USB – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Feed built Thu, 16 Jun 2022 07:58:56 +0000

Linux Action News 245
https://original.jupiterbroadcasting.net/148922/linux-action-news-245/
Thu, 16 Jun 2022 02:10:00 +0000

Show Notes: linuxactionnews.com/245

The post Linux Action News 245 first appeared on Jupiter Broadcasting.
Brent’s Betrayal | LINUX Unplugged 445
https://original.jupiterbroadcasting.net/147652/brents-betrayal-linux-unplugged-445/
Sun, 13 Feb 2022 17:45:00 +0000

Show Notes: linuxunplugged.com/445

The post Brent’s Betrayal | LINUX Unplugged 445 first appeared on Jupiter Broadcasting.
Linux Did This First | LINUX Unplugged 443
https://original.jupiterbroadcasting.net/147517/linux-did-this-first-linux-unplugged-443/
Sun, 30 Jan 2022 18:45:00 +0000

Show Notes: linuxunplugged.com/443

The post Linux Did This First | LINUX Unplugged 443 first appeared on Jupiter Broadcasting.
What Makes a Linux User? | LINUX Unplugged 423
https://original.jupiterbroadcasting.net/146147/what-makes-a-linux-user-linux-unplugged-423/
Tue, 14 Sep 2021 17:00:00 +0000

Show Notes: linuxunplugged.com/423

The post What Makes a Linux User? | LINUX Unplugged 423 first appeared on Jupiter Broadcasting.
Harder Butter Faster Stronger | LINUX Unplugged 389
https://original.jupiterbroadcasting.net/143992/harder-butter-faster-stronger-linux-unplugged-389/
Tue, 19 Jan 2021 19:00:00 +0000

Show Notes: linuxunplugged.com/389

The post Harder Butter Faster Stronger | LINUX Unplugged 389 first appeared on Jupiter Broadcasting.
Distro Triforce | LINUX Unplugged 372
https://original.jupiterbroadcasting.net/142857/distro-triforce-linux-unplugged-372/
Tue, 22 Sep 2020 21:30:00 +0000

Show Notes: linuxunplugged.com/372

The post Distro Triforce | LINUX Unplugged 372 first appeared on Jupiter Broadcasting.
Mobile Security Mistakes | TechSNAP 411
https://original.jupiterbroadcasting.net/134107/mobile-security-mistakes-techsnap-411/
Thu, 05 Sep 2019 23:30:40 +0000

Show Notes: techsnap.systems/411

The post Mobile Security Mistakes | TechSNAP 411 first appeared on Jupiter Broadcasting.
Self Hosted Secrets | LINUX Unplugged 316
https://original.jupiterbroadcasting.net/133877/self-hosted-secrets-linux-unplugged-316/
Tue, 27 Aug 2019 19:40:51 +0000

Show Notes: linuxunplugged.com/316

The post Self Hosted Secrets | LINUX Unplugged 316 first appeared on Jupiter Broadcasting.
SSL Strippers | TechSNAP 344
https://original.jupiterbroadcasting.net/119711/ssl-strippers-techsnap-344/
Tue, 07 Nov 2017 23:55:54 +0000

The post SSL Strippers | TechSNAP 344 first appeared on Jupiter Broadcasting.

Show Notes:

How not to avoid browser security warning

Verbal passwords

Obscurity is a Valid Security Layer

Feedback

Kaspersky’s 7zip file

Containers/Jails/Zones: Containers vs Zones vs Jails vs VMs, Container descriptions and security, Docker […]

Round Up:
A Gift for Future Chris | User Error 7
https://original.jupiterbroadcasting.net/103976/a-gift-for-future-chris-user-error-7/
Mon, 17 Oct 2016 20:17:07 +0000

The post A Gift for Future Chris | User Error 7 first appeared on Jupiter Broadcasting.

— Links —

Pixel, Phone by Google – Made by Google

Samsung Will Ask All Global Partners to Stop Sales and Exchanges of Galaxy Note7 While Further Investigation Takes Place

Focusrite Scarlett 2i2 (2nd Gen) USB Audio Interface with Pro […]
Plasma 5.8 Shines Bright | LAS 438
https://original.jupiterbroadcasting.net/103736/plasma-5-8-shines-bright-las-438/
Sun, 09 Oct 2016 17:19:33 +0000

The post Plasma 5.8 Shines Bright | LAS 438 first appeared on Jupiter Broadcasting.

— Show Notes: —

System76

Brought to you by: Linux Academy

Plasma 5.8 Review

KDE Plasma 5.8 LTS Released, This Is What’s New

Plasma 5.8 LTS “marks the point where the developers and designers are happy to recommend Plasma for the widest possible audience be they enterprise or non-techy home users,” project lead Jonathan Riddell says.

Modifier-only shortcuts, a highly requested functionality for the Plasma desktop, have been added. This allows you to launch an application by pressing a Meta key. The inclusion of Wayland in the Plasma desktop facilitated the addition of this feature, which has also been backported to X11.

Another notable feature is the support for right-to-left scripts like Urdu, Hebrew, etc. The widget explorer, window switcher and activity manager can be seen on the right side of the screen for such languages.

Wayland debuted on Plasma with the 5.4 release. Since then, it has been continuously improved for stability and features. In Plasma 5.8 LTS, a lot of work has been done on Wayland, which now supports the GTK+ toolkit. The support for multitouch gestures and touchscreen devices has been enhanced, although no default gestures are actually present as of now. X11 and Wayland-based applications can now have a shared clipboard.

Review Notes
  • Now if you don’t recall, KDE Neon is not a distro per se; rather it’s a great way to play with KDE. Basically you get the Ubuntu base and the KDE Plasma Desktop and that’s it! Everything NOT KDE related is maintained by Canonical/Ubuntu. KDE Neon only cares about KDE’s stack.

  • They provide downloads to make initial setup easier for users. You could just do a minimal install of Ubuntu and then install the Neon PPA to essentially get the same thing.

  • They did however fix the wifi bug that some users experienced with Kubuntu, so Neon WILL fix other things if they need to, but basically they “just care about KDE”.

  • If you need more information go back and take a look at LAS 409 where Chris and I deep dive into what exactly Neon is.

  • The project leaders have said: “If your last dalliance with a KDE desktop was somewhere south of now it may be time to ‘re-assess’,” the team say. “Plasma is simple by default, powerful when needed.” Well, as it turns out my last experience with KDE was somewhere south of now, so it’s high time we take a looksee.

  • Neon makes sure that KDE’s entire stack is compatible with Ubuntu, including updates. Every new release of KDE’s stack will be managed in Neon, so if someone wants Ubuntu + KDE then Neon will always be up to date, whereas Kubuntu still has the whole six-month hold back.

  • 5.7 to 5.8 is mostly a polish release, but a few things stand out as improvements.

  • 5.8 offers a very cohesive design; their tag line is “everything is designed to match the KDE experience, from startup to shutdown.” The Breeze theme makes sure that everything looks amazing.

  • Right off the bat, the fact that it’s an 18-month support cycle has me hooked.

  • The nice thing I noticed is that Plasma does colour schemes independently of the theme. As such you can have any theme with any colour scheme. As of the most recent versions of Plasma this includes the colours in the icons of the default icon theme.

  • I’ve always said there are a few things that make or break a distro for me: Firefox, Thunderbird, Telegram, a terminal application and the ability to launch applications with the super key. Up until now we’ve had to rely on super+space to launch an application. I was pleased to learn that launching Telegram is now as simple as pressing the super key and typing its name. Additionally, unlike Ubuntu 16.04 with Unity, I can launch Telegram immediately after installing it. I don’t need to reboot.

  • Their package manager, formerly Muon but now branded as Discover, is a great package manager. Muon/Discover is an advanced graphical program that, as its name obviously implies, will allow you to install and remove software. Additionally it will automatically notify you of updates (in the lower right hand corner), but you can use it at any time to install new packages.

  • Michael Tunnell, our producer, who uses this distro as his daily driver and has been invaluable to my review, is pretty excited about something that seems like it’s just a minor improvement. The virtual desktop switcher applet now has an option to show only the current screen in multi-screen setups. This seemingly small improvement is great for him because it makes it easier to create the GNOME workflow in Plasma.

  • Last thing to note is the improved global shortcuts. Global shortcuts configuration has been simplified, and global shortcuts can now be configured to jump to specific tasks within an application via jump list functionality.

— PICKS —

Runs Linux

Hurricane Matthew is being tracked WITH LINUX

Desktop App Pick

PDFtk

PDFtk Server is our command-line tool for working with PDFs. It is commonly used for client-side scripting or server-side processing of PDFs.
It is also used by OEMs and ISVs to give their products the ability to manipulate PDFs. A commercial license is required to distribute PDFtk with your commercial product.

pdftk contract.pdf cat 1-9 output firstnine.pdf              # keep only pages 1-9 of contract.pdf
pdftk firstnine.pdf lastpage.pdf output signedcontract.pdf   # concatenate the two files into one PDF

Spotlight

Paperwork by twostairs

Paperwork – OpenSource note-taking & archiving alternative to Evernote, Microsoft OneNote & Google Keep


— NEWS —

X crash during Fedora update when system has hybrid graphics and systemd-udev is in update

Here’s the short version: especially if your system has hybrid graphics (that is, it has an Intel video adapter and also an AMD or NVIDIA one, and it’s supposed to switch to the most appropriate one for what you’re currently doing — NVIDIA calls this ‘Optimus’), DON’T UPDATE YOUR SYSTEM BY RUNNING DNF FROM THE DESKTOP. (Also if you have multiple graphics adapters that aren’t strictly ‘hybrid graphics’; the bug affects any case with multiple graphics adapters).

elementary blog — We’ve Joined the Snap Format TOB!

Yesterday, Jamie Bennett had the pleasure of announcing the members of the new Snap Format Technical Oversight Board. This board has been formed to guide the shaping of the Snap package format and ensure that it remains useful for everyone. We’re very excited to have Cody Garver sit on this board as a representative of elementary!

Canonical’s Sergio Schvezov announced recently the release and immediate availability of the Snapcraft 2.19 tool for creating Snap universal packages, in the Ubuntu 16.04 LTS and Ubuntu 16.10 repos.

New features in Flatpak 0.6.12 include support for the “--device=kvm” option to be able to access /dev/kvm, support for the “--allow=multiarch” parameter to allow running 32-bit (i686) code in a 64-bit (x86_64) application, better error messages, robustness fixes for the build-commit-from command, and a partial revert in application ID rules.

Pirate Kodi Add-Ons Gain Massive Popularity

Streaming piracy is on the rise with the popular media center Kodi at the center of attention. While Kodi itself is a neutral platform, millions of people use third-party add-ons to turn it into the ultimate pirate machine. In less than a year, the leading add-on repository has seen the number of unique users double, which may be just the beginning.

Torvalds Blows Stack Over Buggy New Kernel

“I’m really sorry I applied that last series from Andrew just before doing the 4.8 release, because they cause problems, and now it is in 4.8 (and that buggy crap is marked for stable too),” he wrote in a message to the Linux kernel mailing list. “In particular, I just got this — kernel BUG at ./include/linux/swap.h:276 — and the end result was a dead kernel.”

KDE Celebrates Its 20th Anniversary with the Release of KDE Plasma 5.8 LTS

KDE Plasma 5.8 LTS will be supported until the year 2018 and it shall receive no less than nine point releases. The first one, KDE Plasma 5.8.1, will come next week, on October 11, followed one week later by the second one, KDE Plasma 5.8.2. On November 1, KDE Plasma 5.8.3 will arrive with more improvements, and KDE Plasma 5.8.4 should see the light of day three weeks later, on November 22, 2016.

Feedback:

Product Engineer David Jordan shares what he’s working on in this behind the scenes video from the System76 office.

Audio Hardware: Focusrite Scarlett 2i2 (2nd Gen) USB Audio Interface
Mail Bag

Name: Joe H

Subject: Exploring Linux

Message: Hi Noah and Chris, I was wondering if at some point on LAS or LUP you could cover some more bare-bones-like distros. I am not sure about the right name for these types of distros. I don’t believe that I am looking to roll my own distro, that is if I truly understand what that would entail.


Name: Eric W

Subject: Wanting to Switch Video Production to Linux

Message: Hello Chris and Noah!

I am a small-time video editor and for years have been using the Adobe CC Suite for editing video and creating graphics etc. I know there are Linux alternatives for Adobe Premiere and Photoshop, but I don’t know of anything that is similar to After Effects, and that is the one really important application I need. Any advice on this would be much appreciated! Love the show and keep up the good work!

Call in: 1-877-347-0011

I Can’t Believe It’s Not Ethernet | TechSNAP 283
https://original.jupiterbroadcasting.net/102961/i-cant-believe-its-not-ethernet-techsnap-283/
Thu, 08 Sep 2016 20:00:44 +0000

The post I Can’t Believe It’s Not Ethernet | TechSNAP 283 first appeared on Jupiter Broadcasting.

Show Notes:

Modified USB ethernet adapter can steal windows and mac credentials

  • “Security researcher Rob Fuller has discovered a unique attack method that can steal PC credentials from Windows and Mac computers, and possibly Linux (currently untested).”
  • Thesis: “If I plug in a device that masquerades as a USB Ethernet adapter and has a computer on the other end, can I capture credentials from a system, even when locked out”
  • “The researcher used USB-based Ethernet adapters, for which he modified the firmware code to run special software that sets the plug-and-play USB device as the network gateway, DNS, and WPAD servers on the computer it’s connected to.”
  • “The attack is possible because most computers will automatically install any plug-and-play (PnP) USB device. This means that even if a system is locked out, the device still gets installed”
  • “Now, I believe there are restrictions on what types of devices are allowed to install at a locked out state on newer operating systems (Win10/El Capitan), but Ethernet/LAN is definitely on the white list.”
  • “When installing the new (rogue) plug-and-play USB Ethernet adapter, the computer will give out the PC credentials needed to install the device. Fuller’s modified device includes software that intercepts these credentials and saves them to an SQLite database. The password is in its hashed state, but this can be cracked using currently available technology. The researcher’s modified device also includes a LED that lights up when the credentials have been recorded.”
  • So, just like in a spy movie, you plug in the device, wait until the light comes on, and you have stolen the credentials
  • “An attacker would need physical access to a device to plug in the rogue USB Ethernet adapter, but Fuller says the average attack time is 13 seconds.”
  • The attack was tested against versions of Windows as far back as Windows 98 SE, and as modern as Windows 10 Enterprise and OS X El Capitan
  • The device pretends to be an ethernet adapter, and provides access to a ‘network’, where a DHCP server tells you to install this proxy configuration
  • “This means that by plugging in the device it quickly becomes the gateway, DNS server, WPAD server and others”
  • It gives you the hashed password of the logged-in user, which can then be cracked offline; the attacker returns later and logs in with the recovered password
  • Researcher blog

Zstandard, a new compression algorithm from Facebook

  • Unlike the new Dropbox algorithm that is designed specifically for jpeg images, this is a general purpose algorithm, designed to replace gzip
  • “Today, the reigning data compression standard is Deflate, the core algorithm inside Zip, gzip, and zlib. For two decades, it has provided an impressive balance between speed and space, and, as a result, it is used in almost every modern electronic device (and, not coincidentally, used to transmit every byte of the very blog post you are reading). Over the years, other algorithms have offered either better compression or faster compression, but rarely both. We believe we’ve changed this.”
  • There are three standard metrics for comparing compression algorithms and implementations:
    • Compression ratio: The original size (numerator) compared with the compressed size (denominator), measured in unitless data as a size ratio of 1.0 or greater.
    • Compression speed: How quickly we can make the data smaller, measured in MB/s of input data consumed.
    • Decompression speed: How quickly we can reconstruct the original data from the compressed data, measured in MB/s for the rate at which data is produced from compressed data.
  • “The type of data being compressed can affect these metrics, so many algorithms are tuned for specific types of data, such as English text, genetic sequences, or rasterized images. However, Zstandard, like zlib, is meant for general-purpose compression for a variety of data types. To represent the algorithms that Zstandard is expected to work on, in this post we’ll use the Silesia corpus, a data set of files that represent the typical data types used every day.”
  • The post compares the best of the modern compression algorithms, lz4 (what ZFS uses), zstd (Facebook’s new thing), libz (gzip, what your browser uses for webpages), and xz (what most unix distros have switched to for compressing tar and log files)
  • In the comparison, LZ4 does not compress the data as much, but does so at almost 450 MB/s, while zlib compresses more, but only 23 MB/s. XZ compresses even better, but at only 2.3 MB/s
  • zstd gets about the same compression as zlib, but at almost 6 times the speed (136 MB/s)
  • Decompression is similar: LZ4: 2165 MB/s, zstd: 536 MB/s, zlib: 281 MB/s, xz: 63 MB/s
  • When comparing the command line tools, zstd is about 5x faster at compression, and 3.6x faster at decompression
  • As with gzip and xz, zstd also supports different ‘levels’ of compression. Although instead of having a range from 1 to 9, it instead offers a range of 1-22 (which suggests that additional levels might be added in the future)
  • It looks like it can get xz levels of compression if turned up high enough
  • “By design, zlib is limited to a 32 KB window, which was a sensible choice in the early ’90s. But, today’s computing environment can access much more memory — even in mobile and embedded environments. Zstandard has no inherent limit and can address terabytes of memory (although it rarely does). For example, the lower of the 22 levels use 1 MB or less. For compatibility with a broad range of receiving systems, where memory may be limited, it is recommended to limit memory usage to 8 MB. This is a tuning recommendation, though, not a compression format limitation.”


I forgot the password for my consumer grade NAS

  • “I got my WD My Book World Edition II NAS out of the closet. The reason it went in the closet is that I locked myself out of SSH access, and in the meantime I forgot most of its passwords.”
  • “I miraculously still remember the password to my regular user, but the admin password is nowhere to be found and you need the old one to change it. So I start poking around to see if there is any way to recover it.”
  • “One of the most common vulnerabilities on these thingies is allowing anyone to download a “config backup” that includes all the juicy passwords, and indeed, this screen looks promising”
  • The download was just base64 encoded random data. Definitely encrypted
  • “Mandatory Open Source releases usually have LICENSE files or some other indication of what libraries are being used, so he’s hoping to find some clue on what they used.”
  • Apparently WD releases everything, including the php script that generates the config download
  • “Looks like it’s a tarball encrypted with something called encodex and a fixed password”
  • “So we got the config file. Is it over? Nope. No passwords in it. This system does everything wrong. it’s unsalted MD5. Then it is stored a second time as a plain MD5 anyway”
  • I have never seen anyone do that before. I didn’t even know that would work…
  • So they reversed the process and uploaded a new configuration file with the hash of a known password (faster than brute forcing). Why is this allowed by a non-admin user anyway?
  • “Great. Fun. Is it enough? No! I locked myself out of ssh access too, by adding an unmatchable AllowUsers directive to my sshd_config.”
  • “First realization, the whole webgui runs as root. Look at ChangeWebAdmin above, it calls passwd and reads /etc/shadow!”
  • So, when you upload a new config, it just decrypts it and runs the untar, as root
  • “plus the fact that it’s probably a BusyBox implementation of tar might mean that the oldest trick in the book works: creating an archive with a fully-qualified /etc/sshd_config file in it and hope it gets extracted directly at the absolute path.”
  • “No luck. Second try: we see that it’s extracted in /tmp, what if we call it ../etc/sshd_config? No luck with that neither.”
  • “But hey… we can extract as much as we want in /tmp and nothing will get deleted between a run and the next! So let’s try with a convenient symlink :). First we plant a root => / symlink, and now that /tmp/root points to / we try calling our file root/etc/sshd_config and hope it gets extracted inside the symlink”
  • And, we’re in. The sshd_config has been replaced with one uploaded by an unprivileged user.
  • “This is all nice, but I started from a vantage point: I remembered a user login. Can we do something from scratch?”
  • “For example, extracting the config… It didn’t look like that PHP file had any access control, is it possible that… Oh God.”
  • “If we can crack any user password from the MD5, we can go from zero to root”
  • “All actions are actually unauthenticated. If you are not logged in the NAS will answer with a HTTP 302 Redirect… AND THEN PROCEED HANDLING THE REQUEST and sending the output. As if you were logged in. That’s a first for me.”
  • “Let me repeat this: if you are not logged in, the only thing the system will do is add a redirect to the login page in the HTTP Headers and carry on, obeying whatever you are telling it to do.”
  • Most browsers will respect the header, redirect you to the login page, and ignore the excess content that was included in the response (like a config backup, a file download, or the result of any action whatsoever)
  • “So with the admin password reset trick above, we can get a full escalation from unauth to admin+root. Pwn’d. (The hardest thing was emulating the browser request with curl well enough to upload the file.)”
  • “So yeah, don’t expose these thingies on the Internet and don’t worry too much if you lose the passwords ;-)”
  • And in the end, the mystery was solved: “Turns out all the password fields except the login form have maxlength=16, so when resetting the password I pasted it from the password manager and it got cut without me knowing”

Feedback:

Round Up:
Pay to Boot | TechSNAP 260
https://original.jupiterbroadcasting.net/98336/pay-to-boot-techsnap-260/
Thu, 31 Mar 2016 15:02:17 +0000

New Ransomware locks your bootloader & makes you pay to boot. Malware with built in DRM? We’ll share the story of this clever hack.

Plus some great questions, our answers, a packed round up & more!

The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.

Thanks to: DigitalOcean, Ting, iXsystems

Show Notes:

New Petya malware encrypts the Master Boot Record then BSoDs your machine

  • “Malware experts from German security firm G DATA have found a new type of lock-ransomware that uses a DOS-level lock screen to prevent users from accessing their files”
  • Unlike some other malware, the researchers did not come up with the name, the malware has its own website and logo, where you pay the ransom
  • I am not sure “DOS-level” makes sense as a term, but ok
  • “Lock-ransomware, also known as lockers, is the first type of ransomware that existed before the rise of crypto-ransomware. This type of ransomware doesn’t encrypt files, but merely blocks the user’s access to his data”
  • “The latest lock-ransomware discovered by security researchers is the Petya ransomware, which was seen spread via spear-phishing campaigns aimed at human resource departments. HR employees are sent an email with a link to a file stored on Dropbox, where an applicant’s CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death.”
  • “As soon as the user restarts the PC after the blue screen, the computer will enter a fake check disk (CHKDSK) process that, after it finishes, will load Petya’s lock screen. Restarting the computer over and over will always enter this screen”
  • “This screen provides a link to the ransomware’s payment site, hosted on Tor. After the user purchases a decryption key, he can enter it at the bottom of the DOS lock screen. Petya claims to encrypt the user’s files, but G DATA says they can’t verify its claims, and that this is presumably a lie.”
  • “UPDATE: Trend Micro’s researchers also took a look at Petya and they confirm that the ransomware does encrypt files, while also revealing it alters the MBR, preventing users from entering Safe Mode, and it asks for a 0.99 Bitcoin (~$400) ransom”
  • The encryption of the boot sector is very simple: the data is just XOR’d with the value 0x37 (the ASCII code for the digit 7). Animated GIF
  • Additional Coverage: Threat Post

New USB Thief trojan found in the wild

  • Researchers at ESET have identified a new trojan being spread on USB sticks, called “USB Thief”
  • What makes this malware so unique is how it protects itself from analysis by researchers
  • “Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.”
  • “It depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives. The malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.”
  • “The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements. The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.”
  • So when researchers copied the malware to a VM to try to dissect it, it stopped working, as it could no longer decrypt its payload
  • “It was quite challenging to analyze this malware because we had no access to any malicious USB device. Moreover, we had no dropper, so we could not create a suitably afflicted USB drive under controlled conditions for further analysis.”
  • “Only the submitted files can be analyzed, so the unique device ID had to be brute-forced and combined with common USB disk properties. Moreover, after successful decryption of the malware files, we had to find out the right order of the executables and configuration files, because the file copying process to get the samples to us had changed the file creation timestamp on the samples.”
  • “Finally, the payload implements the actual data-stealing functionality. The executable is injected into a newly created “%windir%\system32\svchost.exe -k netsvcs” process. Configuration data includes information on what data should be gathered, how they should be encrypted, and where they should be stored. The output destination must always be on the same removable device. In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called “WinAudit”. It encrypts the stolen data using elliptic curve cryptography.”
  • “In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.”

Six people charged in hacked lottery terminal scam

  • “Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off “5 Card Cash” tickets that granted on-the-spot payouts in the US state.”
  • “According to the Hartford Courant, a group of shop owners and employees set up the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones.”
  • “While those reports were being processed, the operator could enter sales for 5 Card Cash tickets,” the newspaper reports. “Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners.”
  • “The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate. The game was temporarily halted. The paper notes that more arrests are expected in the case.”
  • In Ontario, there are special provisions for when an employee of the store wants to buy a lottery ticket, specifically to deal with crimes of this nature
  • The other common lottery crime was replacing a customer’s large-payout winning ticket with a smaller one. The employee would buy a number of tickets, keep the small winners ($10), and swap them for the larger winning tickets of unsuspecting customers when they came in to cash them
  • It is now commonplace for there to be an automated lottery checking machine that is used directly by the customer
  • The ticket machines in Ontario also play an audible tune when a winning ticket is scanned, much to the annoyance of people who have to work there all day, but it ensures that customers are not ripped off


The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.

LAS 400 Phones Home | LAS 400 https://original.jupiterbroadcasting.net/92716/las-400-phones-home-las-400/ Fri, 15 Jan 2016 21:39:26 +0000 https://original.jupiterbroadcasting.net/?p=92716 We celebrate 400 episodes of the Linux Action Show, show you how easy it is to setup your own free phone system, never flash another USB stick again & the big Ubuntu rumors. Plus the openSSH bug you need to patch, the Steam Link SDK, Gnome 3 changes & more! Thanks to: Get Paid to […]

The post LAS 400 Phones Home | LAS 400 first appeared on Jupiter Broadcasting.


We celebrate 400 episodes of the Linux Action Show, show you how easy it is to setup your own free phone system, never flash another USB stick again & the big Ubuntu rumors.

Plus the openSSH bug you need to patch, the Steam Link SDK, Gnome 3 changes & more!



— Show Notes: —


System76

Brought to you by: Linux Academy

Noah Calls /home

AsteriskNOW

Install Asterisk and start building custom telephony applications with AsteriskNOW. AsteriskNOW makes it easy to create custom telephony solutions by automatically installing the “plumbing.” It’s a complete Linux distribution with Asterisk, the DAHDI driver framework, and, the FreePBX administrative GUI. Much of the complexity of Asterisk and Linux is handled by the installer, the yum package management utility and the administrative GUI. With AsteriskNOW, application developers and integrators can concentrate on building solutions, not maintaining the plumbing.

SIP Desk Phone

Part of the Cisco Small Business Pro Series, the SIP-based Cisco SPA504G 4-Line IP Phone (Figure 1) has been tested to ensure comprehensive interoperability with equipment from voice over IP (VoIP) infrastructure leaders, enabling service providers to quickly roll out competitive, feature-rich services to their customers.

Grandstream PBX

  • 1GHz ARM Cortex A8 application processor, large memory (512MB DDR RAM, 4GB NAND Flash), and dedicated high performance multi-core DSP array for advanced voice processing
  • Integrated 2 PSTN trunk FXO ports, 2 analog telephone FXS ports with lifeline capability in case of power outage, and up to 50 SIP trunk accounts
  • Gigabit network port(s) with integrated PoE, USB, SD card; integrated NAT router with advanced QoS support
  • Hardware DSP based 128ms-tail-length carrier-grade line echo cancellation (LEC), hardware based caller ID/call progress tone and smart automated impedance matching for various countries
  • Supports up to 500 SIP endpoint registrations, up to 60 concurrent calls (up to 40 SRTP encrypted concurrent calls), and up to 32 conference attendees
  • Flexible dial plan, call routing, site peering, call recording, central control panel for endpoints, integrated NTP server, and integrated LDAP contact directory
  • Automated detection and provisioning of IP phones, video phones, ATAs, gateways, SIP cameras, and other endpoints for easy deployment
  • Strongest-possible security protection using SRTP, TLS, and HTTPS with hardware encryption accelerator

— PICKS —

Runs Linux

My gym runs linux!

I was working out this morning, and the IT guy was messing with the exercise bike next to me. I noticed the CentOS boot screen, and when I inquired further, I found out that all the equipment uses Linux! Looks like our penguin buddy is trying to work off those holiday pounds.

Desktop App Pick

netboot.xyz


netboot.xyz is a way to select various operating system installers or utilities from one place within the BIOS without the need of having to go retrieve the media to run the tool. iPXE is used to provide a user friendly menu from within the BIOS that lets you easily choose the OS you want along with any specific types of versions or bootable flags.

You can remote attach the ISO to servers, set it up as a rescue option in Grub, or even set up your home network to boot to it by default so that it’s always available.

netboot.xyz – never flash a thumb drive again!

Weekly Spotlight

Open-AudIT – The network inventory, audit, documentation and management tool.

Open Audit

Open-AudIT is an application to tell you exactly what is on your network, how it is configured and when it changes.

LAS Shirt at SCALE – Teespring


— NEWS —

Bug that can leak crypto keys just fixed in widely used OpenSSH


The vulnerability resides only in the client version end users use to connect to servers, not in the versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.

Gnome Settings design update

Gnome Settings

A major feature of the latest settings designs is a rethink of the GNOME Settings “shell” (that is, the overall framework of the settings application). We want to move from the current model, that uses an icon grid and fixed window size, to one that uses a list sidebar for navigation, and has a resizeable window.

System 6 CP

Steam Link SDK AKA Steam Link Native Apps


We have released an SDK for native application development!
https://github.com/ValveSoftware/steamlink-sdk

  • The Steam Link hardware is a single core ARMv7 processor using the hard-float ABI, running at 1 GHz, with neon instruction support.
  • Approximately 256 MB of available RAM.
  • 500 MB of usable flash storage.
  • Custom Linux firmware based on kernel 3.8
  • glibc 2.19.


New Ubuntu Convergence Device Will Be Demoed Next Month

Canonical will demo at least one new Ubuntu convergence device at next month’s Mobile World Congress, we’ve learned.

Feedback:

Were you around for today’s (10 January 2016) live show? If not, you should seriously consider taking some time with us on Sunday and watch the live show. Not only will you get more content, but you’ll be able to interact with Chris and Noah.
One of the things that came up today was Chris talking about his background in today’s episode.


System76

Brought to you by: System76

Register! and use the coupon code LAS40 for a 40% discount; thanks /u/irabinovitch!

SCaLE 14x: The Southern California Linux Expo is upon us again! I’m looking forward to seeing & sharing with everyone in the free software community in Southern California this year; last year was a blast.

SCaLE 14x is January 21-24, 2016 at the Pasadena Convention Center

Thanks to Ryan (@techhelper1)
  • Offered the use of his 99 Cadillac Seville while at SCALE
Thanks to Brian
  • Offered his long driveway, which might or might not work.

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com


Solving the Flash Plague | TechSNAP 226 https://original.jupiterbroadcasting.net/86237/solving-the-flash-plague-techsnap-226/ Fri, 07 Aug 2015 07:33:08 +0000 https://original.jupiterbroadcasting.net/?p=86237 Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang. Plus a great batch of questions, the roundup & more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | […]

The post Solving the Flash Plague | TechSNAP 226 first appeared on Jupiter Broadcasting.


Adobe is making changes to Flash to mitigate 0day exploits, with help from Google. Chrysler recalls 1.4M vehicles due to a software flaw, we go inside the “Business Club” cyber crime gang.

Plus a great batch of questions, the roundup & more!



— Show Notes: —

0day exploits against Flash will be harder thanks to new mitigations

  • Three new exploit mitigations are being added to Adobe’s Flash player in an effort to prevent future exploits
  • The mitigations were developed in a collaboration between Adobe and Google’s Project Zero
  • The mitigations are:
    • “buffer heap partitioning” – Specific types of objects have been moved to an entirely separate heap (the OS Heap instead of the Flash Heap), preventing an overflow in the Flash Heap from ever being able to corrupt those objects. “It’s worth noting that this defense is much more powerful in a 64-bit build of Flash, because of address space limitations of 32-bit processes. This mitigation is now available in the Chrome version of Flash, and is expected to come to all other browsers sometime in August. Now is a good time to upgrade to a 64-bit browser and Flash.”
    • “stronger randomization for the Flash heap” – The Flash heap is no longer stored in a predictable location, so it is harder to exploit. In addition, especially on 64-bit platforms, large allocations are further randomized. An older exploit developed by Project Zero used up to a 1GB allocation in order to hit a predictable location. With the large 64-bit address space to play with, these allocations can be so far apart that it will be very difficult for an attacker to overflow the Flash heap into the binary sections.
    • “Vector.<*> length validation secret” – Many of the recent and previous exploits have worked by overwriting the length field of Vector objects, so that reads and writes through them reach into other areas of memory. The previous two mitigations make this harder to do, but Adobe has also developed a validation technique to detect when the length has been altered unexpectedly. The mitigation works by storing a “validation secret”, a hash of the correct length and a secret value; the attacker doesn’t know the secret value, so cannot write the correct hash, and Flash will exit with a runtime error. This mitigation is available in all Flash builds as of 18.0.0.209.
  • “Had they been widely available earlier, they likely would have blunted the effects of at least some of the three most recent zero-day vulnerabilities”
  • Hopefully these will propagate quickly and reduce the frequency of Flash 0-days
  • Google Project Zero Blog Post
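The length validation secret is easier to reason about with a small model. As an added illustration (not Adobe’s code; the real check lives inside the Flash runtime), this Python sketch keeps an HMAC of a Vector-like object’s length under a per-process secret, so a length that has been corrupted without knowing the secret no longer validates and the access is refused, while the unguarded variant reads past its buffer. The constructed “heap”, the HMAC construction and the class layout are assumptions made for the demonstration.

```python
"""Model of a Vector length validation secret (added example, not Adobe's code).

HEAP, the HMAC cookie and the two classes are assumptions made for the
demonstration; they stand in for the runtime's internal object layout.
"""
import hashlib
import hmac
import secrets

# Constructed 4 KiB "heap": byte i holds i % 256, so an out-of-bounds read is visible.
HEAP = bytearray(range(256)) * 16
CORRUPTED_LENGTH = 0x7FFFFFFF  # what an overwrite of the length field typically leaves behind


class PlainVector:
    """Vector whose length field is trusted as-is (pre-mitigation behaviour)."""

    def __init__(self, length: int, base: int = 0):
        self.base = base        # offset of the element storage inside HEAP
        self.length = length    # the field an overflow would clobber

    def read(self, index: int) -> int:
        if not 0 <= index < self.length:
            raise IndexError("index out of range")
        # If length was tampered with, this reads memory past the real buffer.
        return HEAP[self.base + index]


class GuardedVector(PlainVector):
    """Vector that also stores hash(length, secret) and re-checks it on every access."""

    _SECRET = secrets.token_bytes(16)  # per-process secret; not writable via the overflow

    def __init__(self, length: int, base: int = 0):
        super().__init__(length, base)
        self.cookie = self._cookie_for(length)

    @classmethod
    def _cookie_for(cls, length: int) -> bytes:
        return hmac.new(cls._SECRET, length.to_bytes(8, "little"), hashlib.sha256).digest()

    def _validate(self) -> None:
        # A corrupted length cannot come with a matching cookie without the secret.
        if not hmac.compare_digest(self.cookie, self._cookie_for(self.length)):
            raise RuntimeError("Vector length validation failed")  # Flash: runtime error

    def resize(self, length: int) -> None:
        """Legitimate resize: the runtime updates length and cookie together."""
        self.length = length
        self.cookie = self._cookie_for(length)

    def read(self, index: int) -> int:
        self._validate()
        return super().read(index)


def corrupt_length_and_read(vector: PlainVector, index: int) -> str:
    """Simulate memory corruption of the length field, then attempt a read.

    Returns "blocked" if the validation secret caught the corruption,
    "leaked" if the read succeeded past the real buffer, "in_bounds" otherwise.
    """
    real_length = vector.length
    vector.length = CORRUPTED_LENGTH  # simulated corruption; the cookie is untouched
    try:
        vector.read(index)
    except RuntimeError:
        return "blocked"
    return "leaked" if index >= real_length else "in_bounds"


if __name__ == "__main__":
    print("plain  :", corrupt_length_and_read(PlainVector(16), 1000))    # leaked
    print("guarded:", corrupt_length_and_read(GuardedVector(16), 1000))  # blocked
```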

1.4M Vehicle Recall After Bug in Chrysler UConnect System

  • Fiat Chrysler Automobiles NV is recalling about 1.4 million cars and trucks equipped with radios that are vulnerable to hacking, the first formal safety campaign in response to a cybersecurity threat.
  • The recall covers about a million more cars and trucks than those initially identified as needing a software patch. The action includes 2015 versions of Ram pickups, Jeep Cherokee and Grand Cherokee SUVs, Dodge Challenger sports coupes and Viper supercars.
  • This isn’t the first time automobiles have been shown to be vulnerable to hacking. What elevates this instance is that researchers were able to find and disable vehicles from miles away over the cellular network that connects to the vehicles’ entertainment and navigation systems.
  • Fiat Chrysler’s UConnect infotainment system uses Sprint Corp.’s wireless network.
  • It’s not a Sprint issue but they have been “working with Chrysler to help them further secure their vehicles”.
  • Unauthorized remote access to certain vehicle systems was blocked with a network-level improvement on Thursday, the company said in a statement. In addition, affected customers will receive a USB device to upgrade vehicles’ software with internal safety features.
  • Senators Edward Markey of Massachusetts and Richard Blumenthal of Connecticut, both Democrats, introduced legislation on July 21 that would direct NHTSA and the Federal Trade Commission to establish rules to secure cars and protect consumer privacy.
  • The senators’ bill would also establish a rating system to inform owners about how secure their vehicles are beyond any minimum federal requirements.
  • Chrysler Recalls
  • After Jeep Hack, Chrysler Recalls 1.4M Vehicles for Bug Fix
  • Fiat Chrysler Automobiles (FCA) Uconnect Vulnerability
  • FCA Uconnect Vulnerability | ICS-CERT

Inside the “Business Club” crime gang

  • Krebs profiles the “Business Club” crime gang, which apparently managed to steal more than $100 million from European banks and businesses
  • The story centers on the “Gameover ZeuS” trojan and botnet. The commercial ZeuS malware had been popular for years for stealing banking credentials, but this was a closely held private version built for himself by the original author
  • “Last year’s takedown of the Gameover ZeuS botnet came just months after the FBI placed a $3 million bounty on the botnet malware’s alleged author — a Russian programmer named Evgeniy Mikhailovich Bogachev who used the hacker nickname “Slavik.””
  • “That changed today with the release of a detailed report from Fox-IT, a security firm based in the Netherlands that secretly gained access to a server used by one of the group’s members. That server, which was rented for use in launching cyberattacks, included chat logs between and among the crime gang’s core leaders, and helped to shed light on the inner workings of this elite group.”
  • “The chat logs show that the crime gang referred to itself as the “Business Club,” and counted among its members a core group of a half-dozen people supported by a network of more than 50 individuals. In true Ocean’s 11 fashion, each Business Club member brought a cybercrime specialty to the table, including 24/7 tech support technicians, third-party suppliers of ancillary malicious software, as well as those engaged in recruiting “money mules” — unwitting or willing accomplices who could be trained or counted on to help launder stolen funds.”
  • “Business Club members who had access to the GameOver ZeuS botnet’s panel for hijacking online banking transactions could use the panel to intercept security challenges thrown up by the victim’s bank — including one-time tokens and secret questions — as well as the victim’s response to those challenges. The gang dubbed its botnet interface “World Bank Center,” with a tagline beneath that read: “We are playing with your banks.””
  • “The Business Club regularly divvied up the profits from its cyberheists, although Fox-IT said it lamentably doesn’t have insight into how exactly that process worked. However, Slavik — the architect of ZeuS and Gameover ZeuS — didn’t share his entire crime machine with the other Club members. According to Fox-IT, the malware writer converted part of the botnet that was previously used for cyberheists into a distributed espionage system that targeted specific information from computers in several neighboring nations, including Georgia, Turkey and Ukraine.”
  • “Beginning in late fall 2013 — about the time that conflict between Ukraine and Russia was just beginning to heat up — Slavik retooled a cyberheist botnet to serve as purely a spying machine, and began scouring infected systems in Ukraine for specific keywords in emails and documents that would likely only be found in classified documents, Fox-IT found.”
  • The botnet was also used against Turkey
  • “The keywords are around arms shipments and Russian mercenaries in Syria,” Sandee said. “Obviously, this is something Turkey would be interested in, and in this case it’s obvious that the Russians wanted to know what the Turkish know about these things.”
  • “The espionage side of things was purely managed by Slavik himself,” Sandee said. “His co-workers might not have been happy about that. They would probably have been happy to work together on fraud, but if they would see the system they were working on was also being used for espionage against their own country, they might feel compelled to use that against him.”
  • The full Fox-IT report is available as a PDF here


Open-source Market Penetration | Tech Talk Today 127 https://original.jupiterbroadcasting.net/76792/open-source-market-penetration-tech-talk-today-127/ Wed, 04 Feb 2015 11:12:10 +0000 https://original.jupiterbroadcasting.net/?p=76792 The FCC Chairman makes it clear, he plans to push for Title II classification of the Internet. Is Net Neutrality going to save us all? We’ll debate & discuss the mounting counter battle. Plus Valve is about to reveal their openGL replacement & we take a look at an open source device that’s NSFW. Direct […]

The post Open-source Market Penetration | Tech Talk Today 127 first appeared on Jupiter Broadcasting.


The FCC Chairman makes it clear, he plans to push for Title II classification of the Internet. Is Net Neutrality going to save us all? We’ll debate & discuss the mounting counter battle.

Plus Valve is about to reveal their openGL replacement & we take a look at an open source device that’s NSFW.


Show Notes:

FCC Chairman Tom Wheeler: This Is How We Will Ensure Net Neutrality

After more than a decade of debate and a record-setting proceeding that attracted nearly 4 million public comments, the time to settle the Net Neutrality question has arrived. This week, I will circulate to the members of the Federal Communications Commission (FCC) proposed new rules to preserve the internet as an open platform for innovation and free expression. This proposal is rooted in long-standing regulatory principles, marketplace experience, and public input received over the last several months.

Broadband network operators have an understandable motivation to manage their network to maximize their business interests. But their actions may not always be optimal for network users. The Congress gave the FCC broad authority to update its rules to reflect changes in technology and marketplace behavior in a way that protects consumers. Over the years, the Commission has used this authority to the public’s great benefit.

AT&T previews lawsuit it plans to file against FCC over net neutrality | Ars Technica

AT&T seems resigned to the near-certainty that the Federal Communications Commission will reclassify broadband as a common carrier service in order to enforce net neutrality rules. But it isn’t going to let the decision stand without a legal challenge, and the company is already telling the world what it’s going to argue in court.

“I have no illusions that any of this will change what happens on February 26,” when the FCC is expected to vote, AT&T Federal Regulatory VP Hank Hultquist wrote in a blog post yesterday. “But when the FCC has to defend reclassification before an appellate court, it will have to grapple with these and other arguments. Those who oppose efforts at compromise because they assume Title II rests on bullet proof legal theories are only deceiving themselves.”

Toshiba releases super-secure Encrypted USB Flash Drive with hardware-based encryption

“Available in 4GB ($95), 8GB ($112), 16GB ($140) and 32GB ($200) capacities, the Toshiba Encrypted USB Flash Drive uses a built-in mini-keyboard to authenticate access, incorporating a rechargeable battery so the user can enter a secure code before plugging into a USB port. Users simply enter their secure PIN and plug the drive into any USB 2.0 port on a compatible device. Once access is granted, the drive ‘unlocks’ the media, permitting clearance to all of the content stored on the drive. When the drive is removed from a USB port, the drive automatically re-locks and encrypts the stored media”, says Toshiba.

Serious bug in fully patched Internet Explorer puts user credentials at risk | Ars Technica

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users’ browsing sessions. Microsoft officials said they’re working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1.

The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.

glNext: The Future of High Performance Graphics (Presented by Valve)

Join us for the unveiling of Khronos’ glNext initiative, the upcoming cross-platform graphics API designed for modern programming techniques and processors. glNext will be the singular choice for developers who demand peak performance in their applications. We will present a technical breakdown of the API, advanced techniques and live demos of real-world applications running on glNext drivers and hardware.

KICKSTARTER OF THE WEEK: The Mod – Multivibrating Open-Source Dildo | Indiegogo

The Mod is a great vibrator. It’s made from 100% silicone. Its three powerful motors create amazing sensations, ranging from a lovely low frequency rumble to patterns that move up and down the shaft. It is USB rechargeable, and its built in buttons make it easy to control vibration patterns and intensities.

Women and Their Games | Tech Talk Today 43 https://original.jupiterbroadcasting.net/64577/women-and-their-games-tech-talk-today-43/ Fri, 15 Aug 2014 12:07:26 +0000 https://original.jupiterbroadcasting.net/?p=64577 OnePlus steps in it again by asking men to vote on pictures of women in their community, a new USB connector is near, and it’s amazing. Data shows women are often more serious about gaming than men and the ultimate telemarketer burn. Direct Download: MP3 Audio | OGG Audio | Video | HD Video | […]

The post Women and Their Games | Tech Talk Today 43 first appeared on Jupiter Broadcasting.


OnePlus steps in it again by asking men to vote on pictures of women in their community, a new USB connector is near, and it’s amazing. Data shows women are often more serious about gaming than men, and the ultimate telemarketer burn.


Show Notes:

OnePlus asks women to participate in degrading contest to get a smartphone


The startup OnePlus recently launched its first smartphone, the One, and to deal with production issues it’s been letting people buy them by invitation only, slowly offering them to more people as more are produced. It’s a weird system, and today OnePlus began supplementing it with a horribly conceived and deeply sexist contest that allows women to jump the line if they’re willing to have a bunch of internet dudes vote on their appearance. The contest asks women to draw the OnePlus logo on their body (or on a sheet of paper that they’re holding) and then take a photo of themselves and post it in OnePlus’ forums. From there, the 50 “most well liked” will get a free T-shirt and have the option of buying the phone.


OnePlus is calling it the “Ladies First” contest, and it’s basically as awful as it sounds. To say nothing of the fact that the prize is merely the opportunity to buy a phone at full price, the entire conceit is that the male fans of OnePlus are honoring women by voting on them. “In true gentlemen fashion and because chivalry is not dead, we are giving the lovely ladies of OnePlus a chance to skip the invite line,” OnePlus staffer Jerry writes. Jerry introduces the contest by writing that “OnePlus wants to give a shout out to the few but beautiful female fans in our community.”

OnePlus launches, then deletes ‘Ladies First’ promo contest – CNET

After letting the contest continue for a few hours, it looks like OnePlus finally made the right decision to take the forum offline. In a blog post on its contest page, the company acknowledged the contest was in poor taste, and called on the community for ideas on how to better get women involved in tech.

Reversible USB Type-C connector finalized: Devices, cables, and adapters coming soon

The USB Promoter Group has announced that the greatest invention in the known universe — the reversible Type-C USB connector — is finally ready for mass production.

The USB Implementers Forum will now take the Type-C spec and start building devices, cables, and adapters that support the new reversible connector. We could begin seeing Type-C USB devices over the next few months, but considering the lack of backwards compatibility (an adapter is required) and the mass proliferation of Micro-USB chargers, it may take a little while for Type-C to reach critical mass.

It’s essentially two USB 3.1 SuperSpeed connectors (which have the standard four pins, plus five more to enable 10Gbps connections). If you plug the connector in one way, the top set of pins are used; if you plug it in the other way, the bottom set of pins are used. It’s pretty simple.

The Type-C connector also supports the new USB Power Delivery spec (also finalized today), which allows for up to 100 watts to be carried over a USB cable (enough to charge a laptop or power most peripherals, including a monitor).

Report: Women Spend More On Mobile Games Than Men

The mobile ad firm Flurry found that, based on a sample of games that reach a total of 1.1 million devices on the Flurry platform, women actually make 31 percent more in-app purchases than men. It also found that women spend 35 percent more time in gaming apps, and have 42 percent higher retention over seven days on average compared to men.

Flurry notes that the data is measured on a worldwide basis, but “there is very little difference in the numbers when we looked at the US audience only.”

The new report comes as a Kim Kardashian mobile game has taken the world by storm. The New York Times reporting that game developer Glu Mobile said it generated $1.6 million in revenue during the first five days of the game’s release — and since the game is free, this money is streaming in from in-app purchases. An analyst even told the newspaper that the game could generate $200 million worth of revenue on an annual basis.

Males, however, are passionate about certain kinds of mobile games. Flurry also measured the amount of time that gamers spend in 19 categories of iOS games and found that men still spend more time in card/battle games, strategy, tower defense, sports and action/RPG. This shows that in general, hardcore mobile gaming still appeals mostly to men.

And now for a moment in Faux

Today is a good day…

Chris Blasko originally shared:

Today is a good day. I just had a call from a telemarketer. Did I yell and scream at them, you ask? Certainly not. Like a good IT administrator I put my skills to use for their benefit. Here’s how the conversation went:

Computer: “Press 9 to not be contacted in the future. Press 4 to speak to someone about your mortgage issues”

TM: “Hello, are you having problems paying your mortgage?”
Me: “Hi, this is the IT department. We intercepted your call as we detected a problem with your phone and need to fix it.”
TM: “Oh… ok, well what do we need to do?”
Me: “We’re going to need to fix the settings by pressing 4-6-8 and * at the same time”
TM: “Ok, nothing happened.”
<alright, so he’s not using a Polycom>
Me: “Are you using the new Polycom phones that we deployed?”
TM: “No, it’s a Yealink”
Me: “Ok, I see. You haven’t had the new Polycom phone deployed to your desk yet. Let me check our technical documentations for the Yealink.”

Me: “Alright, do you see an “OK” button on your phone?”
TM: “Yes I do”
Me: “Alright, you’re going to press and hold that button for 10 seconds.”
TM: “OK, pressing it now”
Me: “Perfect, let me know if you get a password request”
TM: “OK, nothing has popped up ye—-“
<click>

That’s right. I made a telemarketer unwittingly factory reset his phone, which means he will be unable to make any more calls until someone is able to reconfigure his phone, and that will take at least an hour or longer if they can’t do it right away!

The post Women and Their Games | Tech Talk Today 43 first appeared on Jupiter Broadcasting.

BSD Now vs. BSDTalk | BSD Now 27 https://original.jupiterbroadcasting.net/52967/bsd-now-vs-bsdtalk-bsd-now-27/ Thu, 06 Mar 2014 23:41:07 +0000 https://original.jupiterbroadcasting.net/?p=52967 The long-awaited meetup is finally happening on today’s show. We’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he’s been up to and what the future of BSD advocacy looks like. After that, we’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We’ve got […]

The post BSD Now vs. BSDTalk | BSD Now 27 first appeared on Jupiter Broadcasting.


The long-awaited meetup is finally happening on today’s show. We’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he’s been up to and what the future of BSD advocacy looks like. After that, we’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We’ve got answers to user-submitted questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to: iXsystems


– Show Notes: –

Headlines

FreeBSD and OpenBSD in GSOC2014

  • The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
  • Both FreeBSD and OpenBSD were accepted, and we’d love for anyone listening to check out their GSOC pages
  • The FreeBSD wiki has a list of things that they’d be interested in someone helping out with
  • OpenBSD’s want list was also posted
  • DragonflyBSD and NetBSD were sadly not accepted this year

Yes, you too can be an evil network overlord

  • A new blog post about monitoring your network using only free tools
  • OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
  • It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
  • There’s also details about flowd and nfsen, more great tools to make network monitoring easy
  • If you’re listening, Peter… stop ignoring our emails and come on the show! We know you’re watching!

BSDMag’s February issue is out

  • The theme is “configuring basic services on OpenBSD 5.4”
  • There’s also an interview with Peter Hansteen
  • Topics also include locking down SSH, a GIMP lesson, user/group management, and…
  • Linux and Solaris articles? Why??

Changes in bcrypt

  • Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
  • There is a bug in bcrypt when hashing long passwords – other OSes need to update theirs too! (FreeBSD already has)
  • “The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor ‘b’.”
  • As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
  • Lots of specifics in the email, check the full post
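As an added illustration of the bug class quoted above (a constructed example, not OpenBSD’s bcrypt.c): a toy key schedule whose password length is held in an unsigned char, beside the same schedule with a size_t length, plus the check that tells you whether a given password length even falls in the affected range. The names fold_key, schedule_buggy, schedule_fixed, length_is_affected and long_passwords_collide_only_in_buggy are this example’s own, and the 300-byte sample passwords are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the length-wrap bug class, not OpenBSD's bcrypt.c.
 * A toy key schedule folds the password bytes into a 32-bit state, cycling
 * over the key up to the stored length, as a real key schedule would. The
 * buggy and fixed variants differ only in the type that holds that length. */

#define TOY_ROUNDS 512

/* Fold `len` key bytes into a toy state over a fixed number of rounds,
 * wrapping back to key[0] when the length is exhausted. With len == 0 the
 * index resets every round, so only key[0] is ever read (still in bounds). */
static uint32_t fold_key(const unsigned char *key, size_t len)
{
    uint32_t state = 0x9e3779b9u;
    size_t j = 0;
    for (size_t i = 0; i < TOY_ROUNDS; i++) {
        if (j >= len)
            j = 0;
        state = ((state << 5) | (state >> 27)) ^ key[j];
        j++;
    }
    return state;
}

/* Buggy variant: the length (password plus its NUL) lives in an unsigned
 * char, so for a 255-byte password it becomes 256 and wraps to 0, and for
 * longer passwords it is the true length modulo 256. */
uint32_t schedule_buggy(const char *pw)
{
    unsigned char key_len = (unsigned char)(strlen(pw) + 1);
    return fold_key((const unsigned char *)pw, key_len);
}

/* Fixed variant: the length is kept in size_t, so the whole password counts. */
uint32_t schedule_fixed(const char *pw)
{
    size_t key_len = strlen(pw) + 1;
    return fold_key((const unsigned char *)pw, key_len);
}

/* The check a defender wants when deciding which stored hashes might be
 * affected: the length arithmetic only misbehaves once strlen(pw) + 1 > 255. */
int length_is_affected(const char *pw)
{
    return strlen(pw) + 1 > 255;
}

/* Build a password of n bytes: all 'A' except the last, which is `last`.
 * Returns 0 on success, -1 if the buffer is too small. */
static int make_password(char *buf, size_t bufsz, size_t n, char last)
{
    if (n == 0 || n + 1 > bufsz)
        return -1;
    memset(buf, 'A', n);
    buf[n - 1] = last;
    buf[n] = '\0';
    return 0;
}

/* Demonstrate the consequence: two 300-byte passwords that differ only in
 * their last byte. The buggy schedule sees length 301 mod 256 = 45, so it
 * only ever reads the identical first 45 bytes and the two collide; the
 * fixed schedule reads all 300 bytes and distinguishes them.
 * Returns 1 when exactly that happens, 0 otherwise. */
int long_passwords_collide_only_in_buggy(void)
{
    char a[512], b[512];
    if (make_password(a, sizeof a, 300, 'B') != 0 ||
        make_password(b, sizeof b, 300, 'C') != 0)
        return 0;
    int buggy_collides = schedule_buggy(a) == schedule_buggy(b);
    int fixed_collides = schedule_fixed(a) == schedule_fixed(b);
    return buggy_collides && !fixed_collides;
}

int main(void)
{
    printf("short password unaffected: %s\n",
           schedule_buggy("hunter2") == schedule_fixed("hunter2") ? "yes" : "no");
    printf("300-byte passwords collide only with the buggy length type: %s\n",
           long_passwords_collide_only_in_buggy() ? "yes" : "no");
    return 0;
}
```

The point to take from the toy is the same one the OpenBSD mail makes: short passwords are untouched, so existing hashes of ordinary passwords stay valid, and only hashes of passwords at or beyond 255 bytes need the new minor to tell them apart.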

This episode was brought to you by iXsystems


Interview – Will Backman – bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics


Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)


News Roundup

X11 no longer needs root

  • Xorg has long since required root privileges to run the main server
  • With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
  • Now you can set the “machdep.allowaperture” sysctl to 0 and still use a GUI

OpenSSH 6.6 CFT

  • Shortly after the huge 6.5 release, we get a routine bugfix update
  • Test it out on as many systems as you can
  • Check the mailing list for the full bug list

Creating an OpenBSD USB drive

  • Since OpenBSD doesn’t distribute any official USB images, here are some instructions on how to do it
  • Step by step guide on how you can make your very own
  • However, there’s some recent emails that suggest official USB images may be coming soon… oh wait

PCBSD weekly digest

  • New PBI updates that allow separate ports from /usr/local
  • You need to rebuild pbi-manager if you want to try it out
  • Updates and changes to Life Preserver, App Cafe, PCDM

Feedback/Questions

  • espressowar writes in: https://slexy.org/view/s2JpJ5EaZp
  • Antonio writes in: https://slexy.org/view/s2QpPevJ3J
  • Christian writes in: https://slexy.org/view/s2EZLxDfWh
  • Adam writes in: https://slexy.org/view/s21gEBZbmG
  • Alex writes in: https://slexy.org/view/s2RnCO1p9c

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We especially want to hear some tutorial ideas that you guys would like to see, so let us know
  • Also, if you’re a NetBSD or DragonflyBSD guy listening, we want to talk to you! We’d love more interviews related to those, whether you’re a developer or not
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

ZFS Turntables | TechSNAP 143 https://original.jupiterbroadcasting.net/48857/zfs-turntables-techsnap-143/ Thu, 02 Jan 2014 17:54:54 +0000 https://original.jupiterbroadcasting.net/?p=48857 2014 starts out with a bang, the NSA spying catalog is leaked, back doors are running wild, and thieves use a simple USB drive to steal thousands of dollars.

The post ZFS Turntables | TechSNAP 143 first appeared on Jupiter Broadcasting.


Then it’s a great big batch of your questions, and our answers!

Thanks to: GoDaddy, Ting, iXsystems


— Show Notes: —

NSA Spy tool catalogue

  • Der Spiegel displays the NSA’s 50-page catalogue of spy tools and “Tailored Access Operations”
  • Many of the digital weapons are “remotely installable”
  • While others require physical access to the device, called an “interdiction”
  • The malware is installed into the hardware, usually intercepted sometime between leaving the manufacturer and arriving at the customer
  • The malware is often persistent, meaning it will survive upgrades, and sometimes even reflashing the BIOS or firmware
  • Some of the implants were new hardware that provided the NSA with RF communications with the target system, allowing them to control or reinfect the system, or exfiltrate data
  • The attack against Dell servers, known as ARKSTREAM, reflashed the BIOS from a USB stick (so as not to require the attacker to have any technical skills) to implant the infection
  • The NSA has nearly complete backdoor access to Apple’s iPhone
  • EFF: Everything we know about the NSA Spying
  • One case involved Julian Assange’s current home at the Ecuadorian Embassy in London, where visitors were surprised to receive welcome messages from a Ugandan telephone company. It turned out the messages were coming from a foreign base station device installed on the roof, masquerading as a cell tower for surveillance purposes
  • The program also targeted hard drive manufacturers: Western Digital, Seagate, Maxtor and Samsung
  • Responses:
  • Dell
  • Juniper
  • Cisco

Thieves use USB sticks to compromise ATMs

  • The attackers physically cut holes in the ATM to be able to access the USB port; once they had infected the machines with their own code, they patched the holes to avoid discovery
  • Once infected, the thieves just had to approach the ATM and enter a 12-digit code to get access
  • “Analysis of software installed onto four of the affected machines demonstrated that it displayed the amount of money available in each denomination of note and presented a series of menu options on the ATM’s screen to release each kind”
  • The mastermind behind the attack designed it such that it required two-factor authentication, to ensure that the mules with the USB sticks could not ‘go rogue’
  • The researchers added that the organisers displayed “profound knowledge of the target ATMs” and had gone to great lengths to make their malware code hard to analyse.
  • However, they added that the approach did not extend to the software’s filenames – the key one was called hack.bat.

Canadian Federal Departments consider banning USB devices

  • After a number of incidents where USB sticks have been lost or stolen, the Canadian government is considering banning USB devices
  • A week-long investigation led security officials to conclude it was “impossible to assess [the] compromise” related to the loss of the device
  • Nor was it clear who was telling the truth about the number of hands the one small device passed through: Employees pointed fingers at each other, with none knowing where the USB key ended up
  • Another USB key that was neither password protected nor encrypted was found on a downtown Ottawa sidewalk by a Good Samaritan. It contained protected information — albeit out-of-date details — of a federal project
  • File servers are behind firewalls, support auditing and stronger access control, and are a better solution
  • However, since any unsophisticated user can easily use a USB stick, they tend to get used to circumvent IT policy

Feedback:


Round Up:


Summer of Bitcoin | Plan B 16 https://original.jupiterbroadcasting.net/40712/summer-of-bitcoin-plan-b-16/ Tue, 23 Jul 2013 18:43:36 +0000 https://original.jupiterbroadcasting.net/?p=40712 A series of events kick off this week that lay the foundation for a very productive Bitcoin summer!

The post Summer of Bitcoin | Plan B 16 first appeared on Jupiter Broadcasting.


A series of events kick off this week that lay the foundation for a very productive Bitcoin summer, plus a popular Bitcoin gambling site sells for a record breaking amount, a Bitcoin Ponzi scheme is busted, your emails of the week, and a few surprises!


— Feedback —

Erupter Follow Up:

Help spread the word on iTunes with a Rating and Review:

Call or txt the Show:

1 (352) 587-5262

(352) 58-PLANB

— Discussion —


Stossel discusses the gold standard and bitcoin

Economist Ben Powell and Laissez Faire Books executive editor Jeff Tucker on investing in gold and the bitcoin


SatoshiDice sells for 126,315 BTC

Blockchain-based betting game SatoshiDice has been sold for 126,315 BTC, which at the time of writing was worth around $11.47 million.


SEC Charges Texas Man in Bitcoin Ponzi Scheme

The SEC charged Shavers with violating the Securities Act of 1933 for unlawfully selling unregistered securities, as well as intentionally misleading and defrauding investors. Their alert provides an overview of Ponzi schemes — a fund that pays earlier investors with new investors’ money, often promising returns far exceeding alternative opportunities. The SEC document also explains that virtual currencies may be seen as especially attractive to those looking to conduct fraud as a result of the perceived ability to remain anonymous. Importantly, the filing also notes, “Any investment in securities in the United States remains subject to the jurisdiction of the SEC regardless of whether the investment is made in U.S. dollars or a virtual currency.”

The Securities and Exchange Commission today charged a Texas man and his company with defrauding investors in a Ponzi scheme involving Bitcoin, a virtual currency traded on online exchanges for conventional currencies like the U.S. dollar or used to purchase goods or services online.

The SEC alleges that Shavers promised investors up to 7 percent weekly interest based on BTCST’s Bitcoin market arbitrage activity, which supposedly included selling to individuals who wished to buy Bitcoin “off the radar” in quick fashion or large quantities. In reality, BTCST was a sham and a Ponzi scheme in which Shavers used Bitcoin from new investors to make purported interest payments and cover investor withdrawals on outstanding BTCST investments.

Shavers also diverted investors’ Bitcoin for day trading in his account on a Bitcoin currency exchange, and exchanged investors’ Bitcoin for U.S. dollars to pay his personal expenses.

The SEC issued an investor alert today warning investors about the dangers of potential investment scams involving virtual currencies promoted through the Internet.

“Fraudsters are not beyond the reach of the SEC just because they use Bitcoin or another virtual currency to mislead investors and violate the federal securities laws,” said Andrew M. Calamari, Director of the SEC’s New York Regional Office.

The Movie by Project Bitcoin

A documentary about the socioeconomic impact that Bitcoin is making around the world. Comprised of interviews from global Bitcoin users

Bitcoin Pick

— Watch Live —

Tuesday 2pm PDT / 5pm EDT / 9pm GMT

— Plan B Subreddit —

— Contact us —

— Music —


— Support the Show —
