If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today!

Plus we dig through the Sony hack, answer a ton of great question & a rocking roundup!

Thanks to:

• Get Paid to Write for DigitalOcean

Become a supporter on Patreon:

— Show Notes: —

Reinventing Computers And The Internet From Scratch, For The Sake Of Security

• DARPA funded research is looking at how we might design the Internet if we had to do it over again
• Many decisions that were made 30 and 40 years ago when UNIX and TCP/IP were designed, may be done differently today
• The overall project has a number of sub-projects:
  • CRASH – Clean-Slate Design of Resilient, Adaptive, Secure Hosts
  • MRC – Mission-Oriented Resilient Clouds
  • CTSRD – Clean Slate Trustworthy Secure Research and Development (Custard)
• BERI: Bluespec Extensible RISC Implementation: a open-source hardware-software research and teaching platform: a 64-bit RISC processor implemented in the high-level Bluespec hardware description language (HDL), along with compiler, operating system, and applications
• CHERI: capability hardware enhanced RISC instructions: hardware-accelerated in-process memory protection and sandboxing model based on a hybrid capability model
• TESLA: temporally enforced security logic assertions: compiler-generated runtime instrumentation continuously validating temporal security properties
• SOAAP: security-oriented analysis of application programs: automated program analysis and transformation techniques to help software authors utilize Capsicum and CHERI features
• The goal is to design newer secure hosts and networks, without having to maintain backwards compatibility with legacy systems, the biggest problem with changing anything on the Internet
• This is why there are still things like SSLv3 (instead of just TLS 1.2+), why we have not switched to IPv6, and why spam is still such a large problem
• I for one would definitely like to replaced SMTP, but no one has yet devised a plan for a system that the world could transition to without breaking legacy email while we wait for the rest of the world to upgrade
• “Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.””
• For performance reasons, when hardware and programming languages were designed 30 and 40 years ago, it was decided that security would be left up to the programmer
• The CHERI project aim to change this, by implementing ‘Capabilities’, a sandboxing and security mechanism into the hardware, allowing the hardware rather than the software to enforce protections, preventing unauthorized access or modification of various regions of memory by malicious or compromised applications.
• CHERI, and the software side of the project, Capsicum, are based on FreeBSD, but are also being ported to Linux, where Google plans to make extensive use of it in its Chrome and Chromium browsers.
• Additional Coverage

Sony Internal Network Hacked

• No, this is not Episode 3 of TechSNAP, Sony was hacked, again
• Hackers identifying the selves as Guardians of Peace (GOP) claim to have stolen as much as 100TB of data from Sony
• One questions how they managed to exfiltrate such a huge amount of data without being noticed. A full 1 GBPS internet connection would have to run at full capacity for 10 days to move that much data. It seems a lot of the data was likely compressible, but unreleased movies etc would not be
• At this point, only about 40GB of data has been leaked, mostly internal documents
• “The data dump includes employee criminal background checks, salary negotiations, and doctors’ letters explaining the medical rationale for leaves of absence. There are spreadsheets containing the salaries of 6,800 global employees, along with Social Security numbers for 3,500 U.S. staff. And there is extensive documentation of the company’s operations, ranging from the script for an unreleased pilot written by Breaking Bad creator Vince Gilligan to the results of sales meetings with local TV executives.”
• When will companies learn that a spread sheet is not a secure place to store sensitive information
• In a memo to Employees Sony Pictures Entertainment chiefs Michael Lynton and Amy Pascal said “While we are not yet sure of the full scope of information that the attackers have or might release, we unfortunately have to ask you to assume that information about you in the possession of the company might be in their possession,”
• Additional Coverage – CNET – 47,000 Social Security Numbers leaked, Celebrity Data included
• Additional Coverage – Sony Employees receive email threats: “your family will be in danger”
• Additional Coverage – BuzzFeed – Inside the Sony Data
• Additional Coverage – Gizmodo – Sony hack worse than thought
• Additional Coverage – Washington Post
• Additional Coverage – Edgadget
• Additional Coverage – The Verge
• George Clooney predicted the Sony Hack in December (in a now leaked email)
• Additional Coverage – BitDefender – Take Aways from the Sony Hack
• Additional Coverage – ArsTechnica – Attackers also stole certificates to sign malware

Feedback:

• Jupiter Dev Summit on Monday the 15th

• Remotely activate/disable firewall rules?

• AuthPF (works, especially remotely)

• FreeNAS/ZFS Filesystem Relationships

• Screenshot

• Naming software bugs like storms

• [ways to use as much bandwidth a possible? ](https://www.reddit.com/r/techsnap/comments/2oftzo/ways_to_use_as_much_bandwidth_a_p
  ossible/)

• Malware Authorship Language

• 31C3 – The 31st Chaos Communication Congress Who will be there?

Round Up:

• Sony hack: Studio Tries to Disrupt Downloads of its Stolen Files
• Brian Krebs interviewed on 60 Minutes
• Reset Linux Root Password
• Payment Processor “Charge Anywhere” transmitted some data in plain text, finds malware on their network stealing the data
• Apple CoreGraphics framework on OS X 10.10 logging input data to /tmp directory
• Fabrice Bellard (FFMPEG, QEMU, etc) introduces BPG, a replacement for JPG based on HEVC, better image quality in smaller size. Javascript based decoder means all browsers can render the images already
• Ron Wyden (D-OR) Introduces bill to prevent FBI backdoors — “The Secure Data Act would ban agencies from making manufacturers alter their products to allow easier surveillance or search”
• Man arrested for trying to sell detailed plans for next US Air Craft Carrier to Egypt
• DMCA should be altered to allow tinkering with hardware
• Flaw in Mantis bug tracker allow attackers and spammers to bypass captchas
• Keurig 2.0 Genuine K-Cup Spoofing Vulnerability
• Why you should only trust open source for your sensitive emails

The post Signed by Sony | TechSNAP 192 first appeared on Jupiter Broadcasting.

Google announces their own domain name management service, the Internet of things has arrived, and it’s already been hacked. We’ll chat about the Nest thermostats rooting, Google buying Dropcam and more.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a Tech Talk Today supporter on Patreon:

Show Notes:

— Headlines —

Google Begins Testing Domain Registrations

When Google Domains launches to the public, you’ll be able to buy and sell domains through the service. Unlike some other domain registration offerings, Google won’t charge you extra to register your domain privately. You’ll be able to create up to 100 email addresses on the domain and as many as 100 customized sub-domains. Google Domains will also use the company’s own DNS servers, so visitors should get a snappy response time when they hit up your site.

GTV Hacker » Google Nest: Exploiting DFU For Root

Today, popular Google TV hacking site GTV Hacker, announces it has hacked the device to enable the booting of unsigned code. If you own a Nest, hackers could have a backdoor into your home.

By leveraging the device’s DFU mode to boot unsigned code at the boot-loader level.

The attack on the Nest thermostat is simple, we use the device’s recovery mode to run our own modified boot-loader (stage one and two). We then use our loaded boot-loaders to initiate a Linux kernel that is used to modify the file system on the Nest. We then add a SSH server running as root as well as functionality to create a reverse SSH tunnel to a specified host using the Nest’s virtual drive.

They found this “feature” back in November 2013, and mentioned it publicly on December 5th, 2013 (see this tweet). Initially, we planned on releasing our findings at a conference this summer (along with new root methods for the Chromecast and Roku), but our talk was declined. Their loss!

They will, however, be speaking this year at DEF CON 22! Our talk, entitled Hack All The Things: 20 Devices in 45 Minutes, will feature unreleased exploits for 20 devices being released in a 45 minute period. If you are in Las Vegas this August, make sure to stop in!

If you are a Nest user, I probably wouldn’t panic yet. It seems the hacker would need physical access to the device, which limits the risk. However, a devious person could exploit it while in your home and then control it remotely later. Hopefully Google can release an update to make the thermostat more secure and block the exploit.

Nest Labs Joins Race to Define Platform for the Internet of Things

Last Friday, Nest moved to broaden its reach in the home, buying a fast-growing maker of Internet-connected video cameras, DropCam, for $555 million. And on Tuesday, Nest is expected to announce a software strategy backed by manufacturing partners and a venture fund from Google Ventures and Kleiner Perkins Caufield & Byers.

Whirlpool and Nest, Mr. Dibkey said, have worked together for more than year to develop a few applications. One allows a Whirlpool clothes dryer and a Nest thermostat to work together to conserve energy and save money. The thermostat detects a local utility’s peak load times, when electricity is most expensive. It sends a signal to the dryer to run on a cooler, slower drying cycle at those times.

In a Jawbone application, the company’s activity-monitoring wristband detects when a person gets up on a winter morning. It then sends a message to the Nest thermostat, telling it to heat up the house

Nest’s Internet of Things strategy will be backed by the Thoughtful Things Fund, a venture capital fund created by Google Ventures and Kleiner Perkins.

Google I/O 2014

How to Watch Google I/O 2014 Keynote Livestream

Google I/O 2014 runs from June 25 to 26. If you are interested in watching the Google I/O 2014 keynote as a livestream, you have a couple of options.

The post Nest Root Attack | Tech Talk Today 14 first appeared on Jupiter Broadcasting.

We\’ll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we\’ve got a tutorial on how to run your own NTP server. News, your feedback and even… the winner of our tutorial contest! It\’s a big show, so stay tuned to BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD foundation\’s 2013 fundraising results

• The FreeBSD foundation finally counted all the money they made in 2013
• $768,562 from 1659 donors
• Nice little blog post from the team with a giant beastie picture
• \”We have already started our 2014 fundraising efforts. As of the end of January we are just under $40,000. Our goal is to raise $1,000,000. We are currently finalizing our 2014 budget. We plan to publish both our 2013 financial report and our 2014 budget soon.\”
• A special thanks to all the BSD Now listeners that contributed, the foundation was really glad that we sent some people their way (and they mentioned us on Facebook)

OpenSSH 6.5 released

• We mentioned the CFT last week, and it\’s finally here!
• New key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein\’s Curve25519 (now the default when both clients support it)
• Ed25519 public keys are now available for host keys and user keys, considered more secure than DSA and ECDSA
• Funny side effect: if you ONLY enable ed25519 host keys, all the compromised Linux boxes can\’t even attempt to login
• New bcrypt private key type, 500,000,000 times harder to brute force
• Chacha20-poly1305 transport cipher that builds an encrypted and authenticated stream in one
• Portable version already in FreeBSD -CURRENT, and ports
• Lots more bugfixes and features, see the full release note or our interview with Damien
• Work has already started on 6.6, which can be used without OpenSSL!

Crazed Ferrets in a Berkeley Shower

• In 2000, MWL wrote an essay for linux.com about why he uses the BSD license: \”It’s actually stood up fairly well to the test of time, but it’s fourteen years old now.\”
• This is basically an updated version about why he uses the BSD license, in response to recent idiocy from Richard Stallman
• Very nice post that gives some history about Berkeley, the basics of the BSD-style licenses and their contrast to the GNU GPL
• Check out the full post if you\’re one of those people that gets into license arguments
• The takeaway is \”BSD is about making the world a better place. For everyone.\”

OpenBSD on BeagleBone Black

• Beaglebone Blacks are cheap little ARM devices similar to a Raspberry Pi
• A blog post about installing OpenBSD on a BBB from.. our guest for today!
• He describes it as \”everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black\”
• It goes through the whole process, details different storage options and some workarounds
• Could be a really fun weekend project if you\’re interested in small or embedded devices

This episode was brought to you by

Interview – Ted Unangst – tedu@openbsd.org / @tedunangst

OpenBSD\’s signify infrastructure

Tutorial

Running an NTP server

News Roundup

Getting started with FreeBSD

• A new video and blog series about starting out with FreeBSD
• The author has been a fan since the 90s and has installed it on every server he\’s worked with
• He mentioned some of the advantages of BSD over Linux and how to approach explaining them to new users
• The first video is the installation, then he goes on to packages and other topics – 4 videos so far

More OpenBSD hackathon reports

• As a followup to last week, this time Kenneth Westerback writes about his NZ hackathon experience
• He arrived with two goals: disklabel fixes for drives with 4k sectors and some dhclient work
• This summary goes into detail about all the stuff he got done there

X11 in a jail

• We\’ve gotten at least one feedback email about running X in a jail Well.. with this commit, looks like now you can!
• A new tunable option will let jails access /dev/kmem and similar device nodes
• Along with a change to DRM, this allows full X11 in a jail
• Be sure to check out our jail tutorial and jailed VNC tutorial for ideas
• Ongoing Discussion

PCBSD weekly digest

• 10.0 \”Joule Edition\” finally released!
• AMD graphics are now officially supported
• GNOME3, MATE and Cinnamon desktops are available
• PCBSD also got a mention in eweek

Feedback/Questions

• Justin writes in: https://slexy.org/view/s21VnbKZsH
• Daniel writes in: https://slexy.org/view/s2nD7RF6bo
• Martin writes in: https://slexy.org/view/s2jwRrj7UV
• Alex writes in: https://slexy.org/view/s201koMD2c
  + unofficial FreeBSD RPI Images
• James writes in: https://slexy.org/view/s2AntZmtRU
• John writes in: https://slexy.org/view/s20bGjMsIQ

• All the tutorials are posted in their entirety at bsdnow.tv
• The ssh tutorial has been updated with some new 6.5 stuff
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• Reminder: if you\’re on FreeBSD 8.3 for some reason, upgrade soon – it\’s reaching EOL
• Reminder: if you\’re using pkgng, be sure to update to 1.2.6 for a security issue
• The winner of the tutorial contest is… Dusko! We didn\’t get as many submissions as we wanted, but his Nagios monitoring tutorial was extremely well-done. It\’ll be featured in a future episode. Congrats! Send us a picture when it arrives.
• Allan got his pillow in the mail as well, it\’s super awesome

The post Time Signatures | BSD Now 23 first appeared on Jupiter Broadcasting.

Put away the Christmas trees and update your ports trees! We\’re back with the first show of 2014, and we\’ve got some catching up to do. This time on the show, we have an interview with Baptiste Daroussin about the future of FreeBSD binary packages. Following that, we\’ll be highlighting a cool script to do binary upgrades on OpenBSD. Lots of holiday news and listener feedback, on BSD Now – the place to B.. SD.

Thanks to:

• iXsystems: This is what 80 cores and 1TB of RAM looks like!

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Faces of FreeBSD continues

• Our first one details Shteryana Shopova, the local organizer for EuroBSDCon 2014 in Sophia
• Gives some information about how she got into BSD
• \”I installed FreeBSD on my laptop, alongside the Windows and Slackware Linux I was running on it at the time. Several months later I realized that apart from FreeBSD, I hadn\’t booted the other two operating systems in months. So I wiped them out.\”
• She wrote bsnmpd and extended it with the help of a grant from the FreeBSD Foundation
• We\’ve also got one for Kevin Martin
• Started off with a pinball website, ended up learning about FreeBSD from an ISP and starting his own hosting company
• \”FreeBSD has been an asset to our operations, and while we have branched out a bit, we still primarily use FreeBSD and promote it whenever possible. FreeBSD is a terrific technology with a terrific community.\”

OpenPF?

• A blog post over at the Dragonfly digest
• What if we had some cross platform development of OpenBSD\’s firewall?
• Similar to portable OpenSSH or OpenZFS, there could be a centrally-developed version with compatibility glue
• Right now FreeBSD 9\’s pf is old, FreeBSD 10\’s pf is old (but has the best performance of any implementation due to custom patches), NetBSD\’s pf is old (but they\’re working on a fork) and Dragonfly\’s pf is old
• Further complicated by the fact that PF itself doesn’t have a version number, since it was designed to just be ‘the pf that came with OpenBSD 5.4’
• Not likely to happen any time soon, but it\’s good food for thought

Year of BSD on the server

• A good blog post about switching servers from Linux to BSD
• 2014 is going to be the year of a lot of switching, due to FreeBSD 10\’s amazing new features
• This author was particularly taken with pkgng and the more coherent layout of BSD systems
• Similarly, there was also a recent reddit thread, \”Why did you choose BSD over Linux?\”
• Both are excellent reads for Linux users that are thinking about making the switch, send \’em to your friends

Getting to know your portmgr

• This time in the series they interview Bryan Drewery, a fairly new addition to the team
• He started maintaining portupgrade and portmaster, and eventually ended up on the ports management team
• Believe it or not, his wife actually had a lot to do with him getting into FreeBSD full-time
• Lots of fun trivia and background about him
• Speaking of portmgr, our interview for today is…

This episode was brought to you by

Interview – Baptiste Daroussin – bapt@freebsd.org

The future of FreeBSD\’s binary packages, ports\’ features, various topics

Tutorial

Binary upgrades in OpenBSD

• Using a third party script, binary upgrades in OpenBSD are easy
• It automates a lot of the manual work and saves time – great for large deployments

News Roundup

pfSense december hang out

• Interview/presentation from pfSense developer Chris Buechler with an accompanying blog post
• \”This is the first in what will be a monthly recurring series. Each month, we’ll have a how to tutorial on a specific topic or area of the system, and updates on development and other happenings with the project. We have several topics in mind, but also welcome community suggestions on topics\”
• Speaking of pfSense, they recently opened an online store
• We\’re planning on having a pfSense episode next month!

BSDMag December issue is out

• The free monthly BSD magazine gets a new release for December
• Topics include CARP on FreeBSD, more BSD programming, \”unix basics for security professionals,\” some kernel introductions, using OpenBSD as a transparent proxy with relayd, GhostBSD overview and some stuff about SSH

OpenBSD gets tmpfs

• In addition to the recently-added FUSE support, OpenBSD now has tmpfs
• To get more testing, it was enabled by default in -current
• Should make its way into 5.5 if everything goes according to plan
• Enables lots of new possibilities, like our ccache and tmpfs guide

PCBSD weekly digests

• Catching up with all the work going on in PCBSD land..
• 10.0-RC2 is now available
• The big pkgng 1.2 problems seem to have been worked out

Feedback/Questions

• Remy writes in: https://slexy.org/view/s2UrUzlnf6
• Jason writes in: https://slexy.org/view/s2iqnywwKX
• Rob writes in: https://slexy.org/view/s2IUcPySbh
• John writes in: https://slexy.org/view/s21aYlbXz2
• Stuart writes in: https://slexy.org/view/s21vrYSqU8

• All the tutorials are posted in their entirety at bsdnow.tv
• The jail tutorial and disk encryption tutorial have gotten some improvements and updates
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• Happy new year everybody!

The post Eclipsing Binaries | BSD Now 18 first appeared on Jupiter Broadcasting.

How a Russian Spy ring used floppies to pass sensitive information, how Backblaze made it through the great hard drive shortage, and why the US congress is saying no to Chinese Telco manufactures.

Plus a big batch of your questions, and our answers.

All that and much more, on this week’s TechSNAP!

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

BONOUS ROUND PROMO:

Get your .COMs just $5.99 per year up to 3 domains! Additional .COMs just $7.99 per year!
CODE: 599tech

Expires 10/31/12

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: