SQL – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Last updated: Mon, 11 Jul 2022 05:07:24 +0000

The Night of a Thousand Errors | LINUX Unplugged 466
https://original.jupiterbroadcasting.net/149197/the-night-of-a-thousand-errors-linux-unplugged-466/
Sun, 10 Jul 2022 19:15:00 +0000
Show Notes: linuxunplugged.com/466

The post The Night of a Thousand Errors | LINUX Unplugged 466 first appeared on Jupiter Broadcasting.

Conflict | Coder Radio 409
https://original.jupiterbroadcasting.net/144772/conflict-coder-radio-409/
Wed, 14 Apr 2021 17:30:00 +0000
Show Notes: coder.show/409

Interactive Investigations | Coder Radio 373
https://original.jupiterbroadcasting.net/134012/interactive-investigations-coder-radio-373/
Mon, 02 Sep 2019 19:10:06 +0000
Show Notes: coder.show/373

Free as in Get Out | LINUX Unplugged 284
https://original.jupiterbroadcasting.net/128836/free-as-in-get-out-linux-unplugged-284/
Tue, 15 Jan 2019 19:19:50 +0000
Show Notes/Links: linuxunplugged.com/284

The Power of Shame | TechSNAP 383
https://original.jupiterbroadcasting.net/127121/the-power-of-shame-techsnap-383/
Fri, 14 Sep 2018 06:46:57 +0000
Show Notes: techsnap.systems/383

Beardy McBeardface | LINUX Unplugged 206
https://original.jupiterbroadcasting.net/116731/beardy-mcbeardface-lup-206/
Tue, 18 Jul 2017 22:40:54 +0000

Show Notes:

Pre-Show

  • Wes meets a linux user in the wild.

Complicated things explained well

A real world guide to WebRTC

What do we need to get started? Two things: a reasonably recent browser (WebRTC is supported in current versions of Chrome, Firefox, Edge and Opera but not in Safari or many mobile browsers) and drumroll – a server.

An Introduction to the ss Command

The ss command is a tool used to dump socket statistics and displays information in similar fashion (although simpler and faster) to netstat. The ss command can also display even more TCP and state information than most other tools. Because ss is the new netstat, we’re going to take a look at how to make use of this tool so that you can more easily gain information about your Linux machine and what’s going on with network connections.

Systemd for (Impatient) Sysadmins

…and although I’m at philosophical odds with it at some levels, I see no reason why everybody shouldn’t understand it a bit better – especially now that most people will need to deal with it on their favorite distros.

Encrypting drives with LUKS

Linux tracing systems & how they fit together

The thing I learned last week that helped me really understand was – you can split linux tracing systems into data sources (where the tracing data comes from), mechanisms for collecting data for those sources (like “ftrace”) and tracing frontends (the tool you actually interact with to collect/analyse data). The overall picture is still kind of fragmented and confusing, but it’s at least a more approachable fragmented/confusing system.

Linux Academy

Follow Up / Catch Up

How Microsoft brought SQL Server to Linux

“Talking to enterprises, it became clear that doing this was necessary,” Kumar said. “We were forcing customers to use Windows as their platform of choice.” In another incarnation of Microsoft, that probably would’ve been seen as something positive, but the company’s strategy today is quite different.

Formal Verification of WireGuard Protocol

The WireGuard protocol, described in the technical paper, and based on Noise, has been formally verified in the symbolic model using Tamarin. This means that there is a security proof of the WireGuard protocol.

ZFS Is the Best Filesystem (For Now…)

ZFS should have been great, but I kind of hate it: ZFS seems to be trapped in the past, before it was sidelined as the cool storage project of choice; it’s inflexible; it lacks modern flash integration; and it’s not directly supported by most operating systems. But I put all my valuable data on ZFS because it simply offers the best level of data protection in a small office/home office (SOHO) environment.

Status update about bcachefs

DigitalOcean

New stuff from the internet

You can root your Google Wifi router, but you’ll need a screwdriver

What’s nice about this hack is that GaleForce will keep working even after Google applies automatic updates to the router. It’s a best-of-both-worlds situation: your home router becomes a Linux box with endless possibilities, but it still has the mesh networking and app-based interface that Google provides.

Smach Z – The Handheld gaming PC

“Hi Smachers,
AMD has kindly agreed to let us inform backers about the new SoC upgrade. We can officially confirm that we are moving to the latest generation AMD technology which will be based on Ryzen and Vega technology.
We’re working together with AMD to bring the best performance to SMACH Z, so it will be the most powerful handheld console in the market. The new generation looks amazing, and we want to thank AMD for all the support and efforts contributed to our project.
At this point we cannot say any more information, but I hope that this announcement works to alleviate the long waiting and to confirm that SMACH Z will feature the best hardware when it will become available.
This decision has been taken after a thorough analysis of the situation. Being forced to move away from Romb.io technology and having to redo the SoC integration has moved our schedule, opening the opportunity to bring the latest technology to our design. For the moment this announcement is private, only for backers.
Thanks for your support!”

Beginner-Friendly Vulkan Tutorials

For those who don’t know, Vulkan is a new graphics API – in other words, a fresh new way to talk to your GPU and make it do things. It’s managed by the Khronos Group, which means no one corporation controls it. It’s pretty cool, and anyone who wants to do work on GPUs (not restricted to graphics programmers!) should at least have a high level knowledge of what it is.

vkmark: more than a Vulkan benchmark

Ever since Vulkan was announced a few years ago, the idea of creating a Vulkan benchmarking tool in the spirit of glmark2 had been floating in my mind. Recently, thanks to my employer, Collabora, this idea has materialized! The result is the vkmark Vulkan benchmark.

TING

Distro Corner

Slackware turns 24

Today marks 24 years since the original release of Slackware, which continues to be led by Patrick Volkerding. …development on Slackware does continue and its rolling-release code is currently on the Linux 4.9 LTS kernel and has many new packages compared to the v14.2 release.

Announcing Mageia 6, finally ready to shine!

The whole Mageia community is extremely happy to announce the release of Mageia 6, the shiny result of our longest release cycle so far!

Though Mageia 6’s development was much longer than anticipated, we took the time to polish it and ensure that it will be our greatest release so far.

Highlights of Mageia 6
  • KDE Plasma 5 replaces the previous KDE SC 4 desktop environment
  • Support for AppStream and thus GNOME Software and Plasma Discover
  • Support for Fedora COPR and openSUSE Build Service
  • Successful integration of the ARM port (ARMv5 and ARMv7) in the buildsystem
  • While not a new feature, Mageia 6 supports over 25 desktop environments and window managers

  • Forking Mandriva Linux: The birth of Mageia

Cyber Liability | TechSNAP 314
https://original.jupiterbroadcasting.net/113781/cyber-liability-techsnap-314/
Wed, 12 Apr 2017 02:09:54 +0000

Show Notes:

Researchers demonstrate how PINs and other info can be gathered through phone movement

  • Team was able to crack four-digit PINs with 70 percent accuracy on the first try, with 100 percent accuracy by try number five

  • A site accessed with malicious code can open the device to such sensor-based monitoring working in the background when browser tabs are left open.

  • The team suggests a number of ways to help combat vulnerabilities, including regularly changing PINs and quitting out of any apps not currently in use

  • Dan suggests: Simple way around this: randomize the display of numbers on the keypad. I think this should be standard for all PIN entry. I recall seeing this somewhere, years ago, but I don’t recall where. I’ve always wondered why I’ve never seen it again. If the numbers have a narrow field of vision, nobody can watch over your shoulder.

  • A better article on the issue

  • The PDF of the study

  • From the PDF: In the latest Apple Security Updates for iOS 9.3 (released in March 2016), Safari took a similar countermeasure by “suspending the availability of this [motion and orientation] data when the web view is hidden”.

Computer security is broken from top to bottom

  • Robert Watson spoke at the very first BSDCan

  • There are three main fundamental causes of insecurity: technology complexity, culture, and the economic incentives of the computer business.

Deep Dive starts with Dan’s first blog post about PostgreSQL

  • PostgreSQL

  • PostgreSQL < 9.6: DATADIR is the same for all versions

  • PostgreSQL 9.6+ on FreeBSD: each major version has its own DATADIR

  • Installing in a FreeBSD jail means you can easily upgrade in another jail, then start using it


Feedback


Round Up:

The post Cyber Liability | TechSNAP 314 first appeared on Jupiter Broadcasting.

]]>
Wifi Stack Overfloweth | TechSNAP 313
https://original.jupiterbroadcasting.net/113571/wifi-stack-overfloweth-techsnap-313/
Wed, 05 Apr 2017 01:02:34 +0000
Feed summary: iOS 10.3.1 update prevents: attacker within range may be able to execute arbitrary code on the Wi-Fi chip. What is a stack buffer overflow? What […]

Show Notes:

iOS 10.3.1 update prevents: an attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Hackers Are Emptying ATMs With a Single Drilled Hole and $15 Worth of Gear

  • Not so long ago, enterprising thieves who wanted to steal the entire contents of an ATM had to blow it up. Today, a more discreet sort of cash-machine burglar can walk away with an ATM’s stash and leave behind only a tell-tale three-inch hole in its front panel.

  • The dispenser will obey and dispense money, and it can all be done with a very simple microcomputer.

  • They found that the machine’s only encryption was a weak XOR cipher they were able to easily break, and that there was no real authentication between the machine’s modules

  • In practical terms, that means any part of the ATM could essentially send commands to any other part, allowing an attacker to spoof commands to the dispenser, giving them the appearance of coming from the ATM’s own trusted computer.

Let’s Encrypt

Privacy is Dead | TechSNAP 312
https://original.jupiterbroadcasting.net/113306/privacy-is-dead-techsnap-312/
Wed, 29 Mar 2017 00:27:34 +0000
Feed summary: Internet privacy: The House just voted to wipe out the FCC’s landmark Internet privacy protections; Vote Summary; Who represents You in the U.S. Congress; Five […]

Show Notes:

Internet privacy

Alleged vDOS Owners Poised to Stand Trial

  • Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

  • On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

  • According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

  • Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

ZFS is what you want, even though you may not know – Dan talks about why he likes ZFS

  • The following is an ugly generalization and must not be read in isolation
  • Listen to the podcast for the following to make sense
  • Makes sysadmin life easier
  • treats the disks as a bucket source for filesystems
  • different file system attributes for different purposes, all on the same set of disks
  • Interesting things you didn’t know you could do with ZFS

The Red Hack | Unfilter 202
https://original.jupiterbroadcasting.net/102696/the-red-hack-unfilter-202/
Wed, 31 Aug 2016 20:40:22 +0000
Feed summary: Episode Links: Why Did the Saudi Regime and Other Gulf Tyrannies Donate Millions to the Clinton Foundation? CNN Canceled Dr. Drew’s Show Days After He Questioned Hillary’s […]

Garbled Transmission | TTT 235
https://original.jupiterbroadcasting.net/97246/garbled-transmission-ttt-235/
Tue, 08 Mar 2016 12:00:16 +0000

Bittorrent client Transmission gets hit with Ransomware, Facebook pays out $15k to a hacker & Microsoft is bringing SQL to Linux. It’s a HUGE edition of Tech Talk Today!

Certifiable Authority | TechSNAP 238
https://original.jupiterbroadcasting.net/89901/certifiable-authority-techsnap-238/
Thu, 29 Oct 2015 14:44:39 +0000

TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!

Thanks to: DigitalOcean | Ting | iXsystems

— Show Notes: —

TalkTalk compromise and ransom

  • “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
  • “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
  • That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
  • Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
  • “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
  • So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
  • “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
  • “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
  • With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
  • Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
  • “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
  • “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
  • Additional Coverage — The Independent
  • Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
  • Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
  • Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
  • Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
  • Video from TalkTalk CEO
  • If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will waive the termination fee if you decide you no longer want to be a TalkTalk customer
  • New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
  • “Significant and sustained cyber attack”, “sophisticated”… and then a 15-year-old kid is arrested as the hacker

Hackers make cars safer

  • “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
  • “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
  • Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
  • “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
  • “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
  • “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
  • US Regulators grant DMCA exemption to legalize vehicle software tinkering
  • Additional Coverage: NPR
  • The ruling uses the terms “good faith security research” and “lawful modification.”
  • “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
  • “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
  • Under the ruling, both exemptions don’t become law for at least a year

Google plays hardball with Symantec over TLS certificates

  • “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
  • Google’s Blog Post
  • Symantec Report
  • “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
  • It seems like Symantec was trying to downplay the incident, and gloss over its failings
  • “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
  • “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
  • This brings up serious questions about the management and oversight of the Symantec certificate authority
  • “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
  • “More immediately, we are requesting of Symantec that they further update their public incident report with:”
  • A post-mortem analysis that details why they did not detect the additional certificates that we found.
  • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
  • “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
  • “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
  • It is good to see Google using its muscle to make the CA industry smarten up and fly right

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.

No Crying In Coding | WTR 39 https://original.jupiterbroadcasting.net/87421/no-crying-in-coding-wtr-39/ Wed, 09 Sep 2015 03:40:09 +0000 https://original.jupiterbroadcasting.net/?p=87421

The post No Crying In Coding | WTR 39 first appeared on Jupiter Broadcasting.

Carolyn went from working in data science to mobile developer at Lookout Mobile. She discusses writing “magic hands” to automate her old job & what it’s like to self teach.

Transcription:

ANGELA: This is Women’s Tech Radio.
PAIGE: A show on the Jupiter Broadcasting Network, interviewing interesting women in technology. Exploring their roles and how they’re successful in technology careers. I’m Paige.
ANGELA: And I’m Angela.
PAIGE: So, Angela, today we talk to Carolyn and she is a recent mobile developer at Lookout. She comes from a data scientist background and we have some really interesting chat about her transition and just all the things that she’s gotten into; what’s been hard, what’s been awesome, and it’s a really good time.
ANGELA: Yeah. And before we get into the interview I just want to mention that you can support Women’s Tech Radio by going to Patreon.com/today. It is a subscription based support of our network. It supports all the shows, but specifically this show, Women’s Tech Radio. So go to Patreon.com/today.
PAIGE: And we got started by asking Carolyn what she’s up to in technology these days.
CAROLYN: Yeah, so I have sort of an interesting story of, or at least I think it’s interesting, of how I got into tech. I was a business major, not sure what I wanted to do with my life. Ended up in operations at a big company, but I always really, really loved data and I just loved spreadsheets and I met someone that let me, sort of taught me SQL and taught me how to be faster with what I was doing with SQL and I found out I really loved SQL. So I sort of just started building from there. I ended up at Lookout which is a mobile security anti-malware company and just sort of opened my eyes to a lot of technology. I started as a data analyst. Started managing the data warehouse and then earlier this year just moved over to Android development. So I’m learning a lot. So I’m new to engineering, but I have been speaking engineer, that’s what I say, for a very long time. So right now I’m working on a side project which we’ll be releasing at the end of this year and currently learning RxJava, which is pretty new. It’s really cool, but there’s definitely not really a lot out there about it. So I spend my days currently just really doing a lot of learning.
PAIGE: All right. So I will admit, I am not familiar with RxJava. How is it different than normal Java?
CAROLYN: It deals with like streaming data and so it’s really good for when you’re trying to chain things together without, you know, the data might not be available yet.
PAIGE: Oh, okay. So it’s Java non-blocking?
CAROLYN: Yeah.
PAIGE: Cool. You can probably continue explaining that for the audience.
ANGELA: And me.
PAIGE: Oh yeah.
CAROLYN: Well I’m still wrapping, I was just, like, so I, earlier this year did an online Android boot camp while I was still doing my data job and managing the data team and just sort of doing 20 things at once. And now, once I started to feel like I really got a foothold in Java, we decided to use RxJava and now I’m relearning a lot of things. So it’s still, I’m still feeling like I’m in a foreign country where I don’t speak the language. So I’m definitely, it’s made me actually have this huge respect for Netflix, because they are the ones that wrote the Android library for it and they’re just doing so much cool stuff over there. And they have a lot of good tutorials about it. So I definitely recommend, there’s a podcast about it and the head at Netflix is talking about RxJava. It’s really interesting. So I can add that to the show links for you guys too.
PAIGE: Netflix is really interesting because they, essentially their stack, they’re really stack agnostic where they look at their teams and they say do what you need to do to get your job done. And find the best way to do it. So I know that they have Angular, Ember, you know, they have an embedded team. They have the RxJava team and they all just kind of talk together because they really piece these pieces out. It’s really fascinating how they’re kind of making that work with being probably one of the biggest data companies in the world right now.
CAROLYN: Yeah. Well they’re definitely finding, you know, if there’s not a tool out there that meets their needs, they’ll build it. I have a friend who’s a doctor and I was explaining this concept to her and she was like this is so weird. She was like, why would they build it and open source it? You know. For me, personally, one of the things I actually stumbled upon in the tech community, which I didn’t really realize, is just the amount of support that people are willing, and companies are willing to give each other. I mean, there’s obviously companies that are competing and hate each other, but at the same time, I’m sure if you got their engineers together they would talk shop and share things they’re doing and it’s really cool. When I decided to be an engineer, late last year, I had so many people that were giving me free materials and helping me and the tech community, like every night of the week you can go to a meetup and have dinner and meet people and have people help you. Which was sort of a happy accident to find out about the tech community in general.
PAIGE: Yeah. I totally love that. And I love that it comes out of some of our roots of open source and being able to reach out and touch each other’s projects and just help out. I was listening to a podcast recently, ironically, and they were talking about how they’d open sourced their website, kind of. It’s a paid service. The guy was like, I’m shocked because every week we get somebody who just pops in and was like hey I forked your website and made this change, because I found this problem and here it is back. And this guy that fixes things is a paid customer of theirs, but he’s still jumping in to fix things for the company. It’s just like-
CAROLYN: Yeah.
PAIGE: Really awesome.
CAROLYN: Yeah. Actually, the boot camp that I did, um, is Code Path, which is a link in the show notes. And what they do is they go out to companies and do consulting and then they also have a boot camp if you are an engineer that you can, if you’re already two or three years in you can go. So I wasn’t like a candidate to be part of their boot camp. And even part of the consulting, my company said they’d pay for it, but they said you really need to learn Java before you do this boot camp. So they gave me all the materials for free. And they just said I could learn it on my own, which was pretty awesome. And had calls with me and sort of got me started on my path, just totally pro bono, which is really awesome.
ANGELA: That is really awesome.
CAROLYN: Yeah.
PAIGE: Very cool. Okay. So as a developer, I have to ask, how is it that it was SQL that grabbed your attention, because most developers I know just absolutely hate working in SQL, like we will avoid it like the plague. I actually kind of got my start in SQL as well, so I do like it, but most people I talk to they’re like I love all this web stuff, please don’t make me write SQL.
CAROLYN: Yeah, so what’s funny is the engineers on my team, when I see the SQL queries are writing I’m like, I’m so happy because that’s a place I can teach them and be like whoa this is not good. So what happened was, I was working for Williams Sonoma, which is, they also own Pottery Barn and they run it as this big monolithic company where they don’t really care if people are efficient and they would be perfectly happy with people just entering data all day instead of making efficient processes or systems. It was my first job out of college so I didn’t really know that life didn’t really have to be like that. So I was spending a lot of time manually going in and doing things and I just so happened to meet someone in my company named Mark Grassgob [ph] who really opened the door for me. He’s like just learn SQL and you can do this job that took you all day, you can do it in like 20 minutes. So it was more just a fact of me being like this is pretty powerful. These people are really living in the dark ages. So we literally wrote a script that would do our jobs for you. We called it magic hands. And then we’d go to coffee and no one that I worked for really — they just wanted us to get the work done. They didn’t know that we could eliminate everyone’s jobs and we’re like — we called it magic hands. It was so funny. We’d unleash magic hands on three computers and then realize oh the system couldn’t take that much input so we’d bring it down to two. And then it would enter in a price of a million dollars for a couch instead of $1,000 or something and so we’d get a call from like, you know, tech team in India overnight when some process blew up, so we definitely had to fine tune magic hands. Then I moved over to the technical team after that, because they sort of saw she can actually be on this team and do this without having really a background.
And then once I moved into data, it’s like SQL is king no matter what anyone says about big data and all these big data tools. It really, the backbone of everything is really SQL. So learning how to do efficient queries will make your job so much happier. If you write SQL wrong you’re going to give people wrong answers. So on the data side, you know, SQL just, to me, just made so much sense. But I guess it was sort of the first real programming I ever got my hands on. I love it.
PAIGE: I actually have had a couple friends recently who have asked me, because I kind of learned SQL the hard way by just throwing my head against Access, which is probably the worst interface ever.
CAROLYN: Yeah.
PAIGE: But do you have any good recommendations for books for online resources for SQL, because it’s kind of like this weird black hole where I can learn almost everything else online and I can’t seem to find anything good for SQL.
CAROLYN: The thing about SQL is that you will not be good at it. You will not really get your hands around it until you actually use it. So it’s one of those things where you need access to a dataset and you need questions to answer and then you’ll get it. So there are resources out there. I actually, when I was hiring data analyst as a manager I just created my own dataset and posted it for people and then had them answer some questions to show me they knew SQL or not. It’s really a learning by doing kind of thing. Which I guess most things are. But if you don’t have an interesting dataset to work with and you’re not trying to solve interesting problems, you’re just never going to pick it up. But I haven’t really found, there are available datasets out there and as bad as Access is and it gives you the graphical interface, don’t use that, you need to actually physically write it out. If you use Access, if you get access to a dataset dump it into Access and then use the, just handwriting the SQL, you know, you’ll get it.
PAIGE: Yeah, totally.
ANGELA: So in the form that you filled out before the show you said that you’re still trying to figure out why you never thought to be an engineer before.
CAROLYN: Yeah.
ANGELA: I think there’s a lot of people that don’t know that the way their personality and skills would make them perfect for a position. What would you recommend people do to figure out what best to be or do or try?
CAROLYN: I’ve been thinking about this a lot, actually. When I was younger, I grew up in San Diego and it was very much a beach culture, like very dude broey. It wasn’t cool to be smart when I was a kid. That’s how I felt. I was networking the internet in my parents’ house, like running the wireless, created their wireless, and I was one of the first people on Napster stealing music and creating CDs. I had this little computer in my room and my friends would come over and they’d be in their bikinis like beep, beep, let’s go to the beach. Did you make us CDs? I’m just like, you know, like stealing music off the internet. But to me, it was like, I mean this is like 1998 so I was really probably one of 10,000 people doing this.
PAIGE: We might have shared that stolen music together.
ANGELA: Yeah, I was just going to say, yeah 1998, that was golden year too for Napster and WinAmp.
CAROLYN: Yeah, totally.
PAIGE: It really kicks the llama’s ass.
ANGELA: Yeah.
CAROLYN: But for some reason it never crossed my mind that I was really good at this. I was way more interested in it than any of my friends. But instead I just was like, I’m just going to go to the beach and we’re going to try to get beer and do all these things. And I’m trying to figure out why it never crossed my mind to do that. But I also think it was a different time and technology wasn’t, people weren’t talking about technology. People weren’t interested in talking about apps. You know, like 1 in 20 people had a cell phone back then.
ANGELA: Right.
CAROLYN: So I think maybe it was just kind of like that time. When I went to college I was a business major and I thought I would just do business. I wasn’t really sure what I wanted to do. I think I had all the tools and I knew that I loved computers and I loved building things, but I never really had someone set me down. I never really had that career thought. I just sort of followed the path that I thought was laid out. And it really wasn’t until like mid last year that I thought I could really be an engineer and do it. It was really — what sort of tipped me was all these boot camps coming out and people just going and doing it. I had this deep — this thought of what would I do if I could do anything and I wasn’t scared to do it? To me, engineering was it. Lookout was incredibly supportive and let me move teams, which was really great and sort of a rare find in a company that would support someone to do this. So I got really lucky. But, you know, I think now with Women Who Code and a lot of organizations asking these questions of why women aren’t engineers, I think it’s because no one ever asked me and I never asked myself. And now that it’s sort of becoming the norm, you know, I’m hoping that more women will sort of naturally follow the path to be an engineer, because I think if there would have been more of that growing up that I probably would have found that path earlier.
PAIGE: That’s actually a part of why we started the podcast is because, you know, you say oh it was a different time then. And it was actually my conversation with a 16 year old that spawned me to start this, because I had this conversation and the 16 year old is good at math, enjoyed science, liked tech stuff, you know, didn’t do the assembling computers thing because nobody really does that anymore. But I was like, well have you considered being a programmer? And she was like, no that’s for boys, right? And I was like, whoa.
ANGELA: Yeah.
PAIGE: And this was last year.
CAROLYN: Yeah.
PAIGE: But I do think it’s changing. I think organizations like Women Who Code, Girl Develop It, ChickTech, all these different things are kind of getting in there and saying hey guys, or hey ladies you can do this too. And there’s no reason, like — like I like to say, girls type just as well as boys.
ANGELA: So I haven’t been to a boot camp, but it seems like that might be, aside from trying to join Women Who Code or another place like that that would support you, but the boot camp might help you. Is it like a conference where you can go and listen or watch different parts of development?
CAROLYN: I did a lot of research on boot camps at the end of last year and there’s some good and — there’s a lot of good, but there’s also a lot of bad. You can’t expect to just go somewhere for three months and then come out and be a fully fledged engineer and be ready to work, you know. So this boot camp is just a once a week for two hours for eight weeks kind of thing. Or I think it’s twice a week for two hours for eight weeks. But they are teaching mobile development to people who are already engineers. They just gave me — they record their lectures and they have all their assignments online and they just gave me access to their materials so I could write — I could work on apps on my own. I’d say it definitely took me a lot longer to get through it and I ended up just doing the parts of the boot camp that really applied to what I’d be working on at Lookout so I could just get up to speed faster, but, you know, their boot camp, there would be like a week of work would take me three weeks or something just to get done. Definitely was like, it took me a while to get through it. But it really is, I couldn’t say enough good things about Code Path. They do some really cool stuff. And they’re really smart guys. Actually, all men, but they do have a lot of women that go to their boot camps, so.
PAIGE: There’s definitely a really wide range of what we’re calling a boot camp right now. We have CodePath which is this kind of part-time thing. And there will be other online part-time things. And then there’s even in-person part-time things where you can go in the evenings and it’s a full five days a week. The boot camp that I worked out of is full five days a week. It’s a 16 week program if you do it at night or a 12 week program if you do it in the day. And it is full stack development. You go from the front end all the way through the back end. And I think that’s probably the most common is that it’s essentially two to three months. Some of them go out as far as six months of get in there, get your hands in code, have a portfolio at the end kind of a thing. But I agree with you, Carolyn, that you can’t go into a boot camp expecting to come out the other end like a full fledged developer unless you work your butt off. And there are companies hiring beginners. I think that the market is getting a little bit saturated, because there are so many boot camps.
CAROLYN: Yeah.
PAIGE: I’m in Portland, it’s a fairly small city, and I think right now we have five boot camps.
ANGELA: Wow.
PAIGE: And one of them is turning out two classes of 60 people each every 10 weeks.
ANGELA: Wow.
PAIGE: So it’s getting a bit saturated, but the market is still there.
CAROLYN: Yeah, and so I have friends in San Francisco that are recruiters and when I was switching over they were like whoa, whoa, whoa, don’t do boot camp. Don’t do it. We can’t hire people out of boot camps. There’s like 1 out of 20 that are hireable, you know. And so I was like, okay. And I had some talks with them and they were like, you have to — if you’re going to do a boot camp you also have to have another strategy of how you’re still going to become an engineer, you know. You do the boot camp but where are you going to — who is going to take you on as a junior developer? You need to have all those things sort of lined up.
ANGELA: Right.
CAROLYN: Or else you’re just going to do the boot camp and then go do something else.
PAIGE: Yeah. And I think that there are some things coming into the market that are trying to fill that. There’s a couple places like Thoughtbot has apprenticeship programs. A couple of the other bigger dev shops have that where you can kind of transition from beginner into intermediate. And then there’s some online stuff like Thinkful or Upcase where you can kind of build those skills after boot camp. And, of course, I’m always a fan; I think the biggest thing in our industry and most industries is mentorship. Like finding a mentor. Finding those people and going out and shaking hands.
ANGELA: Which you’d likely find at Women Who Code or Meetups or-
PAIGE: Totally.
ANGELA: The social aspect of it.
PAIGE: Meatspace as we like to call it.
CAROLYN: Yeah.
PAIGE: For nerd speak.
ANGELA: Whenever I hear meetspace I picture M-E-A-T.
PAIGE: That’s what it means.
ANGELA: Oh. Not M-E-E-T?
PAIGE: No. It’s M-E-A-T.
ANGELA: Oh.
PAIGE: Meatspace.
ANGELA: Why?
PAIGE: Because we’re nerds and it’s not digital, so it’s fleshy, so it’s meat.
ANGELA: Oh my gosh. Okay. Interesting. Okay.
PAIGE: Sorry.
ANGELA: Wow, that’s a great, I’m glad, okay. Continue with the interview.
PAIGE: Yeah. So you talked a little bit. You’ve moved over to the Android team. What’s fun and what’s hard about Android? I haven’t really dug in on Android development. I’ve done some iOS.
CAROLYN: What’s really fun about Android is, you know, day one you can open up your Android Studio and download the SDK and create a page. It has like a button, you know, and you can click the button and it can like play a song. You can do that in two days. You can publish it to the app store. You could put it on your phone. There’s definitely this — you can hit an API and pull data back. You know, you could do that in a couple days, learn all that from scratch. So there’s a very easy sort of, like, you know, there’s a link on Learning to Code in the notes where it’s a graph of — at first you, like, peek. It’s like a honeymoon at first. And everything seems really easy, but as you sort of start to unfold things, Android is really complicated and there’s 9,000 versions of Android that people are running out there and different sized devices and tablets and people are going to be using your app only on Wi-Fi, and there’s so many things to think about. As you want to do more, you get royally confused very quickly. So it’s cool to just sort of get up and running and get started, but there’s a lot to learn. There’s things you have to think about like battery usage and memory and all these things that you don’t really deal with if you’re a web developer. So it’s definitely a lot to get started. I work on a team where there’s a lot of senior engineers and a lot of people that really know what’s going on, so it’s like, it’s fun but it’s also — you know, you take some hits to your ego a little bit, because I feel like I used to know everything about the data warehouse and stepping into something where you don’t know what’s going on and you really have to feel your way through it, it can be a shot to your ego and how you feel about yourself. I always say, like, sometimes I feel like Tom Hanks, like when I get code reviews, like in a League of Their Own where he’s like, “There’s no crying in baseball.”
PAIGE: Uh-huh.
CAROLYN: Like, I literally have to tell myself, there’s no crying in coding when I get a lot of comments on a code review or I just totally, like — it’s a lot of falling down. A lot.
PAIGE: I’m so glad I’m not the only person that says, there’s no crying in coding.
CAROLYN: Yes, I say that to myself all the time.
PAIGE: Me too.
CAROLYN: It makes me feel better, because at least I’m out there. I’m out there and I’m like, they’re always like, oh no you’re doing really, really good, you just have this — where you just want — I want to be — I don’t want to say, I want to be perfect, but I want to be contributing and I don’t — I want to be getting things done and moving forward and writing really good code and you’re not going to do that when you move into engineering for like a year or two, you know. So just setting those expectations. You just have to lower your expectations for yourself a little bit.
PAIGE: Yeah. I think — this is a talk that I have with a lot of — I meet a lot of junior developers through Women Who Code and explaining to them, like listen I’ve been doing coding for a lot of years as a professional now, and there’s rarely a week that goes by where I don’t go, wow I feel like I know nothing.
CAROLYN: Yeah.
PAIGE: I’m totally Jon Snow. It’s not fun.
CAROLYN: But then when I share that feeling with other developers they’re like, welcome to being an engineer.
PAIGE: Yep, exactly.
CAROLYN: That’s what everyone says to me. They’re like oh you were frustrated all day and the last 10 minutes of your day everything made sense and you got it to run, like that’s your life.
PAIGE: Uh-huh.
CAROLYN: And I kind of love that. Like, personally. I actually really love that. I love working all day on a problem. To me, the day goes by in 30 minutes to me, even if I want to cry sometimes. It’s fun and I feel like I’m using more of my brain than I ever did before.
PAIGE: Yeah, it’s like 30 minutes of success after an entire day of the crying game.
CAROLYN: Yeah.
PAIGE: It’s totally, it’s where you’re at. And I think that knowing that going in, I like to say that programmers need to be eternally optimistic because it will work this time, I swear.
ANGELA: Thank you for listening to this episode of Women’s Tech Radio. Remember you can find a full transcription of this show over in the show notes at JupiterBroadcasting.com. You can also subscribe to the RSS feeds.
PAIGE: And while you’re there you could also reach out to us on the contact form. Let us know what you think about the show or any guests you might like to hear. Don’t forget, we’re also on iTunes and if you have a moment leave a review so we know how we’re doing and how we can improve the show. If you’d like to reach out to Angela and I directly, you can use WTR@JupiterBroadcasting.com for an email or check us out at Twitter, @HeyWTR. Thanks for listening.

Transcribed by Carrie Cotter | Transcription@cotterville.net

wget a Shell | TechSNAP 186 https://original.jupiterbroadcasting.net/70357/wget-a-shell-techsnap-186/ Thu, 30 Oct 2014 18:15:39 +0000 https://original.jupiterbroadcasting.net/?p=70357

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.


A vulnerability in wget exposes more flaws in commonly used tools, the major flaw in Drupal that just got worse & the new protocol built into your router you need to disable.

Plus a great batch of your feedback, a rocking round up & much much more!

— Show Notes: —

wget vulnerability exposes more flaws in commonly used tools

  • wget is a command-line download client from the GNU project, commonly found on Linux and Unix servers and also available for Windows
  • It was originally designed for mirroring websites: it has a ‘recursive’ mode that downloads an entire website (by crawling links) or an entire FTP site (or subdirectory) by traversing the directory tree
  • It is this mode that is the subject of the vulnerability
  • Versions of wget before the patched 1.16 are vulnerable to CVE-2014-4877, a symlink attack when recursively downloading (or mirroring) an FTP site
  • A malicious FTP site can change its ‘LIST’ response (the directory listing command in the FTP protocol) to report the same name twice, first as a symbolic link and then as a directory. This cannot happen on a genuine FTP server, since a file system cannot hold two objects with the same name
  • This vulnerability allows the operator of the malicious FTP site you are downloading from to cause wget to create arbitrary files, directories and symlinks on your system
  • The creation of new symlinks allows files to be overwritten
  • An attacker could use this to overwrite or create an additional bash profile, or ssh authorized_keys file, causing arbitrary commands to be executed when the user logs in
  • So an attacker could upload malware or an exploit of some kind, then cause the user to run it unintentionally the next time they start a shell
  • “If you use a distribution that does not ship a patched version of wget, you can mitigate the issue by adding the line “retr-symlinks=on” to either /etc/wgetrc or ~/.wgetrc”
  • Note: wget is often mislabeled as a ‘hacker’ tool because it has been used to bulk-download files from websites. Most of the time it is merely used as an HTTP client to download a file from a URL
  • Red Hat Bug Tracker
  • Some have proposed calling this bug “wgetmeafreeshell” or “wtfget” or “wgetbleed”, thankfully, we were spared such theatrics
  • HD Moore Tweets
  • HD Moore Blog Post
  • Metasploit Module
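As an added example (not wget's code nor anything from the advisory), here is a small audit script in the defender's position: it parses a Unix-style FTP LIST response, flags the duplicate-name symlink-then-directory pattern the bug depends on, and checks a wgetrc for the retr-symlinks=on mitigation quoted above. The listing format, function names and sample listing are all constructed assumptions.

```python
"""Audit an FTP LIST response for the CVE-2014-4877 listing trick and check a
wgetrc for the retr-symlinks=on mitigation. Added example; sample data is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Unix-style LIST line: perms links owner group size month day year/time name [-> target]
LIST_RE = re.compile(
    r"^(?P<perms>[-dl][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(?P<name>.+?)(?:\s->\s(?P<target>.+))?$"
)


@dataclass
class Entry:
    kind: str              # 'file', 'dir' or 'link'
    name: str
    target: Optional[str]  # symlink target, if any


def parse_list(listing: str) -> List[Entry]:
    entries = []
    for line in listing.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue  # "total N" lines and anything unparseable are skipped
        kind = {"d": "dir", "l": "link"}.get(m.group("perms")[0], "file")
        entries.append(Entry(kind, m.group("name"), m.group("target")))
    return entries


def find_suspicious(listing: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    seen = {}  # name -> kind of the first entry carrying that name
    for e in parse_list(listing):
        if e.name in seen:
            # A real file system cannot list one name twice.
            findings.append(f"duplicate name {e.name!r}: {seen[e.name]} then {e.kind}")
            if seen[e.name] == "link" and e.kind == "dir":
                findings.append(f"{e.name!r}: symlink followed by directory (CVE-2014-4877 pattern)")
        else:
            seen[e.name] = e.kind
        if e.kind == "link" and e.target is not None:
            # Links pointing outside the mirror tree are how files get overwritten.
            if e.target.startswith("/") or ".." in e.target.split("/"):
                findings.append(f"{e.name!r} -> {e.target!r}: symlink escapes the mirror directory")
    return findings


def wgetrc_has_mitigation(wgetrc: str) -> bool:
    """True if retr-symlinks=on is set, so wget retrieves link targets as files
    instead of creating local symlinks."""
    for line in wgetrc.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (p.strip().lower() for p in line.split("=", 1))
            if key.replace("_", "-") == "retr-symlinks" and value in ("on", "1", "yes"):
                return True
    return False


# Constructed malicious listing: "docs" appears first as a symlink, then as a directory.
SAMPLE_LISTING = """\
total 8
drwxr-xr-x   2 ftp ftp 4096 Oct 30  2014 pub
lrwxrwxrwx   1 ftp ftp   11 Oct 30  2014 docs -> /home/victim
drwxr-xr-x   2 ftp ftp 4096 Oct 30  2014 docs
-rw-r--r--   1 ftp ftp   42 Oct 30  2014 README
"""

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LISTING):
        print("WARNING:", finding)
    print("wgetrc mitigated:", wgetrc_has_mitigation("retr-symlinks = on\n"))
```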

Drupal flaw from 2 weeks ago, if you have not patched, assume your site is compromised

  • Drupal 7 included a new database abstraction API specifically designed to help prevent SQL injection attacks
  • It turns out to be vulnerable itself: a specially crafted request results in the execution of arbitrary SQL commands
  • “Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks”
  • All users running Drupal core 7.x versions prior to 7.32 need to upgrade
  • Drupal Security Advisory
  • One-line patch — the code assumed $data would always be a simple (integer-indexed) array; if it was an associative array (named keys instead of integers) this had unintended effects
  • Additional Coverage: Threatpost
  • It was announced today that a widespread automated attack has been detected against unpatched Drupal instances
  • Because of the nature of the vulnerability, a valid user account is not required to exploit the vulnerability, and no traces are left behind when a site is compromised
  • “Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement,” says a statement released by the Drupal maintainers on Wednesday
  • Drupal Public Service Announcement
  • Additional Coverage: Threatpost
  • It is entirely possible that attackers dumped the contents of Drupal databases, so it is probably best to reset all passwords
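The placeholder-expansion defect behind the one-line patch, sketched in Python as an added example (this is not Drupal's PHP, only a model of the logic the bullet above describes): the pre-7.32 behaviour builds new placeholder names from whatever keys the array carries, while the fixed behaviour, like array_values, numbers the values and discards the keys. Query, argument names and the inert marker key are constructed.

```python
"""Model of the Drupal 7 placeholder expansion (SA-CORE-2014-005), added example.
An associative array's keys were used to name placeholders spliced into the SQL;
the fix keeps only the values. All sample data is constructed."""
import re
from typing import Dict, Tuple, Union

Args = Dict[str, Union[list, dict, str, int]]


def _splice(query: str, key: str, new_keys: Dict[str, object]) -> str:
    # The placeholder ":name" is replaced by the comma-separated expanded names.
    return re.sub(re.escape(key) + r"\b", ", ".join(new_keys), query)


def expand_arguments_vulnerable(query: str, args: Args) -> Tuple[str, Args]:
    """Pre-fix logic: iterate the array as given, so a dict contributes its
    caller-controlled keys to the placeholder names and hence to the SQL text."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        items = data.items() if isinstance(data, dict) else enumerate(data)
        new_keys = {f"{key}_{i}": v for i, v in items}
        query = _splice(query, key, new_keys)
        args.update(new_keys)
        del args[key]
    return query, args


def expand_arguments_fixed(query: str, args: Args) -> Tuple[str, Args]:
    """Fixed logic: take the values only, so placeholders are always key_0..key_n-1
    regardless of how the array was keyed."""
    args = dict(args)
    for key, data in list(args.items()):
        if not isinstance(data, (list, dict)):
            continue
        values = list(data.values()) if isinstance(data, dict) else list(data)
        new_keys = {f"{key}_{i}": v for i, v in enumerate(values)}
        query = _splice(query, key, new_keys)
        args.update(new_keys)
        del args[key]
    return query, args


QUERY = "SELECT uid FROM users WHERE name IN (:name)"
# A normal caller passes a plain list ...
GOOD_ARGS = {":name": ["alice", "bob"]}
# ... but request parsing could hand over an associative array whose key text,
# here a constructed inert marker, lands verbatim in the query under the old code.
ODD_ARGS = {":name": {"0 -- injected": "alice", "1": "bob"}}

if __name__ == "__main__":
    print("vulnerable:", expand_arguments_vulnerable(QUERY, ODD_ARGS)[0])
    print("fixed:     ", expand_arguments_fixed(QUERY, ODD_ARGS)[0])
```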

NAT-PMP flaw puts 1.2 million home routers at risk

  • NAT-PMP is a UDP protocol designed in 2005 and standardized in 2013 as RFC 6886, intended to replace part of UPnP with a simpler implementation
  • It allows hosts on the internal network to request ‘please open tcp (or udp) port XXXX on the internet interface and forward that traffic to me’, and ‘what is our internet facing IP’
  • This allows hosts to accept incoming connections (like game servers, skype calls, etc) without having to manually create a ‘port forwarding’ rule
  • However, it seems some implementations are configured incorrectly and accept requests on both the internal (expected) and external (very bad!) interface
  • The NAT-PMP protocol uses the source IP address of the request to create the mapping, to help prevent abuse (so host A on the LAN cannot open up ports on host B, exposing it to the internet); however, because it is UDP, the source address can be spoofed
  • Researcher Post
  • Of the 1.2 million internet exposed devices Project Sonar found to be in some way vulnerable:
  • 2.5% are vulnerable to ‘interception of internal NAT traffic’, specifically, an attacker can create a mapping to forward attempts to connect to the router itself, to an external address, allowing the attacker to take over DNS and other services, as well as the administrative interface of the NAT device
  • 86% are vulnerable to ‘interception of external traffic’, allows the attacker to create a mapping on the external interface, for example, since more routers have the HTTP server disabled on the external interface for security reasons, an attacker could use your router to ‘reflect’ their website. Allowing them to keep the true address of their site secret, by directing traffic to your router, which would then reflect it to their address.
  • 88% are vulnerable to ‘Access to Internal NAT Client Services’, because NAT-PMP is over UDP, it is often times possible to send a spoofed packet, with a fake from address. This allows an attacker to basically create port-forwarding rules from outside, gaining access to machines behind the router, that are normally not exposed to the Internet.
  • 88% are vulnerable to a Denial of Service attack, by creating a mapping to the NAT-PMP service, the device will forward all real NAT-PMP requests off to some other host, basically breaking the NAT-PMP feature on the device
  • 100% of the 1.2 million devices were vulnerable to ‘Information Disclosure’, where they exposed more data about the NAT-PMP device than they should have
  • Also found during the SONAR scan: “7,400 devices responses were from a single ISP in Israel that responds to unwarranted UDP requests of any sort with HTTP responses from nginx. Yes, HTTP over UDP”
  • Because of the nature of project SONAR and the wide spread of the vulnerability, it is not possible to tell which brands or models of device are vulnerable. It may be easier for users to test known routers with the metasploit module, and attempt to create a database
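As an added example (not from the show notes, the researchers, or any vendor's firmware), here is a Python decoder for NAT-PMP requests in the RFC 6886 layout together with the admission checks a correctly configured gateway should make; the interface names, the 192.168.1.0/24 LAN and the request packets are constructed for the demo.

```python
"""Added example (not from the show notes or any vendor's firmware): decode
NAT-PMP requests in the RFC 6886 layout and apply the admission checks a
correctly configured gateway should make before creating a mapping."""
import ipaddress
import struct
from dataclasses import dataclass

OP_EXTERNAL_ADDRESS, OP_MAP_UDP, OP_MAP_TCP = 0, 1, 2
NATPMP_PORT = 5351  # the UDP port the NAT-PMP service itself listens on


@dataclass
class MapRequest:
    opcode: int
    internal_port: int
    suggested_external_port: int
    lifetime: int  # seconds; 0 asks for deletion of an existing mapping


@dataclass
class Gateway:
    """Constructed gateway description (hypothetical names and addresses)."""
    lan_iface: str
    lan_subnet: ipaddress.IPv4Network
    lan_addr: ipaddress.IPv4Address


def build_map_request(opcode, internal_port, external_port, lifetime):
    """Encode a mapping request: version 0, opcode, 2 reserved bytes,
    internal port, suggested external port, lifetime (all big-endian)."""
    return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)


def parse_request(payload: bytes):
    """Return ("addr", None) for an external-address query, ("map", MapRequest)
    for a mapping request; raise ValueError for anything malformed."""
    if len(payload) < 2 or payload[0] != 0:
        raise ValueError("unsupported NAT-PMP version or truncated packet")
    opcode = payload[1]
    if opcode == OP_EXTERNAL_ADDRESS:
        return "addr", None
    if opcode in (OP_MAP_UDP, OP_MAP_TCP) and len(payload) >= 12:
        _reserved, iport, eport, lifetime = struct.unpack("!HHHI", payload[2:12])
        return "map", MapRequest(opcode, iport, eport, lifetime)
    raise ValueError("unknown opcode or short mapping request")


def admit(gw: Gateway, ingress_iface: str, src_ip: str, payload: bytes):
    """Decide whether the gateway may act on a request. Returns (ok, reason).

    NAT-PMP maps the datagram's *source address*, and a UDP source can be
    forged, so the decisive check is which interface the packet arrived on:
    anything from the external side is dropped before it is even parsed.
    """
    if ingress_iface != gw.lan_iface:
        return False, "request arrived on the external interface"
    src = ipaddress.ip_address(src_ip)
    if src not in gw.lan_subnet:
        return False, "source address is not on the LAN"
    try:
        kind, req = parse_request(payload)
    except ValueError as exc:
        return False, f"malformed request: {exc}"
    if kind == "map":
        # A mapping whose target is the gateway itself would expose its own
        # DNS, NAT-PMP and administrative services to the Internet.
        if src == gw.lan_addr:
            return False, "refusing to map the gateway's own services"
        # Handing out port 5351 would redirect real NAT-PMP traffic to a
        # client host and break the service for everyone else.
        if NATPMP_PORT in (req.internal_port, req.suggested_external_port):
            return False, "refusing to map the NAT-PMP service port"
    return True, "accepted"


def demo():
    """Constructed scenario: a /24 LAN behind a gateway at 192.168.1.1."""
    gw = Gateway("lan0", ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_address("192.168.1.1"))
    game = build_map_request(OP_MAP_TCP, 25565, 25565, 7200)
    return {
        "lan_client": admit(gw, "lan0", "192.168.1.20", game)[0],
        # the same datagram seen on the WAN side, carrying a forged LAN source
        "forged_src_on_wan": admit(gw, "wan0", "192.168.1.20", game)[0],
        "foreign_src_on_lan": admit(gw, "lan0", "203.0.113.7", game)[0],
        "gateway_itself": admit(gw, "lan0", "192.168.1.1", game)[0],
        "natpmp_port": admit(gw, "lan0", "192.168.1.20",
                             build_map_request(OP_MAP_UDP, NATPMP_PORT, NATPMP_PORT, 3600))[0],
        "address_query": admit(gw, "lan0", "192.168.1.20", b"\x00\x00")[0],
        "bad_version": admit(gw, "lan0", "192.168.1.20", b"\x01\x02")[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>20}: {'accepted' if accepted else 'rejected'}")
```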

The post wget a Shell | TechSNAP 186 first appeared on Jupiter Broadcasting.

Base ISO 100 | BSD Now 44 https://original.jupiterbroadcasting.net/61457/base-iso-100-bsd-now-44/ Thu, 03 Jul 2014 11:46:54 +0000 https://original.jupiterbroadcasting.net/?p=61457 This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait! This week’s news and answers to all your emails, on BSD Now – […]

The post Base ISO 100 | BSD Now 44 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait!

This week’s news and answers to all your emails, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

pfSense 2.1.4 released

  • The pfSense team has released 2.1.4, shortly after 2.1.3 – it’s mainly a security release
  • Included within are eight security fixes, most of which are pfSense-specific
  • OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
  • It also includes a large number of various other bug fixes
  • Update all your routers!

DragonflyBSD’s pf gets SMP

  • While we’re on the topic of pf…
  • Dragonfly patches their old[er than even FreeBSD’s] pf to support multithreading in many areas
  • Stemming from a user’s complaint, Matthew Dillon did his own work on pf to make it SMP-aware
  • Altering your configuration’s ruleset can also help speed things up, he found
  • When will OpenBSD, the source of pf, finally do the same?

ChaCha usage and deployment

  • A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
  • This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
  • OpenSSH offers it as a stream cipher now, OpenBSD uses it for its random number generator, Google offers it in TLS for Chromium and some of their services, and lots of other projects seem to be adopting it
  • Both Google’s fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
  • Unfortunately, this article has one mistake: FreeBSD does not use it – they still use the broken RC4 algorithm

BSDMag June 2014 issue

  • The monthly online BSD magazine releases their newest issue
  • This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, “saving time and headaches using the robot framework for testing,” an interview and an article about the increasing number of security vulnerabilities
  • The free pdf file is available for download as always

Interview – Craig Rodrigues – rodrigc@freebsd.org

FreeBSD’s continuous testing infrastructure


Tutorial

Creating pre-patched OpenBSD ISOs


News Roundup

Preauthenticated decryption considered harmful

  • Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
  • In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end – this had the advantage of not requiring any extra disk space, but raised some security concerns
  • With signify, now everything is fully downloaded and verified before tar is even invoked
  • The pkg_add utility works a little bit differently, but it’s also been improved in this area – details in the post
  • Be sure to also read the original post from Adam, lots of good information

FreeBSD 9.3-RC2 is out

  • As the -RELEASE inches closer, release candidate 2 is out and ready for testing
  • Since the last one, it’s got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
  • The updated bsdconfig will use pkgng style packages now too
  • A lesser known fact: there are also premade virtual machine images you can use too

pkgsrcCon 2014 wrap-up

  • In what may be the first real pkgsrcCon article we’ve ever had!
  • Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
  • Unfortunately no recordings to be found…

PostgreSQL FreeBSD performance and scalability

  • FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
  • On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
  • Lots of technical details if you’re interested in getting the best performance out of your hardware
  • It also includes specific kernel options he used and the rest of the configuration
  • If you don’t want to open the pdf file, you can use this link too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • There, you’ll also find a link to Bob Beck’s LibReSSL talk from the end of May – we finally found a recording!
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Next week Allan will be at BSDCam, so we’ll have a prerecorded episode then

0x64 | CR 100 https://original.jupiterbroadcasting.net/56747/0x64-cr-100/ Mon, 05 May 2014 18:25:16 +0000 https://original.jupiterbroadcasting.net/?p=56747 Mike and Chris celebrate 100 weeks of Coder Radio by reading some great feedback, discussing new hardware choices, and why the future of desktop Linux is a little worrying. Thanks to: Direct Download: MP3 Audio | OGG Audio | Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | Video Feed | […]

The post 0x64 | CR 100 first appeared on Jupiter Broadcasting.



— Show Notes: —

Follow up / Feedback

Dev Hoopla

Misconceptions of Linux Security | TechSNAP 155 https://original.jupiterbroadcasting.net/54142/misconceptions-of-linux-security-techsnap-155/ Thu, 27 Mar 2014 17:01:59 +0000 https://original.jupiterbroadcasting.net/?p=54142 We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users and some great Q&A.

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.


We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode of TechSNAP.


— Show Notes: —

Exploring the misconceptions of Linux Security

  • “There is a perception out there that Linux systems don’t need additional security”
  • As Linux grows more and more mainstream, attacks become more prominent
  • We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
  • Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
  • The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
  • However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
  • Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
  • Firewalls generally do not help against attacks on web applications, because they operate at layers 3 and 4 and cannot detect an attempted exploit
  • Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application, attempting to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knowing exactly what legitimate traffic will look like
  • Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
  • Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
  • Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
  • “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

  • Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
  • Microsoft has released an emergency Fix-It Solution until a proper patch can be released
  • This attack is especially bad since it does not require the victim to open the malicious email; looking at the message in Outlook’s preview mode will trigger the exploit
  • According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
  • The attack uses a malicious RTF (Rich Text Format) file; Outlook renders RTF files with MS Word by default
  • The Fix-It solution disables automatically opening emails with RTF content with MS Word
  • This attack can also be worked around by configuring your email client to view all emails in plain-text only
  • Instructions for Office 2003, 2007 and 2010
  • Instructions for Outlook 2013
  • “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
  • The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
  • The exploit also checks how recently Windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
  • Additional Coverage – ThreatPost

Obscurity is not Security | TechSNAP 55 https://original.jupiterbroadcasting.net/19027/obscurity-is-not-security-techsnap-55/ Thu, 26 Apr 2012 18:59:25 +0000 https://original.jupiterbroadcasting.net/?p=19027 Cryptic Studios suffered a database breach, but we’ve got more questions, and more vulnerabilities have been found in critical infrastructure hardware.

The post Obscurity is not Security | TechSNAP 55 first appeared on Jupiter Broadcasting.


Cryptic Studios suffered a database breach, but we’ve got more questions than answers, more vulnerabilities have been found in critical infrastructure hardware, and a WiFi hack so easy it’s fun!

Plus why you might have had trouble downloading Jupiter Broadcasting shows, and so much more!

All that and more on this week’s TechSNAP!


Show Notes:

Rugged OS contains backdoor maintenance account with insufficient security

  • Rugged OS makes devices for controlling SCADA systems, including enabling management of non-networked SCADA devices via an IP-to-Serial interface
  • Rugged OS devices are used to manage traffic control systems, railroad communications systems, power plants, electrical substations, and even US military sites
  • The issue is that all Rugged OS devices contain an account with the username ‘factory’, that cannot be disabled
  • This account is obviously meant to allow the manufacturer to service the device, however it is insufficiently secured
  • Instead of using strong cryptography or SSL/SSH keys or something like that, the Factory Account uses a password derived from the MAC address of the device (so, the password is unique per device)
  • However, this password is simply the MAC address run through a short perl script that reverses the octets and takes the modulus of a static constant
  • This means that all of the factory user passwords are at most 9 digits in length and always contain only numeric values
  • The RuggedCom devices appear to use plain Telnet, rather than SSH, so all communications to and from the device are in the clear, meaning the password to the device could be sniffed by anyone with access to the network segment
  • The MAC address of the device is presented automatically as part of the login banner, making the compromise of these devices extremely trivial
  • Researchers notified the manufacturer more than a year ago, but rarely got a response
  • The researchers forced the issue via US-CERT in February of this year, and in the beginning of April CERT set a disclosure date due to a lack of response
  • This vulnerability was discovered by analyzing the firmware of a used Rugged OS device bought on eBay by the researchers
  • RuggedCom was acquired by the Canadian subsidiary of Siemens last month
  • Full Disclosure Mailing List Post

Cryptic Studios Customer Database Stolen, in Dec 2010

  • The database that was compromised contained user login names, game handles, and ‘encrypted’ passwords
  • The official notice is sparse on details and does not explain what type of ‘encryption’ was used for the passwords
  • “Even though the passwords were encrypted, it is apparent that the intruder has been able to crack some portion of the passwords in this database”
  • The fact that more than a year passed between the database compromise and the string of account compromises suggests that the passwords may have been properly hashed
  • The delay suggests that the attackers had to brute force the password database and that this took significant time; however, the time factor is relative: if the attacker only used a single machine to crack the passwords, or was unaware of rainbow tables, plain MD5 sums could easily take this long
  • Cryptographically hashed MD5 (meaning, with a salt) or, better yet, SHA256 would take significantly longer to crack and would be immune to rainbow tables
  • Salted passwords mean that even if two users have the same password, you have to brute force each hash separately (if you use plain MD5 sums, then all users with the same password can be cracked in one attempt)
  • It is also very likely that the attacker saved up the passwords they were able to crack in order to compromise all of the accounts at once, to avoid Cryptic taking the step they have taken now, and forcing a password reset on all affected accounts
  • The risk in waiting is that users will change their passwords over time, and the cracked passwords will then be rendered useless
  • Even cryptographic hashes can be cracked eventually, that is why it is important to change your passwords periodically

Arcadyan Wifi Routers have accidental backdoor in WPS

  • The flaw, which was likely originally in place as a debugging tool, allows any user to authenticate to your network using the WPS pin 12345670
  • This attack is worse than the previous WPS attack that reduced the keyspace, because it does not require someone to press the WPS button on the device
  • Worse, this override pin still works even if the WPS feature is disabled in the settings on the router
  • Arcadyan makes routers specifically for ISPs, and there are more than 100,000 of these $275 routers deployed in Germany alone, all of which are vulnerable
  • Both the stock shipped 1.08 and the latest downloadable version 1.16 of the firmware are vulnerable
  • The only available workaround is to disable wireless entirely
  • Since the routers are often white-labeled with your ISP’s name, check the MAC address instead: Arcadyan devices have MAC addresses that start with one of the following:
  • 00-12-BF
  • 00-1A-2A
  • 00-1D-19
  • 00-23-08
  • 00-26-4D
  • 1C-C6-3C
  • 74-31-70
  • 7C-4F-B5
  • 88-25-2C

Feedback:

Q: The entire Internet writes….

Why can’t I download JB shows? My world is ending!

A: Blip.tv (our video CDN) has made changes that are stupid. We are moving off blip.tv and will keep you updated. If you want to grab something that is still hosted on blip.tv and are having issues downloading the files, here are some example workarounds:

SQL Injections | TechSNAP 40 https://original.jupiterbroadcasting.net/15661/sql-injections-techsnap-40/ Thu, 12 Jan 2012 18:53:27 +0000 https://original.jupiterbroadcasting.net/?p=15661 We’ll explain how SQL Injections work, plus cover tools you can use to passively discover details about everyone connected to your network.

The post SQL Injections | TechSNAP 40 first appeared on Jupiter Broadcasting.


And Adobe blames some researchers for THEIR security mistakes, we’ll explain.

All that and more, on this week’s episode of TechSNAP!

   


Show Notes:


Zero day Adobe Reader vulnerability used to target defense contractors

  • An extremely targeted attack was carried out against major players in the defense industry using a previously unknown zero-day vulnerability in Adobe Reader
  • Only 20 or so machines were targeted, spread across a number of different companies
  • Specially crafted .PDF files that exploited the vulnerability to execute code on the victim’s machine were sent to a very specific list of email addresses, rather than the typical spam or phishing-style attack. This was likely meant to prevent the zero day vulnerability from being discovered so it could continue to be used
  • The payload of the exploit was the Sykipot Trojan
  • From analysis of the exploit, it appears to be based on previous research and a proof of concept released by Felipe Andreas Manzano in 2009
  • Adobe made a point of reminding security researchers that their publicly disclosed proof of concepts are often used as free R&D by cyber criminals. TechSNAP would like to remind Adobe that the point of publicly disclosing the research is free R&D to help/force Adobe to patch the vulnerabilities
  • The vulnerability was apparently reported to Adobe by Lockheed Martin after they discovered they had been compromised
  • Adobe announced the vulnerability on December 6th, and released the patch on January 10th
  • Previous TechSNAP Coverage
  • CVE Announcement

New version of the P0f network fingerprinting tool

  • The tool passively analyzes incoming network transmissions and determines the operating system and other information about the remote machine with a fairly high degree of accuracy
  • The feature of note with the newly rewritten version is that it can detect many types of forgery, alerting you when the remote machine is not what it claims to be
  • The tool also features the ability to analyze some application layer protocols such as HTTP
  • One of the features is the ability to detect user agent forging (spam bots pretending to be running Firefox or MSIE)
  • It is also able to detect some other aspects of the connection, such as NAT, load balancing, PPPoE (common for DSL), VPNs, transparent and other irregular proxies, and even Tor
  • This tool could be very useful for fraud screening purposes, ecommerce sites can detect when the user is attempting to mask their identity and flag the orders for additional investigation
  • This tool could also be used as part of a firewall or man-in-the-middle attack, to detect technologies such as VPNs and block them, in an effort to have users connect without the additional security so they can be spied upon

Verizon Business Consulting analyzes second wave attacks against RSA customers

  • Typical attacks using email spear-phishing to attempt to place trojans and keyloggers on machines of SecurID users
  • The objective is to log the username, password and the temporary PIN generated by the SecurID Token
  • Once a small number of these PINs are obtained, the attackers may be able to successfully clone the SecurID token to generate valid PINs at will, allowing them to compromise the targets easily
  • The unconfirmed list of companies who have been targeted includes: Lockheed Martin, Northrop Grumman, The International Monetary Fund, and L–3 Communications
  • RSA continues to claim that the security of the SecurID tokens has not been compromised, but after being subjected to much pressure by customers, has agreed to replace the tokens of any customers who request it

Feedback:

Q: (EBeyer) You talk about it a lot on the show, and it is one of the most common security vulnerabilities on the web, but what is SQL Injection?

A: An SQL Injection attack is caused by careless coding during the construction of an application that uses an SQL database. Through some fault or other, the attacker is able to “inject” code into the SQL statement.

The classic example comes from this very poor login script:

SELECT * FROM users WHERE username = '$username' AND password = '$password'

During normal operation this works as expected. However, if someone were to attempt to log in with a username of, say, "allan' --", the executed SQL query would be:

SELECT * FROM users WHERE username = 'allan' --' AND password = '$password'

Here -- is the SQL comment indicator, causing the rest of the query to be ignored. This would allow someone to log in as any user without knowing the user’s password.

A further example: they could use the username "'; DROP TABLE users; --"

causing the resultant SQL query to be:

SELECT * FROM users WHERE username = ''; DROP TABLE users; --' AND password = '$password'

which would find 0 users, then delete the entire users database table.

That is why it is important to ‘sanitize inputs’. What this means is that you must remove or escape characters with special meanings, so that they are not interpreted. Each programming language provides ways to do this, but amateurs and sloppy coders often forget or miss cases where input from the user is executed without being sanitized.

PHP, for example, provides a number of methods of sanitizing the input, including the mysql_escape_string() function, which attempts to escape any meta characters but does not consider the character set. It has been deprecated and should be replaced by mysql_real_escape_string(), which requires an active connection to the MySQL database (required anyway if you are going to run a query) and takes the character set, database settings and server configuration into consideration. You can also use Prepared Statements, where the SQL query is defined with placeholders for the variables, and those variables are then substituted at execution time, where they are escaped properly.
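As an added example (not from the show notes), here is the login query above built both ways in Python against an in-memory SQLite database with constructed sample users; sqlite3 stands in for MySQL, and its executescript() plays the role of a driver that runs stacked statements.

```python
"""Added example (not from the show notes): the login query above, built the
vulnerable way and as a prepared statement, run against an in-memory SQLite
database with constructed sample users. sqlite3 stands in for MySQL here."""
import sqlite3

# Constructed sample accounts with plaintext passwords, purely so the effect
# of the injection is visible. Real systems store salted password hashes.
SAMPLE_USERS = [("allan", "s3cret"), ("chris", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The poor login script from the show notes: user input is pasted into
    the SQL text, so quotes and -- in the input become part of the query.
    Returns the matched username or None."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_prepared(conn, username, password):
    """Same check as a prepared statement: the SQL text is fixed and the
    values are bound separately, so the input is compared as data and is
    never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def run_stacked_vulnerable(conn, username, password):
    """The vulnerable query on a driver that runs several statements in one
    call (sqlite3's executescript plays that role), which is what makes the
    DROP TABLE payload destructive."""
    conn.executescript(
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )


def users_table_exists(conn) -> bool:
    """True while the users table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def demo():
    """Run the two payloads from the show notes through both versions."""
    conn = make_db()
    results = {
        "valid_vulnerable": login_vulnerable(conn, "allan", "s3cret"),
        "valid_prepared": login_prepared(conn, "allan", "s3cret"),
        # "allan' --" comments out the password clause in the vulnerable query
        "bypass_vulnerable": login_vulnerable(conn, "allan' --", "wrong"),
        "bypass_prepared": login_prepared(conn, "allan' --", "wrong"),
    }
    stacked = make_db()
    run_stacked_vulnerable(stacked, "'; DROP TABLE users; --", "x")
    results["table_survives_stacked_vulnerable"] = users_table_exists(stacked)
    safe = make_db()
    results["drop_payload_prepared"] = login_prepared(safe, "'; DROP TABLE users; --", "x")
    results["table_survives_prepared"] = users_table_exists(safe)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>35}: {value!r}")
```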


Phreaking 3G | TechSNAP 14 https://original.jupiterbroadcasting.net/10246/phreaking-3g-techsnap-14/ Thu, 14 Jul 2011 21:38:23 +0000 https://original.jupiterbroadcasting.net/?p=10246 We’ll cover a story that really drives home how serious cell phone hijacking has gotten, and what new technology just made it a lot easier for the bad guys.

The post Phreaking 3G | TechSNAP 14 first appeared on Jupiter Broadcasting.


Coming up on This Week’s TechSNAP!

We’ll cover a story that really drives home how serious cell phone hijacking has gotten, and what new technology just made it a lot easier for the bad guys.

Plus find out why TrendJacking is more than a stupid buzz term, and we load up on a whole batch of audience questions!

All that and more, on this week’s TechSNAP!


Show Notes:

Thanks to the TechSNAP Redditors!

Vodafone SureSignal appliance rooted by THC

  • Vodafone sells a 3G signal boosting appliance for home users to boost mobile reception in their homes. The device sells for 160 GBP ($260 USD)
  • The FemtoCell or SureSignal appliance connects to the Vodafone network via your home internet connection, and relays mobile phone signals
  • The Hackers Choice (THC, developers of the well known hacking tool Hydra) managed to reverse engineer the device and brute force the root password. THC has been actively working on exploiting various devices of this nature since 2009
  • Once compromised, the device can be turned into a full blown 3G/UMTS/WCDMA call interception device.
  • The FemtoCell uses the internet connection to retrieve the private key of the handset that is attempting to use the cell, in order to create an encrypted connection.
  • In its intended mode of operation, the FemtoCell can only be used by the person who purchased it
  • The FemtoCell has a limited range of about 50 meters (165 feet)
  • With a rooted device, an attacker can get the secret key of any Vodafone subscriber
  • With a user’s secret key, you can decrypt their phone calls (if they are within range), but also masquerade as their phone and make calls at the victim’s expense.
  • This attack also grants you access to the victim’s voicemail
  • The root password on the Vodafone device was ‘newsys’
  • Some question whether Vodafone should be held liable for not protecting their customers
  • Quote from THC: “Who is liable if the brakes on my car malfunction? The driver or the manufacturer? Or the guys who tell us how insecure they are?”
  • THC Wiki page on the Vodafone device, includes diagrams

Fake Facebook App promises invites to Google+ to steal your info

  • When you visit the unofficial page for Google+ on Facebook, you are invited to allow the 3rd party app to access your Facebook account (a common requirement to use any Facebook app)
  • Specifically, this app requests access to post on your wall, allowing it to spam all of your friends, inviting them to join as well. It also requests access to all of your personal data
  • You are then requested to ‘Like’ the app, and then invite all of your friends (Again, this is common with many Facebook apps, especially games, where inviting your friends can offer in-game rewards)
  • Your friends then accept the invite, assuming it is legitimate because it came from you
  • Now this application has managed to spread wildly and has complete access to your Facebook profile, allowing it to scrape all of your personal information, as well as use your account to promote further fake and malicious applications.
  • You need to watch what applications you are allowing access to your profile, and specifically which rights they are requesting. Does that game really need ‘access to your data at any time’, rather than only when you are using it? Do you trust it with access to post to your wall?
  • This trend has been dubbed TrendJacking

Feedback


Q: (Peter) While investigating different data centers to house our application, one of them mentioned that we should use physical servers to host our database, rather than hosting the database in virtualization like VMware. Is this true?

A: There are a number of reasons that a physical server is better for a database. The first is pure I/O. In virtualization, there is always some level of overhead in accessing the physical storage medium compared to doing it natively. There is also overhead, even with hardware virtualization, for CPU cycles, disk access, network access, etc. It is generally considered best practice to keep your database on physical hardware. That doesn’t mean you can’t virtualize it, but if you are worried about performance, I wouldn’t.


Q: (nikkor_f64) In the recent ‘usage based billing’ legal battles in Canada, the smaller ISPs are proposing to use 95th Percentile Billing, what is that?
A: 95th percentile billing is the way most carrier-grade Internet connections have been billed for as long as I have been in the business. The concept is quite simple: rather than charging the subscriber for the amount of bandwidth that they use, such as pricing per gigabyte, the billing is based on peak usage. Typically, the rate of data up and down the link is measured every 5 minutes (routers count every bit as it goes through; by looking at that counter every 5 minutes and subtracting the value from 5 minutes ago, you can determine the average speed for the last 5 minutes). Then, as the name suggests, you take the 95th percentile of those values. This is done by sorting the list of measurements and deleting the top 5%; the highest measurement left is the 95th percentile, and you pay for that much bandwidth. Some might argue, “but that is more than I actually used, my average was far less than that.” The key to why this system works is that it charges the subscriber for the peak amount of bandwidth they used, save for a small grace. This allows the ISP to properly budget for the capacity they need to serve that customer.

Normally, your contract will be something like: a 5 megabit/second commitment, with 100 megabit burstable. This means you have a full 100/100 megabit connection, and you will pay for 5 megabits/second minimum at a fixed price. You will also be quoted a price for ‘overage’. If your 95th percentile is over 5 megabits, you pay the overage rate per megabit that you are over. You get a lower per-megabit rate on your commitment level, but that is a minimum: you have to buy at least that much each month, even if you don’t use it, but the more you buy, the cheaper it is. So, this means that during peak periods you can use the full 100 megabits without having to pay extra, as long as your 95th percentile stays below 5 megabits. (5% of a month is about 36 hours, meaning you get the busiest 1 hour of each day for free.)
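The calculation described in that answer, as an added example (not from the show notes or any ISP's billing code): cumulative octet counters polled every 5 minutes are turned into per-interval rates, the top 5% of samples are discarded, and the highest remaining sample is compared against the commitment. The 5-minute poll interval comes from the answer; the 32-bit wrapping counter, the constructed day of traffic, and the commitment and overage prices are assumptions made for the example.

```python
# Added example, not from the TechSNAP show notes: how a 95th-percentile bill
# is computed from router interface counters.  The 32-bit counter size, the
# constructed traffic day and the prices are all assumptions.

INTERVAL_SECONDS = 300          # routers are polled every 5 minutes
COUNTER_MAX = 2 ** 32           # assumed 32-bit octet counters (they wrap around)


def interval_rates_mbps(counters, interval=INTERVAL_SECONDS, counter_max=COUNTER_MAX):
    """Convert cumulative octet-counter readings into the average rate of each
    polling interval, in megabits per second.

    Each reading is subtracted from the previous one.  The modulo handles a
    counter that wrapped past counter_max between two polls; this is only
    unambiguous while one interval moves fewer than counter_max octets, which
    for a 5-minute poll of a 32-bit counter means rates below ~114 Mbit/s.
    """
    rates = []
    for prev, cur in zip(counters, counters[1:]):
        octets = (cur - prev) % counter_max
        rates.append(octets * 8 / interval / 1_000_000)
    return rates


def percentile_95(rates):
    """Sort the samples, discard the top 5%, and return the highest one left."""
    if not rates:
        raise ValueError("no samples to bill on")
    ordered = sorted(rates)
    discard = int(len(ordered) * 0.05)      # number of samples in the top 5%
    return ordered[len(ordered) - discard - 1]


def monthly_bill(p95_mbps, commit_mbps, commit_price, overage_per_mbps):
    """The commitment is a minimum charge; only the part of the 95th percentile
    above the commitment is billed at the (higher) overage rate."""
    over = max(0.0, p95_mbps - commit_mbps)
    return commit_price + over * overage_per_mbps


def build_counters(rates_mbps, start=4_000_000_000,
                   interval=INTERVAL_SECONDS, counter_max=COUNTER_MAX):
    """Constructed test data: turn per-interval rates back into the wrapping
    cumulative counter readings a router would report."""
    counters = [start]
    for r in rates_mbps:
        octets = int(r * 1_000_000 / 8 * interval)
        counters.append((counters[-1] + octets) % counter_max)
    return counters


# Constructed day of traffic (288 five-minute intervals): a 3 Mbit/s baseline,
# 2.5 hours at 6 Mbit/s, and a one-hour burst at 60 Mbit/s on a 100 Mbit link.
SAMPLE_DAY_MBPS = [3.0] * 120 + [6.0] * 30 + [60.0] * 12 + [3.0] * 126


def summarize(counters, commit_mbps=5.0, commit_price=500.0, overage_per_mbps=50.0):
    """Return peak, 95th percentile and bill for a series of counter readings."""
    rates = interval_rates_mbps(counters)
    p95 = percentile_95(rates)
    return {
        "peak_mbps": max(rates),
        "p95_mbps": p95,
        "bill": monthly_bill(p95, commit_mbps, commit_price, overage_per_mbps),
    }


if __name__ == "__main__":
    result = summarize(build_counters(SAMPLE_DAY_MBPS))
    # The 60 Mbit/s burst falls entirely inside the discarded top 5%, so the
    # customer is billed on 6 Mbit/s: 1 Mbit/s over the 5 Mbit/s commitment.
    print(result)
```

In the constructed day the one-hour burst at 60 Mbit/s is dropped with the top 5% of samples, exactly the “busiest hour for free” effect the answer describes; the 2.5 hours at 6 Mbit/s are not, so that becomes the billed rate and the customer pays 1 Mbit/s of overage. The counter arithmetic also shows why polling interval and counter width matter: the start value is chosen so the 32-bit counter wraps within the first few polls, and the modulo makes those deltas come out right.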


Q: (Justin) What would be the weaknesses of using GPG to encrypt my files before storing them in the cloud?
A: There are a few issues:
1. Key Security – You need to keep the keys safe; if they fall into the wrong hands, then your data is no longer secure.
2. Key Management – You also have to have access to the key, wherever you are, in order to access your data. Unlike data that is protected with a simple passphrase, you need the key itself to access your data. So if you are on your mobile and you need access to your data, how do you get access to your key? If you store a copy of your key on the mobile, is it secure? Also, if your key is lost or destroyed, then there is no way to access your data, so you have to safely back it up.
3. Key Lifecycle – How often should you change your key? How many different keys should you use? If you use multiple keys, less data is compromised in the event that one of your keys is exposed, but it also complicates Key Security and Key Management.
4. Speed – Asymmetric encryption, such as GPG, is far slower than symmetric encryption algorithms like AES. This is especially true with the newer Intel i7 processors having a specific AES instruction set that increases performance by about 8 times. This is why sometimes you will see a system where the data is encrypted with AES, and then the key for the AES is encrypted with GPG, giving you a hybrid: the strength of GPG with the speed of AES.
5. Incremental Changes –


Round-Up:

Bitcoin Blaster:

The post Phreaking 3G | TechSNAP 14 first appeared on Jupiter Broadcasting.