, +5 Starship Engine Efficiency, +5 Starship Energy Weapon Efficiency, +5 Starship Auxiliary Systems Efficiency
Description: Space Trait. Provides a bonus to efficiency stats, improving the effectiveness of many of your power management abilities.

The Liberated Borg also has a unique optional trait. 

Neural Blast: 30 second debuff. Drastically reduces run speed. Every 4 seconds Neural Blast has a 40% chance to hold the target for 3 seconds.
Description: Activatable Ground Trait. Inject the target with neural toxins, which continually attempt to hold the target for the duration. Also reduces the target's movement speed.

OUR TRIP TO CRYPTIC:

  • Jeremy and Chris visit Cryptic Studios, we report!

jupiterforce.org is active!


  • There is a "Home Page" containing content we haven't had time to modify yet.
  • www.jupitercolony.com to discuss the show's content

OPEN BETA REPORT:

  • Our reactions to beta (no NDA now!)
  • Etc
  • Server capacity reached!

Most of Saturday, and on/off this morning, the STO servers were popping up a "Server is Busy, please try again later" box.

It was announced that this was due to the hard-coded server capacity limits they've put in place, based on hardware performance.


  • No hard numbers on what that cap is, but I'd imagine it's quite high (like Bryan's ego).
  • You can keep clicking and sneak in when someone else logs off/disconnects.
  • Relatively stable performance under such a load!  (No worse than the rest of the week was)
  • We warned them... Silly Cryptic!

QUICK TIP:


