Standards – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Tue, 12 Mar 2019 15:25:14 +0000

Dependency Dangers | Coder Radio 348 https://original.jupiterbroadcasting.net/129766/dependency-dangers-coder-radio-348/ Tue, 12 Mar 2019 07:24:49 +0000

Show Notes: coder.show/348

The post Dependency Dangers | Coder Radio 348 first appeared on Jupiter Broadcasting.

Proper Password Procedures | TechSNAP 398 https://original.jupiterbroadcasting.net/129611/proper-password-procedures-techsnap-398/ Fri, 01 Mar 2019 07:47:05 +0000

Show Notes: techsnap.systems/398

The post Proper Password Procedures | TechSNAP 398 first appeared on Jupiter Broadcasting.

IoT and Chill | LAS 432 https://original.jupiterbroadcasting.net/102556/iot-and-chill-las-432/ Sun, 28 Aug 2016 17:51:22 +0000 Internet of Linux? Can the Internet of Things really be under the control […]

The post IoT and Chill | LAS 432 first appeared on Jupiter Broadcasting.

— Show Notes: —


System76

Brought to you by: Linux Academy

Internet of Linux?

Home Assistant is an open-source home automation platform running on Python 3. Track and control all devices at home and automate control. Installation in less than a minute.

Ryan has a new job

Controlling IoT with Open Source:

— PICKS —

Runs Linux

Promethean

The ActivBoard Touch combines multi-touch functionality, a dry-erase surface and award-winning software to foster a truly interactive learning experience. It provides teachers with a wide range of tools to support their daily instruction while respecting tight budgets. – See more at:

https://support.prometheanworld.com/download/activinspire.html

Desktop App Pick

BleachBit

BleachBit quickly frees disk space and tirelessly guards your privacy. Free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn’t know was there. Designed for Linux and Windows systems, it wipes clean a thousand applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more.

Spotlight

KDE Connect 1.0 is here!

Today we are officially publishing the first stable release of KDE Connect. Hooray! This version is the most solid yet feature-packed version we ever released. It’s been in development for a year now and it took a lot of hard work, we hope you like it!

New Linux Show: User Error


— NEWS —

Having offended everyone else in the world, Linus Torvalds calls own lawyers a ‘nasty festering disease’

“I actually think we *should* talk about GPL enforcement at the kernel summit, because I think it’s an important issue,” Torvalds gently began, “but we should talk about it the way we talk about other issues: among kernel developers. No lawyers present unless they are in the capacity of a developer and maintainer of actual code, and in particular, absolutely not the Software Freedom Conservancy.”

“The GPL ensures that nobody is ever going to take advantage of your code. It will remain free and nobody can take that away from you. I think that’s a big deal for community management.”

Bytemark sponsor Ubuntu MATE

A couple of weeks ago the Bytemark Managing Director, Matthew Bloch, contacted the Ubuntu MATE team to offer free hosting for the project. As of August 18th 2016 all the Ubuntu MATE infrastructure is hosted on Bytemark Cloud Servers.

Secure, Monitor and Control your data with Nextcloud 10

Nextcloud 10 is now available with many new features for system administrators to control and direct the flow of data between users on a Nextcloud server. Rule based file tagging and responding to these tags as well as other triggers like physical location, user group, file properties and request type enables administrators to specifically deny access to, convert, delete or retain data following business or legal requirements. Monitoring, security, performance and usability improvements complement this release, enabling larger and more efficient Nextcloud installations. You can get it on our install page or read on for details.

Mail Bag

Call Box

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Trojan Family Ties | TechSNAP 230 https://original.jupiterbroadcasting.net/87251/trojan-family-ties-techsnap-230/ Thu, 03 Sep 2015 06:36:10 +0000

The post Trojan Family Ties | TechSNAP 230 first appeared on Jupiter Broadcasting.


Rooting your Android device might be more dangerous than you realize, why the insurance industry will take over InfoSec & the NSA prepares for Quantum encryption.

Plus some great questions, a fantastic roundup & more!


— Show Notes: —

Taking Root – Malware on Mobile Devices

  • Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
  • Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access a virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
  • Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.
  • They analyzed the statistics collected from May to August 2015 and identified “Trojan families” that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.
  • A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.
  • After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications.

  • There are popular “families” of Android malware.

  • Leech Family

  • This malware family is the most advanced of those described.
  • Some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google.
  • The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.

  • Ztorg family

  • On the whole, Trojans belonging to this family have the same functionality as the one previously described.
  • The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis.
  • The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched.
  • Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.

  • It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks.


Will the insurance industry take over InfoSec?

  • “Insurance is a maturity indicator”
  • When insurance comes, full scale, to the InfoSec industry, maybe that means we have finally gotten to the point where we understand the risks enough to start putting money on it
  • While I can definitely see the argument that insurance companies are in a position to force their clients into certain minimum security practices, either to qualify for insurance, or for a reduced rate
  • At the same time, I foresee a bunch of useless certifications, extra bureaucracy, and more things like PCI-DSS audits that miss the point entirely
  • “People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected. If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.”
  • The article points out the three basic requirements for insurance companies to be interested:
    • Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
    • Adequate money in the form of a population able to pay premiums.
    • Sufficient actuarial data on which to base the pricing and payout models.
  • I don’t know that that last measure can be met yet. Unlike with car insurance, it is much harder to predict what a company’s chances of getting breached are.
  • Considering factors like how high profile they are (fancier cars get stolen more), what infrastructure they use (newer cars are safer), how often they patch (this can be hard to measure, like how often you service your car, it might not work), doesn’t really give you enough information in order to price the insurance
  • In the end, pretty much every company has a 100% chance of being breached; it can come down to how quickly it will be detected, and how much damage will be done
  • At this point, I don’t think the insurance industry is qualified, and we’ll either see them making so many payouts that they are losing money, or writing loopholes into insurance with vague sentiments like “industry standard security practices”, to weasel out of paying up
  • Predictions from the article:
    • Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
    • As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
    • In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
    • Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
    • For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
  • “When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.”
  • “Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.”
  • Insurance won’t fix everything (or anything?)
  • “We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.”

The NSA books crypto recommendations

  • The NSA, in its role as the organization that sets cryptography standards used by the entire government, has updated its recommendations on what algorithms and key sizes to use
  • Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS).
  • A look at the site from a few months ago highlights some of the differences
    • AES 128 was dropped. Formerly used for ‘SECRET’, with AES 256 for ‘TOP SECRET’; AES 256 is now recommended for both
    • ECDH and ECDSA P-256 were also dropped for ‘less’ secret information in favour of P-384
    • SHA-256 was also dropped. Surprisingly, SHA-384 remained the recommendation over SHA-512
    • Additionally, new requirements that were not specified before were added
    • Diffie-Hellman Key Exchange requires at least 3072-bit keys
    • RSA for Key Establishment and Digital Signatures also now requires 3072 bit keys
  • IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms.
  • We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.
  • Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms.
  • With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.

Microsoft’s Munich Man | LINUX Unplugged 54 https://original.jupiterbroadcasting.net/64912/microsofts-munich-man-linux-unplugged-54/ Tue, 19 Aug 2014 17:35:48 +0000

The post Microsoft's Munich Man | LINUX Unplugged 54 first appeared on Jupiter Broadcasting.


Sam from the Moka project stops by to chat about the business of making Linux look better. Then we get into the role open source plays in self driving cars.

Plus we bust some of the FUD around Munich’s much reported plan to abandon Linux and switch back to Windows.


Show Notes:

Pre-Show:

FU:


Moka Project

Joined by “snwh” aka Sam Hewitt

Moka started as a single Linux desktop icon theme, but over time it has gradually evolved into an entire project & brand identity that provides quality designs to people.

Moka is about personalization and its goal is to provide an assortment of style options to allow you to customize your experience. Moka’s suite of themes is a “style layer” for your favourite OS – you can use your favourites and layer Moka right on top.

Robocars | Erich Eickmeyer

Munich Disappointed with Linux, Plans to Switch Back to Windows [Updated]

German media is reporting that city officials were looking into productivity figures of local departments and acknowledged that many employees actually experienced issues with Linux. That wasn’t the case before 2004, when Windows was powering all PCs, a local source said.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

It’s Java’s Year | CR 83 https://original.jupiterbroadcasting.net/49012/its-javas-year-cr-83/ Mon, 06 Jan 2014 11:57:53 +0000

The post It’s Java’s Year | CR 83 first appeared on Jupiter Broadcasting.


We’ll bust some Java myths with Mark Heckler, a software engineer at Oracle. Plus the status of Duke, Java on embedded systems, and what the future holds.

Plus your feedback and some of Mike’s 2014 bets.


Feedback

Interview

  • Mark Heckler Software Eng at Oracle.

Mike’s look at 2014:

Russia to the Rescue | Unfilter 66 https://original.jupiterbroadcasting.net/42977/russia-to-the-rescue-unfilter-66/ Wed, 11 Sep 2013 21:50:34 +0000

The post Russia to the Rescue | Unfilter 66 first appeared on Jupiter Broadcasting.


Russia’s president Vladimir Putin has silenced America’s war drums, at least for now. While special interests continue to push for war, Americans have awoken from their industrial-media-induced comas and taken to the streets. We’ll cover the mounting pressure against a new war.

Then the NSA is caught again, this time subverting industry standards and covertly influencing major tech companies. We’ll bring you up to date.

Plus it’s your feedback, our follow up, and much much more.

On this week’s Unfilter.


— Show Notes —


NSA is CRAZY

The files show that the National Security Agency and its UK counterpart GCHQ have broadly compromised the guarantees that internet companies have given consumers to reassure them that their communications, online banking and medical records would be indecipherable to criminals or governments.

The agencies, the documents reveal, have adopted a battery of methods in their systematic and ongoing assault on what they see as one of the biggest threats to their ability to access huge swathes of internet traffic – “the use of ubiquitous encryption across the internet”.

Those methods include covert measures to ensure NSA control over setting of international encryption standards, the use of supercomputers to break encryption with “brute force”, and – the most closely guarded secret of all – collaboration with technology companies and internet service providers themselves.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

The National Security Agency made a select amount of information on American citizens available to the Central Intelligence Agency and two other agencies even though prohibited by court order, according to documents released Tuesday by National Intelligence Director James Clapper.

The unauthorized dissemination of Americans’ data, including telephone numbers and email addresses and culled from the full phone records database on all domestic and one-end-foreign calls, is one of a number of ways in which the NSA misused the database between 2006 and 2009. Though there are authorized reasons the NSA can share information with outside agencies, the dissemination activity revealed in the documents did not fit those criteria.

However, it remains a mystery why the NSA granted the CIA, Federal Bureau of Investigation and National Counterterrorism Center (NCTC) access to the data, because that information was blacked out when the intelligence community released documentation of this violation on Tuesday.


– Thanks for Supporting Unfilter –

This Week’s New Supporters:

  • Anonymous Via Bitcoin and Bitmessage

  • Vital T

  • Craig T

  • Craig C

  • Colin H

  • User

  • Jakup L

  • Thanks to our 177 Unfilter supporters!

  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.


Syria

“I want to make sure that norm against use of chemical weapons is maintained,” Mr Obama told ABC News.

“That’s in our national security interest. If we can do that without a military strike, that is overwhelmingly my preference.”

The Syrian government has accepted a Russian proposal to put its chemical weapons under international control to avoid a possible U.S. military strike, Interfax news agency quoted Syria’s foreign minister as saying on Tuesday.

Russian President Vladimir Putin appears especially delighted by the tentative acceptance of the plan. It allows him to show that Moscow remains a major player in the Middle East and a world power broker.

“He’s been eager to show that he can fill the partial diplomatic vacuum the U.S. has left in the Middle East, and this lets him make that point,” said Andrew Weiss, a White House advisor on Russia during the Clinton administration and now vice president for studies at the Carnegie Endowment for International Peace.

The chairman of the Senate Armed Services Committee said Wednesday that he is working on a new congressional resolution for Syria that would link the use of force with the failure to achieve a political solution eliminating Bashar Assad’s chemical weapons stockpiles.

Sen. Carl Levin, D-Mich., made the remarks a day after President Obama said he would postpone seeking authorization for a military strike to give a diplomatic solution a chance to work.


Feedback:

If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Lies++ | CR 24 https://original.jupiterbroadcasting.net/27706/lies-cr-24/ Mon, 19 Nov 2012 12:03:58 +0000

The post Lies++ | CR 24 first appeared on Jupiter Broadcasting.


Mike and Chris debate if proprietary software holds the industry and platforms back for the benefit of an individual, or a group of individuals.

And the practical fallout from the oustings of Sinofsky from Microsoft, Forstall from Apple, and the lead Compiz developer from Canonical.

Plus your feedback, a solid C++ tease, and much more!


Show Notes:

Feedback

This Week’s Dev World Hoopla

Book of the Week

[asa]0321776402[/asa]

Tool of the Week
