Show Notes: linuxactionnews.com/191

The post Linux Action News 191 first appeared on Jupiter Broadcasting.

Show Notes: selfhosted.show/40

The post Password Shaming | Self-Hosted 40 first appeared on Jupiter Broadcasting.

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Revamp of ‘Pwned Passwords’ Boosts Privacy and Size of Database

In V2 of Pwned Passwords, launched last week, Hunt updated his password data set from 320 million passwords to 501 million new passwords, pulled from almost 3,000 breaches over the past year.

• AgileBits Blog | Finding Pwned Passwords with 1Password

First, 1Password hashes your password using SHA-1. But sending that full SHA-1 hash to the server would provide too much information and could allow someone to reconstruct your original password. Instead, Troy’s new service only requires the first five characters of the 40-character hash.

• Troy Hunt: I’ve Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned

tl;dr – a collection of nearly 3k alleged data breaches has appeared with a bunch of data already proven legitimate from previous incidents, but also tens of millions of addresses that haven’t been seen in HIBP before. Those 80M records are now searchable

Apple’s China data migration includes iCloud keys, making data requests easier for authorities

Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.

• Microsoft’s Big Email Privacy Case Heads to the Supreme Court Tomorrow

Researchers Propose Improved Private Web Browsing System

In a paper (PDF) describing Veil, Frank Wang – MIT Computer Science and Artificial Intelligence Laboratory (CSAIL), Nickolai Zeldovich – MIT CSAIL, and James Mickens – Harvard, explain that the system is meant to prevent information leaks “through the file system, the browser cache, the DNS cache, and on-disk reflections of RAM such as the swap file.”

• Your private browsing isn’t as incognito as you want it to be

Nearly 8,000 Security Flaws Did Not Receive a CVE ID in 2017

A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.

What is Serverless Architecture? What are its criticisms and drawbacks?

Serverless architectures refer to applications that significantly depend on third-party services (knows as Backend as a Service or “BaaS”) or on custom code that’s run in ephemeral containers (Function as a Service or “FaaS”), the best known vendor host of which currently is AWS Lambda.

The big promise:

• NO SERVER MANAGEMENT

There is no need to provision or maintain any servers. There is no software or runtime to install, maintain, or administer.
FLEXIBLE SCALING

Your application can be scaled automatically or by adjusting its capacity through toggling the units of consumption (e.g. throughput, memory) rather than units of individual servers.

• HIGH AVAILABILITY

Serverless applications have built-in availability and fault tolerance. You don’t need to architect for these capabilities since the services running the application provide them by default.

• NO IDLE CAPACITY

You don’t have to pay for idle capacity. There is no need to pre- or over-provision capacity for things like compute and storage. For example, there is no charge when your code is not running.

Develop, test and deploy in a single environment, to any cloud provider. You don’t have to provision infrastructure or worry about scale. Serverless teams cut time to market in half.

• Maybe the ultimate layer of abstraction.
• Your not paying for un-utilized hardware/server time
• The vendor, like Amazon, is patching/maintaining the server base for you. Removing the developer from the process.
• Traditional server management roles may start to transition to service management, configuration, and manage all the abstractions AWS gives you. IE the admins role goes from one wrangeling the operating system, to wrangling layers of abstraction and independent services.

The big constraint:

• No local disk, you send data in, and data comes out.
• Not ideal for ongoing workloads.

The big secure:

• Serverless Security: What’s Left to Protect?

Open Source FaaS:

• OpenFaaS – Serverless Functions Made Simple

Serverless Functions Made Simple for Docker and Kubernetes

• open-lambda/open-lambda
• Iron.io – DevOps Solutions from Startups to Enterprise
• Apache OpenWhisk is a serverless, open source cloud platform

Feedback

• David’s Drive Tips

• Alex has BIG cloud storage requirements….

The post A Future Without Servers | TechSNAP 358 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Responsible Disclosure Is Hard

• When a responsible person discovers a security issue, disclosing it properly is difficult

• Uses Tesla’s policy as a good example of how companies should do this

• “This is not hard stuff and it basically amounts to text on a page. Consider whether your own organisation has something to this effect and is actually ready to handle disclosure by those who attempt to do so ethically. Listen to these people and be thankful they exist; there’s a whole bunch of others out there who are far less charitable and by the time you hear from those guys, it’s already too late.”

RedHat deprecates Btrfs

• The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

• The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

320 Million Freely Downloadable Pwned Password hashes

• NOTE: these are SHA-1 hashes, not the raw passwords: 320,335,236 to be precise

• Password checking page – that same URL has links for downloading the hashes

• To unzip the files, you need p7zip. Command to extract is: 7z x pwned-passwords-update-1.txt.7z

• to generate a sha1 hash, Dan used: ‘sha1 -s TechSNAP’ – SHA1 (“TechSNAP”) = c6586a62febc8706d814fe28fe397e9dca146992. Use “tr ‘[a-z]’ ‘[A-Z]'” to upper case.

• takes about 0.176ms to locate a hash on a PostgreSQL 9.6 database

• Example query construction

• Passwords Evolved: Authentication Guidance for the Modern Era

• API for using Troy’s service

• Troy’s donation page

Feedback

• PXE Boot Imaging

• +1 for FOG! Versatile and reliable

• slobeck retweets x0rz 1960’s vs. now

Round Up:

• How Dropbox securely stores your passwords

• gedit is unmaintained, some thoughts

• DigiCert to Acquire Symantec’s Website Security Business and Related PKI Solutions

• Microsoft didn’t sandbox Windows Defender, so I did

• Should I revoke no longer used Let’s Encrypt certificates before destroying them?

The post BTRFS is Toast | TechSNAP 331 first appeared on Jupiter Broadcasting.