Dell pulls a Superfish with easily cloneable root certificates, Amazon has some passwords leak & Jeff wants to show you his self landing rocket.

Plus the fun news for Sci Fi and Netflix fans & of course, our Kickstarter of the week!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

— Episode Links —

• Dell does a Superfish, ships PCs with easily cloneable root certificates | Ars Technica
• Response to Concerns Regarding eDellroot Certificate
• iamwpj comments on Dell ships laptops with rogue root CA, exactly like what happened with Lenovo and Superfish
• Amazon force-resets some account passwords, citing password leak | ZDNet
• Google Received More Than 65 Million URL Takedown Requests In The Past Month
• Blue Origin Rocket Landing Gets Jeff Bezos to Tweet for First Time | Re/code
• Netflix remake Lost in Space in development
• Pillow Talk: Feel the presence of your loved one by Little Riot — Kickstarter

The post Dell's Bad Latitude | TTT 224 first appeared on Jupiter Broadcasting.

This week we continue our two-part series on the activities of various BSD foundations. Ken Westerback joins us today to talk all about the OpenBSD foundation and what it is they do. We’ve also got answers to your emails and all the latest news, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2015 schedule

• The list of presentations for the upcoming BSDCan conference has been posted, and the time schedule should be up shortly as well
• Just a reminder: it’s going to be held on June 12th and 13th at the University of Ottawa in Canada
• This year’s conference will have a massive fifty talks, split up between four tracks instead of three (but unfortunately a person can only be in one place at a time)
• Both Allan and Kris had at least one presentation accepted, and Allan will also be leading a few “birds of a feather” gatherings
• In total, there will be three NetBSD talks, five OpenBSD talks, eight BSD-neutral talks, thirty-five FreeBSD talks and no DragonFly talks
• That’s not the ideal balance we’d hope for, but BSDCan says they’ll try to improve that next year
• Those numbers are based on the speaker’s background, or any past presentations, for the few whose actual topic wasn’t made obvious from the title (so there may be a small margin of error)
• Michael Lucas (who’s on the BSDCan board) wrote up a blog post about the proposals and rejections this year
• If you can’t make it this year, don’t worry, we’ll be sure to announce the recordings when they’re made available
• We also interviewed Dan Langille about the conference and what to expect this year, so check that out too

SSL interception with relayd

• There was a lot of commotion recently about superfish, a way that Lenovo was intercepting HTTPS traffic and injecting advertisements
• If you’re running relayd, you can mimic this evil setup on your own networks (just for testing of course…)
• Reyk Floeter, the guy who wrote relayd, came up a blog post about how to do just that
• It starts off with some backstory and some of the things relayd is capable of
• relayd can run as an SSL server to terminate SSL connections and forward them as plain TCP and, conversely, run as an SSL client to terminal plain TCP connections and tunnel them through SSL
• When you combine these two, you end up with possibilities to filter between SSL connections, effectively creating a MITM scenario
• The post is very long, with lots of details and some sample config files – the whole nine yards

OPNsense 15.1.6.1 released

• The OPNsense team has released yet another version in rapid succession, but this one has some big changes
• It’s now based on FreeBSD 10.1, with all the latest security patches and driver updates (as well as some in-house patches)
• This version also features a new tool for easily upgrading between versions, simply called “opnsense-update” (similar to freebsd-update)
• It also includes security fixes for BIND and PHP, as well as some other assorted bug fixes
• The installation images have been laid out in a clean way: standard CD and USB images that default to VGA, as well as USB images that default to a console output (for things like Soekris and PCEngines APU boards that only have serial ports)
• With the news of m0n0wall shutting down last week, they’ve also released bare minimum hardware specifications required to run OPNsense on embedded devices
• Encouraged by last week’s mention of PCBSD trying to cut ties with OpenSSL, OPNsense is also now providing experimental images built against LibreSSL for testing (and have instructions on how to switch over without reinstalling)

OpenBSD on a Minnowboard Max

• What would our show be without at least one story about someone installing BSD on a weird device
• For once, it’s actually not NetBSD…
• This article is about the minnowboard max, a very small X86-based motherboard that looks vaguely similar to a Raspberry Pi
• It’s using an Atom CPU instead of ARM, so overall application compatibility should be a bit better (and it even has AES-NI, so crypto performance will be much better than a normal Atom)
• The author describes his entirely solid-state setup, noting that there’s virtually no noise, no concern about hard drives dying and very reasonable power usage
• You’ll find instructions on how to get OpenBSD installed and going throughout the rest of the article
• Have a look at the spec sheet if you’re interested, they make for cool little BSD boxes

Netmap for 40gbit NICs in FreeBSD

• Luigi Rizzo posted an announcement to the -current mailing list, detailing some of the work he’s just committed
• The ixl(4) driver, that’s one for the X1710 40-gigabit card, now has netmap support
• It’s currently in 11-CURRENT, but he says it works in 10-STABLE and will be committed there too
• This should make for some serious packet-pushing power
• If you have any network hardware like this, he would appreciate testing for the new code

Interview – Ken Westerback – directors@openbsdfoundation.org

The OpenBSD foundation‘s activities

News Roundup

s2k15 hackathon report: dhclient/dhcpd/fdisk

• The second trip report from the recent OpenBSD hackathon has been published, from the very same guy we just talked to
• Ken was also busy, getting a few networking-related things fixed and improved in the base system
• He wrote a few new small additions for dhclient and beefed up the privsep security, as well as some fixes for tcpdump and dhcpd
• The fdisk tool also got worked on a bit, enabling OpenBSD to properly wipe GPT tables on a previously-formatted disk so you can do a normal install on it
• There’s apparently plans for “dhclientng” – presumably a big improvement (rewrite?) of dhclient

FreeBSD beginner video series

• A new series of videos has started on YouTube, aimed at helping total beginners learn about FreeBSD
• We usually assume that people who watch the show are already familiar with basic concepts, but they’d be a great introduction to any of your friends that are looking to get started with BSD and need a helping hand
• So far, he’s covered how to get FreeBSD, an introduction to installing in VirtualBox, a simple installation or a more in-depth manual installation, navigating the filesystem, basic ssh use, managing users and groups and finally some basic editing with vi and a few other topics
• Everyone’s gotta start somewhere and, with a little bit of initial direction, today’s newbies could be tomorrow’s developers
• It should be an ongoing series with more topics to come

NetBSD tests: zero unexpected failures

• The NetBSD guys have a new blog post up about their testing suite for all the CPU architectures
• They’ve finally gotten the number of “expected” failures down to zero on a few select architectures
• Results are published on a special release engineering page, so you can have a look if you’re interested
• The rest of the post links to the “top performers” (ones with less than ten failure) in the -current branch

PCBSD switches to IPFW

• The PCBSD crew continues their recent series of switching between major competing features
• This time, they’ve switched the default firewall away from PF to FreeBSD’s native IPFW firewall
• Look forward to Kris wearing a “keep calm and use IPFW” shir- wait

Feedback/Questions

• Sean writes in
• Dan writes in
• Florian writes in
• Sean writes in
• Chris writes in

Mailing List Gold

• VCS flamebait
• Hidden agenda

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Some extra emails would be great, since we’ll be recording two episodes next week
• Be sure to say hi if you’re at AsiaBSDCon in a couple weeks, maybe we could even interview some listeners too
• We talked to the NetBSD foundation back in episode 12 and DragonFlyBSD doesn’t have a foundation, so there won’t be an “official” third part in this series

The post From the Foundation (Part 2) | BSD Now 78 first appeared on Jupiter Broadcasting.

Mike and Chris start the show by sharing some hard learned lessons, and then discuss the events of the last two weeks.

Then touch on SuperFish, Ubuntu Touch, and more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | Video Feed | Torrent Feed | iTunes Audio | iTunes Video

Become a supporter on Patreon:

Show Notes:

Feedback

• No editor this week. WTF is Chris going to do? No pants.

• The last python|ruby post ChrisLAS ever needs to read

• Getting paid and motivated as a freelancer

Hoopla

Lenovo’s SuperFish Removal Tool on GitHub – lenovo-inc/superfishremoval · GitHub

SuperFish was pre-installed on a limited group of Lenovo branded notebooks beginning September, 2014. Lenovo recommends removing SuperFish and the SuperFish certificates from all systems.

This utility will completely analyze your system for this problem and remove the SuperFish application, associated registry entries, files and security certificates, if needed.

The Superfish Funder List | Qntra.net

Superfish has offices in Palo Alto, California and Petah Tiqva, Israel. By all appearances Superfish par for the course when it comes to Venture Capital funded Silicon Valley startups down to the Crunchbase entry.

Lenovo slapped with lawsuit over dangerous Superfish adware | PCWorld

A proposed class-action suit was filed late last week against Lenovo and Superfish, which charges both companies with “fraudulent” business practices and of making Lenovo PCs vulnerable to malware and malicious attacks by pre-loading the adware.

Plaintiff Jessica Bennett said her laptop was damaged as a result of Superfish, which was called “spyware” in court documents. She also accused Lenovo and Superfish of invading her privacy and making money by studying her Internet browsing habits.

The post Accounts Percievable | CR 142 first appeared on Jupiter Broadcasting.

We round off the week’s tech news & follow up on the big Lenovo story & discuss HP’s push into Linux powered Networking.

Then Chris share’s the start of his lifestyle reboot & then a in depth discussion on getting into the IT job market.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Lenovo To Wipe Superfish Off PCs t

An anonymous reader send news from the Wall Street Journal, where Lenovo CTO Peter Hortensius said in an interview that the company will roll out a software update to remove the Superfish adware from its laptops. “As soon as the programmer is finished, we will provide a tool that removes all traces of the app from people’s laptops; this goes further than simply uninstalling the app. Once the app-wiping software is finished tonight or tomorrow, we’ll issue a press release with information on how to get it.” When asked whether his company vets the software they pre-install on their machines, he said, “Yes, we do. Obviously in this case we didn’t do enough. The intent of loading this tool was to help enhance our users’ shopping experience. The feedback from users was that it wasn’t useful, and that’s why we turned it off. Our reputation is everything and our products are ultimately how we have our reputation.”

HP Targets Cisco and Facebook With New Line of Open-Source Networking Gear

Hewlett-Packard said on Thursday that it would sell a new line of networking switches that are manufactured by a Taiwanese company and depend on Linux-based, open-source software from another company.

Epic Games offers up $5 million in Unreal Dev Grants

Today Epic Games has announced a new initiative — one that could see your game netting between $5,000 and $50,000 in no-strings-attached funding from the engine provider.

HEALTH WATCH: sweatthesweetstuff — Eating healthy doesn’t have to be boring and that working out can be fun!

I want people to understand their bodies. To know that there is a connection between what we put in it and on it, and how that makes us feel. That eating right isn’t just about losing weight, it’s about how good we can feel! On the inside and out. It doesn’t stop at our dress size and energy levels (which are great) but it can help improve other things like your skin, hair & nails, achy joints, headaches, allergies, asthma, your menstrual cycle, IBS, indigestion, several diseases, even cancer. Your body is smart. It knows what to do. You just have to give it the right stuff.

The post Chris' Lifestyle Reboot | Tech Talk Today 137 first appeared on Jupiter Broadcasting.

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, we’ll break down how this is possible, the danger that still exists & more.

Plus the story of a billion dollar cyber heist anyone could pull off, the Equation group, your questions, our answers & much much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

APT Attack robs banks

• A staggering APT attack has been conducted against over 100 banks in 30 countries, and has reportedly managed to steal as much as 1 billion USD.
• “In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.”
• While investigating, Kaspersky Labs found no malware on the ATM, just a strange VPN connection
• Later, they were called into the bank’s headquarters, after the bank’s security officer got an alert about a connection from their domain controller to China
• Kaspersky Video
• “In order to infiltrate the bank’s intranet, the attackers used spear phishing emails, luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.”
• “After obtaining control over the compromised machine, cybecriminals used it as an entry point; they probed the bank’s intranet and infected other PCs to find out which of them could be used to access critical financial systems.”
• “That done, the criminals studied the financial tools used by the banks, using keyloggers and stealth screenshot capabilities.”
• “Then, to wrap up the scheme, the hackers withdrew funds, defining the most convenient methods on a case-by-case basis, whether using a SWIFT transfer or creating faux bank accounts with cash withdrawn by ‘mules’ or via a remote command to an ATM.”
• On average, it took from two to four months to drain each victim bank, starting from the Day 1 of infection to cash withdrawal.
• The oldest code that could be found related to these attacks was from August 2013
• Additional Coverage – NY Times
• Additional Coverage – ThreatPost
• Additional Coverage – SecureList
• Report PDF
• This attack is related to the malware installed directly on ATMs that we have reported on before

Lenovo spyware installs own Root CA

• It has been discovered that Lenovo has been shipping devices preinstalled with an advertising application called SuperFish
• This “Visual Discovery” advertising system injects picture ads for items related to search terms into your google search results, and other websites
• While this is bad enough, and upsets many people, the bigger problem is how they do it
• In order to snoop upon the search terms you are using, SuperFish must intercept your encrypted communications with Google and others
• In order to do this, the SuperFish software installs its own SSL Root Certificate Authority into the trusted certificate store
• This makes your machine trust every certificate signed by SuperFish
• The proxy that SuperFish installs, intercepts all of your web traffic, when it sees you trying to make a secure connection, which it would not be able to snoop on, what it does is create (on the fly), a new certificate for the site you are trying to visit (google.com, bankofamerica.com, whatever), and signs it with its private key
• Now your browser trusts the authenticity of this fake certificate, so it does not issue a warning, and you are completely unaware that SuperFish is intercepting all of your communications
• There are a number of security problems with this, including, does SuperFish sign a ‘valid’ certificate even for invalid certificates, like self signed certificates, meaning that an attack could trick you into going to a website, and seeing it as authentic when it is not, because SuperFish has signed a fresh certificate for it
• Worse, because of the way SuperFish works, rather than relying on the SuperFish backend infrastructure to generate these bogus certificates, instead SuperFish ships the private key for their fake Root CA with their software
• Researchers at Errata Security were able to crack the password used to encrypt the private key in only 3 hours
• The password was: komodia
• He found it fairly easily, first using procdump to defeat the self-encryption used by SuperFish (procdump wrote out the binary as it was in memory after it had decrypted it self)
• Next, he ran the standard unix tool ‘strings’ on the resulting file, and found the encrypted SSL private key
• After failed attempts to brute force it, or run a dictionary attack against it, he went back to his ‘strings’ file
• After filtering it down to only include short all lowercase words, he used it as a dictionary, and found the password
• Now, anyone can download the SuperFish software, extract the certificate and private key, and start signing bogus certificates for any website they wish, and every Lenovo or other machine that has the SuperFish software installed, will happily accept it as genuine
• SuperFish CEO Adi Pinhas tells Ars that “Superfish has not been active on Lenovo laptops since December. We standby this Lenovo statement
• While Lenovo and SuperFish disabled the server side component of SuperFish, which will prevent it from showing the ads, it seems that even uninstalling the SuperFish software, does not remove the trusted root certificate, leaving the users vulnerable to Man-In-the-Middle attacks
• It is unclear what the certificate pinning feature in Google’s Chrome browser did not prevent this from working
• Given that this same technique is popular in corporate security software, and there are also open source application proxies that can do it (OpenBSD’s relayd for one), it may be that Google had to relax their requirements to be compatible with corporate networks
• Lenovo Forums
• Additional Coverage – ThreatPost
• Additional Coverage – TheNextWeb
• Additional Coverage – TechSpot
• Additional Coverage – ZDNet

The Equation Group — Part of the NSA?

• Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations.
• Known as the Equation Group, used two of the zero days contained in Stuxnet before that worm employed them and have used a number of other infection methods +
• Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
• An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.
• The trump card for the Equation Group attackers is their ability to inject an infected machine’s hard drive firmware. This module, known only by a cryptic name – “nls_933w.dll”, essentially allows the attackers to reprogram the HDD or SSD firmware with a custom payload of their own creation.
• One of the Equation Group’s malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
• Additional Coverage – Ars Technica
• Additional Coverage – ZDNet
• Additional Coverage – Digital Munitition

Feedback:

• ZFS expansion on iSCSI or LUN on FreeBSD

• Towers and Bread Racks posing as a Data Center.. I’ve got that beat!!

• FreeBSD as Xen Dom0 host?
  • FreeBSD Xen Dom0

• Exclude a specific device from my VPN

• Vizio TV Broadcasting SSID

Round-Up:

• French government has its own malware capable of eavesdropping on Skype, MSN, Yahoo Messanger and the like
• HTTP/2 is Done
• Even your car wash is on Facebook
• m0n0wall – End of the m0n0wall project
• TrueCrypt 7.1a audit stirs back to life
• UK parliament calls for Internet to be classified as a public utility
• Vint Cerf: we need to do a better job of recording the history of what we do on computers
• The Great SIM Heist: How Spies Stole the Keys to the Encryption Castle
• After Microsoft spat, Google will allow 14 days of flexibility beyond the 90 day disclosure window
• Payment Processor Stripe Now Allows Any Business to Accept Bitcoin
• Flaw in netgear wi-fi routers exposes admin password and WLAN settings
• Russian man extradited to US while visiting NL, charged with Heartland and Dow Jones hacks
• BadUSB in SCADA/ICS gear too
• AOL Email went down for many hours starting at 4am this morning

The post SuperFishy Mistake | TechSNAP 202 first appeared on Jupiter Broadcasting.

Lenovo has shipped PCs with man-in-the-middle adware that breaks HTTPS connections. We’ll go into the details & this discuss if this is a deal breaker for our panel.

A great article points out its not just Samsung that’s listening to you & an unboxing and first impressions of the $70 WinBook TW700 tablet.

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections [Updated] | Ars Technica

Lenovo is selling computers that come preinstalled with adware that hijacks encrypted Web sessions and may make users vulnerable to HTTPS man-in-the-middle attacks that are trivial for attackers to carry out, security researchers said.

The critical threat is present on Lenovo PCs that have adware from a company called Superfish installed. As unsavory as many people find software that injects ads into Web pages, there’s something much more nefarious about the Superfish package. It installs a self-signed root HTTPS certificate that can intercept encrypted traffic for every website a user visits. When a user visits an HTTPS site, the site certificate is signed and controlled by Superfish and falsely represents itself as the official website certificate.

It’s not just Samsung TVs — lots of other gadgets are spying on you — Fusion

But Samsung’s televisions are far from the only seeing-and-listening devices coming into our lives. If we’re going to freak out about a Samsung TV that listens in on our living rooms, we should also be panicking about a number of other emergent gadgets that capture voice and visual data in many of the same ways.

Revealed: The experts Apple hired to build an electric car | 9to5Mac

In the last few weeks we’ve heard about a poaching war between Apple and Tesla, a couple hires by Apple from the auto industry, and a whole lot of speculation followed by reports that Apple has a team of hundreds working on an electric vehicle. But who exactly is working on the project at Apple?

Winbook TW700 Tablet – Windows 8.1 with full-size USB port, IPS Display, and one year of FREE Microsoft Office 365

• HD IPS Display
• Bluetooth/Wifi
• 2 USB Ports – 1 full size, 1 micro.2 Megapixel front and back camera
• MicroHDMI port and MicroSD slot
• Includes One year of Office 365 – for your TW700 AND a PC or Mac

Ubuntu on the Winbook TW700

I recently stopped by Houston’s new MicroCenter (they recently moved into a new store), and walked out of the store with their WinBook TW700 tablet for about $40. This tablet is built around Intel’s Bay Trail Atom architecture, sporting a 1.33GHz quad core Atom processor, Windows 8.1, and a free (1) year subscription to Office 365. This little tablet only has a 7″ screen, 1GB of RAM, and 16GB of internal storage, but the Micro-SD slot and a full sized USB 2.0 port sealed the deal for me.

The post Lenovo smells Superfishy | Tech Talk Today 136 first appeared on Jupiter Broadcasting.