SMB – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 17 Nov 2021 03:14:01 +0000

Three Tumbleweed Temptations | LINUX Unplugged 432
https://original.jupiterbroadcasting.net/146727/three-tumbleweed-temptations-linux-unplugged-432/
Tue, 16 Nov 2021 18:00:00 +0000

Show Notes: linuxunplugged.com/432

The post Three Tumbleweed Temptations | LINUX Unplugged 432 first appeared on Jupiter Broadcasting.

Ye Olde Linux Distro | LINUX Unplugged 410
https://original.jupiterbroadcasting.net/145317/ye-olde-linux-distro-linux-unplugged-410/
Tue, 15 Jun 2021 18:00:00 +0000

Show Notes: linuxunplugged.com/410

Distro in the Rough | LINUX Unplugged 405
https://original.jupiterbroadcasting.net/145017/distro-in-the-rough-linux-unplugged-405/
Tue, 11 May 2021 18:00:00 +0000

Show Notes: linuxunplugged.com/405

Storage Stories | TechSNAP 426
https://original.jupiterbroadcasting.net/140792/storage-stories-techsnap-426/
Fri, 03 Apr 2020 00:15:00 +0000

Show Notes: techsnap.systems/426

Linux Action News 71
https://original.jupiterbroadcasting.net/127156/linux-action-news-71/
Sun, 16 Sep 2018 16:44:47 +0000

Episode Links:

linuxactionnews.com/71

Trials of TLS | TechSNAP 350
https://original.jupiterbroadcasting.net/121017/trials-of-tls-techsnap-350/
Fri, 29 Dec 2017 10:35:32 +0000

Show Notes:

Why TLS 1.3 isn’t in browsers yet

It has been over a year since Cloudflare’s TLS 1.3 launch and still, none of the major browsers have enabled TLS 1.3 by default.

Leaky S3 Buckets

“I had seen unencrypted flight logs, passports, drivers licenses, and identification cards,” Finisterre said, adding: “It should be noted that newer logs and PII [personally identifiable information] seemed to be encrypted with a static OpenSSL password, so theoretically some of the data was at least loosely protected from prying eyes.”

For a researcher at UpGuard, on 6 October the answer turned out to be an intriguing 36GB database file sitting in plain view on an Amazon Simple Storage Service (S3) bucket uploaded by analytics company Alteryx.

Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages — all scraped from around the world by the US military to identify and profile persons of interest.

Introduction to SMB for Network Security

Of all the common protocols a new analyst encounters, perhaps none is quite as impenetrable as Server Message Block (SMB). Its enormous size, sparse documentation, and wide variety of uses can make it one of the most intimidating protocols for junior analysts to learn. But SMB is vitally important: lateral movement in Windows Active Directory environments can be the difference between a minor and a catastrophic breach, and almost all publicly available techniques for this movement involve SMB in some way. While there are numerous guides to certain aspects of SMB available, I found a dearth of material that was accessible, thorough, and targeted towards network analysis. The goal of this guide is to explain this confusing protocol in a way that helps new analysts immediately start threat hunting with it in their networks, ignoring the irrelevant minutiae that seem to form the core of most SMB primers and focusing instead on the kinds of threats an analyst is most likely to see.

The StorageCrypter Ransomware appears to be targeting NAS systems around the world but the facts surrounding it have been somewhat confusing.

Feedback

Repairing a 1960s mainframe: Fixing the IBM 1401’s core memory and power supply

The IBM 1401 was a popular business computer of the early 1960s. It had 4000 characters of internal core memory with additional 12000 characters in an external expansion box. Core memory was a popular form of storage in this era as it was relatively fast and inexpensive. Each bit is stored in a tiny magnetized ferrite ring called a core. (If you’ve ever heard of a “core dump”, this is what the term originally referred to.) The photo below is a magnified view of the cores, along with the red wires used to select, read and write the cores. The cores are wired in an X-Y grid; to access a particular address, one of the X lines is pulsed and one of the Y lines is pulsed, selecting the core where they intersect.

A Burrito Stole My Money | TechSNAP 321
https://original.jupiterbroadcasting.net/115216/a-burrito-stole-my-money-techsnap-321/
Tue, 30 May 2017 21:35:00 +0000

Show Notes:

Cultivating cybersecurity talent

  • Unit 8200 dates back to 1952

Theresa May to create new internet that would be controlled and regulated by government

  • Theresa May is planning to introduce huge regulations on the way the internet works, allowing the government to decide what is said online.

New SMB worm using 7 NSA tools not 2

Kill Switch Engage | TechSNAP 320
https://original.jupiterbroadcasting.net/115001/kill-switch-engage-techsnap-320/
Tue, 23 May 2017 18:16:19 +0000

Show Notes:

Cisco’s Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to ‘WannaCry’

FCC Filings Overwhelmingly Support Net Neutrality Once Anti-Net Neutrality Spam is Removed

Net Neutrality II: Last Week Tonight […]


When IT Security Cries | TechSNAP 319
https://original.jupiterbroadcasting.net/114721/when-it-security-cries-techsnap-319/
Tue, 16 May 2017 21:37:30 +0000

Show Notes:

Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool

Timeline of the attack

Don’t tell people to turn off Windows Update, just don’t

U.K. Hospitals Hit in Widespread Ransomware Attack

  • The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack

  • Microsoft Issues WanaCrypt Patch for Windows 8, XP

Keylogger Found in Audio Driver of HP Laptops


SMBTrapped in Microsoft | TechSNAP 210
https://original.jupiterbroadcasting.net/80632/smbtrapped-in-microsoft-techsnap-210/
Thu, 16 Apr 2015 19:01:23 +0000


Researchers find an 18-year-old bug in Windows that’s rather nasty; we’ve got the details. A new perspective on the bug bounty arms race & the security impact of Wi-Fi on a plane.

Plus great feedback, a bursting round up & much much more!


— Show Notes: —

Cylance finds “SPEAR” a new spin on an 18 year old Windows vulnerability

  • In 1997 Aaron Spangler discovered a flaw in Windows
  • By causing a user to navigate to a file://1.2.3.4/ URL in Internet Explorer, the user’s Windows credentials would be sent to the remote server in an attempt to log in to it
  • “Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password”
  • “It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network.”
  • “Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability”
  • “Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.”
  • “Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.”
  • “While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”
  • “Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 — either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps.”
  • “Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”
  • Cylance Whitepaper (PDF)

Given enough money, all bugs are shallow

  • Eric Raymond, in The Cathedral and the Bazaar, famously wrote: “Given enough eyeballs, all bugs are shallow.”
  • “The idea is that open source software, by virtue of allowing anyone and everyone to view the source code, is inherently less buggy than closed source software. He dubbed this “Linus’s Law”.”
  • “However, the Heartbleed SSL vulnerability was a turning point for Linus’s Law, a catastrophic exploit based on a severe bug in open source software. How catastrophic? It affected about 18% of all the HTTPS websites in the world, and allowed attackers to view all traffic to these websites, unencrypted… for two years.”
  • “OpenSSL, the library with this bug, is one of the most critical bits of Internet infrastructure the world has – relied on by major companies to encrypt the private information of their customers as it travels across the Internet. OpenSSL was used on millions of servers and devices to protect the kind of important stuff you want encrypted, and hidden away from prying eyes, like passwords, bank accounts, and credit card information.”
  • “This should be some of the most well-reviewed code in the world. What happened to our eyeballs, man?”
  • “In reality, it’s generally very, very difficult to fix real bugs in anything but the most trivial Open Source software. I know that I have rarely done it, and I am an experienced developer. Most of the time, what really happens is that you tell the actual programmer about the problem and wait and see if he/she fixes it”
  • “Even if a brave hacker communities to read the code, they’re not terribly likely to spot one of the hard-to-spot problems. Why? Few open source hackers are security experts”
  • “There’s a big difference between usage eyeballs and development eyeballs.”
  • “Most eyeballs are looking at the outside of the code, not the inside. And while you can discover bugs, even important security bugs, through usage, the hairiest security bugs require inside knowledge of how the code works.”
  • Peer reviewing code is a lot harder than writing code.
  • “The amount of code being churned out today – even if you assume only a small fraction of it is “important” enough to require serious review – far outstrips the number of eyeballs available to look at the code”
  • “There are not enough qualified eyeballs to look at the code. Sure, the overall number of programmers is slowly growing, but what percent of those programmers are skilled enough, and have the right security background, to be able to audit someone else’s code effectively? A tiny fraction”
  • “But what’s the long term answer to the general problem of not enough eyeballs on open source code? It’s something that will sound very familiar to you, though I suspect Eric Raymond won’t be too happy about it.”
  • “Money. Lots and lots of money.”
  • “Increasingly, companies are turning to commercial bug bounty programs. Either ones they create themselves, or run through third party services like Bugcrowd, Synack, HackerOne, and Crowdcurity. This means you pay per bug, with a larger payout the bigger and badder the bug is.”
  • However, adding more money to the equation might actually make things worse
  • “There’s now a price associated with exploits, and the deeper the exploit and the lesser known it is, the more incentive there is to not tell anyone about it until you can collect a major payout. So you might wait up to a year to report anything, and meanwhile this security bug is out there in the wild – who knows who else might have discovered it by then?”
  • “If your focus is the payout, who is paying more? The good guys, or the bad guys? Should you hold out longer for a bigger payday, or build the exploit up into something even larger? I hope for our sake the good guys have the deeper pockets, otherwise we are all screwed.”
  • I like that Google addressed a few of these concerns by making Pwnium, their Chrome specific variant of Pwn2Own, a) no longer a yearly event but all day, every day and b) increasing the prize money to “infinite”. I don’t know if that’s enough, but it’s certainly going in the right direction.
  • “Money turns security into a “me” goal instead of an “us” goal”
  • “Am I now obligated, on top of providing a completely free open source project to the world, to pay people for contributing information about security bugs that make this open source project better? Believe me, I was very appreciative of the security bug reporting, and I sent them whatever I could, stickers, t-shirts, effusive thank you emails, callouts in the code and checkins. But open source isn’t supposed to be about the money… is it?”
  • “Easy money attracts all skill levels — The submitter doesn’t understand what is and isn’t an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.”
  • “But I have some advice for bug bounty programs, too”:
  • “You should have someone vetting these bug reports, and making sure they are credible, have clear reproduction steps, and are repeatable, before we ever see them.”
  • “You should build additional incentives in your community for some kind of collaborative work towards bigger, better exploits. These researchers need to be working together in public, not in secret against each other”.
  • “You should have a reputation system that builds up so that only the better, proven contributors are making it through and submitting reports”.
  • “Encourage larger orgs to fund bug bounties for common open source projects, not just their own closed source apps and websites. At Stack Exchange, we donated to open source projects we used every year. Donating a bug bounty could be a big bump in eyeballs on that code.”

FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

  • The Federal Aviation Administration (FAA) faces cybersecurity challenges in at least three areas:
  • (1) protecting air-traffic control (ATC) information systems,
  • (2) protecting aircraft avionics used to operate and guide aircraft
  • (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices
  • “FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace systems”
  • “Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.”
  • “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems.”
  • “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems”
  • One would hope that the cockpit avionics are separated from the onboard entertainment and wifi systems by more than just a firewall. Even if they are not, a properly configured firewall is very difficult to compromise.
  • Additional Coverage – BatBlue
  • It seems that the authors of this report were not experts on the subject, and when interviewing experts on the topic, they asked questions like “is there any way to get around a firewall”

Puffy in a Box | BSD Now 81
https://original.jupiterbroadcasting.net/79142/puffy-in-a-box-bsd-now-81/
Thu, 19 Mar 2015 09:37:38 +0000


We’re back from AsiaBSDCon! This week on the show, we’ll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They’re getting BSD in the hands of Windows admins who don’t even realize it. We also have all this week’s news and answers to your emails, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

Using OpenBGPD to distribute pf table updates

  • For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol – a way for routers on the internet to discover and exchange routes to different addresses
  • This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
  • It begins with “One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems.”
  • If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
  • OpenBGPD is part of the OpenBSD base system, but there’s also an unofficial port to FreeBSD and a “work in progress” pkgsrc version

Mounting removable media with autofs

  • The FreeBSD Foundation has a new article in the “FreeBSD from the trenches” series, this time about the sponsored autofs tool
  • It’s written by one of the autofs developers, and he details his work on creating and using the utility
  • “The purpose of autofs(5) is to mount filesystems on access, in a way that’s transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes.”
  • He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
  • It ends with a real-world example of something we’re all probably familiar with: plugging in USB drives and watching the magic happen
  • There’s also some more advanced bonus material on GEOM classes and all the more technical details

The Tor Browser on BSD

  • The Tor Project has provided a “browser bundle” for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
  • Just tunneling your browser through a transparent Tor proxy is not safe enough – many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
  • It has, however, only been released for Windows, OS X and Linux – no BSD version
  • “[…] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves.”
  • Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
  • If you’ve got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)

OpenSSH 6.8 released

  • Continuing their “tick tock” pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 – it’s a major upgrade, focused on new features (we like those better of course)
  • Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
  • This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default – a big step up from the previously hex-encoded MD5 fingerprints
  • Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
  • You can now require multiple, different public keys to be verified for a user to authenticate (useful if you’re extra paranoid or don’t have 100% confidence in any single key type)
  • The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
  • Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers

NetBSD at AsiaBSDCon

  • The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you’d expect
  • It covers their BoF session, the six NetBSD-related presentations and finally their “work in progress” session
  • There was a grand total of 34 different NetBSD gadgets on display at the event

Interview – Lawrence Teo – lteo@openbsd.org / @lteo

OpenBSD at Calyptix


News Roundup

HardenedBSD introduces Integriforce

  • A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
  • By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
  • HardenedBSD has introduced a similar mechanism into their “secadm” utility
  • You can list binaries in the config file that you want to be protected from changes, then specify whether those can’t be run at all, or if they just print a warning
  • They’re looking for some more extensive testing of this new feature

More s2k15 hackathon reports

  • A couple more Australian hackathon reports have poured in since the last time
  • The first comes from Jonathan Gray, who’s done a lot of graphics-related work in OpenBSD recently
  • He worked on getting some newer “Southern Islands” and “Graphics Core Next” AMD GPUs working, as well as some OpenGL and DRM-related things
  • Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
  • Ted Unangst also sent in a report to detail what he hacked on at the event
  • With a strong focus on improving SMP scalability, he tackled the virtual memory layer
  • His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
  • All the trip reports are much more detailed than our short summaries, so give them a read if you’re interested in all the technicalities

DragonFly 4.0.4 and IPFW3

  • DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
  • It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed “new xorg” and “with kms” variables and a few LAGG fixes
  • There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
  • Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it’s technically the third revision)

NetBSD gets Raspberry Pi 2 support

  • NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
  • There are -current snapshots available for download, and multiprocessor support is also on the way
  • The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
  • The usual Hacker News discussion on the subject
  • If anyone has one of these little boards, let us know – maybe write up a blog post about your experience with BSD on it

OpenIKED as a VPN gateway

  • In our first discussion segment, we talked about a few different ways to tunnel your traffic
  • While we’ve done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven’t talked a whole lot about OpenBSD’s IPSEC suite
  • This article should help fill that gap – it walks you through the complete IKED setup
  • From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide’s got it all

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’re in or around the Troy, New York area, our listener Brian is giving a presentation about ports on OpenBSD at the Rensselaer Polytechnic Institute this Friday at 4:00PM
  • If anyone else in the audience is doing something similar or organizing any kind of BSD event, let us know and we’ll be glad to mention it
  • Look forward to seeing the AsiaBSDCon interviews in upcoming episodes

The post Puffy in a Box | BSD Now 81 first appeared on Jupiter Broadcasting.

Sharing with Samba | LAS 319 https://original.jupiterbroadcasting.net/60967/sharing-with-samba-las-319/ Sun, 29 Jun 2014 14:31:03 +0000

The post Sharing with Samba | LAS 319 first appeared on Jupiter Broadcasting.


Easily share files between Windows and Linux, and we’ll solve some common network browsing challenges under Linux.

Plus a quick look at Linux Mint 17 KDE edition, the huge new features coming to OwnCloud, a new hacker event….

AND SO MUCH MORE!

All this week on, The Linux Action Show!


— Show Notes: —

Easy Windows File Sharing from Linux:


Brought to you by: System76

File manager not showing your network shares?

Install Samba:

Samba is a re-implementation of the SMB/CIFS networking protocol. It facilitates file and printer sharing among Linux and Windows systems as an alternative to NFS. Some users say that Samba is easily configured and that operation is very straightforward. However, many new users run into problems with its complexity and non-intuitive mechanism.

  • Install Samba

sudo apt-get update

sudo apt-get install samba samba-common system-config-samba python-glade2 gksu nautilus-share

  • Enable your user account as a Samba user

sudo smbpasswd -e chase

Having trouble resolving computer names?

  • Check your DNS settings

  • Add the following line to smb.conf:

name resolve order = lmhosts bcast host wins

testparm — check an smb.conf configuration file for internal correctness

Bonus: Going through these steps will also make your Windows network file browsing work under your file manager too!

Further Reading:


— Picks —

Runs Linux

Raspberry Pi Controlled Aquaponics

This build uses the IBC method of Aquaponics, with modifications to include a Raspberry Pi for controlling a pump, solenoid drain, and temperature probes for water and air temperatures. The relays and timing are controlled with Python scripting. Temperature and control data is collected every minute and sent to plot.ly for graphing, and future expansion will include sensors for water level and pH values for additional control.

All of my scripts are available at github.com

Desktop App Pick

beets: the music geek’s media organizer

The purpose of beets is to get your music collection right once and for all. It catalogs your collection, automatically improving its metadata as it goes using the MusicBrainz database. Then it provides a bouquet of tools for manipulating and accessing your music.

Weekly Spotlight

Unix & Linux Stack Exchange

— NEWS —

ownCloud 7 Community Edition Enhances, Extends and Simplifies Control of Sensitive Data

ownCloud 7 Community Edition server-to-server sharing enables users on one ownCloud instance to seamlessly share files with a user on a different ownCloud installation without using share links — enhancing sharing and collaboration while maintaining security and privacy.

ownCloud 7 Community Edition also gives end users a “Dropbox-like” experience — complementing the security and privacy on the back end — with an entirely new web interface, mobile web browser support, file notifications in email or activity stream, and significant performance improvements.

“ownCloud 7 Community Edition enables greater collaboration even across ownCloud instances, as well as greater admin control, updated user management and improved external storage control,” said Frank Karlitschek, founder and leader of the ownCloud project. “And at the same time, added or improved installation and configuration wizards, completely overhauled sharing, and a new user interface significantly simplifies the ownCloud experience.”

Russia to ditch Intel, AMD in favor of homegrown ‘Baikal’ chips; will use GNU/Linux

According to a Russian business newspaper, state departments and state-run companies have no plans to buy PCs built around Intel or AMD processors. Instead, beginning in 2015, the government will order some 700,000 personal computers annually worth $500 million and 300,000 servers worth $800 million based on the Baikal chip.

Where KDE is going – Part 1 | KDE.news

GNOME 3.13.3 | Goings on

The Linux Mint Blog » Blog Archive » Linux Mint 17 “Qiana” KDE released!

Dad’s computer lady and “The Linux” by Chad Seaman

ToorCamp | the five day, open air, tech camping event

NEAH BAY, WA
JULY 9-13, 2014

Feedback:

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting


— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

YaCy Creator Interview | LAS s30e09 https://original.jupiterbroadcasting.net/51277/yacy-creator-interview-las-s30e09/ Sun, 09 Feb 2014 14:50:07 +0000 https://original.jupiterbroadcasting.net/?p=51277 Michael Christen the creator and maintainer of YaCy search joins us to discuss his free search engine that uses a unique Peer-to-peer technology.

The post YaCy Creator Interview | LAS s30e09 first appeared on Jupiter Broadcasting.


Michael Christen the creator and maintainer of YaCy search joins us to discuss his free search engine that anyone can use to build a search portal for their intranet or to help search the public internet using a unique Peer-to-peer technology.

Plus who’s building Linux, the big Docker news, a look ahead at the next big Gnome release…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

— Show Notes: —

Michael Christen YaCy Maintainer:


Brought to you by: System76

YaCy is a free search engine that anyone can use to build a search portal for their intranet or to help search the public internet. When contributing to the world-wide peer network, the scale of YaCy is limited only by the number of users in the world and can index billions of web pages. It is fully decentralized, all users of the search engine network are equal, the network does not store user search requests and it is not possible for anyone to censor the content of the shared index. We want to achieve freedom of information through a free, distributed web search which is powered by the world’s users.

Questions

  • What’s the key reason you believe decentralized search is important?

  • How does YaCy help combat censorship?

  • Can I use YaCy on my school/work network to index all of the material on our intranet?

  • I want to run YaCy on a VPS, can it be configured to crawl faster than my home PC since it has a faster connection?

  • How would I know that some YaCy machine in the globe does not collect all the requests it gets?

  • Could YaCy be used to index the TOR network?

  • And more in show, not documented here.

Installing YaCY

q5ys’s Kickstarter


– Picks –

Runs Linux:

Desktop App Pick

Weekly Spotlight


— NEWS —

About once a year, the Linux Foundation analyzes the online repository that holds the source code of the kernel, or core, of the Linux operating system.

As well as tracking the increasing complexity of the ever-evolving kernel over a series of releases from versions 3.0 to 3.10, the report also reveals who is contributing code, and the dominant role corporations now play in what began as an all-volunteer project in 1991.

Over 80 percent of code is contributed by people who are paid for their work

The Linux Foundation notes that contributions have been increasing from companies that make mobile and embedded systems, such as Linaro, Samsung, and Texas Instruments.
Contributions from individual developers must have sign-offs before being incorporated into the official kernel code.

Corporate employees truly dominate, with just over 5 percent of approvals by volunteers.

The increasing size of the Linux kernel is due to the incorporation of significant new features, including a file system optimized for solid-state drives and support for the 64-bit ARM microprocessors used in embedded and mobile devices.

That’s evident in today’s news that the company has raised $15 million in a Series B round led by Greylock Partners, with minority participation from Insight Venture Partners and existing investors Benchmark Capital and Trinity Ventures. Also participating is Yahoo! Co-Founder Jerry Yang, who has participated in previous

Docker will use the funding to push toward the general availability of the Docker environment, develop commercial services that pair with the open-source technology and build a team to support the growing community.

– Feedback: –

— Chris’ Stash —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC: —

Grand Theft BGP | TechSNAP 121 https://original.jupiterbroadcasting.net/41087/grand-theft-bgp-techsnap-121/ Thu, 01 Aug 2013 17:49:09 +0000 https://original.jupiterbroadcasting.net/?p=41087 A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don't see it more often.

The post Grand Theft BGP | TechSNAP 121 first appeared on Jupiter Broadcasting.


A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don’t see it more often.

Plus an Interview with Brendan Gregg author of a new book that focuses on Systems Performance in the Enterprise and the Cloud, plus a big batch of your questions, our answers, and much much more!



BGP hijack used to redirect traffic destined for online banking

  • On 24 July 2013 a number of specific IP addresses were maliciously mis-routed to an ISP in the Netherlands
  • This is especially unusual because almost all BGP routes are /24 or larger (because routers only have so much RAM in which to hold the routing table for the entire Internet), and most of these were specific /32s (a single IP address).
  • This might be considered a mistake; however, the owners of the specific IP addresses suggest otherwise:
    • AMAZON-AES – Amazon.com, Inc.
    • AS-7743 – JPMorgan Chase & Co.
    • ASN-BBT-ASN – Branch Banking and Trust Company
    • BANK-OF-AMERICA – Bank of America
    • CEGETEL-AS – Societe Francaise du Radiotelephone S.A
    • FIRSTBANK – FIRSTBANK
    • HSBC-HK-AS – HSBC HongKong
    • PFG-ASN-1 – The Principal Financial Group
    • PNCBANK – PNC Bank
    • REGIONS-ASN-1 – REGIONS FINANCIAL CORPORATION
  • The ISP, NedZone.nl, normally announced about 30 prefixes of various sizes between /18 and /24, but on the date in question it was announcing 369, almost all of which were smaller than /24 (usually the smallest that would be announced)
  • It is most likely this was caused by a malicious customer, rather than NedZone or one of its employees
  • The attack appears to have been an attempt to run a MITM attack against online banking
  • RIPE AS Dashboard for AS25459, showing list of prefixes announced in the last 30 days
  • HE BGP Looking Glass AS25459 Prefixes
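The two signals described above (a jump in the number of announced prefixes, and routes more specific than /24 that fall inside other networks' address space) can be checked mechanically. The following is an added example, not part of the original show notes; the function name, the AS numbers, the prefixes and the ownership table are constructed for illustration.

```python
import ipaddress

# Longest IPv4 prefix normally seen in the global table, per the notes above.
MAX_USUAL_PREFIXLEN = 24


def review_announcements(origin, baseline, observed, registry, spike_factor=3.0):
    """Compare one origin AS's current announcements with its usual set.

    baseline, observed: iterables of IPv4 prefix strings announced by `origin`.
    registry: {prefix: expected origin AS}; a hypothetical local table that in
              practice would be built from IRR or RPKI data.
    """
    usual = {ipaddress.ip_network(p) for p in baseline}
    current = {ipaddress.ip_network(p) for p in observed}
    owners = {ipaddress.ip_network(p): asn for p, asn in registry.items()}

    too_specific, foreign = [], []
    for net in sorted(current - usual):
        if net.prefixlen > MAX_USUAL_PREFIXLEN:
            too_specific.append(str(net))
        for covering, owner in owners.items():
            # A more-specific route is preferred over the owner's covering
            # prefix, so a /32 inside someone else's block attracts its traffic.
            if owner != origin and net.subnet_of(covering):
                foreign.append((str(net), str(covering), owner))

    return {
        "new_prefixes": len(current - usual),
        "too_specific": too_specific,
        "foreign_more_specific": foreign,
        "count_spike": len(current) > spike_factor * max(len(usual), 1),
    }


# Constructed sample data (documentation and private ranges, not real routes).
SAMPLE_BASELINE = ["10.1.0.0/18", "10.2.0.0/20", "10.3.4.0/24"]
SAMPLE_REGISTRY = {
    "10.1.0.0/18": "AS64500",
    "192.0.2.0/24": "AS64501",
    "198.51.100.0/24": "AS64502",
}
SAMPLE_OBSERVED = SAMPLE_BASELINE + [
    "10.3.5.0/24",
    "192.0.2.10/32", "192.0.2.11/32",
    "198.51.100.7/32", "198.51.100.8/32",
    "203.0.113.200/32", "203.0.113.201/32",
]

if __name__ == "__main__":
    report = review_announcements(
        "AS64500", SAMPLE_BASELINE, SAMPLE_OBSERVED, SAMPLE_REGISTRY
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```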

Digital Ocean Cloud ‘Droplets’ found to be reusing same SSH private keys

  • While using Digital Ocean’s cloud server to write a comparison of Ansible and Salt, two different administration/orchestration tools, Joshua Lund discovered that many of his ‘Droplets’ had the same SSH fingerprint
  • While rapidly creating and destroying Droplets, he ended up with the same IP address again, and noticed that he did not receive the SSH fingerprint mismatch warning that would indicate the server is not the same one that previously resided at that IP address
  • Upon further investigation he found that the SSH keys appeared to be part of the base image, rather than being generated on first boot
  • While this was likely a simple oversight while creating the images, or an attempt to make the droplets boot faster by foregoing the SSH key generation, it is a significant security issue
  • This means someone could replace your droplet with their own and have the same SSH private key (and therefore fingerprint). If you or one of your old users connected to your old IP, which now belonged to someone else, they could capture your password or otherwise perform a MITM attack
  • The issue was reported to Digital Ocean and they responded the same day
  • The immediate fix did not resolve all instances of the issue, but within 7 days the issue had been resolved
  • Digital Ocean then started working with their customers to have them replace their SSH host keys with unique ones
  • 6 weeks later a public security advisory was issued
  • If you do not install the OS yourself, it may be a good idea to regenerate the SSH keys as part of the initial setup process
  • Official Advisory
  • On a future episode of TechSNAP we’ll talk about SSHFP DNS records and maintaining a system wide ssh_known_hosts file
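An audit for the condition described above, host keys baked into a base image and therefore shared between servers, is to collect each server's public host key (for example with ssh-keyscan) and group hosts by fingerprint. This is an added example, not part of the original show notes; the function names are hypothetical and the key blobs and addresses are constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(scan_lines):
    """Map fingerprint -> sorted host labels, for keys seen on more than one host.

    Expects ssh-keyscan / known_hosts style lines: "host[,alias] keytype base64".
    The whole first field is one label, so "name,ip" for a single server is
    not reported as two hosts sharing a key.
    """
    hosts_by_key = defaultdict(set)
    for line in scan_lines:
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank, comment, or @cert-authority/@revoked entry
        try:
            fp = fingerprint(fields[2])
        except ValueError:  # binascii.Error is a ValueError: corrupted entry
            continue
        hosts_by_key[fp].add(fields[0])
    return {fp: sorted(h) for fp, h in hosts_by_key.items() if len(h) > 1}


def _constructed_blob(seed):
    """Build a syntactically valid ssh-ed25519 blob from a seed (not a real key)."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(blob).decode()


# Constructed scan results: three servers built from one image, one that
# generated its key on first boot, and one corrupted line.
IMAGE_KEY = _constructed_blob(b"baked-into-base-image")
SAMPLE_SCAN = [
    "# constructed ssh-keyscan output",
    f"203.0.113.10 ssh-ed25519 {IMAGE_KEY}",
    f"203.0.113.11 ssh-ed25519 {IMAGE_KEY}",
    f"203.0.113.12 ssh-ed25519 {IMAGE_KEY}",
    f"203.0.113.20 ssh-ed25519 {_constructed_blob(b'generated-on-first-boot')}",
    "203.0.113.30 ssh-ed25519 AAAA-not-base64!",
]

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any host that appears in the output should have its host keys regenerated and its clients' known_hosts entries updated.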

Interview with Brendan Gregg


Feedback:

Directory Dive:

Round Up:

Battery Malware | TechSNAP 16 https://original.jupiterbroadcasting.net/10763/battery-malware-techsnap-16/ Thu, 28 Jul 2011 22:52:47 +0000 https://original.jupiterbroadcasting.net/?p=10763 Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.

The post Battery Malware | TechSNAP 16 first appeared on Jupiter Broadcasting.


Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.

Plus find out about a Google bug that could wipe a site from their Index, and an excellent batch of your feedback!

All that and more, on this week’s TechSNAP!


Show Notes:

iPhones vulnerable to 9 year old SSL sniffing attack

  • A nine-year-old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier-to-use version of the tool on Monday, to coincide with Apple finally patching the flaw on iPhone and other iOS devices.
  • Any unpatched iOS device can have all of its SSL traffic trivially intercepted and decrypted
  • This means anyone with this new easy-to-use tool sitting near a Wi-Fi hotspot can intercept encrypted login information (Gmail, Facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
  • The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraints’ extension, allowing an attacker who holds any valid certificate to use it to sign a certificate for any domain, a condition normally prevented by the constraint.
  • There are no known flaws in SSL itself; in this case, the attacker could perform a man-in-the-middle attack by feeding the improperly signed certificate to the iPhone, which would have accepted it and used the attacker’s key to encrypt the data.
  • Patch is out with a support doc and direct download links

Apple Notebook batteries vulnerable to firmware hack

  • After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
  • With this password, it is possible to control the firmware on the battery
  • This means that an attacker can remotely brick your Macbook, or cause the battery to overheat and possibly even explode
  • The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
  • The attacker could also completely replace the Apple firmware, with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
  • Further research will be presented at this year’s Black Hat Security Conference
  • In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.
    Additional Link

Facebook fixes glitch that let you see private video information

  • A glitch in Facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
  • It was not possible to view the actual videos

Google was quick to shutdown Webmaster Tools after vulnerability found

  • Using the Google Webmaster Tools, users were able to remove websites that did not belong to them from the Google Index
  • By simply modifying the query string of a valid request to remove your own site from the Google index, and changing one of the two references to the target URL, you were able to remove an arbitrary site from the Google index
  • The issue was resolved within 7 hours of being reported to Google
  • Google restored sites that were improperly removed from its index.

Researchers find vulnerability in Skype

  • Improper input validation and output sanitization allowed attackers to inject code into their Skype profile
  • If an attacker entered HTML and JavaScript into the ‘mobile phone’ section of their profile, anyone who had them on their friends list would execute the injected code.
  • This vulnerability could have allowed attackers to hijack your session, steal your account, capture your payment data, and change your password

Feedback


Q: (Sargoreth) I downloaded Eclipse, and I didn’t bother to verify the MD5 hash they publish on the download page, how big a security risk is this?
A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However, it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (the FreeBSD Ports tree comes with the SHA256 hashes of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64-bit hardware, however it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected into their downloadable archives on official mirrors, such as the UnrealIRCd project.


Q: (Christoper) I have a Windows 7 laptop, and an Ubuntu desktop, what would be a cheap and easy way to share files between them?
A: The easiest and most secure way is to enable SSH on the Ubuntu machine, and then use an SFTP client like FileZilla (for Windows, Mac and Linux), and then just log in to your Ubuntu machine using your Ubuntu username/password. Alternatively, if you have shared a folder on your Windows machine, you should be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba, to allow your Ubuntu machine to share files with Windows; it will appear as if it were another Windows machine in your Windows ‘network neighbourhood’.


Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here


Bitcoin Blaster

Roundup
