Show Notes: selfhosted.show/10

The post Compromised Cameras | Self-Hosted 10 first appeared on Jupiter Broadcasting.

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Whoosh! That was the sound of your bank’s hard drives being destroyed

• “ING Bank’s main data center in Bucharest, Romania, was severely damaged over the weekend during a fire extinguishing test. In what is a very rare but known phenomenon, it was the loud sound of inert gas being released that destroyed dozens of hard drives. The site is currently offline and the bank relies solely on its backup data center, located within a couple of miles’ proximity.”
• “The drill went as designed, but we had collateral damage”, ING’s spokeswoman in Romania told me, confirming the inert gas issue. Local clients were unable to use debit cards and to perform online banking operations on Saturday between 1PM and 11PM because of the test. “Our team is investigating the incident,” she said.”
• “The purpose of the drill was to see how the data center’s fire suppression system worked. Data centers typically rely on inert gas to protect the equipment in the event of a fire, as the substance does not chemically damage electronics, and the gas only slightly decreases the temperature within the data center.”
• “The gas is stored in cylinders, and is released at high velocity out of nozzles uniformly spread across the data center. According to people familiar with the system, the pressure at ING Bank’s data center was higher than expected, and produced a loud sound when rapidly expelled through tiny holes”
• “The bank monitored the sound and it was very loud, a source familiar with the system told us. “It was as high as their equipment could monitor, over 130dB”.”
• “here is still very little known about how sound can cause hard drive failure. One of the first such experiments was made by engineer Brendan Gregg, in 2008, while he was working for Sun’s Fishworks team. He recorded a video in which he explains how shouting in a data center can result in hard drives malfunction.”
• The test Brendan did was just a demonstration, the problem they were diagnosing in the video was caused by traffic on the street outside of the office basement data center. The rumble of the diesel bus engine as it pulled away from the stop on a regular basis caused latency on their hard drives
• “Researchers at IBM are also investigating data center sound-related inert gas issues. “[T]he HDD can tolerate less than 1/1,000,000 of an inch offset from the center of the data track—any more than that will halt reads and writes”, experts Brian P. Rawson and Kent C. Green wrote in a paper. “Early disk storage had much greater spacing between data tracks because they held less data, which is a likely reason why this issue was not apparent until recently.””
• “The Bank said it required 10 hours to restart its operation due to the magnitude and the complexity of the damage. A cold start of the systems in the disaster recovery site was needed. “Moreover, to ensure full integrity of the data, we’ve made an additional copy of our database before restoring the system,” ING’s press release reads.”
• “Over the next few weeks, every single piece of equipment will need to be assessed. ING Bank’s main data center is compromised “for the most part”, a source told us.”

Critical MySQL vulnerability

• “An independent research has revealed multiple severe MySQL vulnerabilities. This advisory focuses on a critical vulnerability with a CVEID of CVE-2016-6662 which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences.”
• “The vulnerability affects all MySQL servers in default configuration in all version branches (5.7, 5.6, and 5.5) including the latest versions, and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL Injection could be used as exploitation vectors.”
• The vulnerability also affects forks of MySQL including MariaDB and Percona
• “Official patches for the vulnerability are not available at this time for Oracle MySQL server. The vulnerability can be exploited even if security modules SELinux and AppArmor are installed with default active policies for MySQL service on major Linux distributions.”
• Oracle has decided to not release a patch until their next “Critical Patch Update” in the middle of October
• How does it work?
• “The default MySQL package comes with a mysqld_safe script which is used by many default installations/packages of MySQL as a wrapper to start the MySQL service process”
• This wrapper allows you to specify an alternate malloc() implementation via the mysql config file (my.cnf), to improve performance by using a specially designed library from Google performance team, or another implementation.
• The problem is that many MySQL tutorials, guides, how-tos, and setup scripts chown the my.cnf file to the mysql user. Even most MySQL security guides give this bad advice.
• “In 2003 a vulnerability was disclosed in MySQL versions before 3.23.55 that
  allowed users to create mysql config files with a simple statement:”
  SELECT * INFO OUTFILE ‘/var/lib/mysql/my.cnf’
• “The issue was fixed by refusing to load config files with world-writable permissions as these are the default permissions applied to files created by OUTFILE query.”
• This issue has been considered fixed for more than 10 years.
• However, a new vector has appeared:
  

  mysql> set global general_log_file = ‘/etc/my.cnf’;
  mysql> set global general_log = on;
  mysql> select ‘
  ‘> ; injected config entry
  ‘> [mysqld]
  ‘> malloc_lib=/tmp/mysql_exploit_lib.so
  ‘> ‘;
  1 row in set (0.00 sec)
  mysql> set global general_log = off;

• If MySQL has permission, it will write that content into that file
• Now, the config file will be invalid, and mysql will not like it because it contains excess lines, however:
• “mysqld_safe will read the shared library path correctly and add it to the LD_PRELOAD environment variable before the startup of mysqld daemon. The preloaded library can then hook the libc fopen() calls and clean up the config before it is ever processed by mysqld daemon in order for it to start up successfully.”
• Another issue is that the mysqld_safe script loads my.cnf from a number of locations, so even if you have properly security your config file, if one of the other locations is not locked down, MySQL could create a new config file in that location
• “The vulnerability was reported to Oracle on 29th of July 2016 and triaged by the security team. It was also reported to the other affected vendors including PerconaDB and MariaDB. The vulnerabilities were patched by PerconaDB and MariaDB vendors by the end of 30th of August.”
• “During the course of the patching by these vendors the patches went into public repositories and the fixed security issues were also mentioned in the new releases which could be noticed by malicious attackers. As over 40 days have passed since reporting the issues and patches were already mentioned publicly, a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor’s next CPU update that only happens at the end of October.”
• “No official patches or mitigations are available at this time from the vendor. As temporary mitigations, users should ensure that no mysql config files are owned by mysql user, and create root-owned dummy my.cnf files that are not in use. These are by no means a complete solution and users should apply official vendor patches as soon as they become available.”

Bugs in Cisco networking gear at center of hosting company bankruptcy fight

• “Game of War: Fire Age, your typical melange of swords and sorcery, has been one of the top-grossing mobile apps for three years, accounting for hundreds of millions of dollars in revenue. So publisher Machine Zone was furious when the game’s servers, run by hosting company Peak Web, went dark for 10 hours last October. Two days later, Machine Zone fired Peak Web, citing multiple outages, and later sued.”
• “Then came the countersuit. Peak Web argued in court filings that Machine Zone was voiding its contract illegally, because the software bug that caused the game outages resided in faulty network switches made by Cisco Systems, and according to Peak Web’s contract with Machine Zone, it wasn’t liable. In December, Cisco publicly acknowledged the bug’s existence—too late to help Peak Web, which filed for bankruptcy protection in June, citing the loss of Machine Zone’s business as the reason. The Machine Zone-Peak Web trial is slated for March 2017.”
• “There’s buggy code in virtually every electronic system. But few companies ever talk about the cost of dealing with bugs, for fear of being associated with error-prone products. The trial, along with Peak Web’s bankruptcy filings, promises a rare look at just how much or how little control a company may have over its own operations, depending on the software that undergirds it.”
• “Peak Web, founded in 2001, had worked with companies including MySpace, JDate, EHarmony, and Uber. Under its $4 million-a-month contract with Machine Zone, which began on April 1, 2015, it had to keep Game of War running with fewer than 27 minutes of outages a year, court filings show. According to Machine Zone, the hosting service couldn’t make it a month without an outage lasting almost an hour. Another in August of that year was traced to faulty cables and cooling fans, according to the publisher.”
• “Cisco’s networking equipment became a problem in September, says a person familiar with Peak Web’s operations, who requested anonymity to discuss the litigation. The company’s Nexus 3000 switches began to fail after trying to improperly process a routine computer-to-computer command, and because Cisco keeps its code private, Peak Web couldn’t figure out why. The person familiar with the situation says Cisco denied Peak Web’s requests for an emergency software fix, and as more switches failed over the next month, the hosting service’s staffers couldn’t move quickly enough to keep critical systems online.”
• “Finally, late in October, came the 10 hours of darkness. Three people familiar with Peak Web’s operations say the lengthy outage gave the company time to deduce that the troublesome command was reducing the switches’ available memory and causing them to crash. The company alerted Cisco. Machine Zone’s attorneys wrote that Peak Web has “aggressively sought to place the blame elsewhere for its failures” and that it could have prevented the downtime. In December, Cisco confirmed to Peak Web that it had replicated the bug and issued a fix, according to e-mails filed as evidence in the lawsuit.”
• “Networking equipment such as switches and routers, which carry the world’s internet and corporate data traffic, tend to be especially difficult to fix with a software patch”
• “In one previously unreported incident, in 2014, a glitch in a Cisco Invicta flash storage system corrupted data and disabled the emergency-room computer systems at Chicago’s Mount Sinai Hospital for more than eight hours, says a person familiar with the incident. Cisco later froze shipments of Invicta equipment and discontinued the product line. In another unreported case, a Cisco server in 2012 overheated inside a data center at chipmaking equipment manufacturer KLA-Tencor, forcing the facility to close and costing the company more than $50 million, according to a person familiar with the matter.”
• This is definitely a tough spot to be in. I have been on both sides of this, and even in the middle. I use the services of a larger ISP to provide service to my customers, so when a problem is with that upstream ISP, their SLA only covers a fraction of what I pay them, not what my customers pay me
• One of the worst cases for me was when a automated configuration error at an upstream ISP changed a bunch of switch ports from gigabit to 100mbps, severely degrading the performance of our servers, and interrupting an important live stream.
• While our ISP gave us a large credit to cover their screw up, it didn’t cover the lossed revenue we didn’t get because of the screw up, nor the even larger lost revenue of our customer. That customer left, so we ended up also missing out all of future revenue

Feedback:

• Followup from Episode 281

• VLAN is not for security, so how to secure my network?

• ZFS vs all the others

• Puppet vs Ansible

Round Up:

• Xiaomi Can Silently Install Any App On Your Android Phone Using A Backdoor
• Hunter Tip #2 Nullie the Elephant — BugBountyHQ post about where to look for bugs duringg your next bounty
• 324,000 Financial Records with CVV Numbers Stolen From A Payment Gateway
• Why Writing Correct Software Is Hard and why math (alone) won’t help us
• Google Cloud Platform Blog: Making ASP.NET apps first-class citizens on Google Cloud Platform
• Wells Fargo employees created millions of phony accounts to meet sales targets. Customers charged bank fees for accounts they didn’t ask for
• FBI director: Cover up your webcam
• Datanauts episode 50: Exploring LinkedIn’s open19 rack standard
• libTiff has dropped off of the internet
• When the vendor sales person doesn’t actually know what they are talking about
• How not to keep your wire-cutters from being stolen
• I’m used to seeing weird security products at work, but this is getting ridiculous. These better not have Bluetooth.

The post Buffalo Overflow | TechSNAP 284 first appeared on Jupiter Broadcasting.

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

• SHADOW BROKERS HACK THE NSA!!! – YouTube
• Commentary: Evidence points to another Snowden at the NSA | Reuters
• How the NSA snooped on encrypted Internet traffic for a decade
• The NSA hack proves Apple was right to fight the FBI

• Behind the Scenes of iOS Security

• Android 7.0 Nougat is rolling out to Nexus devices starting today

• Everything that’s new in Android 7.0 Nougat (official)

• China’s Xiaomi Suits Up for a Debut on Apple’s U.S. Home Turf – Bloomberg

• Scientists Are Making Star Trek’s Phaser A Reality

• Laser Scientists Are Developing Star Trek’s Phaser – YouTube

Kickstarter of the Week

• VylyV: The Smart Shorts that Boost Your Manhood | Indiegogo

Submitted by: khaotic_kernel

The post Internet for your Things | TTT 257 first appeared on Jupiter Broadcasting.

A lot is happening in the world of Google this week & some of the new changes are big improvements for it’s users. Plus the new MacBook killer by Xiaomi that might really be killer & Washington State is suing Comcast.

Plus a really neat Kickstarter of the week, local streaming to a Chromecast & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Video Feed | Torrent Feed

Become a supporter on Patreon

Show Notes:

Links:

• New Android Trojan SpyNote leaks on underground forums

• Google has sold 30 million Chromecasts, 5 million in the past 2 months

• Localcast – Simple stream for Chromecast

• Google Account sign-in notifications are now sent directly to your Android device

• 90% of YouTube and Google Calendar connections are now encrypted with HTTPS

• Xiaomi takes on the MacBook with the $750 “Mi Notebook Air”

• Washington state sues Comcast, says it sold near-worthless service plans | Ars Technica

Kickstarter of the week:

• Time Flies: Levitating Nixie Clock by Tony Adams — Kickstarter

The post Google Gets Pushy | TTT 254 first appeared on Jupiter Broadcasting.

Behind the scenes on Ubuntu MATE’s new features pushing the Ubuntu platform forward for traditional desktops, why Apple’s latest court case proves Richard Stallman was right about owning your own software & there is real debate about Xiaomi’s new Linux laptop.

Plus the big EFF win that’s great for Linux users, the big problems facing x86 that are a wake up call to distro makers & more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed | WebM Torrent Feed

Become a supporter on Patreon:

Show Notes:

Pre-Show:

• World Without Linux Episode 2: Are We There Yet? – YouTube

Feedback:

• Ubuntu MATE 15.10 Press Kit

• I was not satisfied with podcatchers for the command line, so i build my own – podfox

• EFF Wins Petition to Inspect and Modify Car Software

Linux Academy

• Linux Academy | Linux and AWS Online Training

Intel x86 considered harmful (new paper)

So, today I’m releasing this first paper, finally. You can get the PDF
_here, and also the EPUB version
here._

_As mentioned, the paper is mostly a (hopefully systematic) survey of the various
problems and attacks presented against the x86 platform over the last 10 year_s.

• Qubes 3.0

DigitalOcean

• DigitalOcean: SSD Cloud Server, VPS Server, Simple Cloud Hosting

DOJ dismisses Apple’s arguments against decrypting iOS communications

Federal courts should require Apple to unlock encrypted data because the operating system is “licensed, not sold,” to customers, the Justice Department argued in a reply brief in the U.S. District Court for the Eastern District of New York.

• Richard Stallman is the hero the internet needs

But suddenly he doesn’t seem crazy anymore. After the Snowden revelations, and all the other major and minor privacy breaches of the past few years, his paranoia now seems justified — even rational:

• He warned of the growing danger of DRM in his great short story The Right to Read (1997).
• He refuses to own a cellphone, on the grounds that it might be used as a tracking or covert listening device. This still sounds slightly paranoid, but looks increasingly possible.
• Stallman considers cloud computing dangerous. In 2008 I thought this was alarmist; now nobody trusts the cloud.
• He’s always held that proprietary software cannot be trusted. Windows 10’s shady behaviour proves that he has a point.

TING

• Ting – mobile that makes sense

Xiaomi’s Linux Laptop To Enter Production ‘Early Next Year’

The model with a 12.5-inch screen will be manufactured by Inventec (who make laptops for Acer, Toshiba and HP), with an initial order of 250,000 units.

The slightly larger device is to be made by Compal Electronics (known for manufacturing Apple devices, and various PlayStation, Xbox and Nintendo games consoles), with Xiaomi placing an order for 300,000 units.

Support Jupiter Broadcasting on Patreon

The post What's New MATE | LINUX Unplugged 116 first appeared on Jupiter Broadcasting.

A leak reveals the specs, price, and other details about the new Moto 360 smartwatch & is Xiaomi’s new MIUI 6 OS release a iOS rip off?

Plus the market share numbers you won’t believe, and if Linux distros were superheroes, which hero would they be? We debate!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Moto 360 Shows Up at Best Buy for $249, Outs List of Features | Droid Life

We are expecting to get official Moto 360 launch details when Motorola hosts press at a September 4 event in Chicago, but Best Buy may have gone ahead and let us in on all sorts of details early. According to a listing on Best Buy’s site for the Moto 360, we could end up paying $249.

MIUI 6 Full Review: Visually Stunning, Stunningly Simple – Xiaomi Mi 4 – MIUI Official Community

MIUI 6

I’m not sure who should be more upset. Apple, because this is such a preposterously shameless ripoff of iOS. Or Samsung, because Xiaomi is so much better at ripping off Apple than they are.

Update: Keep in mind, too, that Xiaomi VP Hugo Barra keeps insisting they don’t copy designs from Apple. Even Thom Holwerda agrees that this is just shameless.

Android, iOS gobble up even more global smartphone share | PCWorld

According to IDC, the total combined market share of Android and iOS swelled to 96.4 percent during the second quarter, up from 92.6 percent a year ago. That left just 2.5 percent of the market to Windows Phone, down from 3.4 percent in a year’s time.

Unfortunately for Microsoft’s Windows Phone, Apple’s iOS devices dominated the high end of the market, while Android—with 84.7-percent global share in smartphone operating systems—tended to dominate the low-end, sub-$200 market. That left precious little room for Windows Phone, even though recent efforts to lower the platform’s licensing costs should have helped propel it in the market.

“With many of its OEM partners focusing on the sub-$200 segments, Android has been reaping huge gains within emerging markets,” said Ramon Llamas, a research manager with IDC’s mobile phone team, in a statement. “During the second quarter, 58.6 percent of all Android smartphone shipments worldwide cost less than $200 off contract, making them very attractive compared to other devices. With the recent introduction of Android One, in which Google offers reference designs below $100 to Android OEMs, the proportion of sub-$200 volumes will climb even higher.”

If Linux Distros Were Superheroes Ubuntu Would Be Superman

If Ubuntu-based Linux distributions were comic book superheroes, who would be what and why? That’s the question I’ve been mulling over for the last half hour.

The post China's new Apple | Tech Talk Today 44 first appeared on Jupiter Broadcasting.

Amazon has gone to war on multiple fronts, and is asking for you to enlist. But we’ll cut through the crap and discuss what’s really at play. Plus Xiaomi gets caught red handed spying on their users, the Bitcoin hijack that’s super impressive & more!

Direct Download:

MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Xiaomi phones send user data to remote servers: F-Secure

At first, F-Secure did not configure an Mi Cloud (Xiaomi’s equivalent of Apple’s iCloud that stores user data) account and simply inserted a sim card, connected the phone to Wi-Fi, turned on GPS, added a contact and made and received a call and exchanged messages. The company found that the phone number of contacts added to the phone book and from SMS messages received were also forwarded. The phone follows a similar pattern even when one configures an Mi Cloud account.

“Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number,” writes F-Secure in its blog.

Xiaomi Makes its iMessage-Like Service Optional

Xiaomi is making the cloud messaging service that is automatically activated on its devices optional for user

• As a Google+ update from Hugo Barra, the former Google executive who is Xiaomi’s Global VP, explained:

These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change.

After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

Amazon wants you to ask Hachette’s CEO for lower e-book prices

• An Important Kindle request

Amazon Gets Increasingly Nervous

John Scalzi on Amazon/Hachette

John Scalzi:

Amazon is not your friend. Neither is any other corporation. It and they do what they do for their own interest and are more than willing to try to make you try believe that what they do for their own benefit is in fact for yours. It’s not. In this particular case, this is not about readers or authors or anyone else but Amazon wanting eBooks capped at $9.99 for its own purposes. It should stop pretending that this is about anything other than that. Readers, authors, and everyone else should stop pretending it’s about anything other than that, too.

Disney Disc Preorders Disappear From Amazon

Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins

Researchers at Dell’s SecureWorks security division say they’ve uncovered a series of incidents in which a bitcoin thief redirected a portion of online traffic from no less than 19 Internet service providers, including data from the networks of Amazon and other hosting services like DigitalOcean and OVH, with the goal of stealing cryptocurrency from a group of bitcoin users.

Though each redirection lasted just 30 second or so, the thief was able to perform the attack 22 times, each time hijacking and gaining control of the processing power of a group of bitcoin miners, the users who expend processing power to add new coins to the currency’s network.

The attacker specifically targeted a collection of bitcoin mining “pools”

The redirection technique tricked the pools’ participants into continuing to devote their processors to bitcoin mining while allowing the hacker to keep the proceeds. At its peak, according to the researchers’ measurements, the hacker’s scam was pocketing a flow of bitcoins and other digital currencies including dogecoin and worldcoin worth close to $9,000 a day.

The Dell researchers believe the bitcoin thief used a technique called BGP hijacking, which exploits the so-called border gateway protocol, the routing instructions that direct traffic at the connection points between the Internet’s largest networks. The hacker took advantage of a staff user account at a Canadian internet service provider to periodically broadcast a spoofed command that redirected traffic from other ISPs, starting in February and continuing through May of of this year.

In fact, the BGP bitcoin-stealing exploits represent less of a new vulnerability in bitcoin than the persistent fragility of the internet itself, Dell’s researchers say. If one Canadian ISP can be used to redirect large flows of the Internet to steal a pile of cryptocurrency, other attackers could just as easily steal massive drifts of Internet data for espionage or pure disruption. The Dell researchers suggest that companies set up monitoring through a service like BGPmon, which can detect BGP hijacking attacks. B

Dutch government funds safe Dorpbox alternative Localbox

submitted by clementl

This links to a page where you can download the server. It’s written in PHP with Symfony.

The downside is that there are only clients for Windows, Android and iOS. They are planning to release the source of those in this fall.

The post Amazon's Strongarm | Tech Talk Today 41 first appeared on Jupiter Broadcasting.