Show Notes: selfhosted.show/7

The post Why We Love Home Assistant | Self-Hosted 7 first appeared on Jupiter Broadcasting.

Show Notes: techsnap.systems/414

The post Rooting for ZFS | TechSNAP 414 first appeared on Jupiter Broadcasting.

Become a supporter on Patreon:

— Notes: —

Links:

• balloob (Paulus Schoutsen) · GitHub
• Home Assistant
• GitHub – home-assistant/home-assistant: Open-source home automation platform running on Python 3
• Hass.io – Home Assistant
• Home Assistant Podcast 1 – Introduction and 0.45 : Home Assistant Podcast
• GitHub – nfarina/homebridge: HomeKit support for the impatient
• Components – Home Assistant

The post No Privacy Compromise Home Automation first appeared on Jupiter Broadcasting.

How to get an SSL certificate for other people’s domains, how to decrypt HTTPS traffic with some javascript & the latest storage reliability report.

Plus great questions & a rocking round up!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Keeping Positive: Obtaining wildcard SSL certificates for arbitrary domains

I recently decided to investigate the security of various certificate authority’s online certificate issuing systems. These online issuers allow certificate authorities to verify that someone owns a specific domain, such as thehackerblog.com and get a signed certificate so they can enable SSL/TLS on their domain.

When I started out hunting for possible vulnerabilities, my initial strategy was to look for the cheapest, most 90’s-looking, poorly designed certificate authority websites. Since the compromise of any certificate authority allows an attacker to bypass all the protections of SSL/TLS it doesn’t even have to be a popular provider because they all have the same power. After doing a bit of searching I realized it would be advantageous to do testing against authorities that had free SSL certificates, since doing tests against these wouldn’t cost me any money. I passed on Let’s Encrypt because I figured it had already been thoroughly audited, the second site I saw was a 30 day free trial from Positive SSL (a company owned by Comodo).

Upon entering your CSR and selecting the software you used to generate it, you then select the email address for domain validation (from the website’s WHOIS) and arrive on a “Corporate Details” page. This is the vulnerable portion of the application, where you fill out your company/personal information getting to the email validation portion

When I first went through this process I mindlessly filled out junk HTML for all of these fields. The service then sent a verification email to the email address on the website’s WHOIS info. Once I received the email, I noticed the HTML was not being properly escaped and the markup I had entered before was being evaluated. This is really bad because the email also contained a verification code which could be used to obtain an SSL/TLS certificate for my website. This means if I had a way to leak a victim’s token, I could obtain a valid certificate for their site, so that I could intercept traffic to that site seamlessly without users knowing I was doing so

• Normally, the email provides the user with a link and the code to validate the certificate. However, because an attacker can fill out the form fields with HTML, they can change the message in the email, instead requiring you to click a link within the next 24 hours to REJECT this bogus certificate
• So, in the field he wrote some HTML that included an form tag and a textarea tag that was never closed
• This resulted in everything that appears after that field in the email, being swallowed by the text area, rather than the body of the email.
• Then a later form field adds a button, “click here to reject this request”. When the user clicks the button, it submits the contents of the HTML textarea (including the verification code) to the attacker’s website, giving them the code, allowing them to approve the certificate for YOUR domain

Form submissions are a great way to leak secrets like this because they work in many different mail clients. Even the iPhone’s Mail app supports this functionality

Once I’ve leaked the code from the victim in this way, I can then log into the account I created during the certificate request process and download the SSL/TLS certificate

One other important thing to note is that resellers of Comodo’s certificates were also affected as well. This risk is amplified because resellers can have a customized HTML header and footer for the verification emails that get sent out. This means that it would be possible for a third party vendor to have a dangling tag in the header combined with a single quote in the footer which would side-channel leak the verification code in the email body (similar to the attack above, but automatic with no user interaction). This style of dangling mark-up injection wasn’t possible in the previously proof-of-concept but is possible for resellers.

• Timeline:
• June 4th, 2016 – Emailed security@comodo.com and reached out on Twitter to @Comodo_SSL.
  • June 6th, 2016 – Robin from Comodo confirms this is the correct contact to report security issues, provides PGP key.
  • June 6th, 2016 – Emailed Comodo the vulnerability PGP-encrypted and sent my PGP public key.
  • June 7th, 2016 – Robin from Comodo confirms they understand the bug and state they will work on a fix as soon as possible.
  • June 20th, 2016 – Emailed Comodo for status update.
  • July 1st, 2016 – Outline timeline for responsible disclosure date (90 days from report date per industry standards).
  • July 25th, 2016 – Robin from Comodo confirms a fix has be put in place.

Normally, the name of the game when it comes to finding a way to mint arbitrary SSL/TLS certificates is to find the smallest, cheapest, and oldest certificate provider you can. Comodo is the exact opposite of this, they have a 40.6% marketshare and are the largest minter of certificates on the internet. Basically, they are the largest provider of SSL/TLS certificates and yet they still suffer from security issues which would be (hopefully) caught on a regular penetration testing engagement. This paints a grim picture for the certificate authority system. If the top providers can’t secure their systems, how could the smaller providers possibly be expected to do so? It’s a hard game to play since the odds are heavily stacked in the attacker’s favor with tons of certificate authorities all with the power to mint arbitrary certificates. A single CA compromise and the entire system falls apart.

Luckily, we have some defences against this with newer web technologies such as Public Key Pinning which offers protection against attackers using forged certificates. This is a fairly powerful mitigation against an attacker with a forged certificate. However, the support is iffy with a lack of support in Internet Explorer, Edge, Safari, and Safari on iOS.

Many people like to speak of a certificate authority hack as if it was something only a nation state could accomplish, but just a day’s worth of searching led me to this issue and I don’t doubt that many providers suffer from much more severe vulnerabilities. What happens when your attacker doesn’t care about ethical boundaries and is willing to do much more in-depth testing? After all, this is Comodo, the largest provider. What about the smaller certificate providers? Do they really stand a chance?

HEIST: New attack allows stealing sensitive information web HTTPS encrypted pages

• HEIST: HTTP Encrypted Information can be Stolen through TCP-windows
• This new attack exploits how HTTPS responses are delivered over TCP, and how compression is used, and the new Javascript API

The exploit is notable because it doesn’t require a man-in-the-middle position. Instead, an end user need only encounter an innocuous-looking JavaScript file hidden in an Web advertisement or hosted directly on a webpage. The malicious code can then query a variety of pages protected by the secure sockets layer or transport layer security protocols and measure the precise file sizes of the encrypted data they transmit.

Once attackers know the size of an encrypted response, they are free to use one of two previously devised exploits to ferret out the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the file compression that sites use to make pages load more quickly.

• “HEIST makes a number of attacks much easier to execute,” Tom Van Goethem, one of the researchers who devised the technique, told Ars. “Before, the attacker needed to be in a Man-in-the-Middle position to perform attacks such as CRIME and BREACH. Now, by simply visiting a website owned by a malicious party, you are placing your online security at risk.”
• Rather than having to visit a malicious website, all that is required is that you end up being served a malicious advertisement, on any website

Using HEIST in combination with BREACH allows attackers to pluck out and decrypt e-mail addresses, social security numbers, and other small pieces of data included in an encrypted response. BREACH achieves this feat by including intelligent guesses—say, @gmail.com, in the case of an e-mail address—in an HTTPS request that gets echoed in the response. Because the compression used by just about every website works by eliminating repetitions of text strings, correct guesses result in no appreciable increase in data size while incorrect guesses cause the response to grow larger.

To determine the size of an HTTPS-protected response, the attacker uses an oracle technique that returns what amounts to a yes-or-no response to each guess. When a request containing “value=” results in the same data size, the attacker knows that string is inside the encrypted response and then tries to modify the guess to include the next character, say “value=0”. If that guess results in a larger file size, the attacker knows it’s wrong and will try “value=1”, “value=2”, and so on until the new guess similarly results in a response that shows no increase in file size. The attacker then tries to guess the next character and repeats the process until the entire token has been recovered.

Until now, this BREACH-style exploit required the attacker to be able to actively manipulate the traffic passing between the Web server and end user. A HEIST-enabled BREACH exploit removes that limitation. It does this by using TCP characteristics as a quasi cryptographic side channel to measure the size of an HTTPS response. TCP divides large transmissions into smaller fixed-sized chunks called frames and further groups frames inside what are called TCP windows, which are sent one at a time. TCP sends a new window only after receiving confirmation that frames from the previous window were received by the end user.

HEIST is able to count the number of frames and windows sent by interacting with a set of newly approved APIs, one called Resource Timing and another called Fetch. In the process, they allow a piece of JavaScript to determine the exact size of an HTTPS response.

Van Goethem said the only mitigation he knows of is to disable the third-party cookies, since responses sent by the HTTPS site are no longer associated with the victim. At the moment, most Web browsers by default enable the receipt of third-party cookies, and some online services don’t work unless third-party cookies are allowed.

Wednesday’s demo will show how a malicious ad displayed on The New York Times website is able to painstakingly measure the size of an encrypted response sent by a fictitious third-party site they dubbed targetwebsite.com (see the image below). It will go on to show how that information can be used to infer the characters contained in a security token designed to prevent cross-site request forgery attacks

• And, we are not protected by the next generation HTTP protocol either

HEIST is also effective against HTTP/2, the drop-in replacement for the older HTTP standard that encrypts all Web traffic. In some cases, HEIST can abuse new features of HTTP/2 to increase the damaging effects.

• If we know that HTTP/2 is used, we can let the browser simultaneously request the targeted resource, and another resource that contains reflected content,” Vanhoef and Van Goethem wrote in a research paper.

Since HTTP/2 is used, both requests are sent in parallel to the server, and the server replies to them in parallel as well.

It’s too early to know if HEIST combined with BREACH will be exploited against real people visiting real HTTPS-protected websites. While there’s no indication that BREACH has ever been exploited in the wild, the new convenience offered by HEIST may change that.

• Blackhat Slides
• Research Paper

Backblaze: 2016 Q2 hard drive failure rates

• Backblaze has published their latest numbers on drive failures
• This is the first report to feature the newer 8TB drives
• As before, the HGST drives are doing very well, although some models seem to be doing better than others. The Seagate drives are on spec, and the Western Digital drives are not doing so well. Although there is relatively few WD drives, not because of the high failure rate, but as explained in the 2016Q1 report, just difficulty acquiring large numbers of them
• Almost half of all drives in BackBlaze are the Seagate 4TB desktop model
• I think it would help for BackBlaze’s formula to consider the age of the drive. Of course the failure rate of older drives will increase over time. It would be interesting to see a graph of the failure rate vs drive age
• The Seagate 4TB drives seem to be doing as expected. I feel confident in my decision to purchase these exact drives for my own use
• Backblaze explains their formula, and reminders readers to consider the formula when looking at the numbers. A single drive failure in a new set of Toshiba 5TB drives gives a result of a nearly 9% failure rate, but obviously the sample set is too small
• There is also an interesting discussion of their migration process, moving data from 64+ month old hard drives to new larger drives
• Further down, they also provide a breakdown of their failure statistics from 2013 through 2016, which makes for much more interesting reading
• In general, most of the drives seem to perform as expected, with a 1 – 3 % annual failure rate
• Of course, BackBlaze does not buy the fancier Enterprise drives. Hopefully someone else will produce a similar report using Enterprise drives, so we can see if they are worth the extra money.

The 4TB Seagate drives are our workhorse drives today and their 2.8% annualized failure rate is more than acceptable for us. Their low failure rate roughly translates to an average of one drive failure per Storage Pod per year. Over the next few months expect more on our migrations, a look at the day in the life of a data center tech, and an update of the “bathtub” curve, i.e. hard drive failure over time

• If you would like to do your own thing with the data, here it is

Feedback:

• Any way to guess or estimate how many drives would be needed? // Slexy 2.0

• how secure are long unique links?

• Google’s Unguessable URLs – Schneier on Security

• Redirecting domain requests, mail and linking droplets

  • DNS Made Easy for dns or backup mx

• Hosting your own email – follow up to Feedback Episode 277

Round Up:

• Networking hardware vendor TP-Link today admitted violating US radio frequency rules by selling routers that could operate at power levels higher than their approved limits. In a settlement with the Federal Communications Commission, TP-Link agreed to pay a $200,000 fine, comply with the rules going forward, and to let customers install open source firmware on routers
• FireFox 48 finally ships, with multiprocess support. For the next few days, only a fraction of a percent of Firefox 48 users will have Electrolysis turned on by default. If this mini-rollout goes well, the multiprocess feature will be rolled out to about half of all Firefox 48 users
• Malvertising Campaign Infected Thousands of Users per Day for More than a Year
• EFF Files lawsuit challenging DMCA provisions that place restrictions on security researchers
• Iranian hackers compromise Telegram’s secure messaging
• FireEye releases: Overload: Critical lessons from 15 years of ICS vulnerabilities
• QRLJacking attack can bypass any QR login system
• Something I have been saying for years, FTC says frequent forced password changes are the enemy of security Allan’s post from 2009 came to the same conclusion
• Japanese Olympic Gymnist racks up $5000 mobile data bill playing Pokemon go in Brazil
• Deanonymizing Windows users and stealing Microsoft and VPN accounts
• SwiftKey was accidently sharing your autocorrect suggestions with other people, leaking email contents, search history, and more

The post Dangerous Dangling Quotes | TechSNAP 278 first appeared on Jupiter Broadcasting.

On this weeks episode we cover a UEFI firmware bug that is affecting computers including ThinkPads, tell you how your windows box can be totally pwned even if it’s fully encrypted & talk about the shortcomings of the MD5 checksum. Plus the feedback, the roundup & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

ThinkPwn, Lenovo and possible other vendors vulnerable to UEFI bug

• “This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the neweset one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.”
• an attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode
• “Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets.”
• “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code”
• Lenovo Advisory
• The vulnerable code has also been found in HP Pavilion Laptops, some Gigabyte Motherboards (Z68, Z77, Z87, Z97), Fujitsu, and Dell.
• Exploring and exploiting Lenovo firmware secrets
• ThinkPWN, proof of concept exploit

From zero to SYSTEM on a fully encrypted Windows machine

• “Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment.
  When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system.”
• “In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature.”
• “These two vulnerabilities, discovered with the help of my colleague Tom Gilis were reported to Microsoft however only one vulnerability is patched at the time of writing CVE-2016-0049 / MS16-014.
• “The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here.”
• Acknowledgement by Microsoft
• Since the time of this post, the patch has been released. It turns out, it is MS16-072
• You might remember MS16-072 from TechSNAP #272 as the Windows Update that broke Group Policies!
• “Step 1 – Hibernation – Your friendly neighbourhood password dumper”
• “Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating the HIBERFIL.SYS.”
• “Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. Once we force the laptop into hibernation mode we reboot it and move to the next step”
• “Step 2 – Bypassing the login or lock screen”
• “If the computer is a member of an AD Domain, and the user has logged in on this machine before, so their password is cached locally, all an attacker needed to do is create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing”
• “Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials)”
• So, since the attacker set the new password on the Domain Controller (not really, but the computer things they did), they know this password, and when they attempt to login with it, and windows cannot reach the domain controller, it uses this locally cached password, and allows them to login
• “Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software.”
• “Step 3 – Privilege escalation to SYSTEM”
• “We know that the trust between the client and Domain Controller (DC) is not always properly validated, we have a working Active Directory set-up and we have a working rogue DC. The question is are there any other Windows functionality that is failing to properly validate the trust?”
• “How about Group Policies? It works on all supported Windows versions. There is no need for any additional (vulnerable) software. No specific configuration requirements”
• “There are 2 types of Group Policy Objects (GPO), Computer Configuration and User Configuration Policies.”
• “Computer Configuration Policies are applied before logon, the machine account is used to authenticated to the DC in order to retrieve the policies and finally all policies are executed with SYSTEM privileges. Since we don’t know the machine account password using Computer Configuration Policies is not an option.”
• “User Configuration Policies are applied after a user is logged in, user’s account is used to authenticated to the DC to retrieved the User Configuration Policies and the policies are either executed as the current logged-on user or as SYSTEM.”
• “Now this last type of Policy is interesting because we know the password of the user as we reset it to our likings.”
• “Let’s create a Scheduled Task GPO that will execute NetCat as SYSTEM and finally will connect to the listening NetCat service as a the current user.”
• On Windows 7, Immediately game over, you own the system
• “Windows 7 fails to validate if the DC from where the Group Policies are being applied is indeed a trusted DC. It is assumed that the user credentials are sufficient to acknowledge the trust relationship. In this attack all encrypted traffic remains intact and doesn’t require any modification whatsoever.”
• On Windows 10, it didn’t work right out of the box
• It turns out, the Rouge DC needs to have a user object matching the SID of the user that is logging in. Luckily, with Mimikatz, you can edit the SID of the user on the Rouge DC to make it match
• Additional Coverage: Part 2
• Slides
• So, Microsoft has patched both of these vulnerabilities, and we are all safe again, right?
• “Bypassing patch MS16-014: Yes, you’ve read it right! There is still a way to bypass the Windows Login screen and bypass Authentication More details will be released soon!”
• The author has not released the details yet, as they are waiting on Microsoft to release another patch

The MD5 collision is here

• “A while ago a lot of people visited my site (~ 90,000 ) with a post about how easy it is to make two images with same MD5 by using a chosen prefix collision. I used Marc Steven’s HashClash on AWS and estimated the the cost of around $0.65 per collision.”
• “Given the level of interest I expected to see cool MD5 collisions popping up all over the place. Possibly it was enough for most people to know it can be done quite easily and cheaply but also I may have missed out enough details in my original post”
• A 2014 blog post showed how to create two php scripts with the same MD5
• An early 2015 blog post showed two JPGs with the same MD5
• So, this version of the tools was able to make two different .jpg images, that had the same MD5 checksum, but different contents, while still being perfectly valid JPG images
• The post included instructions and an Amazon AWS images to do the number crunching
• That a later follow up post on how to do the same thing with executable files
• Same Binaries Blog Post
• This example shows a C binary that prints an Angel if a condition is true, and a Devil if it is false
• It contains a bunch of filler that can be changed to make the hashes the same in a second version of the file, where the condition is false. The end result is a pair of binaries, with the same MD5 hash, but different output
• Using this same technique, Casey Smith (@subtee) managed to make an Angel.exe that is a copy if mimikatz, a windows password dumping utility, and a devil.exe that just says ‘nothing to see here’
• Demo of the attack
• This means all I need to do is run this tool against my malware, and say, regedit.exe that is on the whitelist in Windows, and now I have a malware binary that will be trusted

Feedback:

• Pete asks about Owncloud

• John tries to troll Noah

• Matt is having ZFS problems

Round Up:

• New Edge Switch
• Reverse engineering the default WPA2 password on UPC UBEE routers
• ViewSonic ThinClient
• Post intrusion, most attackers use the same everyday admin tools that you do
• TP Link Forgets to Renew Domain
• What Air conditioning Tech can teach us about innovation and laziness
• 10 Million Android Phones Rooted
• Your SmartWatch can steal your ATM pin
• Microsoft’s attempt to recruit interns is a barrel of cringe
• Password sharing ruled a crime under the terrible CFAA (Computer Fraud and Abuse Act)
• Avast Acquired AVG for $1.3 billion, now has 400 million endpoints
• Wendy’s POS malware disclosure page, pwned with XSS
• Passthoughts, a new type of password?
• The definition of a sophishticated attack
• Frontier and AT&T to Block Google Fiber
• This cyber security guide from “The Guardian”, is full of AWEFUL advice, don’t do it
• Man builds $53,000 computer that plays Tetris, to visualize the internals

The post Windows Exploit Edition | TechSNAP 274 first appeared on Jupiter Broadcasting.

Microsoft & Ubuntu working together to bring you Bash & the Ubuntu userland on Windows 10. Is this the ultimate Win for Linux? Or is this Embrace, Extend, Extinguish at its finest? We share our thoughts on this historic announcement.

Plus Red Hat wants to save you some money, TP-Link bans OSS firmwares, Edubuntu calls it quits, our new favorite note taking app for Linux & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Ubuntu Userland on Windows 10

Ubuntu on Windows — The Ubuntu Userspace for Windows Developers

Here’s let’s break it down slowly…

1. Windows 10 users
2. Can open the Windows Start menu
3. And type “bash” [enter]
4. Which opens a cmd.exe console
5. Running Ubuntu’s /bin/bash
6. With full access to all of Ubuntu user space
7. Yes, that means apt, ssh, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, gcc, tar, vim, emacs, diff, patch…
8. And most of the tens of thousands binary packages available in the Ubuntu archives!“So maybe something like a Linux emulator?”

Now you’re getting warmer! A team of sharp developers at Microsoft has been hard at work adapting some Microsoft research technology to basically perform real time translation of Linux syscalls into Windows OS syscalls. Linux geeks can think of it sort of the inverse of “wine” — Ubuntu binaries running natively in Windows. Microsoft calls it their “Windows Subsystem for Linux”. (No, it’s not open source at this time.)

So as part of the engineering work, I needed to wrap the stock Ubuntu root filesystem into a Windows application package (.appx) file for suitable upload to the Windows Store. That required me to use Microsoft Visual Studio to clone a sample application, edit a few dozen XML files, create a bunch of icon .png’s of various sizes, and so on.

Mono Relicensed MIT

At Microsoft Build today, we announced that we are re-releasing Mono under the MIT license and have contributed it to the .NET Foundation. These are major news for Mono developers and contributors, and I am incredibly excited about the opportunities that this will create for the Mono project, and for other projects that will be able to benefit from this.

Red Hat Hyping .NET Support

Get a behind the scenes sneak peek of .NET on Red Hat Enterprise Linux.

There is a lot of Microsoft on Linux and LAS sub-reddit these days

— PICKS —

Runs Linux

ICarus – CAR PC RUNS LINUX

iCarus is provided as a fully assembled device (from December 2015). Just connect it to your car’s radio connector directly (in the case your car uses a standard ISO-10487 connector)

BONUS RUNS LINUX:

Hotel Sign Runs linux

Desktop App Pick

Simplenote

Light, clean, and free. Simplenote is now available for iOS, Android, Mac, Windows, Linux, and the web.

• Simplenote on Github

A Simplenote React client packaged in Electron. Learn more about Simplenote at Simplenote.com.

Weekly Spotlight

ZenyPass

Passwords are the keys to our online life, but they are painful to manage securely. We’ve all been told each account should be secured with a strong unique password, but we often fallback for the easy solution: a handful of simple memorizable passwords.

We want to make it even easier to do it right. We want to bring an end to password pain with a simple solution affordable to all: ZenyPass. Help us bridge the last mile by supporting our Kickstarter campaign. Offers start as low as 15€ per unlimited license: no recurring fees, no limitations, on all your devices.

Sent in By Arnaud V.

https://slexy.org/view/s2X7ixQlZi

— NEWS —

No-Cost RHEL Developer Subscription now available

Today, Red Hat announced the availability of a no-cost Red Hat Enterprise Linux developer subscription, available as part of the Red Hat Developer Program. Offered as a self-supported, development-only subscription, the Red Hat Enterprise Linux Developer Suite provides you with a more stable development platform for building enterprise applications — across cloud, physical, virtual, and container-centric infrastructures. Red Hat SVP Craig Muzilla added some good points in his blog, too.

• The future is through software developers: Red Hat is the key | Red Hat

So, why did we do this? As DevOps processes and agile software methods become the primary means for creating software, it is critical that software developers have access to the same environments and tools during their development phases as they will use when they push out their software into production. Especially as they build applications for cloud environments. And we expect Linux to be key to future success.

• Download Red Hat Enterprise Linux Developer Suite

To download Red Hat Enterprise Linux Developer Suite, which includes Red Hat Enterprise Linux 7 server, a collection of development tools, and much more, you must have an account and need to accept the terms and conditions of the Red Hat Developer Program which provides $0 subscriptions for development use only. Read more about the Red Hat Developers Program.

Router Company Lazily Blocks Open Source Router Firmware, Still Pretends To Value ‘Creativity’

“The FCC requires all manufacturers to prevent user from having any direct ability to change RF parameters (frequency limits, output power, country codes, etc.) In order to keep our products compliant with these implemented regulations, TP-LINK is distributing devices that feature country-specific firmware. Devices sold in the United States will have firmware and wireless settings that ensure compliance with local laws and regulations related to transmission power.”

Edubuntu calling it quits

• Edubuntu 16.04 and beyond

I’m announcing today that Edubuntu will NOT be releasing a
16.04 LTS version. Instead, Jonathan and I will focus on ongoing support
of Edubuntu 14.04 LTS until it goes EOL in April 2019.

Deployments | Edubuntu

• DebianEdu

DebianEdu/Skolelinux is an operating system intended for educational use and a Debian Pure Blend . As skole [skuːlə] is the Norwegian word for school, Skolelinux’s literal translation is “school linux”. It has been created as an overall free software computer solution designed to fit on school’s resources and needs and is currently being internationally developed by a large international and growing community.
It is an advanced network solution that provides a terminal server environment suitable to most educational scenarios and it comes with most of its services pre-configured out-of-the-box. It allows both a technical and non-technical installation process depending on the user needs and expertise and highly simplifies middle to large system deployments and configurations.

• ubermix Home

The ubermix is an all-free, specially built, Linux-based operating system designed from the ground up with the needs of education in mind. Built by educators with an eye towards student and teacher empowerment, ubermix takes all the complexity out of student devices by making them as reliable and easy-to-use as a cell phone, without sacrificing the power and capabilities of a full operating system. With a turn-key, 5 minute installation, 20 second quick recovery mechanism, and more than 60 free applications pre-installed, ubermix turns whatever hardware you have into a powerful device for learning. Learn more…

Feedback:

Brought to you by: System76

The review was IMMEDIATELY followed by an ad for a competitor who sponsored the show. Journalistic ethics???? https://t.co/DKEguncMu8

— Purism (@Puri_sm) April 3, 2016

• Giselle Bisson, Principal at Visibility shift communications

Social media is PR + marketing + storytelling + branding + customer service. I love helping CEOs, founders and solopreneurs leverage it for success.

• Visibility Shift – Shift your visibility to the next level

Mail Bag

• https://slexy.org/view/s25NIWKptD
• https://slexy.org/view/s209nFNd59
• https://slexy.org/view/s28mFbqDRq

Noah v. Emma: Switching People to Linux

• Noah vs Emma Card
• Can not already be running Linux.
• Must agree to install Linux, or have Linux installed
• Will take place Sat during Linux Fest NW (Location TBD)
• Come find Noah let him switch you to Linux and get a free SSD installed.

Call Box

• Chris’ call out for the community to help him with his background

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

The post Windows Gets Bash-ed | LAS 411 first appeared on Jupiter Broadcasting.