XP – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.
Fri, 26 Feb 2016 16:46:44 +0000

Weaponized Comic Sans | TechSNAP 254
https://original.jupiterbroadcasting.net/94006/weaponized-comic-sans-techsnap-254/
Thu, 18 Feb 2016 18:53:24 +0000

The post Weaponized Comic Sans | TechSNAP 254 first appeared on Jupiter Broadcasting.


A common vulnerability is impacting Firefox, LibreOffice, and others, the 7 problems with ATM security, and the Enterprise grade protection defeated with a batch script.

Plus some great questions, our answers, a rockin roundup, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Show Notes:

The 7 problems with ATM security

  • Kaspersky presents a list of the 7 reasons why ATMs are so easily compromised, based on a talk given at the SAS2016 conference
  • “Automated teller machines (ATM) have always been a big target for criminals. In the past hunting for ATMs included some heavy tools like a cutting torch or explosives. However with the dawn of the Digital Age, everything has changed. Nowadays culprits can ‘jackpot’ an ATM without such special effects.”
  1. ATMs are basically just computers (PCs)
  2. That PC is likely running an old operating system (in early 2014, 95% of all ATMs still ran Windows XP)
  3. The software other than the OS is also likely vulnerable. Many ATMs still have the bundled version of Flash that came with stock Windows XP, which now has 9000 known vulnerabilities
  4. ATMs have no software integrity control, no antivirus solutions, and no authentication of an app that sends commands to the cash dispenser.
  5. Weak physical security for the PC part of the ATM. While the deposit box and cash dispenser are armored against attack, the PC is usually only hidden behind some thin plastic. “There is no money in that part of the ATM”
  6. ATM control PCs have standard interfaces that are not secured. Let me just plug this USB stick into your ATM, now it is my ATM
  7. ATMs are increasingly directly connected to the Internet. You can find ATMs on Shodan
  • ATMs are not replaced very often, so upgrades to the physical protections of the PC component will likely not happen very soon
  • When was the last time you saw an ATM down for software updates?
  • Maybe if the criminals keep stealing large amounts of money, the banks will be more interested in replacing the ATMs
  • This of course doesn’t cover the private ATMs you often see in convenience stores

FireEye Detection Evasion and Whitelisting of Arbitrary Malware

  • Researchers at Blue Frost Security have developed a way to evade the dynamic analysis of the FireEye suite of security appliances
  • The FireEye appliance works by starting untrusted binaries and applications in virtualization and observing what they do
  • If the application is found to be malicious, it is blocked
  • Only applications allowed by the FireEye device can be run on the protected computers
  • “The analysis engine evasion allows an attacker to completely bypass FireEye’s virtualization-based dynamic analysis on Windows and add arbitrary binaries to the internal whitelist of binaries for which the analysis will be skipped until the whitelist entry is wiped after a day”
  • “FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.”
  • “No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.”
  • Let’s take the filename FOO%temp%BAR.exe which results in:
  • copy malware.exe “%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe”
  • The filename, directory name, or volume label syntax is incorrect.
  • “The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”
  • “Afterwards the behavioral analysis inside the virtual machine is started which is running for a certain amount of time looking for malicious behavior. Since the binary was not started in the virtual machine in the first place, an empty virtual machine will be analyzed and no malicious behavior will be detected.”
  • “Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after a day.”
  • The issue was reported to FireEye on September 14th, and FireEye responded quickly
  • FireEye released updates for some of its products on October 5th and 15th
  • On December 31st FireEye published their Q4 security advisory
  • FireEye Security Advisory
  • On January 14th, FireEye asked that BFS delay publication of the vulnerability for another 30 days, as too many clients had not yet installed the update
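
The failure chain quoted above, modelled from the defender's side. This is an added example, not code from FireEye or Blue Frost Security; the function names, the allow-listed extensions and the sample environment are assumptions made for illustration. It shows why the unsanitized name breaks the copy step, and three checks that close the gap: rejecting names cmd.exe would reinterpret, naming the in-VM copy from the content hash, and refusing to record a "benign" verdict for a sample that never ran.

```python
import hashlib
import re

# Characters cmd.exe treats specially inside a batch script, plus characters
# Windows forbids in file names. '%' and '!' trigger variable expansion; the
# rest are redirection, chaining, quoting or path syntax.
UNSAFE = set('%!^&|<>"\'`()/\\:*?')

# Constructed environment standing in for the analysis VM (assumption).
SAMPLE_ENV = {"TEMP": r"C:\Users\admin\AppData\Local\Temp"}


def expand_batch_vars(text, env):
    """Model cmd.exe %VAR% expansion (case-insensitive, single pass)."""
    lookup = {k.upper(): v for k, v in env.items()}

    def repl(match):
        # In a batch file an undefined %VAR% expands to an empty string.
        return lookup.get(match.group(1).upper(), "")

    return re.sub(r"%([^%]+)%", repl, text)


def is_valid_windows_filename(name):
    """True if name is a single path component Windows can create."""
    return bool(name) and not any(c in '<>:"/\\|?*' for c in name)


def simulate_copy_step(original_name, env=SAMPLE_ENV):
    """Return (expanded_name, copy_would_succeed) for the unsanitized flow."""
    expanded = expand_batch_vars(original_name, env)
    return expanded, is_valid_windows_filename(expanded)


def filename_is_batch_safe(name):
    """Reject names that cmd.exe would reinterpret or that are not plain file names."""
    return bool(name) and name.isprintable() and not (set(name) & UNSAFE)


def neutral_sample_name(data, original_name):
    """Name the in-VM copy from the content hash, never from submitted input.

    Only an allow-listed extension is carried over from the original name.
    """
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    if ext not in {"exe", "dll", "scr"}:
        ext = "bin"
    return hashlib.sha256(data).hexdigest()[:16] + "." + ext


def verdict(copied, executed, malicious_events):
    """Only a sample that actually ran may be cached as benign."""
    if not (copied and executed):
        return "inconclusive"  # must never be added to the skip-analysis list
    return "malicious" if malicious_events else "benign"


if __name__ == "__main__":
    name = "FOO%temp%BAR.exe"  # the file name used in the advisory
    expanded, ok = simulate_copy_step(name)
    print("expanded name :", expanded)
    print("copy succeeds :", ok)
    print("batch-safe    :", filename_is_batch_safe(name))
    print("neutral name  :", neutral_sample_name(b"constructed sample bytes", name))
    print("verdict       :", verdict(copied=ok, executed=False, malicious_events=[]))
```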

Libgraphite Vulnerabilities Impact Firefox, OpenOffice, and Others

  • Talos is releasing an advisory for four vulnerabilities that have been found within the Libgraphite library, which is used for font processing in Linux, Firefox, OpenOffice, and other major applications.
  • The most severe vulnerability results from an out-of-bounds read which the attacker can use to achieve arbitrary code execution.
  • A second vulnerability is an exploitable heap overflow.
  • Finally, the last two vulnerabilities result in denial of service situations.
  • To exploit these vulnerabilities, an attacker simply needs the user to run a Graphite-enabled application that renders a page using a specially crafted font that triggers one of these vulnerabilities.
  • Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server (since Graphite supports both local and server-based fonts).
  • Graphite is a package that can be used to create “smart fonts” capable of displaying writing systems with various complex behaviors.
  • Basically Graphite’s smart fonts are just TrueType Fonts (TTF) with added extensions.
  • The issues that Talos identified include the following:
  • An exploitable denial of service vulnerability exists in the font handling of Libgraphite. A specially crafted font can cause an out-of-bounds read potentially resulting in an information leak or denial of service.
  • A specially crafted font can cause a buffer overflow resulting in potential code execution.
  • An exploitable NULL pointer dereference exists in the bidirectional font handling functionality of Libgraphite. A specially crafted font can cause a NULL pointer dereference resulting in a crash.
  • If a malicious font is provided then an arbitrary length buffer overflow can occur when handling context items.
  • The first denial of service issue results from a NULL pointer dereference.
  • The second denial of service issue results from an out of bounds read that can not only cause a DoS, but it can also cause a leak of information. When reading an invalid font where the local table size is set to 0, an out of bounds read will occur.

  • Known Vulnerable Versions:
  • Libgraphite 2-1.2.4
  • Firefox 31-42
  • Firefox ESR before 38.6.1

Feedback:

Make sure you patch your Linux machines for the glibc vulnerability


Chromium Bugging Bug | Tech Talk Today 187
https://original.jupiterbroadcasting.net/84092/chromium-bugging-bug-tech-talk-today-187/
Tue, 23 Jun 2015 10:14:24 +0000

The post Chromium Bugging Bug | Tech Talk Today 187 first appeared on Jupiter Broadcasting.


Google wants to improve your search experience for you automatically, with your microphone. We debate if this is the straw that breaks the camel’s back or just a nice feature.

Plus the Core Infrastructure Initiative throws a little money around, the US Navy is sticking with XP & more!


Show Notes:

— Episode Links —

KICKSTARTER OF THE WEEK: Phree – Make the world your paper by OTM Technologies Ltd

Google’s Creepiness Controls | Tech Talk Today 177
https://original.jupiterbroadcasting.net/83122/googles-creepiness-controls-tech-talk-today-177/
Tue, 02 Jun 2015 10:26:18 +0000

The post Google's Creepiness Controls | Tech Talk Today 177 first appeared on Jupiter Broadcasting.


Thunderbolt 3 promises to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac flaw & Google wants to kinda give you better privacy controls.

Weaponized PowerPoint | TechSNAP 185
https://original.jupiterbroadcasting.net/69937/weaponized-powerpoint-techsnap-185/
Thu, 23 Oct 2014 16:56:21 +0000

The post Weaponized PowerPoint | TechSNAP 185 first appeared on Jupiter Broadcasting.


A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized PowerPoint presentation. No, I’m not kidding. The details are fascinating.

Old ATMs become more and more of a target & it’s not because of Windows XP, and a great big batch of your questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

  • Krebs describes the growing trend in ATM “Jackpotting”
  • Formerly, the most common attack against ATMs was skimming, installing small physical devices to read the card data and capture the PIN of victims who use the ATM, and then creating fake cards to empty the victims’ accounts
  • The new trend, installing malware on the computer that operates the ATM, allows the attackers to drain all of the cash out of the ATM, without requiring compromised accounts with large balances
  • The fraud is harder to detect because money does not go missing from bank accounts in real time, the theft may not be discovered until the ATM is emptied and stops dispensing cash
  • Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, that might tip the bank off to the fact that the ATM is infected
  • “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
  • In an interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
  • More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
  • Most of the attacks involve physically assaulting the ATM, removing the top of front casing to access the standard PC inside, and then infecting the machine via CD or USB stick
  • “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
  • When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
  • It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
  • “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

  • “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
  • This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
  • The vulnerability exploits a flaw in the Microsoft OLE functionality
  • It allows a PowerPoint or other Office document to have an embedded file, or to embed an external untrusted resource
  • This can cause remote code execution, allowing the attacker to run any code they wish as the user who is opening the document
  • In the case of at least one attack, the embedded file was a .inf that then installed malware on the system
  • Many users still run with administrative rights, giving the malware full control of the target system
  • iSight Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusions teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
  • “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
  • Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
  • Researcher Post
  • Technical Analysis by HP Security Research
  • Additional Coverage – ZDNet
  • Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

  • Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
  • The attack was demonstrated at Black Hat Europe last week in Amsterdam
  • The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
  • Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
  • Thus, the malicious app remains hidden from reverse engineering, anti-virus, and the Google Bouncer, so can be listed in the Google Play Store
  • “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
  • The work was inspired by a previous exploit, Android/Gamex.A!tr, which hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but when XORed with a key (18), it was also a valid .zip file containing a malware payload
  • It turns out that .zip files do not require the header to be at the beginning of the file, so by simply concatenating a .png and a .zip file, the file will look like a valid .png, but can also be extracted as a valid .zip file
  • PDF: Slides
  • Example Code, Create a .PNG, .JPG, .FLV, or .PDF
  • PDF: Paper
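
A scanner-side check for the PNG-plus-ZIP concatenation described above. This is an added example, not the researchers' tool; the function names are assumptions and the sample files are constructed in memory with harmless content. It walks the PNG chunks to find where the image really ends, reports any bytes after IEND, tests whether the same file also opens as a ZIP archive, and shows that truncating at IEND removes the second format.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_EOCD = b"PK\x05\x06"  # ZIP end-of-central-directory signature


def png_end_offset(data):
    """Walk PNG chunks; return the offset just past IEND, or None if not a PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def inspect_image(data):
    """Report trailing data after the PNG and whether the file also opens as a ZIP."""
    end = png_end_offset(data)
    report = {"is_png": end is not None, "trailing_bytes": 0, "zip_members": []}
    if end is not None:
        report["trailing_bytes"] = len(data) - end
    # The EOCD record is 22 bytes plus at most 65535 bytes of comment,
    # so it can only sit in the last 65557 bytes of the file.
    if ZIP_EOCD in data[-65557:]:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                report["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    report["polyglot"] = report["is_png"] and bool(report["zip_members"])
    return report


def strip_trailing(data):
    """Return only the PNG part; everything after IEND is dropped."""
    end = png_end_offset(data)
    return data if end is None else data[:end]


# --- constructed sample inputs (harmless, built in memory) ---

def chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grayscale
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "harmless constructed member")
    return buf.getvalue()


if __name__ == "__main__":
    clean = make_png()
    combined = clean + make_zip()
    print("clean   :", inspect_image(clean))
    print("combined:", inspect_image(combined))
    print("stripped:", inspect_image(strip_trailing(combined)))
```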

GoodGoogle BadUSB | TechSNAP 173
https://original.jupiterbroadcasting.net/63557/goodgoogle-badusb-techsnap-173/
Thu, 31 Jul 2014 16:53:08 +0000

The post GoodGoogle BadUSB | TechSNAP 173 first appeared on Jupiter Broadcasting.


China goes on a hacking spree, and compromising a Point of Sale system is as simple as an eBay purchase.

Plus what’s bad about GoodGoogle, your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

What can you find on a used POS terminal off eBay?

  • Matt Oh, a senior malware researcher with HP, recently bought a single Aloha point-of-sale terminal — a brand of computerized cash register widely used in the hospitality industry — on eBay for US$200.
  • The Aloha POS system is sold by NCR, which came under its wing with its acquisition of Radiant Systems in July 2011 for $1.2 billion. It is one of the most popular systems in the hospitality industry behind those of Micros Systems, which Oracle bought last month for $5.3 billion.
  • Oh found default passwords, at least one security flaw and a leftover database containing the names, addresses, Social Security numbers and phone numbers of employees who had access to the system.
  • Oh’s research illustrates the security issues facing the hospitality industry: outdated POS systems which it sometimes cannot afford to update.
  • Companies don’t appear to be paying enough attention to security issues with their POS terminals, and older systems are often still in use, which may not be as secure.
  • The problem is also impacting the food industry, where there is little budget to upgrade POS systems.
  • P.F. Chang’s was listed as a customer of Radiant Systems in an SEC filing in March 2011, a few months before Radiant’s acquisition by NCR.
  • P.F. Chang’s disclosed a credit and debit card breach last month.
  • P.F. Chang’s said on July 1 the breach remains under investigation. The company temporarily shut down its POS system and switched to an old-style manual imprinting system for processing payment cards to prevent further damage.
  • HP Security Research Blog

Hackers breach three Israeli Defense firms behind Iron Dome

  • Brian Krebs breaks the news that the three defense contractors responsible for the design and building of the Iron Dome missile defense system have had their computer systems breached
  • Iron Dome intercepts inbound rockets and mortars and has been credited with intercepting approximately one-fifth of the more than 2,000 rockets that Palestinian militants have fired at Israel during the current conflict
  • The attackers stole huge quantities of sensitive documents pertaining to the missile shield technology
  • The breach occurred between Oct. 10, 2011 and August 13, 2012, but was not disclosed
  • The three victims were: Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems
  • The breach was investigated by Columbia, Md.-based threat intelligence firm Cyber Engineering Services Inc. (CyberESI)
  • CyberESI managed to gain access to the secret communications infrastructure set up by the attackers, and from that learned that a very large volume of data had been exfiltrated from the victim networks
  • The stolen material included a 900-page document that provides detailed schematics and specifications for the Arrow III missile, plus documents about Unmanned Aerial Vehicles (UAVs), ballistic rockets, and other related technical documents
  • “Joseph Drissel, CyberESI’s founder and chief executive, said the nature of the exfiltrated data and the industry that these companies are involved in suggests that the Chinese hackers were looking for information related to Israel’s all-weather air defense system called Iron Dome.”
  • Iron Dome is partially funded by the US Government, and was designed in cooperation with some US defense contractors
  • “Most of the technology in the Arrow 3 wasn’t designed by Israel, but by Boeing and other U.S. defense contractors,” Drissel said. “We transferred this technology to them, and they coughed it all up. In the process, they essentially gave up a bunch of stuff that’s probably being used in our systems as well.”
  • Many of the documents that were stolen have their distribution restricted by International Traffic in Arms Regulations (ITAR), a U.S. State Department control that regulates the defense industry, raising questions about the lack of timely disclosure
  • “According to CyberESI, IAI was initially breached on April 16, 2012 by a series of specially crafted email phishing attacks. Drissel said the attacks bore all of the hallmarks of the “Comment Crew,” a prolific and state-sponsored hacking group associated with the Chinese People’s Liberation Army (PLA) and credited with stealing terabytes of data from defense contractors and U.S. corporations.”
  • “Once inside the IAI’s network, Comment Crew members spent the next four months in 2012 using their access to install various tools and trojan horse programs on systems throughout company’s network and expanding their access to sensitive files. The actors compromised privileged credentials, dumped password hashes, and gathered system, file, and network information for several systems. The actors also successfully used tools to dump Active Directory data from domain controllers on at least two different domains on the IAI’s network.”
  • “Once the actors established a foothold in the victim’s network, they are usually able to compromise local and domain privileged accounts, which then allow them to move laterally on the network and infect additional systems,” the report continues. “The actors acquire the credentials of the local administrator accounts by using hash dumping tools. They can also use common local administrator account credentials to infect other systems with Trojans. They may also run hash dumping tools on Domain Controllers, which compromises most if not all of the password hashes being used in the network. The actors can also deploy keystroke loggers on user systems, which captured passwords to other non-Windows devices on the network.”
  • “While some of the world’s largest defense contractors have spent hundreds of millions of dollars and several years learning how to quickly detect and respond to such sophisticated cyber attacks, it’s debatable whether this approach can or should scale for smaller firms.”

Chinese hackers breach National Research Council of Canada computers while they are working on new security system to prevent attacks

  • The Canadian federal government revealed on Tuesday that the NRC’s computer networks were the target of a cyber attack, and had been shut down to contain the compromise
  • The NRC is working with both the private sector and university research teams to create a physics-based computer encryption system
  • “NRC is developing photonics-based, quantum-enhanced cyber security solutions … collaborating to develop technologies that address increased demands for high-performance security for communications, data storage and data processing.” says the NRC’s website.
  • “NRC is continuing to work closely with its IT experts and security partners to create a new secure IT infrastructure”. “This could take approximately one year however; every step is being taken to minimize disruption.”
  • The intrusion came from “a highly sophisticated Chinese state-sponsored actor,” said the Treasury Board. “We have no evidence that data compromises have occurred on the broader Government of Canada network.”
  • The article states “… comes as the agency is working on an advanced computer encryption system that is supposed to prevent such attacks.”
  • Encryption does not prevent your computer systems from being breached by attackers, especially if the attackers get a foothold via Phishing and other social engineering type attacks
  • The encryption system is a defense against eavesdropping, and possibly can defend sensitive documents in cold storage, but it does not prevent systems from being compromised

Service offers to defeat your competitors’ online advertising

  • Krebs brings us more news, this time about an online service that exhausts the daily advertising budget of your competitors, making your own advertisements less expensive and more visible
  • A common scam involving Google’s AdSense service is “click fraud”. A fraudster sets up a website to display ads, then drives fake traffic to the site, and fake clicks on the ads
  • The fraudster then gets paid by Google a portion of what the advertiser paid to show the ad
  • However, Krebs found someone doing the opposite, defrauding the AdWords side of the business
  • “GoodGoogle” is the name of one of these fraudster services. It promises to click the ads of your competitors, driving up their costs and exhausting their advertising budget early in the day (or early in each hour, depending on the Google settings)
  • This means your own ads will be less expensive (your lower bid normally wouldn’t win, but if all of the higher bidders have expended their budget for the day, you are now the high bidder), and you cost your competitors more money
  • “The prices range from $100 to block between three to ten ad units for 24 hours to $80 for 15 to 30 ad units. For a flat fee of $1,000, small businesses can use GoodGoogle’s software and service to sideline a handful of competitors’s ads indefinitely. Fees are paid up-front and in virtual currencies and the seller offers support and a warranty for his work for the first three weeks.”
  • “Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at the University California, Berkeley, speculated that GoodGoogle’s service consists of two main components: A private botnet of hacked computers that do the clicking on ads, and advanced software that controls the clicking activity of the botted computers so that it appears to be done organically from search results”
  • This could also be an interesting case of double-dipping: if the fraudster ran fake sites with content specific to the keywords his customers wanted to attack, he could make money via the click fraud from the AdSense side, while charging for his services from the AdWords side
  • “Amazingly, the individual responsible for this service not only invokes Google’s trademark in his nickname and advertises his wares via instructional videos on Google’s YouTube service, but he also lists several Gmail accounts as points of contact. My guess is it will not be difficult for Google to shutter this operation, and possibly to identify this individual in real life.”

Tales from the TrueCrypt | TechSNAP 164
https://original.jupiterbroadcasting.net/58542/tales-from-the-truecrypt-techsnap-164/
Thu, 29 May 2014 20:29:34 +0000

The post Tales from the TrueCrypt | TechSNAP 164 first appeared on Jupiter Broadcasting.


The TrueCrypt project has shut down, and we’ll run down what we think is the most likely answer to this sudden mystery.

Plus the good news for OpenSSL, the top 10 Windows configuration mistakes, and a big batch of your questions, our answers, and much much more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

TrueCrypt shuts down unexpectedly

  • TrueCrypt is a cross-platform image or whole disk encryption system
  • The website for TrueCrypt changed yesterday, stating that “it may contain unfixed security issues”
  • The page states that now that Windows XP is EOL and all supported versions of Windows support ‘BitLocker’ disk encryption, TrueCrypt is no longer necessary
  • The website provides information about transitioning data from TrueCrypt to the OS disk encryption system for various different OSs
  • The website has been updated with version 7.2 of TrueCrypt, which only allows the user to decrypt their files, not encrypt any new files
  • This was originally thought to be a hack of the site, or a hoax
  • The new binary is signed with the correct key, the same as previous versions of TrueCrypt, suggesting that this post is legitimate
  • While the code is available, the license is restrictive
  • The developers of TrueCrypt are anonymous
  • GIST tracking various bits of information and speculating about possible causes
  • ThreatPost coverage
  • One of the suspicious things about the announcement is the recommendation to use BitLocker; the authors of TrueCrypt had previously expressed concerns about how BitLocker stores the secret keys in the TPM (Trusted Platform Module), which may also allow the NSA to access the secret key
  • There is some speculation that this could be a ‘warrant canary’, the authors’ way of telling the public that they were forced to do something to TrueCrypt, or divulge something about TrueCrypt
  • However, it is more likely that the developers just no longer have an interest in maintaining TrueCrypt
  • The last major version release was 3 years ago, and the most recent release before the announcement was over a year ago. An actively developed project would likely have had at least some maintenance releases in that time
  • The code for TrueCrypt was being audited after a crowdfunding effort. The first phase of the audit found no obvious backdoors, but the actual cryptography had not been analyzed yet.
  • Additional Coverage – Krebs On Security

Core Infrastructure Initiative provides OpenSSL with 2 full time developers and funds a security audit

  • The CII has announced its Advisory board and the list of projects it is going to support
  • Advisory Board members include:
    • Longtime Linux kernel developer and open source advocate Alan Cox
    • Matt Green of Open Crypto Audit Project
    • Dan Meredith of the Radio Free Asia’s Open Technology Fund
    • Eben Moglen of Software Freedom Law Center
    • Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School
    • Eric Sears of the MacArthur Foundation
    • Ted Ts’o of Google and the Linux kernel community
  • Projects identified as core infrastructure:
    • Network Time Protocol
    • OpenSSH
    • OpenSSL
  • Open Crypto Audit Project to conduct security audit of OpenSSL
  • The security audit will be difficult due to the lack of a consistent style in the code and the maze of ifdef and ifndef segments
  • The OCAP (Open Crypto Audit Project) team, which includes Johns Hopkins professor and cryptographer Matthew Green and Kenn White, will now have the money to fund an audit of OpenSSL
  • OCAP was originally created by a crowdfunded project to audit TrueCrypt

The top 10 Windows Server security misconfigurations

  • NCCGroup does what it calls ‘Build Surveys’, where they check production environments to ensure they are configured properly
  • The following is the result of an analysis of their last 50 such surveys:
    • Missing Microsoft Patches: 82%
    • Insufficient Auditing: 50%
    • Third-Party Software Updates: 48%
    • Weak Password Policy: 38%
    • UAC Disabled for Administrator Account: 34%
    • Disabled Host-Based Firewall: 34%
    • Clear Text Passwords and Other Sensitive Information: 24%
    • Account Lockout Disabled: 20%
    • Out-of-Date Virus Definitions: 18%
    • No Antivirus Installed: 12%
  • Conclusions: Everyone makes the same mistakes, over and over
  • Most of these problems are trivial to fix
  • Part of the problem is a culture of ‘patch averseness’. This is partly the fault of software vendors, who often issue patches that break more things than they fix, but in general Microsoft has actually done a good job of ensuring their patches apply smoothly and do not break things
  • Part of this is the fact that they only issue updates once a month, and only once they have been tested
  • In the study, most of the machines that were missing patches were missing patches that were more than a year old, so it isn’t just conservatism, but a complete lack of proper patch management

Not Neutrality | TechSNAP 161 https://original.jupiterbroadcasting.net/56982/not-neutrality-techsnap-161/ Thu, 08 May 2014 15:13:23 +0000 https://original.jupiterbroadcasting.net/?p=56982 Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization. Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more! On this week’s episode of TechSNAP! Thanks to: Direct Download: HD Video | Mobile Video […]

The post Not Neutrality | TechSNAP 161 first appeared on Jupiter Broadcasting.


Adobe’s latest flaw is being exploited by an advanced persistent threat, we’ve got the details, Heartbleed follow ups, and getting started with Virtualization.

Plus our thoughts on the fate of net neutrality, your questions, our answers, and much much more!

On this week’s episode of TechSNAP!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Adobe releases patch for critical Flash flaw affecting all OSs

  • A new exploit has been discovered that works against all versions of Adobe Flash Player
  • This is a zero-day exploit, meaning that even a fully patched computer can be exploited
  • Adobe has since released the fix, and users are encouraged to apply the patch as soon as possible
  • The attack used two different exploits, one general exploit against Flash and the other exploiting a flaw in Internet Explorer
  • One of the malware files was detected by Kaspersky using a heuristic signature, but the other was new
  • The exploits slightly alter the attack methodology if Windows 8 or newer is detected, to work around mitigations provided by the OS
  • The first bit of malware (movie.swf) was generic, downloading more malware from a URL and running it
  • The second bit of malware (include.swf) was very specific, targeting “Cisco MeetingPlace Express Add-In version 5”
  • “This add-in is used by web-conference participants to view documents and images from presenter’s screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system”
  • This suggests that the malware was written with a very specific target in mind, rather than designed to target the general Internet
  • The malware was hosted on an official Syrian government website, although it appears that the site may have been compromised to store the files there
  • Kaspersky was not able to examine the payload of the second exploit because the files had already been taken down from the website, and there is evidence to suggest there was a 3rd payload (stream.swf)
  • “We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.”
  • “It’s likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this.”
  • CVE-2015-0515
  • Adobe Security Bulletin
  • Additional Coverage – ARS Technica
  • Additional Coverage – Krebs on Security
  • Since IE uses a separate version of Flash from other browsers (Firefox, Chrome, Opera, etc), Windows users will need to apply the patch twice, once to their browser and once to IE, which is used as a component in many other applications including Skype and Steam

Exploit used in the wild against all versions of Internet Explorer 6 through 11

  • As part of the same attack from the previous story, an exploit for all versions of Internet Explorer was found
  • The exploit was used as part of a watering hole attack
  • CVE-2014-1776
  • This was to be the first of many 0day exploits that will not be fixed on Windows XP; however, Microsoft issued a statement and released the update for Windows XP, in spite of the fact that it is no longer supported

[Heartbleed Followups]


Beware of Underdog | LINUX Unplugged 36 https://original.jupiterbroadcasting.net/55192/beware-of-underdog-lup-36/ Tue, 15 Apr 2014 15:41:22 +0000 https://original.jupiterbroadcasting.net/?p=55192 We love a good underdog, but sometimes our excitement gets the best of us and we recommend something that’s not appropriate for a switcher to land on.

The post Beware of Underdog | LINUX Unplugged 36 first appeared on Jupiter Broadcasting.


Are boutique distributions a bag of hurt for new users?

We love a good underdog, but sometimes our excitement gets the best of us and we recommend something that’s not appropriate for a switcher to land on.

Plus some quick thoughts on the beating open source is taking as fallout from the Heartbleed bug.

Thanks to: Ting, DigitalOcean


Show Notes:

F.U.

Underdog Syndrome

  • Recent discussions on LUP about switching
  • End of XP brings this to front of mind.
  • Ubuntu 14.04 this Sunday on LAS. The big dog on the desktop.

  • These smaller, boutique distros are great for experienced enthusiasts.

  • Sending users from the world’s most deployed desktop operating system to a niche distribution of a niche desktop operating system is a recipe for failure.

  • Support community is always smaller.
  • Random poorly crafted Google searches are less likely to show distro relevant results.
  • Long term viability of really small teams is always questionable. With larger distros, even if the corporate backers or the large community dropped it, the code would go on. With smaller distros that’s not always the case.

  • Do these concerns apply to the more esoteric desktops, i.e. Cinnamon, MATE?

Heartbleed Butt Hurt

A week after the Heartbleed OpenSSL vulnerability wreaked havoc across the web, the conversation is shifting from reaction to reflection. The discussion is no longer about what to do now, but what can be done to prevent another Heartbleed from happening in the future. In other words, we’re entering the blame game chapter in this saga.

Everyone just assumed that OpenSSL must be perfectly safe because, well OpenSSL has a reputation for being safe, therefore it was safe. Developers, website developers, security experts, one and all, it seems no one ever thought to actually use those eyeballs that successful open source relies upon to check the code to see if it really was safe.

Open source does not provide a meaningful inherent security benefit for OpenSSL and it may actually discourage some important testing techniques. Also, panhandling is not a good business model for important software like OpenSSL.

Security experts acknowledge that open source is the best model for crypto, so how do we drive improvements to the model for creating security-critical infrastructure?

Narrative of Negligence | Unfilter 92 https://original.jupiterbroadcasting.net/54852/narrative-of-negligence-unfilter-92/ Wed, 09 Apr 2014 21:14:23 +0000 https://original.jupiterbroadcasting.net/?p=54852 We update you on several big stories, plus our thoughts on Mozilla’s CEO stepping down, XP coming to an end, and more!

The post Narrative of Negligence | Unfilter 92 first appeared on Jupiter Broadcasting.


We update you on several big stories we’ve been following this week in this casual supporter show style edition of Unfilter. Plus our thoughts on Mozilla’s CEO stepping down, XP coming to an end, and more!


— Show Notes —

NSA is Crazy

Edward Snowden: US government spied on human rights workers

The US has spied on the staff of prominent human rights organisations, Edward Snowden has told the Council of Europe in Strasbourg, Europe’s top human rights body.

Giving evidence via a videolink from Moscow, Snowden said the National Security Agency – for which he worked as a contractor – had deliberately snooped on bodies like Amnesty International and Human Rights Watch.

Snowden, meanwhile, dismissed NSA claims that he had swiped as many as 1.7m documents from the agency’s servers in an interview with Vanity Fair.

He described the number released by investigators as “simply a scare number based on an intentionally crude metric: everything that I ever digitally interacted with in my career.”
He added: “Look at the language officials use in sworn testimony about these records: ‘could have,’ ‘may have,’ ‘potentially.’ They’re prevaricating. Every single one of those officials knows I don’t have 1.7m files, but what are they going to say? What senior official is going to go in front of Congress and say, ‘We have no idea what he has, because the NSA’s auditing of systems holding hundreds of millions of Americans’ data is so negligent that any high-school dropout can walk out the door with it’?”

In the Vanity Fair interview the whistleblower said he paid the bill in the Mira Hotel using his own credit card because he wanted to demonstrate he was not working for a foreign intelligence agency. “My hope was that avoiding ambiguity would prevent spy accusations and create more room for reasonable debate,” he told the magazine. “Unfortunately, a few of the less responsible members of Congress embraced the spy charges for political reasons, as they still do to this day.”

– Thanks for Supporting Unfilter –

  • :-] Charles R
  • :-] Tom F
  • :-] Daniel G
  • :-] Kalidasia Media Productions, LLC
  • :-] Lotusware of North America
  • :-] Wes M
  • :-] Edward R
Thanks to our 375 Unfilter supporters!
  • Supporter perk: Downloadable Pre and Post show. Extra clips, music, hijinks, and off the cuff comments. The ultimate Unfiltered experience.

  • Supporter perk: Exclusive BitTorrent Sync share of our production and non-production clips, notes, and more since the NSA scandal broke in episode 54. The ultimate Unfiltered experience, just got more ultimate.

  • Supporter Perk: Past 5 supporters shows, in a dedicated bittorrent sync folder.


CIA Torture Scandal Marches On

Fury at attack on Dianne Feinstein by ex-CIA director Michael Hayden

The latest row broke on Sunday when Hayden, a former NSA and CIA director, said the Senate intelligence committee’s landmark report on torture and coercive interrogations was not objective because Feinstein, a California Democrat, was too “emotional”.

Ron Wyden, a member of the Senate intelligence committee, said on Monday that Michael Hayden’s attack on Feinstein, the committee chairperson, was “outrageous” and fitted a pattern of “misleading” the American public.


Check out SomaFM: Listener Supported, Commercial Free Internet Radio


If you’re a Supporter check your inbox!

Call us: 1.425.312.1756

Windows eXPired | LINUX Unplugged 35 https://original.jupiterbroadcasting.net/54772/windows-expired-lup-35/ Tue, 08 Apr 2014 16:26:39 +0000 https://original.jupiterbroadcasting.net/?p=54772 XP support ends today and we’ll celebrate the occasion by debating what prevents technical users switching to Linux, and address some common myths.

The post Windows eXPired | LINUX Unplugged 35 first appeared on Jupiter Broadcasting.


XP support ends today and we’ll celebrate the occasion by debating what prevents technical users switching to Linux, address some common myths, and set a course for our new howto show.

Plus why Chase and Matt are wrong about DS9, blaming choice, your feedback, and more!

Thanks to: Ting, DigitalOcean


Show Notes:

FU

How Hard Is It to Switch to Linux?

I was tired of things breaking from nowhere, or being frustrated with certain second-rate apps, and even though I learned a lot—and I LOVED the command line and package management—it just was too much trouble for me day-to-day. I never thought I’d see Windows as an OS that “just works,” but compared to Linux, it really fit that bill in my experience.

What does a beginner need to know before switching to Ubuntu? – Ask Ubuntu

What are the first things I have to do when I completed the installation?

Not Sharing The Secret | TechSNAP 156 https://original.jupiterbroadcasting.net/54462/not-sharing-the-secret-techsnap-156/ Thu, 03 Apr 2014 16:18:21 +0000 https://original.jupiterbroadcasting.net/?p=54462 Researchers develop a new way to protect your passwords after they've been stolen, the little credit card scam making big money…

The post Not Sharing The Secret | TechSNAP 156 first appeared on Jupiter Broadcasting.


Researchers develop a new way to protect your passwords after they’ve been stolen, the little credit card scam making big money…

Then it’s a great batch of your questions, a rockin round up, and much much more!

On this week’s TechSNAP.

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

Researchers at NYU develop PolyPassHash, a hard-to-crack password store

  • PolyPassHash is designed to make it significantly harder to crack users’ passwords in the event the password database is leaked
  • The system uses SSSS (Shamir’s Secret Sharing Scheme), which is a system for dividing a secret key (in this case used to encrypt the password database) into many pieces, and requiring only a specific number of those pieces to be combined to return the key
  • In the Wikipedia example, the secret key is divided into 6 parts and the algorithm defined such that 3 of the parts must be combined in order to return the secret
  • The SSSS algorithm is extensible: it allows the number of pieces that the secret is divided into to grow as long as the threshold (the number of pieces required to decrypt) is kept fixed
  • The SSSS algorithm is also flexible, allowing for some people (say the system administrator) to have more than 1 share
  • In the Python reference implementation the threshold is set to 10
  • This means that 10 pieces of the secret are required in order to decrypt the password file
  • Each regular user’s password is 1 share of the secret, so when that user provides the correct password, 1 share is available
  • In the reference implementation, there are 3 administrator users, each of whose password is 5 shares of the secret, meaning the correct passwords for any 2 of the administrators will be able to decrypt the password database
  • Currently PolyPassHash uses just the SHA256 of the users’ password and a random salt, rather than using sha256crypt() which does more than 1 SHA256 round on the password, and uses different mixes of the password and salt
  • The drawback with PolyPassHash is that after a reboot, it is not possible for anyone to login until a sufficient number of users have entered the correct password to return the required number (the threshold) of shares to decrypt the password hashes
  • There is a proposed solution to this, involving shortening the SSSS key such that some of the hash (the last few bytes) are not encrypted, and using that to authenticate the first few users until sufficient users have successfully logged in to decrypt the password database
  • This compromises the security of the passwords because part of the plain hash is leaked, and it also means that an incorrect password could allow a user to login after a reboot before the threshold has been met
  • PolyPassHash also has support for thresholdless accounts (accounts that do not have any shares), in order to protect larger systems (like Facebook or Gmail) where an attack may have compromised enough accounts to have sufficient shares to decrypt the entire database. In this case, only administrator (or maybe power user) accounts would have shares
  • PolyPassHash also has support for other authentication systems, including things like biometrics, ssh keys, and smart cards, but also external systems like OAuth or OpenID (thresholdless accounts)
  • In the case of SSH keys, instead of a password, the share of the SSSS is encrypted with the public key, and the user uses their SSH private key to decrypt the share
  • New users cannot be added until the threshold has been reached, since the secret is required to generate a new share of the secret
  • Research Paper
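
The threshold behaviour described in these notes, as an added Python sketch (not the PolyPassHash reference implementation): each stored entry is modelled as a Shamir share XORed with the salted SHA-256 of the password, so the store can verify logins or issue new shares only once 10 shares have been recovered. The prime field, the `secret_check` digest, and all class, method and account names are assumptions of this example.

```python
import hashlib
import secrets

P = 2**255 - 19  # prime modulus (assumed for this sketch); shares fit in 32 bytes


def pw_hash(salt: bytes, password: str) -> int:
    """Single-round salted SHA-256 of the password, as an integer."""
    return int.from_bytes(hashlib.sha256(salt + password.encode()).digest(), "big")


def lagrange(points, x):
    """Evaluate at x the unique polynomial through `points`, modulo P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


class PolyPassStore:
    def __init__(self, threshold=10):
        self.threshold = threshold
        secret = secrets.randbelow(P)
        # The secret is f(0); threshold-1 random points at reserved x values fix f.
        self._points = [(0, secret)]
        self._points += [(P - i, secrets.randbelow(P)) for i in range(1, threshold)]
        self.secret_check = hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()
        self.entries = {}  # name -> [(x, salt, share XOR password hash)], the on-disk part
        self._next_x = 1

    def add_user(self, name, password, shares=1):
        if self._points is None:
            raise RuntimeError("locked: the secret is needed to issue new shares")
        rows = []
        for _ in range(shares):
            x, salt = self._next_x, secrets.token_bytes(16)
            self._next_x += 1
            rows.append((x, salt, lagrange(self._points, x) ^ pw_hash(salt, password)))
        self.entries[name] = rows

    def _candidates(self, name, password):
        rows = self.entries.get(name, [])
        return [(x, blob ^ pw_hash(salt, password)) for x, salt, blob in rows]

    def login(self, name, password):
        if self._points is None:
            raise RuntimeError("locked: threshold not reached since reboot")
        shares = self._candidates(name, password)
        return bool(shares) and all(lagrange(self._points, x) == y for x, y in shares)

    def reboot(self):
        self._points = None  # only entries and secret_check survive a restart

    def unlock(self, credentials):
        """Try to rebuild the secret from (name, password) pairs; True on success."""
        found = {}
        for name, password in credentials:
            found.update(self._candidates(name, password))
        points = list(found.items())[: self.threshold]
        if len(points) < self.threshold:
            return False
        secret = lagrange(points, 0)
        if hashlib.sha256(secret.to_bytes(32, "big")).hexdigest() != self.secret_check:
            return False  # at least one supplied password was wrong
        self._points = points
        return True


if __name__ == "__main__":
    store = PolyPassStore(threshold=10)  # constructed accounts, as in the notes
    for admin in ("alice", "bob", "carol"):
        store.add_user(admin, admin + "-passphrase", shares=5)
    store.add_user("dave", "hunter2")
    store.reboot()
    print(store.unlock([("alice", "alice-passphrase"), ("dave", "hunter2")]))  # 6 shares
    print(store.unlock([("alice", "alice-passphrase"), ("bob", "bob-passphrase")]))
    print(store.login("dave", "hunter2"))
```

An attacker holding only `entries` must guess enough passwords to reach the threshold simultaneously before any single guess can be confirmed, which is the property the notes describe.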

Who is behind sub-$15 credit card scam

  • A service called ‘BLS Web Learn’ has been identified as being behind a scam that charged numerous credit and debit cards small fees of less than $15
  • The scam centers around small charges that appear on your credit card bill, usually for small random amounts such as $9.84, $10.37, or $12.96
  • The line item includes a toll free number (as most charges do), and you are encouraged by your bank to call this number and try to identify the charge and resolve any issues with the seller directly, rather than filing a chargeback
  • In this case, since the card holder never ordered anything or authorized the charge, the service refunds the small amount
  • They make their money off all of the people who don’t notice the small charge
  • Unlike many scams, because they maintain the assertion that they are a legitimate business, and refund the charge when a cardholder complains, they do not rack up a large number of chargebacks, and their account with the credit card processor is not red flagged or shut down
  • Krebs has investigated a similar case before, which appeared to be based in Malta
  • The name of the ‘online learning’ company, and the credit card processor are different, but the scam seems very much the same
  • The payment processor, BlueSnap, lists its offices in Massachusetts, California, Israel, Malta and London. Interestingly, the payment network used by the previous scam, Credorax, also lists offices in Massachusetts, Israel, London and Malta

Drive-By Advice | LINUX Unplugged 34 https://original.jupiterbroadcasting.net/54402/drive-by-advice-lup-34/ Tue, 01 Apr 2014 20:29:38 +0000 https://original.jupiterbroadcasting.net/?p=54402 We’ll debate the validity of recent anti-Linux comments made on a nationally syndicated radio show, and more subtle and larger “built-in bias”.

The post Drive-By Advice | LINUX Unplugged 34 first appeared on Jupiter Broadcasting.


We debate the validity of recent anti-Linux comments made on a nationally syndicated radio show, and the more subtle and larger “built-in bias” many in the tech community still hold towards Linux.

Plus: Your follow up on the Mir/Wayland topic, Ubuntu’s Amazon lens goes opt-in, and more!

Thanks to: Ting, DigitalOcean


Show Notes:

FU

April Fool: Should I Install Linux on an Old Computer?: The Tech Guy 1069 – YouTube

Leo Laporte goes over the pros and cons of installing Linux on an old computer.

Ubuntu To Make Amazon Product Results ‘Opt-In’

But before anyone unpacks the party poppers in jubilation there are caveats to note: Amazon results are not being removed entirely, and the change is not going to take effect in Ubuntu 14.04 LTS.

  • The headline is a little bit misleading. What actually is going to happen is that the next iteration of Unity8 will drop the concept of the “Home scope” in favour of a “Scopes scope”. That way, when you type a search term into the Dash, it’s not a selection of results from different scopes that will surface, but a selection of scopes from which you choose the one you are interested in. So, yes, in a sense, that makes all scopes (and among them the Amazon scope) opt-in.
