TechSNAP - Episodes Tagged with “Sysadmin Podcast”

430: All Good Things

Jupiter Broadcasting — Fri, 29 May 2020 00:15:00 -0700

It's a storage showdown as Jim and Wes bust some performance myths about RAID and ZFS.

Plus our favorite features from Fedora 32, and why Wes loves DNF.

Links:

429: Curious About Caddy

Jupiter Broadcasting — Fri, 15 May 2020 00:15:00 -0700

Jim and Wes take the latest release of the Caddy web server for a spin, investigate Intel's Comet Lake desktop CPUs, and explore the fight over 5G between the US Military and the FCC.

Links:

428: RAID Reality Check

Jupiter Broadcasting — Fri, 01 May 2020 00:15:00 -0700

We dive deep into the world of RAID, and discuss how to choose the right topology to optimize performance and resilience.

Plus Cloudflare steps up its campaign to secure BGP, and why you might want to trade in cron for systemd timers.

Links:

427: Gigahertz Games

Jupiter Broadcasting — Fri, 17 Apr 2020 00:15:00 -0700

Jim finally gets his hands on an AMD Ryzen 9 laptop, some great news about Wi-Fi 6e, and our take on FreeBSD on the desktop.

Plus Intel's surprisingly overclockable laptop CPU, why you shouldn't freak out about 5G, and the incredible creativity of the Demoscene.

Links:

426: Storage Stories

Jupiter Broadcasting — Fri, 03 Apr 2020 00:15:00 -0700

We take a look at Cloudflare's impressive Linux disk encryption speed-ups, and explore how zoned storage tools like dm-zoned and zonefs might help mitigate the downsides of Shingled Magnetic Recording.

Plus we celebrate WireGuard's inclusion in the Linux 5.6 kernel, and fight some exFAT FUD.

Links:

WireGuard VPN makes it to 1.0.0—and into the next Linux kernel — It's a good day for WireGuard users—DKMS builds will soon be behind us.
Linux 5.6 Is The Most Exciting Kernel In Years With So Many New Features
fs: New zonefs file system — zonefs is a very simple file system exposing each zone of a zoned block device as a file. This is intended to simplify implementation of application zoned block device raw access support by allowing switching to the well known POSIX file API rather than relying on direct block device file ioctls and read/write.
Ama-ZNS! Zonefs File-System Will Land with Linux® 5.6
What is Zoned Storage and the Zoned Storage Initiative? — Zoned Storage is a new paradigm in storage motivated by the incredible explosion of data. Our data-driven society is increasingly dependent on data for every-day life and extreme scale data management is becoming a necessity.
Linux Kernel Support - ZonedStorage.io
dm-zoned — The dm-zoned device mapper target exposes a zoned block device as a regular block device.
Device Mapper - ZonedStorage.io
What are PMR and SMR hard disk drives?
Beware of SMR drives in PMR clothing — WD and Seagate are both submarining Drive-managed SMR (DM-SMR) drives into channels, disguised as "normal" drives.
Beware of SMR drives in PMR clothing [Reddit]
The exFAT filesystem is coming to Linux—Paragon software’s not happy about it — When software and operating system giant Microsoft announced its support for inclusion of the exFAT filesystem directly into the Linux kernel back in August, it didn't get a ton of press coverage. But filesystem vendor Paragon Software clearly noticed this month's merge of the Microsoft-approved, largely Samsung-authored version of exFAT into the VFS for-next repository, which will in turn merge into Linux 5.7—and Paragon doesn't seem happy about it.
The New Microsoft exFAT File-System Driver Is Set To Land With Linux 5.7
Speeding up Linux disk encryption - The Cloudflare Blog — Encrypting data at rest is vital for Cloudflare with more than 200 data centres across the world. In this post, we will investigate the performance of disk encryption on Linux and explain how we made it at least two times faster for ourselves and our customers.
Add inline dm-crypt patch and xtsproxy Crypto API patch

425: Ryzen Gets Real

Jupiter Broadcasting — Fri, 20 Mar 2020 00:15:00 -0700

We take a look at AMD's upcoming line of Ryzen 4000 mobile CPUs, and share our first impressions of Ubuntu 20.04's approach to ZFS on root.

Plus Let's Encrypt's certificate validation mix-up, Intel's questionable new power supply design, and more.

Links:

424: AMD Inside

Jupiter Broadcasting — Fri, 06 Mar 2020 00:15:00 -0800

Cloudflare recently embarked on an epic quest to choose a CPU for its next-generation server build, so we explore the importance of requests per watt, the benefits of full memory encryption, and why AMD won.

Plus Mozilla's rollout of DNS over HTTPS has begun, a big milestone for Let's Encrypt, and more.

Links:

423: Hopeful for HAMR

Jupiter Broadcasting — Fri, 21 Feb 2020 18:00:00 -0800

We explore the potential of heat-assisted magnetic recording and get excited about a possibly persistent L2ARC.

Plus Jim's journeys with Clear Linux, and why Ubuntu 18.04.4 is a maintenance release worth talking about.

Links:

Ubuntu 18.04.4 LTS: here's what's new — It's not as shiny and exciting as entirely new versions, of course, but it does pack in some worthwhile security and bugfix upgrades, as well as support for more and newer hardware.
18.04.4 - Ubuntu Wiki
MobaXterm — Enhanced terminal for Windows with X11 server, tabbed SSH client, network tools and much more.
Linux distro review: Intel’s own Clear Linux OS — There's not much question that Clear Linux is your best bet if you want to turn in the best possible benchmark numbers. The question not addressed here is, what's it like to run Clear Linux as a daily driver? We were curious, so we took it for a spin.
Clear Linux* Project — Clear Linux OS is an open source, rolling release Linux distribution optimized for performance and security, from the Cloud to the Edge, designed for customization, and manageability.
swupd — Documentation for Clear Linux* project
clr-boot-manager: Kernel & Boot Loader Management
Cannot compile zfs for 5.5-rc2 · Issue #9745 · zfsonlinux/zfs
Persistent L2ARC might be coming to ZFS on Linux — The primary ARC is kept in system RAM, but an L2ARC device can be created from one or more fast disks. In a ZFS pool with one or more L2ARC devices, when blocks are evicted from the primary ARC in RAM, they are moved down to L2ARC rather than being thrown away entirely. In the past, this feature has been of limited value, both because indexing a large L2ARC occupies system RAM which could have been better used for primary ARC and because L2ARC was not persistent across reboots.
Persistent L2ARC by gamanakis · Pull Request #9582 · zfsonlinux/zfs — This feature implements a light-weight persistent L2ARC metadata structure that allows L2ARC contents to be recovered after a reboot. This significantly eases the impact a reboot has on read performance on systems with large caches.
LINUX Unplugged 303: Stateless and Dateless — We visit Intel to figure out what Clear Linux is all about and explain a few tricks that make it unique.
LINUX Unplugged Blog: Clear Linux OS 2019
HAMR don’t hurt ’em: laser-assisted hard drives are coming in 2020 — Although the 2012 "just around the corner" HAMR drives seem to have been mostly vapor, the technology is a reality now. Seagate has been trialing 16TB HAMR drives with select customers for more than a year and claims that the trials have proved that its HAMR drives are "plug and play replacements" for traditional CMR drives, requiring no special care and having no particular poor use cases compared to the drives we're all used to.
HAMR Milestone: Seagate Achieves 16TB Capacity on Internal HAMR Test Units
Western Digital debuts 18TB and 20TB near-MAMR disk drives
Previously on TechSNAP 341: HAMR Time — We've got bad news for Wifi-lovers as the KRACK hack takes the world by storm; We have the details & some places to watch to make sure you stay patched. Plus, some distressing revelations about third party access to your personal information through some US mobile carriers. Then we cover the ongoing debate over HAMR, MAMR, and the future of hard drive technology & take a mini deep dive into the world of elliptic curve cryptography.

422: Multipath Musings

Jupiter Broadcasting — Fri, 07 Feb 2020 00:15:00 -0800

We take a look at a few exciting features coming to Linux kernel 5.6, including the first steps to multipath TCP.

Plus the latest Intel speculative execution vulnerability, and Microsoft's troubled history with certificate renewal.

Links:

421: Firewall Fun

Jupiter Broadcasting — Fri, 24 Jan 2020 00:15:00 -0800

We explore the latest round of Windows vulnerabilities and Jim shares his journey adding OPNsense to his firewall family.

Plus a look back at Apollo-era audio that's still relevant today with the surprising story of the Quindar tones.

Links:

413: The Coffee Shop Problem

Jupiter Broadcasting — Fri, 04 Oct 2019 00:15:00 -0700

We peer into the future with a quick look at quantum supremacy, debate the latest DNS over HTTPS drama, and jump through the hoops of HTTP/3.

Plus when to use WARP, the secrets of Startpage, and the latest Ryzen release.

Links:

412: Too Good To Be True

Jupiter Broadcasting — Fri, 20 Sep 2019 00:15:00 -0700

It's TechSNAP story time as we head out into the field with Jim and put Sure-Fi technology to the test.

Plus an update on Wifi 6, an enlightening Chromebook bug, and some not-quite-quantum key distribution.

Links:

RF Chirp tech: Long distance, incredible penetration, low bandwidth | Ars Technica — Recently, I took the company's technology for a spin with a pair of hand-held demo communicators about the size of a kid's walkie-talkie. They don't do much—just light up with a signal strength reading on both devices, whenever a transmit button on either is pressed—but that's enough to get a good indication of whether the tech will work to solve a given problem.
Wi-Fi 6 Is Officially Here: Certification Program Begins — Finally, along with the launch of the certification program itself, the Wi-Fi Alliance has already certified its first dozen devices.
Say hello to 802.11ax: Wi-Fi 6 device certification begins today | Ars Technica — Today, the Wi-Fi Alliance launched its Wi-Fi Certified 6 program, which means that the standard has been completely finalized, and device manufacturers and OEMs can begin the process of having the organization certify their products to carry the Wi-Fi 6 branding.
Someone sent us 21 more pictures of the leaked Pixel 4 XL - The Verge
iPhone 11, iPhone 11 Pro, and iPhone 11 Pro Max: Hands-on with Apple’s new phones | Ars Technica
Some Chromebooks mistakenly declared themselves end-of-life last week | Ars Technica — A lot of Chromebook and Chromebox users don't realize this, but all ChromeOS devices have an expiration date. Google's original policy was for devices to be supported for five years, but the company has recently extended that time to 6.5 years.
LINUX Unplugged 318: Manjaro Levels Up
Fear the Man in the Middle? This company wants to sell quantum key distribution | Ars Technica
Gentle intro to Quantum Key Distribution (QKD) – Lahiru Madushanka
The Super-Secure Quantum Cable Hiding in the Holland Tunnel - Bloomberg — Banks and governments are testing quantum key distribution technology to guard their closest secrets.
Quantum Key Distribution - QKD — This paper provides an overview of quantum key distribution targeted towards the computer science community. A brief description of the relevant principles from quantum mechanics is provided before surveying the most prominent quantum key distribution protocols present in the literature.
TechSNAP 403: Keeping Systems Simple
Linux Headlines — Linux and open source headlines every weekday, in under 3 minutes.

411: Mobile Security Mistakes

Jupiter Broadcasting — Fri, 06 Sep 2019 00:15:00 -0700

We take a look at a few recent zero-day vulnerabilities for iOS and Android and find targeted attacks, bad assumptions, and changing markets.

Plus what to expect from USB4 and an upcoming Linux scheduler speed-up for AMD's Epyc CPUs.

Links:

Google says hackers have put ‘monitoring implants’ in iPhones for years | Technology | The Guardian — Their location was uploaded every minute; their device’s keychain, containing all their passwords, was uploaded, as were their chat histories on popular apps including WhatsApp, Telegram and iMessage, their address book, and their Gmail database.
Project Zero: A very deep dive into iOS Exploit chains found in the wild — We discovered exploits for a total of fourteen vulnerabilities across the five exploit chains: seven for the iPhone’s web browser, five for the kernel and two separate sandbox escapes.
Project Zero: In-the-wild iOS Exploit Chain 1 — This exploit provides evidence that these exploit chains were likely written contemporaneously with their supported iOS versions; that is, the exploit techniques which were used suggest that this exploit was written around the time of iOS 10. This suggests that this group had a capability against a fully patched iPhone for at least two years.
Project Zero: In-the-wild iOS Exploit Chain 3 — It’s difficult to understand how this error could be introduced into a core IPC library that shipped to end users. While errors are common in software development, a serious one like this should have quickly been found by a unit test, code review or even fuzzing.
Project Zero: JSC Exploits — In this post, we will take a look at the WebKit exploits used to gain an initial foothold onto the iOS device and stage the privilege escalation exploits. All exploits here achieve shellcode execution inside the sandboxed renderer process (WebContent) on iOS.
Project Zero: Implant Teardown — There is no visual indicator on the device that the implant is running. There's no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system. The implant is primarily focused on stealing files and uploading live location data. The implant requests commands from a command and control server every 60 seconds.The implant has access to all the database files (on the victim’s phone) used by popular end-to-end encryption apps like Whatsapp, Telegram and iMessage.
iPhone Hackers Caught By Google Also Targeted Android And Microsoft Windows, Say Sources — Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China.
Google's Shocking Decision To Ignore A Critical Android Vulnerability In Latest Security Update — Despite immediately acknowledging the vulnerability and confirming in June that it will be fixed, Google had not provided an estimated time frame for the patch.
Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn | Threatpost — “In the unlikely event an attacker succeeds in exploiting this bug, they would effectively have complete control over the target device,” he told Threatpost. Once an attacker obtains escalated privileges, “it means they could completely take over a device if they can convince a user to install and run their application,”
Why 'Zero Day' Android Hacking Now Costs More Than iOS Attacks | WIRED — "During the last few months, we have observed an increase in the number of iOS exploits, mostly Safari and iMessage chains, being developed and sold by researchers from all around the world. The zero-day market is so flooded by iOS exploits that we've recently started refusing some them"
Linux 5.4 Kernel To Bring Improved Load Balancing On AMD EPYC Servers — The scheduler topology improvement by SUSE's Matt Fleming changes the behavior as currently it turns out for EPYC hardware the kernel has failed to properly load balance across NUMA nodes on different sockets.
USB4 is coming soon and will (mostly) unify USB and Thunderbolt | Ars Technica — The USB Implementers Forum published the official USB4 protocol specification. If your initial reaction was "oh no, not again," don't worry—the new spec is backward-compatible with USB 2 and USB 3, and it uses the same USB Type-C connectors that modern USB 3 devices do.

410: Epyc Encryption

Jupiter Broadcasting — Fri, 23 Aug 2019 00:00:00 -0700

It's CPU release season and we get excited about AMD's new line of server chips. Plus our take on AMD's approach to memory encryption, and our struggle to make sense of Intel's Comet Lake line.

Also, a few Windows worms you should know about, the end of the road for EV certs, and an embarrassing new Bluetooth attack.

Links:

A detailed look at AMD’s new Epyc “Rome” 7nm server CPUs | Ars Technica — The short version of the story is, Epyc "Rome" is to the server what Ryzen 3000 was to the desktop—bringing significantly improved IPC, more cores, and better thermal efficiency than either its current-generation Intel equivalents or its first-generation Epyc predecessors.
AMD Rome Second Generation EPYC Review: 2x 64-core Benchmarked — Ever since the Opteron days, AMD's market share has been rounded to zero percent, and with its first generation of EPYC processors using its new Zen microarchitecture, that number skipped up a small handful of points, but everyone has been waiting with bated breath for the second swing at the ball. AMD's Rome platform solves the concerns that first gen Naples had, plus this CPU family is designed to do many things: a new CPU microarchitecture on 7nm, offer up to 64 cores, offer 128 lanes of PCIe 4.0, offer 8 memory channels, and offer a unified memory architecture based on chiplets.
AMD EPYC Rome Still Conquering Cascadelake Even Without Mitigations - Phoronix — Out of curiosity, I've run some unmitigated benchmarks for the various relevant CPU speculative execution vulnerabilities on both the Intel Xeon Platinum 8280 Cascadelake and AMD EPYC 7742 Rome processors for seeing how the performance differs.
Intel’s line of notebook CPUs gets more confusing with 14nm Comet Lake | Ars Technica — Going by Intel's numbers, Comet Lake looks like a competent upgrade to its predecessor Whiskey Lake. The interesting question—and one largely left unanswered by Intel—is why the company has decided to launch a new line of 14nm notebook CPUs less than a month after launching Ice Lake, its first 10nm notebook CPUs.
A look at the Windows 10 exploit Google Zero disclosed this week | Ars Technica — On Tuesday, Tavis Ormandy of Google's Project Zero released an exploit kit called ctftool, which uses and abuses Microsoft's Text Services Framework in ways that can effectively get anyone root—er, system that is—on any unpatched Windows 10 system they're able to log in to
Patch new wormable vulnerabilities in Remote Desktop Services (CVE-2019-1181/1182) – Microsoft Security Response Center — Today Microsoft released a set of fixes for Remote Desktop Services that include two critical Remote Code Execution (RCE) vulnerabilities, CVE-2019-1181 and CVE-2019-1182. Like the previously-fixed ‘BlueKeep’ vulnerability (CVE-2019-0708), these two vulnerabilities are also ‘wormable’, meaning that any future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.
KNOB Attack — TL;DR: The specification of Bluetooth includes an encryption key negotiation protocol that allows to negotiate encryption keys with 1 Byte of entropy without protecting the integrity of the negotiation process. A remote attacker can manipulate the entropy negotiation to let any standard compliant Bluetooth device negotiate encryption keys with 1 byte of entropy and then brute force the low entropy keys in real time.
Troy Hunt: Extended Validation Certificates are (Really, Really) Dead — With both browsers auto-updating for most people, we're about 10 weeks out from no more EV and the vast majority of web users no longer seeing something they didn't even know was there to begin with! Oh sure, you can still drill down into the certificate and see the entity name, but who's really going to do that? You and I, perhaps, but we're not exactly in the meat of the browser demographics.
Google wants to reduce lifespan for HTTPS certificates to one year | ZDNet — Scott Helme argues that the security benefits of shorter SSL certificate lifespans have nothing to do with phishing or malware sites, but instead with the SSL certificate revocation process. Helme claims that this process is broken and that bad SSL certificates continue to live on for years after being mississued and revoked.

409: Privacy Perspectives

Jupiter Broadcasting — Fri, 09 Aug 2019 00:15:00 -0700

We examine why it's so difficult to protect your privacy online and discuss browser fingerprinting, when to use a VPN, and the limits of private browsing.

Plus Apple's blaring bluetooth beacons and Facebook's worrying plans for WhatsApp.

Links:

Apple bleee. Everyone knows What Happens on Your iPhone – hexway — If Bluetooth is ON on your Apple device everyone nearby can understand current status of your device, get info about battery, device name, Wi-Fi status, buffer availability, OS version and even get your mobile phone number
Facebook Plans on Backdooring WhatsApp - Schneier on Security — In Facebook's vision, the actual end-to-end encryption client itself such as WhatsApp will include embedded content moderation and blacklist filtering algorithms. These algorithms will be continually updated from a central cloud service, but will run locally on the user's device, scanning each cleartext message before it is sent and each encrypted message after it is decrypted.
Signal — Privacy that fits in your pocket.
xkcd: Security — Turns out it's a $5 wrench, even better!
Jim Salter on Twitter — I wonder why #privacy wonks aren't talking about browser fingerprinting more frequently? Privacy Badger, Ghostery, etc don't do a damn thing to prevent or mitigate Canvas / WebGL #fingerprinting.
Browser Fingerprinting: What Is It and What Should You Do About It? - PixelPrivacy — Browser fingerprinting is a powerful method that websites use to collect information about your browser type and version, as well as your operating system, active plugins, timezone, language, screen resolution and various other active settings.
Canvas Fingerprinting - BrowserLeaks.com — The technique is based on the fact that the same canvas image may be rendered differently in different computers. This happens for several reasons. At the image format level – web browsers uses different image processing engines, image export options, compression level, the final images may got different checksum even if they are pixel-identical. At the system level – operating systems have different fonts, they use different algorithms and settings for anti-aliasing and sub-pixel rendering.
WebGL Browser Report - WebGL Fingerprinting - WebGL 2 Test - BrowserLeaks.com — WebGL Browser Report checks WebGL support in your web browser, produce WebGL Device Fingerprinting, and shows the other WebGL and GPU capabilities more or less related web browser identity.
AmIUnique — Device fingerprinting or browser fingerprinting is the systematic collection of information about a remote device, for identification purposes. Client-side scripting languages allow the development of procedures to collect very rich fingerprints: browser and operating system type and version, screen resolution, architecture type, lists of fonts, plugins, microphone, camera, etc.
Panopticlick — Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software. However, we only do so with your explicit consent, through the TEST ME button below.
How private is your browser’s Private mode? Research into porn suggests “not very” | Ars Technica — This leaves browser fingerprinting as a method to tie your profiles together—and unfortunately, Incognito mode doesn't appear to help.
Privacy Tools - Encryption Against Global Mass Surveillance — You are being watched. Private and state-sponsored organizations are monitoring and recording your online activities. privacytools.io provides services, tools and knowledge to protect your privacy against global mass surveillance.
‘Fingerprinting’ to Track Us Online Is on the Rise. Here’s What to Do. - The New York Times — Fingerprinting involves looking at the many characteristics of your mobile device or computer, like the screen resolution, operating system and model, and triangulating this information to pinpoint and follow you as you browse the web and use apps. Once enough device characteristics are known, the theory goes, the data can be assembled into a profile that helps identify you the way a fingerprint would.
Digital 'Fingerprinting' Is The Next Generation Tracking Technology | The Takeaway | WNYC Studios — This growing technology is almost invisible, making it impossible for users to opt-out of the tracking system. As it becomes more popular, tech companies are developing new ways to try and protect consumers from this form of tracking. But is it going to work?
New Warning Issued Over Google's Chrome Ad-Blocking Plans — The plans, dubbed Manifest V3, represent a major transformation to Chrome extensions including a revamp of the permissions system. As a result, modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work.
Comment on Chrome extension manifest v3 proposal by gorhill — The blocking ability of the webRequest API is still deprecated, and Google Chrome's limited matching algorithm will be the only one possible, and with limits dictated by Google employees. It's annoying that they keep saying "the webRequest API is not deprecated" as if developers have been worried about this -- and as if they want to drown the real issue in a fabricated one nobody made.
CanvasBlocker
Ghostery
Disconnect

403: Keeping Systems Simple

Jupiter Broadcasting — Fri, 10 May 2019 21:00:00 -0700

We’re back from LinuxFest Northwest with an update on all things WireGuard, some VLAN myth busting, and the trade-offs of highly available systems.

Links:

TechSNAP Episode 390: What’s Up with WireGuard
WireGuard Sent Out Again For Review — WireGuard lead developer Jason Donenfeld has sent out the ninth version of the WireGuard secure network tunnel patches for review. If this review goes well and lands in net-next in the weeks ahead, this long-awaited VPN improvement could make it into the mainline Linux 5.2 kernel.
CloudFlare announces Warp VPN — Using Cloudflare’s existing network of servers, Internet users all over the world will be able to connect to Warp VPN through the 1.1.1.1 app. In the same vein, Warp VPN will not significantly increase battery usage by using an efficient protocol called WireGuard.
CloudFlare Launches "BoringTun" As Rust-Written WireGuard User-Space Implementation - Phoronix — CloudFlare took to creating BoringTun as they wanted a user-space solution as not to have to deal with kernel modules or satisfying certain kernel versions. They also wanted cross platform support and for their chosen implementation to be very fast, these choices which led them to writing a Rust-based solution.
cloudflare/boringtun — BoringTun is an implementation of the WireGuard® protocol designed for portability and speed.
VPN protocol WireGuard now has an official macOS app — You can already download the WireGuard app on Android and iOS, but today’s release is all about macOS.
WireGuard Windows Pre-Alpha — I've been mostly absent these last weeks, due to being completely absorbed in Windows programming. I think we're finally getting to the state where we might really benefit from testing of the "pre-alpha".
Wintun – Layer 3 TUN Driver for Windows — Wintun is a very simple and minimal TUN driver for the Windows kernel, which provides userspace programs with a simple network adapter for reading and writing packets. It is akin to Linux's /dev/net/tun and BSD's /dev/tun.
WireGuard for Kubernetes: Introducing Gravitational Wormhole — Wormhole is a Kubernetes network plugin that combines the simplicity of flannel with encrypted networking from WireGuard.
gravitational/wormhole: Wireguard based overlay network CNI plugin for kubernetes
NetworkManager 1.16 — NetworkManager 1.16 is a big feature release bringing support for WireGuard VPN tunnels
Portal Cloud - Subspace — Subspace is an open source WireGuard® VPN server that supports connecting all of your devices to help secure your internet access.
subspacecloud/subspace — A simple WireGuard VPN server GUI
jimsalterjrs/wg-admin — Simple CLI utilities to manage a WireGuard server
5 big misconceptions about virtual LANs — In the real world, VLANs are anything but simple.
High Availability vs. Fault Tolerance vs. Disaster Recovery — You need IT infrastructure that you can count on even when you run into the rare network outage, equipment failure, or power issue. When your systems run into trouble, that’s where one or more of the three primary availability strategies will come into play: high availability, fault tolerance, and/or disaster recovery.
High Availability: Concepts and Theory — Running server operations using clusters of either physical or virtual computers is all about improving both reliability and performance over and above what you could expect from a single, high-powered server.
RPO and RTO: Understanding the Differences — Recovery time objective refers to how much time an application can be down without causing significant damage to the business. Recovery point objectives refer to your company’s loss tolerance: the amount of data that can be lost before significant harm to the business occurs.
JupiterBroadcasting/Talks — Public repository of crew talks, slides, and additional resources.
Command Line Threat Hunting — That viruses and malware are Windows problems is a misnomer that is often propagated through the Linux community and it's an easy one to believe until you start noticing strange behavior on your system. What do you do next? Join Ell Marquez and Tony Lambert in discussing a common sense approach to threat detection using only command line tools.
Fear the Man in the Middle? This company wants to sell quantum key distribution — For now, Quantum XChange has only said about a dozen companies are part of the pilot. But with the appetite for quantum solutions in the US increasing—the National Quantum Initiative was just signed into law at the end of 2018 to advance the tech—this could be an opportune time to enter the market, so long as the service lives up to its billing.

402: Snapshot Sanity

Jupiter Broadcasting — Thu, 25 Apr 2019 16:45:00 -0700

We continue our take on ZFS as Jim and Wes dive in to snapshots, replication, and the magic on copy on write.

Plus some handy tools to manage your snapshots, rsync war stories, and more!

Links:

sanoid: Policy-driven snapshot management and replication tools. — Sanoid is a policy-driven snapshot management tool for ZFS filesystems. When combined with the Linux KVM hypervisor, you can use it to make your systems functionally immortal.
Syncoid — Sanoid also includes a replication tool, syncoid, which facilitates the asynchronous incremental replication of ZFS filesystems.
Copy-on-write - Wikipedia
ZFS Paper
The Magic Behind APFS: Copy-On-Write — The brand-new Apple File System (APFS) that landed with macOS High Sierra brings a handful of important new features that rely on a technique called copy-on-write (CoW).
Chapter 19. The Z File System (ZFS)

401: Everyday ZFS

Jupiter Broadcasting — Thu, 11 Apr 2019 22:15:00 -0700

Jim and Wes sit down to bust some ZFS myths and share their tips and tricks for getting the most out of the ultimate filesystem.

Plus when not to use ZFS, the surprising way your disks are lying to you, and more!

Links:

ZFS - Ubuntu Wiki — ZFS is a combined file system and logical volume manager designed and implemented by a team at Sun Microsystems led by Jeff Bonwick and Matthew Ahrens.
Performance tuning - OpenZFS — Make sure that you create your pools such that the vdevs have the correct alignment shift for your storage device's size. if dealing with flash media, this is going to be either 12 (4K sectors) or 13 (8K sectors).

400: Supply Chain Attacks

Jupiter Broadcasting — Thu, 28 Mar 2019 20:15:00 -0700

We break down the ASUS Live Update backdoor and explore why these kinds of supply chain attacks are on the rise.

Plus an update from the linux vendor firmware service, your feedback, and more!

Links:

Joren Verspeurt on Twitter — The explanation you gave for unsupervised wasn't correct, that was just using a net that was trained in a supervised way. Unsupervised learning doesn't involve labels at all. A good example: clustering. You say "there are x clusters" and it learns a way of grouping similar items.
Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers — The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems.
Malicious updates for ASUS laptops — A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.
Asus Live Update Patch Now Availabile — Asus has emitted a non-spyware-riddled version of Live Update for people to install on its notebooks, which includes extra security features to hopefully detect any future tampering.
ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups — ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
The Messy Truth About Infiltrating Computer Supply Chains — The Defense Intelligence Agency believed that China’s capability at exploiting the BIOS “reflects a qualitative leap forward in exploitation that is difficult to detect”
Inside the Unnerving CCleaner Supply Chain Attack — Security researchers at Cisco Talos and Morphisec made a worst nightmare-type disclosure: the ubiquitous computer cleanup tool CCleaner had been compromised by hackers for more than a month. The software updates users were downloading from CCleaner owner Avast—a security company itself—had been tainted with a malware backdoor. The incident exposed millions of computers and reinforced the threat of so-called digital supply chain attacks, situations where trusted, widely distributed software is actually infected by malicious code.
ShadowPad: How Attackers hide Backdoor in Software used by Hundreds of Large Companies around the World — ShadowPad is an example of how dangerous and wide-scale a successful supply-chain attack can be. Given the opportunities for reach and data collection it gives to the attackers, most likely it will be reproduced again and again with some other widely used software component.
Gaming industry still in the scope of attackers in Asia — Yet again, new supply-chain attacks recently caught the attention of ESET Researchers. This time, two games and one gaming platform application were compromised to include a backdoor.
Microsoft Security Intelligence Report Volume 24 is now available — Software supply chain attacks are another trend that Microsoft has been tracking for several years. One supply chain tactic used by attackers is to incorporate a compromised component into a legitimate application or update package, which then is distributed to the users via the software. These attacks can be very difficult to detect because they take advantage of the trust that users have in their software vendors. The report includes several examples, including the Dofoil campaign, which illustrates how wide-reaching these types of attacks are and what we are doing to prevent and respond to them.
Microsoft Security Intelligence Report Volume 24
Supply Chain Attacks Spiked 78 Percent in 2018
Supply Chain Security: A Talk by Bunnie Huang — I recently gave an invited talk about supply chain security at BlueHat IL 2019. I was a bit surprised at the level of interest it received, so I thought I’d share it here for people who might have missed it.
Attack inception: Compromised supply chain within a supply chain poses new risk — The plot twist: The app vendor’s systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.
Supply Chain Attacks and Secure Software Updates — In general, a supply chain attack involves first hacking a trusted third party who provides a product or service to your target, and then using your newly acquired, privileged position to compromise your intended target.
Bad USB, Very Bad USB — The best defense for this type of attack is to only use devices that do not have reprogrammable firmware. Outside of this, it is important to only use USB drives that you trust completely, because after plugging in an untrusted device, you will never know if there is an invisible threat running on your computer.
Reflections on Trusting Trust by Ken Thompson
LVFS Project Announcement - The Linux Foundation — The Linux Foundation welcomes the Linux Vendor Firmware Service (LVFS) as a new project. LVFS is a secure website that allows hardware vendors to upload firmware updates. It’s used by all major Linux distributions to provide metadata for clients, such as fwupdmgr, GNOME Software and KDE Discover.
LVFS: Vendor Status
Two new supply-chain attacks come to light in less than a week — Called “Colourama,” the package looked similar to Colorama, which is one of the top-20 most-downloaded legitimate modules in the Python repository. The doppelgänger Colourama package contained most of the legitimate functions of the legitimate module, with one significant difference: Colourama added code that, when run on Windows servers, installed a Visual Basic script.
Malicious code found in npm package event-stream downloaded 8 million times in the past 2.5 months

399: Ethics in AI

Jupiter Broadcasting — Fri, 15 Mar 2019 19:30:00 -0700

Machine learning promises to change many industries, but with these changes come dangerous new risks. Join Jim and Wes as they explore some of the surprising ways bias can creep in and the serious consequences of ignoring these problems.

Links:

Microsoft’s neo-Nazi sexbot was a great lesson for makers of AI assistants — What started out as an entertaining social experiment—get regular people to talk to a chatbot so it could learn while they, hopefully, had fun—became a nightmare for Tay’s creators. Users soon figured out how to make Tay say awful things. Microsoft took the chatbot offline after less than a day.
Microsoft's Zo chatbot is a politically correct version of her sister Tay—except she’s much, much worse — A few months after Tay’s disastrous debut, Microsoft quietly released Zo, a second English-language chatbot available on Messenger, Kik, Skype, Twitter, and Groupme.
How to make a racist AI without really trying | ConceptNet blog — Some people expect that fighting algorithmic racism is going to come with some sort of trade-off. There’s no trade-off here. You can have data that’s better and less racist. You can have data that’s better because it’s less racist. There was never anything “accurate” about the overt racism that word2vec and GloVe learned.
Microsoft warned investors that biased or flawed AI could hurt the company’s image — Notably, this addition comes after a research paper by MIT Media Lab graduate researcher Joy Buolamwini showed in February 2018 that Microsoft’s facial recognition algorithm’s was less accurate for women and people of color. In response, Microsoft updated its facial recognition models, and wrote a blog post about how it was addressing bias in its software.
AI bias: It is the responsibility of humans to ensure fairness — Amazon recently pulled the plug on its experimental AI-powered recruitment engine when it was discovered that the machine learning technology behind it was exhibiting bias against female applicants.
California Police Using AI Program That Tells Them Where to Patrol, Critics Say It May Just Reinforce Racial Bias — “The potential for bias to creep into the deployment of the tools is enormous. Simply put, the devil is in the data,” Vincent Southerland, executive director of the Center on Race, Inequality, and the Law at NYU School of Law, wrote for the American Civil Liberties Union last year.
A.I. Could Worsen Health Disparities — A recent study found that some facial recognition programs incorrectly classify less than 1 percent of light-skinned men but more than one-third of dark-skinned women. What happens when we rely on such algorithms to diagnose melanoma on light versus dark skin?
Responsible AI Practices — These questions are far from solved, and in fact are active areas of research and development. Google is committed to making progress in the responsible development of AI and to sharing knowledge, research, tools, datasets, and other resources with the larger community. Below we share some of our current work and recommended practices.
The Ars Technica System Guide, Winter 2019: The one about the servers — The Winter 2019 Ars System Guide has returned to its roots: showing readers three real-world system builds we like at this precise moment in time. Instead of general performance desktops, this time around we're going to focus specifically on building some servers.
Introduction to Python Development at Linux Academy — This course is designed to teach you how to program using Python. We'll cover the building blocks of the language, programming design fundamentals, how to use the standard library, third-party packages, and how to create Python projects. In the end, you should have a grasp of how to program.

398: Proper Password Procedures

Jupiter Broadcasting — Thu, 28 Feb 2019 18:00:00 -0800

We reveal the shady password practices that are all too common at many utility providers, and hash out why salts are essential to proper password storage.

Plus the benefits of passphrases, and what you can do to keep your local providers on the up and up.

Links:

Plain wrong: Millions of utility customers’ passwords stored in plain text | Ars Technica — In September of 2018, an anonymous independent security researcher (who we'll call X) noticed that their power company's website was offering to email—not reset!—lost account passwords to forgetful users. Startled, X fed the online form the utility account number and the last four phone number digits it was asking for. Sure enough, a few minutes later the account password, in plain text, was sitting in X's inbox.
The LinkedIn Hack: Understanding Why It Was So Easy to Crack the Passwords | — LinkedIn stated that after the initial 2012 breach, they added enhanced protection, most likely adding the “salt” functionality to their passwords. However, if you have not changed your password since 2012, you do not have the added protection of a salted password hash. You may be asking yourself–what on earth are hashing and salting and how does this all work?
How Developers got Password Security so Wrong — As time has gone on; developers have continued to store passwords insecurely, and users have continued to set them weakly. Despite this, no viable alternative has been created for password security.
Adding Salt to Hashing: A Better Way to Store Passwords — A salt is added to the hashing process to force their uniqueness, increase their complexity without increasing user requirements, and to mitigate password attacks like rainbow tables.
Why Do Developers Get Password Storage Wrong? A Qualitative Usability Study — We were interested in exploring two particular aspects: Firstly, do developers get things wrong because they do not think about security and thus do not include security features (but could if they wanted to)? Or do they write insecure code because the complexity of the task is too great for them? Secondly, a common suggestion to increase security is to offer secure defaults.
OWASP Password Storage Cheatsheet — This article provides guidance on properly storing passwords, secret question responses, and similar credential information.
Secure Salted Password Hashing - How to do it Properly — If you're a web developer, you've probably had to make a user account system. The most important aspect of a user account system is how user passwords are protected. User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. The best way to protect passwords is to employ salted password hashing. This page will explain why it's done the way it is.
Plain Text Offenders — We’re tired of websites abusing our trust and storing our passwords in plain text, exposing us to danger. Here we put websites we believe to be practicing this to shame.
Cybersecurity 101: Why you need to use a password manager | TechCrunch — Think of a password manager like a book of your passwords, locked by a master key that only you know.
On the Security of Password Managers - Schneier on Security — There's new research on the security of password managers, specifically 1Password, Dashlane, KeePass, and Lastpass. This work specifically looks at password leakage on the host computer. That is, does the password manager accidentally leave plaintext copies of the password lying around memory?
LinuxFest Northwest 2019 — It's the 20th anniversary of LinuxFest Northwest! Come join your favorite Jupiter Broadcasting hosts at the Pacific Northwest's premier Linux event.
SCALE 17x — The 17th annual Southern California Linux Expo – will take place on March. 7-10, 2019, at the Pasadena Convention Center. SCaLE 17x expects to host 150 exhibitors this year, along with nearly 130 sessions, tutorials and special events.
Jupiter Broadcasting Meetups — The best place to find out when Jupiter Broadcasting has a meetup near you! Also stay tuned for upcoming virtual study groups.

396: Floating Point Problems

Jupiter Broadcasting — Thu, 31 Jan 2019 20:45:00 -0800

Jim and Wes are joined by OpenZFS developer Richard Yao to explain why the recent drama over Linux kernel 5.0 is no big deal, and how his fix for the underlying issue might actually make things faster.

Plus the nitty-gritty details of vectorized optimizations and kernel preemption, and our thoughts on the future of the relationship between ZFS and Linux.

Special Guest: Richard Yao.

Links:

LinuxFest Northwest 2019 — Join a bunch of JB hosts and community celebrating the 20th anniversary!
Choose Linux — The show that captures the excitement of discovering Linux.
Linux 5.0: _kernel_fpu{begin,end} no longer exported — The latest kernels removed the old compatibility headers.
ZFS On Linux Landing Workaround For Linux 5.0 Kernel Support — So while these symbols are important for SIMD vectorized checksums for ZFS in the name of performance, with Linux 5.0+ they are not going to be exported for use by non-GPL modules. ZFS On Linux developer Tony Hutter has now staged a change that would disable vector instructions on Linux 5.0+ kernels.
Re: x86/fpu: Don't export __kernel_fpu_{begin,end}() — My tolerance for ZFS is pretty non-existant. Sun explicitly did not want their code to work on Linux, so why would we do extra work to get their code to work properly?
The future of ZFS in FreeBSD — This state of affairs has led to a general agreement among the stakeholders that I have spoken to that it makes sense to rebase FreeBSD's ZFS on ZoL. Brian Behlendorf has graciously encouraged me to add FreeBSD support directly so that we might all have a singleshared code base.
Dephix: Kickoff to The Future — OpenZFS has grown over the last decade, and delivering our application on Linux provides great OpenZFS support while enabling higher velocity adoption of new environments.
The future of ZFS on Linux [zfs-discuss] — Do you realize that we don’t actually need the symbols that the kernel removed. It All they do is save/restore of register state while turning off/on preemption. Nothing stops us from doing that ourselves. It is possible to implement our own substitutes using code from either Illumos or FreeBSD or even write our own. Honestly, I am beginning to think that my attempt to compromise with mainline gave the wrong impression. I am simply tired of this behavior by them and felt like reaching out to put an end to it. In a few weeks, we will likely be running on Linux 5.0 as if those symbols had never been removed because we will almost certainly have our own substitutes for them. Having to bloat our code because mainline won’t give us access to trivial functionality is annoying, but it is not the end of the world.
LINUX Unplugged Episode 284: Free as in Get Out
BSD Now 279: Future of ZFS
BSD Now 157: ZFS, The “Universal” File-system

395: The ACME Era

Jupiter Broadcasting — Sun, 20 Jan 2019 20:45:00 -0800

We welcome Jim to the show, and he and Wes dive deep into all things Let’s Encrypt.

The history, the clients, and the from-the-field details you'll want to know.

Links:

Let’s Encrypt and CertBot – JRS Systems
Automatic Certificate Management Environment (ACME) — The surprisingly readable IETF draft.
How It Works - Let's Encrypt
ACME Client Implementations
Certbot — Certbot is EFF's tool to obtain certs from Let's Encrypt.
acme-nginx: python acme client for nginx — A particularly simple client that is useful for understanding the protocol details.
Caddy - The HTTP/2 Web Server with Automatic HTTPS
mod_md: Let's Encrypt (ACME) support for Apache httpd
Traefik - The Cloud Native Edge Router
Looking Forward to 2019 - Let's Encrypt — We’re now serving more than 150 million websites while maintaining a stellar security and compliance track record. Most importantly though, the Web went from 67% encrypted page loads to 77% in 2018, according to statistics from Mozilla. This is an incredible rate of change!
Let's Encrypt ACME v2 API Announcements — Now that the draft standard is in last-call and the pace of major changes has slowed, we’re able to release a “v2” API that is much closer to what will become the final ACME RFC.
Let's Encrypt disables TLS-SNI-01 validation — The researcher noticed that "at least two" large hosting providers host many users on the same IP address and users are able to upload certificates for arbitrary names without proving they have control of a domain.
A Technical Deep Dive on Using Certbot to Secure your Mailserver from the EFF — With the most recent release of Certbot v0.29.1, we’ve added some features which make it much easier to use with both Sendmail and Exim.

394: All About Azure

Jupiter Broadcasting — Thu, 10 Jan 2019 04:00:00 -0800

Wes is joined by a special guest to take a look back on the growth and development of Azure in 2018 and discuss some of its unique strengths.

Special Guest: Chad M. Crowell.

Links:

Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years
An Azure Infrastructure Year in Review
Azure File Sync now generally available
Microsoft's Newest OS is Based on Linux
Azure Sphere
What is Azure Stack?
Azure Outage Proves the Hard Way Availability Zones are a Good Idea
Microsoft Azure Infrastructure and Deployment on Linux Academy — In this course, we will cover an introduction to the Azure portal, followed by how to build infrastructure and deploy that infrastructure in real world scenarios.
Chad Crowell on Twitter

393: Back to our /roots

Jupiter Broadcasting — Thu, 03 Jan 2019 04:00:00 -0800

In a special new year’s episode we take a moment to reflect on the show’s past, its future, and say goodbye to an old friend.

Links:

Jim Salter — Jim Salter (@jrssnet) is an author, public speaker, small business owner, mercenary sysadmin, and father of three—not necessarily in that order. He got his first real taste of open source by running Apache on his very own dedicated FreeBSD 3.1 server back in 1999, and he's been a fierce advocate of FOSS ever since.
Jim Salter on Twitter
Dropbox Flaws | TechSNAP | 1
PSN Breech Details | TechSNAP 3
2089 Days Uptime | TechSNAP 300

392: Keeping up with Kubernetes

Jupiter Broadcasting — Wed, 12 Dec 2018 19:00:00 -0800

A security vulnerability in Kubernetes causes a big stir, but we’ll break it all down and explain what went wrong.

Plus the biggest stories out of Kubecon, and serverless gets serious.

Links:

Everything that was announced at KubeCon
CNCF to Host etcd — The Cloud Native Computing Foundation Technical Oversight Committee voted to accept etcd as an incubation-level hosted project.
Introduction to Knative — Knative is a framework from the folks at Google and Pivotal focused on “serverless” style event driven functions.
IBM Embraces Knative to Drive Serverless Standardization — Knative is not the first open-source functions-as-a-service effort that IBM has backed. Back in 2016, IBM announced the OpenWhisk effort, which is now run as an open-source project at the Apache Software Found.
How Google Is Improving Kubernetes Container Security — "We go beyond what's in open source and put additional restrictions in place to secure users"
Demystifying Kubernetes CVE-2018-1002105 — With a specially crafted request, users that are authorized to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
The silent CVE in the heart of Kubernetes apiserver
Crossplane: An Open Source Multicloud Control Plane
security.christmas — This year we will prepare you for the Christmas celebration, by giving you small presents of knowledge every day, which will teach you about the world of security.
Introducing the Helm Hub — This hub provides a means for you to find charts hosted in many distributed repositories hosted by numerous people and organizations.

Episode 391: Firecracker Fundamentals

Jupiter Broadcasting — Thu, 29 Nov 2018 14:00:00 -0800

We break down Firecracker Amazon’s new open source kvm powered, virtual machine monitor, and explore what makes it different from the options on the market now.

Plus some good news for OpenBGP and the wider internet community, and a handy tool for inspecting docker images.

Links:

Firecracker – Lightweight Virtualization for Serverless Computing — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
Firecracker — Firecracker is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant containers and functions-based services.
Firecracker Design Docs
Firecracker Roadmap
QEMU — QEMU is a generic and open source machine emulator and virtualizer.
Qemu : Security vulnerabilities
VENOM Vulnerability — VENOM, CVE-2015-3456, is a security vulnerability in the virtual floppy drive code used by many computer virtualization platforms. This vulnerability may allow an attacker to escape from the confines of an affected virtual machine (VM) guest and potentially obtain code-execution access to the host.
s2n — s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority.
OpenBGPD - Adding Diversity to the Route Server Landscape — Thanks to the RIPE NCC Community Project Fund we were able to revive the OpenBGPD daemon and bring more diversity to the Route Server landscape.
OpenBGPD — OpenBGPD is a FREE implementation of the Border Gateway Protocol, Version 4. It allows ordinary machines to be used as routers exchanging routes with other systems speaking the BGP protocol.
LSI Questions from Anton
ServeTheHome
Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks — When users have been installing Sennheiser's HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software was also installing an encrypted version of the certificate's private key that was not as secure as the developers may have thought.
evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
dive: A tool for exploring each layer in a docker image

Episode 390: What’s Up with WireGuard

Jupiter Broadcasting — Thu, 22 Nov 2018 10:30:00 -0800

WireGuard has a lot of buzz around it and for many good reasons. We’ll explain what WireGuard is specifically, what it can do, and maybe more importantly, what it can’t.

Special Guest: Jim Salter.

Links:

How to easily configure WireGuard — At its core, all WireGuard does is create an interface from one computer to another.
Jessie Frazelle's Blog: Installing and Using Wireguard, obviously with containers — What is cool about Wireguard is it integrates into the Linux networking stack.
WireGuard Didn't Make it To The Mainline Linux Kernel This Cycle — The code continues to be improved upon but looks like it came up just short of making it into this current development cycle.
WireGuard VPN review: A new type of VPN offers serious advantages — Fewer lines of code, simpler setup, and better algorithms make a strong case.
The Current Status of WireGuard VPNs - Are We There Yet?
Using a free VPN? Why not skip the middleman and just send your data to President Xi?
Feedback from Cody
NRE Labs — NRE Labs is a no-strings-attached, community-centered initiative to bring the skills of automation within reach for everyone
Introduction to Antidote — Antidote is an open-source project aimed at making automated network operations more accessible with fast, easy and fun learning.
StackStorm — From simple if/then rules to complicated workflows, StackStorm lets you automate DevOps your way.
wireguard-private-networking: Build your own multi server private network using wireguard and ansible
Algo: Set up a personal IPSEC or WireGuard VPN in the cloud

Episode 386: What Makes Google Cloud Different

Jupiter Broadcasting — Thu, 04 Oct 2018 16:45:00 -0700

We bring on our Google Cloud expert and explore the fundamentals, demystify some of the magic, and ask what makes Google Cloud different.

Plus how Google hopes Roughtime will solve one of the web’s biggest problems, some great emails, and more!

Special Guest: Matt Ulasien.

Links:

Cloudflare Embraces Google Roughtime, Giving Internet Security a Boost — The internet infrastructure firm Cloudflare will now support a free timekeeping protocol known as Roughtime, which helps synchronize the internet's clocks and validate timestamps.
Roughtime: Securing Time with Digital Signatures — Roughtime lacks the precision of NTP, but aims to be accurate enough for cryptographic applications, and since the responses are authenticated, man-in-the-middle attacks aren’t possible
Google Cloud rolls out security feature for container images — All container images built using Cloud Build, Google's fully-managed CI/CD platform, will now be automatically scanned for OS package vulnerabilities
Tweets by Matthew Ulasien (@mulasien)
Google Cloud Weekly | 10.03.2018
Matthew Ulasien - Quora
Google Certified Professional Cloud Architect
Feedback: Can't Even Google This One!
Feedback: The Button Pusher Problem
Feedback: Can I monitor that?
Pingdom
Site24x7
prometheus/blackbox_exporter: Blackbox prober exporter
Kubernetes the Hard Way - Course
How do Kubernetes Deployments work? An adversarial perspective. — What is happening when a Deployment rolls out a change to your app? What does it actually do when a Pod crashes or is killed? What happens when a Pod is re-labled so that it's not targeted by the Deployment?
Kubernetes: The Surprisingly Affordable Platform for Personal Projects — I think that Kubernetes makes sense for small projects and you can have your own Kubernetes cluster today for as little as $5 a month.
Kubernetes for personal projects? No thanks! — I have read multiple times this article about running Kubernetes to run small projects and thought I could share why I think that might not be a great idea.
KubeDirector: The easy way to run complex stateful applications on Kubernetes — KubeDirector is an open source project designed to make it easy to run complex stateful scale-out application clusters on Kubernetes.
Kubernetes On Bare Metal — This guide will take you from nothing to a 2 node cluster, automatic SSL for deployed apps, a custom PVC/PV storage class using NFS, and a private docker registry.
Introducing DigitalOcean Kubernetes in Limited Availability

Episode 385: 3 Things to Know About Kubernetes

Jupiter Broadcasting — Thu, 27 Sep 2018 16:15:00 -0700

Kubernetes expert Will Boyd joins us to explain the top 3 things to know about Kubernetes, when it’s the right tool for the job, and building highly available production grade clusters.

Plus the privacy improvements that could be coming to HTTPS, and a new SSH auditing tool hits the open source scene.

Special Guest: Will Boyd.

Links:

Open Sourcing HASSH — HASSH is a network fingerprinting standard invented within the Detection Cloud team at Salesforce.
ESNI: A Privacy-Protecting Upgrade to HTTPS — Today, Cloudflare is announcing a major step toward closing this privacy hole and enhancing the privacy protections that HTTPS offers. Cloudflare has proposed a technical standard for encrypted SNI, or “ESNI,” which can hide the identities of the sites you visit—particularly when a large number of sites are hosted on a single set of IP addresses
What's new in Kubernetes 1.12?
Kubernetes the Hard Way — Kubernetes The Hard Way guides you through bootstrapping a highly available Kubernetes cluster with end-to-end encryption between components and RBAC authentication.
Install Minikube
Creating a single master cluster with kubeadm
10 open-source Kubernetes tools for highly effective SRE and Ops Teams
Clonezilla — Clonezilla is a partition and disk imaging/cloning program similar to True Image or Norton Ghost.

Episode 381: Here Comes Cloud DNS

Jupiter Broadcasting — Wed, 29 Aug 2018 15:45:00 -0700

To make DNS more secure, we must move it to the cloud! At least that’s what Mozilla and Google suggest. We breakdown DNS-over-HTTPS, why it requires a “cloud” component, and the advantages it has over traditional DNS.

Plus new active attacks against Apache Struts, and a Windows 10 zero-day exposed on Twitter.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Firefox Nightly Secure DNS Experimental Results
DNS-over-HTTPS
DNS over HTTPS
A cartoon intro to DNS over HTTPS
Discussion of draft-ietf-doh-dns-over-https in the IETF's DOH Working Group
High performance DNS over HTTPS client & server
Cloudflare Resolver for Firefox
Active Attacks Detected Using Apache Struts Vulnerability CVE-2018-11776
Windows 10 Zero-Day Vulnerability Exposed On Twitter
Netdata: Get control of your servers. — netdata is a system for distributed real-time performance and health monitoring. It provides unparalleled insights, in real-time, of everything happening on the system it runs (including applications such as web and database servers), using modern interactive web dashboards.
State of Software Distribution - 2018 — Few enterprises possess the ability to deploy the latest software and security patches at scale, putting their cybersecurity and business performance at risk. In the 2018 State of Software Distribution Report, we explore why IT decision makers say they struggle to keep up with the software distribution needs of the modern enterprise.

Episode 380: Terminal Fault

Jupiter Broadcasting — Thu, 16 Aug 2018 16:30:00 -0700

Microsoft’s making radical changes to Windows 10, and a new type of speculative execution attack on Intel’s processors is targeting cloud providers.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 379: SegmentSmack is Whack

Jupiter Broadcasting — Fri, 10 Aug 2018 14:30:00 -0700

Take down a Linux or FreeBSD box with just 2kpps of traffic, own Homebrew in 30 minutes, and infiltrate an entire network via the Inkjet printers.

It’s a busy TechSNAP week.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 378: Two-Factor Fraud

Jupiter Broadcasting — Thu, 02 Aug 2018 18:30:00 -0700

Reddit’s Two Factor procedures fail, while Google’s prevents years of attacks. We’ll look at the different approaches, and discuss the fundamental weakness of Reddit’s approach.

Plus a Spectre attack over the network, BGP issues take out Telegram, and more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 377: Linux Under Pressure

Jupiter Broadcasting — Wed, 01 Aug 2018 10:30:00 -0700

Some new tools will give you better insights into your system under extreme load, and we flash back to the days of AOL and discuss the new way social hackers are spreading malware.

Plus the death of a TLD, the return of SamSam, and more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

psi: pressure stall information for CPU, memory, and IO v2 — PSI aggregates and reports the overall wallclock time in which the tasks in a system (or cgroup) wait for contended hardware resources.
Chinese “hackers” are sending malware via snail mail — The trick is simple: a package arrives with a Chinese postmark containing a rambling message and a small CD. The CD, in turn, contains a set of Word files that include script-based malware. These scripts run when the victims access them on their computers, presumably resulting in compromised systems.
The death of a TLD
SamSam: The (almost) $6 million ransomware — Through original analysis, interviews and research, and by collaborating closely with industry partners and a specialist cryptocurrency monitoring organisation, Sophos has uncovered new details about how the secretive and sophisticated SamSam ransomware is used, who’s been targeted, how it works and how it’s evolving.
Open sourcing oomd, a new approach to handling OOMs — As our infrastructure has scaled, we’ve found that an increasing fraction of our machines and networks span multiple generations. One side effect of this multigenerational production environment is that a new software release or configuration change might result in a system running healthily on one machine but experiencing an out-of-memory (OOM) issue on another.
Tyler's recent job story

Episode 375: Surprise Root Access

Jupiter Broadcasting — Thu, 19 Jul 2018 20:15:00 -0700

Google's Cloud Platform suffers an outage, and iPhones in India get owned after a very specific attack.

Plus how a malware author built a massive 18,000 strong Botnet in one day, and Cisco finds more "undocumented" root passwords.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 374: Quantum Resistant Encryption

Jupiter Broadcasting — Fri, 13 Jul 2018 05:00:00 -0700

Good progress is being made on post-quantum resilient computing. We’ll explain how they’re achieving it, the risks facing traditional cryptography.

Plus how bad defaults led to the theft of military Drone docs, new attacks against LTE networks, more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 373: FreeBSD Already Does That

Jupiter Broadcasting — Thu, 05 Jul 2018 07:45:00 -0700

Allan Jude and Wes sit-down for a special live edition of the TechSNAP program.

Joined by Jed and Jeff they have a wide ranging organic conversation.

Special Guest: Allan Jude.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Episode 372: Logs and Metrics and Traces, Oh My!

Jupiter Broadcasting — Thu, 14 Jun 2018 16:45:00 -0700

Netflix has learned the hard way how to utilize all the logs, we cover their lessons in their journey to build a fully observable system.

Plus the Lazy State FPU bug that cropped up this week, backdoored Docker images, your questions, and more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 371: They Never Learn

Jupiter Broadcasting — Thu, 07 Jun 2018 15:15:00 -0700

Microsoft puts a data center under the ocean, and they might be onto something. The Zip Slip vulnerability sneaks into your software, and VPNFilter turns out to be more complicated than first known.

Plus the mass exploit of Drupalgeddon2 continues, we break down why, a batch of questions, and more.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Episode 370: Hidden in Plain Sight

Jupiter Broadcasting — Fri, 01 Jun 2018 08:00:00 -0700

We explain how the much hyped VPNFilter malware actually works, and its rather surprising sophistication.

Plus a clear break down of the recent Kubernetes news, how a 40 year old tel-co protocol is being abused today, and a Git vulnerability you should know about.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 369: Another Pass at Bypass

Jupiter Broadcasting — Wed, 23 May 2018 14:00:00 -0700

We’ll explain how Speculative Store Bypass works, and the new mitigation techniques that are inbound.

Plus this week’s security news has a bit of a theme, and we share some great war stories sent into the show.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Episode 368: EFail Explained

Jupiter Broadcasting — Tue, 15 May 2018 12:45:00 -0700

The EFail hype-train has hit hypersonic speed, we’ll tap the breaks and explain who disclosed it, what it is, what it’s not, our recommendations, and early reactions.

Plus things to consider when deciding on-premises vs a cloud deployment, and the all business gadget from 1971 that kicked off the consumer electronics revolution.

Links:

The HP-35 — Consumer Electronics, an Origin Story
The people cost of building out a Kubernetes cluster on-prem | Operos
EFAIL — EFAIL describes vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that leak the plaintext of encrypted emails.
efail-attack-paper.pdf
GnuPG Efail press release Response
No, PGP is not broken, not even with the Efail vulnerabilities - ProtonMail Blog — Recently, news broke about potential vulnerabilities in PGP, dubbed Efail. However, despite reports to the contrary, PGP is not actually broken, as we will explain in this post.
Eric's War Story is VERY Familiar
When it rains it pours for Steve
Critical Cisco WebEx Bug Allows Remote Code Execution
Cisco WebEx and 3rd Party Support Utilities

Episode 367: FreeNAS Uber Build

Jupiter Broadcasting — Tue, 08 May 2018 17:00:00 -0700

Our FreeNAS build is complete and Allan’s back to cover the final details. Plus the new GPU attack against Android phones, and a perfect example of poor IoT security.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Drive-by Rowhammer attack uses GPU to compromise an Android phone | Ars Technica — JavaScript based GLitch pwns browsers by flipping bits inside memory chips.
Rooting a Logitech Harmony Hub — Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network
A Complete Guide to FreeNAS Hardware Design, Part I: Purpose and Best Practices — If it’s imperative that your ZFS based system must always be available, ECC RAM is a requirement. If it’s only some level of annoying (slightly, moderately…) that you need to restore your ZFS system from backups, non-ECC RAM will fit the bill.
FreeNAS: A Worst Practices Guide
Jason likes Hubble
Bryan Nuked an email server once...
Humble Book Bundle: DevOps by Packt (pay what you want and help charity) — This software engineering bundle is Packt with information! Streamline your processes with ebooks like Automate it!, DevOps for Networking, Mastering Ansible, and Continuous Delivery with Docker and Jenkins. You'll also get helpful videos including Mastering DevOps, Mastering Windows PowerShell 5 Administration, Learning Kubernetes, and more.

Episode 366: Catching up with Allan

Jupiter Broadcasting — Wed, 02 May 2018 15:00:00 -0700

We catch up with Allan Jude and he shares stories of hunting network bottlenecks, memories of old firewalls, and some classic ZFS updates.

Plus the vulnerabilities found in Volkswagen cars, and the lengths a security research went to create the ultimate honeypot laptop.

Special Guest: Allan Jude.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Volkswagen and Audi Cars Vulnerable to Remote Hacking — esearchers also gained access to the IVI system's root account, which they say allowed them access to other car data.
It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out. — For the last two years, I have carried a “honeypot” laptop with me every time I’ve traveled; this computer was intended to attract (and then detect) tampering.
chipsec — Platform Security Assessment Framework
UEFITool — UEFI firmware image viewer and editor
Haven Project — Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy, through an Android app and on-device sensors
Mr S. Delivers on his DO FreeNAS Guide
OZ Shares a War Story
Dave's REALLY Close Call...
Karl Gives us the CTO View on new Hires
Our Approach to Employee Security Training | PagerDuty — These are both training courses that we developed in-house and delivered ourselves.

Episode 365: The Unfixable Exploit

Jupiter Broadcasting — Tue, 24 Apr 2018 17:00:00 -0700

Hardware flaws that can’t be solved, human errors at the physical layer, and spoofing cellular networks with a $5 dongle.

Sponsored By:

iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Sysadmin unplugged wrong server, ran away, hoped nobody noticed • The Register — ‘I was a snot-nosed kid fresh out of college and thought I knew everything!’
Spoofing Cell Networks with a USB to VGA Adapter | Hackaday — Available through the usual overseas suppliers for as little has $5 USD, these devices can be used unmodified to transmit low-power FM, DAB, DVB-T, GSM, UMTS and GPS signals.
ShofEL2, a Tegra X1 and Nintendo Switch exploit — The Tegra X1 (also known as Tegra210) SoC inside the Nintendo Switch contains an exploitable bug that allow taking control over early execution, bypassing all signature checks.
Atlanta spends more than $2 million to recover from ransomware attack — . It appears that firms Secureworks and Ernst & Young were paid $650,000 and $600,000, respectively, for emergency services while Edelman was paid $50,000 for crisis communication services. Overall, the funds seemingly applied to the ransomware attack response add up to approximately $2.7 million.
Google Chrome 66 Released Today Focuses on Security — The biggest change is that Google Chrome will start showing SSL certificate errors for all Symantec certs issued before June 1, 2016. This is "stage two" of Google's long-term plan on distrusting Symantec certificates altogether.
Where to get started with monitoring?
defunkt uses a fool tools for his network
Brian shares some love for Zabbix
VMware Patches Pwn2Own VM Escape Vulnerabilities — VMware on Tuesday patched a series of vulnerabilities uncovered earlier this month at Pwn2Own. The flaws enabled an attacker to execute code on a workstation and carry out a virtual machine escape to attack a host server.
balena - A Moby-based container engine for IoT — A Moby-based container engine for IoT

Episode 364: The Case for Monitoring

Jupiter Broadcasting — Wed, 18 Apr 2018 12:00:00 -0700

We cover all the bases this week in our TechSNAP introduction to server monitoring.

Why you should monitor, what you should monitor, the basics of Nagios, the biggest drawbacks of Nagios, its alternatives, and our lessons learned from the trenches.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Why Bother with Server Monitoring? — Once a network or server has been installed, how do you know it is working as it should? Just like a car or any appliance, it may need maintenance or parts replaced to keep it in top working order. Network and server monitoring allows the Network Administrator to see how hardware and software are performing. We can look for certain signs or warnings that the system is not working efficiently and take action to fix things to prevent system degradation or failure.
What is Nagios? — Monitoring of network services such as SMTP, POP2, HTTP, NNTP, ICMP, SNMP, FTP, SSH.
A Real Example Of Nagios Monitoring — There are two major problems the monitoring solves: alerting and trending. Alerting is to notify the person in charge about a major event like service failing to work. Trending is to track the change of something over time – disk or memory usage, replication lag etc.
graphios — A program to send nagios perf data to graphite (carbon) / statsd / librato / influxdb
Sensu — Sensu’s platform is the solution to the monitoring problems you’re facing today, and the right foundation for your organization tomorrow. From bare metal to Kubernetes—get complete visibility across every system, every protocol, every time.
Sensu: Finally the Nagios Replacement I Have Been Looking For! – Chariot Solutions
Icinga 2 — With the RESTful API of Icinga 2 you can update your configurations on the fly or show live information about current problems on your custom dashboards. You can process check results from third party tools or tell the Core to run actions interactively. The interface is secured with SSL. Access control can be configured fine grained and per user.
Nagios Vs. Icinga: the real story of one of the most heated forks in free software
Phill Barber's Blog: Nagios vs Sensu vs Icinga2
Prometheus — Power your metrics and alerting with a leading open-source monitoring solution.
nagios - Docker Hub — Nagios Core with Nagiosgraph, check_nrpe, custom checks & XMPP Notifications
Previous TechSNAP Coverage: Keeping it Up | TechSNAP 20
Dax was inspired by last weeks episode

Episode 363: Tips from the Top

Jupiter Broadcasting — Thu, 12 Apr 2018 13:00:00 -0700

Getting started or getting ahead in IT is a moving target, so we’ve crowd sourced some of the best tips and advice to help.

Plus a tricky use of zero-width characters to catch a leaker, a breakdown of the new BranchScope attack, and a full post-mortem of the recent Travis CI outage.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Invisibly inserting usernames into text with Zero-Width Characters — Zero-width characters are invisible, ‘non-printing’ characters that are not displayed by the majority of applications.
Incident Post-Mortem and Security Advisory — On Tuesday, 13 March 2018 at 12:04 UTC a database query was accidentally run against our production database which truncated all tables.
As predicted, more branch prediction processor attacks are discovered — New attack focuses on a different part of the branch prediction system.
BranchScope: A New Side-Channel Attack on Directional Branch Predictor - asplos18.pdf
Mathew has a neat use for Terraform
Del says Learn just one thing...
Mat Man has some great tips
Ben says you might already be doing it
Mr S with a advice from recruiting stand point.

Episode 362: Rebuilding it Better

Jupiter Broadcasting — Thu, 05 Apr 2018 04:00:00 -0700

It’s a TechSNAP introduction to Terraform, a tool for building, changing, and versioning infrastructure safely and efficiently.

Plus a recent spat of data leaks suggest a common theme, Microsoft’s self inflicted Total Meltdown flaw, and playing around with DNS Rebinding attacks for fun.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

The Under Armour Hack Was Even Worse Than It Had To Be — When Under Armour announced that its nutrition app MyFitnessPal had suffered a data breach impacting the information of roughly 150 million users, things actually didn't seem so bad.
Panerabread.com Leaks Millions of Customer Records — Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.
No, Panera Bread Doesn’t Take Security Seriously – PB — This post establishes a canonical timeline so subsequent reporting doesn’t get confused.
Total Meltdown — In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself.
Terraform by HashiCorp — HashiCorp Terraform enables you to safely and predictably create, change, and improve infrastructure. It is an open source tool that codifies APIs into declarative configuration files that can be shared amongst team members, treated as code, edited, reviewed, and versioned.
Terraforming 1Password - AgileBits Blog — Most of the 2 hours and 39 minutes of downtime were related to data migration. The 1Password.com database is just under 1TB in size (not including documents and attachments), and it took almost two hours to complete the snapshot and restore operations.
Whonow — A malicious DNS server for executing DNS Rebinding attacks on the fly

Episode 361: It's All in the Log

Jupiter Broadcasting — Thu, 29 Mar 2018 08:00:00 -0700

Embarrassing flaws get exposed when the logs get reviewed, Atlanta city government gets shut down by Ransomware, and the cleverest little Android malware you’ll ever meet.

Plus we go from a hacked client to a Zero-day discovery, answer some questions, ask a few, and more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes — My verification test is below. Note that it gets stored in on-disk, collected logs (non-volatile logs).
Thousands of servers found leaking 750MB worth of passwords and keys — Leaky etcd servers could be a boon to data thieves and ransomware scammers.
Atlanta city government systems down due to ransomware attack — FBI called in as some city services are interrupted, employees told to turn off PCs.
Android malware found inside apps downloaded 500,000 times | ZDNet — Cybercriminals have distributed malware to hundreds of thousands of Android users by hiding it inside a series of apparently harmless apps.
From hacked client to 0day discovery — The client’s account had been blocked because it was spotted sending spam. Once connected to the service, it was clear that the monthly quota of the account was almost reached and that the latest emails sent shown on the dashboard had content that were clearly spam.
Listener Feedback from Jeff S
Listener Feedback from Tyler

Episode 360: AMD Flaws Explained

Jupiter Broadcasting — Thu, 22 Mar 2018 12:00:00 -0700

We cut through the noise and explain in clear terms what’s really been discovered. The botched disclosure of flaws in AMD products has overshadowed the technical details of the vulnerabilities, and we aim to fix that..

Plus another DNS Rebinding attack is in the wild and stealing Ethereum, Microsoft opens up a new bug bounty program, Expedia gets hacked, and we perform a TechSNAP checkup.

Sponsored By:

iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Microsoft Offers New Bug Bounties for Spectre, ... — Microsoft last week announced new bug bounties for speculative execution side-channel vulnerabilities. These vulnerabilities, of which Spectre and Meltdown were the first known examples, represent a new class of problem and Microsoft would like to know what else might be lurking in the neighborhood.
Microsoft patches RDP vulnerability. — Microsoft announced this week that they’ve released a preliminary fix for a vulnerability rated important, and present in all supported versions of Windows in circulation (basically any client or server version of Windows from 2008 onward).
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years — For at past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature.
Firefox Lockbox Extension — The Lockbox extension is a simple, stand-alone password manager that works with Firefox for desktop. It’s the first of several planned experiments designed to help us test and improve password management and online security.
How your ethereum can be stolen through DNS rebinding — Most of the ethereum clients run a JSON-RPC service on port 8545 on localhost, but since it’s on localhost, we can’t access it directly from user’s browser due to SOP.
TechSNAP Episode 353: Too Many Containers
“AMD Flaws” Technical Summary | Trail of Bits Blog — Most of the discussion after the public announcement of the vulnerabilities has been focused on the way they were disclosed rather than their technical impact. In this post, we have tried to extract the relevant technical details from the CTS whitepaper so they can be of use to the security community without the distraction of the surrounding disclosure issues.
Ivan is not happy with our memcrashed coverage — Discussion re:"memcrashed" on latest TechSNAP left me very mad. I think hosts did not properly explain the issue.
PSA: Chrome distrusts certificates issued by Symantec starting today — This was announced back in September for v66, but we have machines running 65.0.3325.162 that display the full page "NET::ERR_CERT_AUTHORITY_INVALID" warning so it seems they jumped the gun a bit.
Follow up: fail2ban AWS access controls
Mr S Has a Handy pfSense how-to
Running pfSense on a DigitalOcean droplet

Episode 359: Netflix’s Dark Capacity

Jupiter Broadcasting — Thu, 15 Mar 2018 20:00:00 -0700

Netflix has a few tricks we can learn from, and the story of clever malware that was operating undetected since 2012.

Plus we discuss Let's Encrypt’s Wildcard support and explain what ACME v2 is.

Then we detail the bad position Samba 4 admins are in, and the real cause of these recent 1.7Tbps DDoS attacks.

Sponsored By:

Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Hardcoded Password Found in Cisco Software — Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.
Potent malware that hid for six years spread through routers — "The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor."
CVE 2018-1057: Authenticated Samba users can change other users' password — On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts (eg Domain Controllers).
CVE-2018-1057 - SambaWiki Workarounds — Revoke the change passwords right for 'the world' from all user objects (including computers) in the directory, leaving only the right to change a user's own password.
ACME v2 and Wildcard Certificate Support is Live — We’re pleased to announce that ACMEv2 and wildcard certificate support is live!
It just got much easier to wage record-breaking DDoSes — Within days of the new technique going public, security firms reported it being used in a record-setting 1.3 terabit-per-second DDoS against Github and then, two days later, a record-topping 1.7 Tbps attack against an unnamed US-based service provider.
The real cause of large DDoS — All the gigantic headline-grabbing attacks are what we call "L3" (Layer 3 OSI[1]). This kind of attack has a common trait - the malicious software sends as many packets as possible onto the network.
Project Nimble – Netflix TechBlog — We set ourselves an aggressive goal of being able to fail over traffic in less than 10 minutes.
Follow Up: Alex has a tip for Alex
Question: Oliver asks about a fail2ban replacement
S3Scanner — Scan for open S3 buckets and dump
Chromium is also a Snap

Episode 358: A Future Without Servers

Jupiter Broadcasting — Thu, 01 Mar 2018 08:00:00 -0800

The term serverless gets thrown around a lot, but what does it really mean? What are the benefits and the drawbacks? It’s a TechSNAP introduction to Serverless Architecture.

Plus new research with ideas to dramatically improve private web browsing, the growing problem of tracking security vulnerabilities with CVE’s, and much more!

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

Revamp of 'Pwned Passwords' Boosts Privacy and Size of Database — In V2 of Pwned Passwords, launched last week, Hunt updated his password data set from 320 million passwords to 501 million new passwords, pulled from almost 3,000 breaches over the past year.
Finding Pwned Passwords with 1Password — Troy Hunt and his friends from Cloudflare found a brilliant way to check if my password is leaked without ever needing to send my password to their service. Their server never receives enough information to reconstruct my password.
Troy Hunt: I've Just Added 2,844 New Data Breaches With 80M Records To Have I Been Pwned
Apple’s China data migration includes iCloud keys, making data requests easier for authorities — Now, according to Apple, for the first time the company will store the keys for Chinese iCloud accounts in China itself. That means Chinese authorities will no longer have to use the U.S. courts to seek information on iCloud users and can instead use their own legal system to ask Apple to hand over iCloud data for Chinese users, legal experts said.
Microsoft’s Big Email Privacy Case Heads to the Supreme Court Tomorrow — The 2013 warrant involved a drug case, and the Justice Department asked Microsoft to turn over emails that were stored in its Ireland data center. Microsoft objected, arguing that the DoJ could not use a domestic warrant to conduct an international search and that it should instead acquire the data through a treaty process with the Irish government.
Researchers Propose Improved Private Web Browsing System — The newly proposed system keeps all the data that the browse loads into memory encrypted until it is displayed on the screen, the researchers say. Users no longer type a URL into the browser, but access the Veil website and enter the URL there. With the help of a blinding server, the Veil format of the requested page is transmitted.
Nearly 8,000 Security Flaws Did Not Receive a CVE ID in 2017 — A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
What is Serverless Architecture? What are its criticisms and drawbacks? — Serverless architectures refer to applications that significantly depend on third-party services (knows as Backend as a Service or “BaaS”) or on custom code that’s run in ephemeral containers (Function as a Service or “FaaS”), the best known vendor host of which currently is AWS Lambda.
Serverless Security: What's Left to Protect?
OpenFaaS - Serverless Functions Made Simple — Serverless Functions Made Simple for Docker and Kubernetes
open-lambda: An open source serverless computing platform — An open source serverless computing platform
Iron.io - DevOps Solutions from Startups to Enterprise
Apache OpenWhisk is a serverless, open source cloud platform
Feedback: David's Drive Tips
Question: Alex has BIG cloud storage requirements....
Crostini - Linux App Containers on ChromeOS — In other words, the Crostini/Terminal feature could be to Chrome OS what the Windows Subsystem for Linux is for Windows 10: a way that developers, power users, and Linux enthusiasts can run native Linux software on a device that’s not running a traditional Linux distribution.

Episode 356: The Concern with Containers

Jupiter Broadcasting — Thu, 15 Feb 2018 13:00:00 -0800

The problems containers can’t solve, nasty security flaws in Skype and Telegram, and Cisco discovers they have a bigger issue on their hands then first realized.

And the latest jaw-dropping techniques to extract data from air-gapped systems.

Sponsored By:

Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Skype can't fix a nasty security bug without a massive code rewrite — The bug grants a low-level user access to every corner of the operating system.
Zero-day vulnerability in Telegram — The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.
Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability — After further investigation, Cisco has identified additional attack vectors and features that are affected by this vulnerability. In addition, it was also found that the original fix was incomplete so new fixed code versions are now available.
Microsoft To Embrace Decentralized Identity Systems Built On Bitcoin And Other Blockchains — In a new post today, Microsoft announced their embrace of public blockchains, such as Bitcoin and Ethereum, for use in decentralized identity systems.
XRballer comments on The Stolen XRB has already been Redistributed/Sold Off — But this check was only on java-script client side, you find the js which is sending the request, then you inspect element - console, and run the java-script manually, to send a request for withdrawal of a higher amount than in your balance.
Containers Will Not Fix Your Broken Culture — Spoiler alert: the solutions to many difficulties that seem technical can be found by examining our interactions with others. Let's talk about five things you'll want to know when working with those pesky creatures known as humans.
Escaping Sensitive Data from Faraday-Caged, Air-Gapped Computers via Magnetic Fields — In this paper, we show how attackers can bypass Faraday cages and air-gaps in order to leak data from highly secure computers.
Feedback: BeyondCorp
Feedback: Mgmt
Feedback: SuperMicro Mobo?
Super Micro Computer X8DTN+

Episode 355: Operation FreeNAS Rescue

Jupiter Broadcasting — Thu, 08 Feb 2018 11:00:00 -0800

We save our FreeNAS Mini from the edge, and perform an emergency migration to much larger hardware.

Plus 12 tips for secure authentication, the future of network security where there is no LAN, a botnet exploiting Android ADB, and your questions.

Sponsored By:

iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

In just 24 hours, 5,000 Android devices are conscripted into mining botnet — A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines digital coins on behalf of the unknown attackers, researchers said.
12 best practices for user account, authorization and password management — Account management, authorization and password management can be tricky. For many developers, account management is a dark corner that doesn't get enough attention. For product managers and customers, the resulting experience often falls short of expectations.
Google’s Zero Trust 'BeyondCorp' Infrastructure Shows Future Of Network Security — Google started changing its network security policies to a new model of “zero trust,” which treats its own internal network as the insecure Internet. Google released a new paper detailing how this new model works for its network security policies.
Google dedicates engineering team to accelerate development of WordPress ecosystem — Google's partnership with WordPress aims to jump-start the platform's support of the latest web technologies -- particularly those involving performance & mobile experience. And they're hiring WordPress experts.
UNIXSurplus — UNIXSurplus is a multi-level provider of new and refurbished custom built servers, storage solutions and computer equipment.
FreeNAS Storage Operating System — FreeNAS is an operating system that can be installed on virtually any hardware platform to share data over a network. FreeNAS is the simplest way to create a centralized and easily accessible place for your data. Use FreeNAS with ZFS to protect, store, backup, all of your data. FreeNAS is used everywhere, for the home, small business, and the enterprise.

Episode 354: Here Come the Script Kiddies

Jupiter Broadcasting — Thu, 01 Feb 2018 18:00:00 -0800

AutoSploit has the security industry in a panic, so we give it a go. To our surprise we discover systems at the DOD, Amazon, and other places vulnerable to this automated attack. We’ll tell you all about it, and what these 400 lines of Python known as AutoSploit really do.

Plus injecting arbitrary waveforms into Alexa and Google Assistant commands, making WordPress bulletproof, and how to detect and prevent excessive port scan attacks.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!

Links:

Audio Adversarial Examples — We have constructed targeted audio adversarial examples on speech-to-text transcription neural networks: given an arbitrary waveform, we can make a small perturbation that when added to the original waveform causes it to transcribe as any phrase we choose.
Keylogger found on thousands of WordPress-based sites, stealing every keypress as you type — But, in a twist, this particular attack isn’t just interested in mining Monero. While the website’s front-end is digging for cryptocurrencies, the back-end is secretly hosting a keylogger designed to steal unsuspecting users’ login credentials.
Qubes Air: Generalizing the Qubes Architecture | Qubes OS — Qubes Air is the next step on our roadmap to making the concept of “Security through Compartmentalization” applicable to more scenarios. It is also an attempt to address some of the biggest problems and weaknesses plaguing the current implementation of Qubes, specifically the difficulty of deployment and virtualization as a single point of failure. While Qubes-as-a-Service is one natural application that could be built on top of Qubes Air, it is certainly not the only one. We have also discussed running Qubes over clusters of physically isolated devices, as well as various hybrid scenarios. I believe the approach to security that Qubes has been implementing for years will continue to be valid for years to come, even in a world of apps-as-a-service.
Making network authentication simple in a Bring Your Own Device environment — In this article, we explore in depth the challenges we faced regarding compatibility, security, and user experience, and the solutions we came up with. We explain how we combined 802.1X authentication (wired & wireless) and per-subscriber VLANs to offer our users a quality Internet experience.
“Autosploit” tool sparks fears of empowered “script kiddies” — "AutoSploit attempts to automate the exploitation of remote hosts."
AutoSploit: Automated Mass Exploiter — Clone the repo. Or deploy via Docker.
How To Use psad to Detect Network Intrusion Attempts — The key to using psad effectively is to configure danger levels and email alerts appropriately, and then follow up on any problems. This tool, coupled with other intrusion detection resources like tripwire can provide fairly good coverage to be able to detect intrusion attempts.
Portainer: Simple management UI for Docker
What is iSCSI (Internet Small Computer System Interface)

Episode 353: Too Many Containers

Jupiter Broadcasting — Thu, 25 Jan 2018 16:00:00 -0800

We introduce you to Kubernetes, what problems it solves, why everyone is talking about it, and where it came from. Also who shouldn’t be using Kubernetes, and the problems you can run into when scaling it.

Plus how you can store files in others DNS resolver cache, Project Zero finds a new BitTorrent client flaw, and more.

Sponsored By:

Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

DNSFS. Store your files in others DNS resolver caches — The DNSFS code is a relatively simple system, every file uploaded is split into 180 byte chunks, and those chunks are “set” inside caches by querying the DNSFS node via the public resolver for a TXT record. After a few seconds the data is removed from DNSFS memory and the data is no longer on the client computer.
BPF - the forgotten bytecode — BPF is an absolutely marvelous and flexible way of filtering packets.
dnsfs: Store your data in others DNS revolvers cache — Store your data in others DNS revolvers cache
Unauthenticated LAN remote code execution in AsusWRT — However due to a number of coding errors, it is possible for an unauthenticated attacker in the LAN to achieve remote code execution in the router as the root user.
AI is moving towards acceptance in cyber security, says Check Point — Artificial intelligence is well on its way to being a useful tool in the cyber security professional’s kit, but according to Check Point, there are still big challenges to overcome.
Alphabet is launching a new CyberSecurity unit. — Alphabet, the parent company of Google, announced today that they will be launching Chronicle, a new business unit that will focus on Cyber Security, using their servers and infrastructure. The new organization hopes to focus on machine learning and artificial intelligence to assist in the fight against cybercrime moving forward.
Google Project Zero claims new BitTorrent flaw could enable cyber crooks get into users' PCs — According to Project Zero, the client is vulnerable to a DNS re-binding attack that effectively tricks the PC into accepting requests via port 9091 from malicious websites that it would (and should) ordinarly ignore.
CVE-2018-5702: Mitigate dns rebinding attacks against daemon by taviso · Pull Request #468
Blizzard Fixes DNS Rebinding Flaw that Put All the Company's Users at Risk
What is DNS rebinding, in layman's terms?
An Introduction to Kubernetes — Kubernetes, at its basic level, is a system for managing containerized applications across a cluster of nodes. In many ways, Kubernetes was designed to address the disconnect between the way that modern, clustered infrastructure is designed, and some of the assumptions that most applications and services have about their environments.
What is Kubernetes? — Kubernetes was originally developed and designed by engineers at Google. Google was one of the early contributors to Linux container technology and has talked publicly about how everything at Google runs in containers. (This is the technology behind Google’s cloud services.) Google generates more than 2 billion container deployments a week—all powered by an internal platform: Borg. Borg was the predecessor to Kubernetes and the lessons learned from developing Borg over the years became the primary influence behind much of the Kubernetes technology.
Scaling Kubernetes to 2,500 Nodes — We’ve been running Kubernetes for deep learning research for over two years. While our largest-scale workloads manage bare cloud VMs directly, Kubernetes provides a fast iteration cycle, reasonable scalability, and a lack of boilerplate which makes it ideal for most of our experiments.
Feedback: Talk more about Windows — I listened to your intro to change management and it seemed like it will be very Linux centric ("everything is she"). I'm future segments, please try to include windows desktop and server OS as well.
Question: Starting with Ansible Quick — Are there any way to get started other than writing a playbook and trying it out with trial and error?
Ansible Best Practises: A project structure that outlines some best practises of how to use ansible — A project structure that outlines some best practises of how to use ansible
ansible-console: An Interactive REPL for Ansible — omething found out recently is that Ansible has an interactive REPL of sorts in ansible-console for doing some adhoc things on a collection of hosts.
Introduction To Ad-Hoc Commands — Ansible Documentation — An ad-hoc command is something that you might type in to do something really quick, but don’t want to save for later.
About the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan - Apple Support — This document describes the security content of macOS High Sierra 10.13.3, Security Update 2018-001 Sierra, and Security Update 2018-001 El Capitan.

Episode 352: Stop Using apt-get

Jupiter Broadcasting — Mon, 22 Jan 2018 21:00:00 -0800

And start using configuration management. Embrace reproducibility of systems, and streamlined management with TechSNAP’s introduction to Configuration Management.

Plus the news of the week that could impact your systems, feedback, and more.

Sponsored By:

Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com

Links:

SamSam Ransomware Hits Hospitals, City Councils, ICS Firms — The SamSam crew usually scans the Internet for computers with open RDP connections and they break into networks by brute-forcing these RDP endpoints to spread to more computers.
RDP hijacking — how to hijack RDS and RemoteApp sessions transparently to move through an… — How you can very easily use Remote Desktop Services to gain lateral movement through a network, using no external software.
EFF and Lookout Uncover New Malware Espionage Campaign Infecting Thousands Around the World — The trojanized apps, including Signal and WhatsApp, function like the legitimate apps and send and receive messages normally. However, the fake apps also allow the attackers to take photos, retrieve location information, capture audio, and more.
Lenovo Discovers and Removes Backdoor in Networking Switches — Lenovo engineers have discovered a backdoor in the firmware of RackSwitch and BladeCenter networking switches. The company released firmware updates earlier this week.
Intel says Meltdown / Spectre patch causes reboots in computers with newer processors too — Data center performance can degrade by up to 25 percent for certain workloads.
VMware pulled Spectre patches on Friday. — Affected updates are the ones for ESXi under VMSA-2018-0004 that contained CPU microcode. Despite these being the affected patches, all of the patches under VMSA-2018-004 have been pulled.
Spectre Mitigation Added To GCC 8, Seeking Backport To GCC 7 — The set of Spectre mitigation patches for the GNU Compiler Collection (GCC) were accepted to mainline and will be part of GCC 8 with the GCC 8.1 stable release that will likely be due out around March. This is on top of many other changes/features of GCC 8.
New Linux Method to Check your System — grep . /sys/devices/system/cpu/vulnerabilities/*
AMD Processor Security — AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week.
Skyfall and Solace
An Introduction to Configuration Management | DigitalOcean — As a broader subject, configuration management (CM) refers to the process of systematically handling changes to a system in a way that it maintains integrity over time. Even though this process was not originated in the IT industry, the term is broadly used to refer to server configuration management
Configuration Management on the Desktop — It installs GNOME, sets up my wallpaper, applies my GTK/icon themes, sets up my keyboard shortcuts, etc. It also sets up my SSH keys, user dotfiles, OpenSSH config, and much more.

Episode 351: Performance Meltdown

Jupiter Broadcasting — Thu, 11 Jan 2018 16:00:00 -0800

The types of workloads that will see the largest performance impacts from Meltdown, tools to test yourself, and the outlook for 2018.

Plus a concise breakdown of Meltdown, Spectre, and side-channel attacks like only TechSNAP can.

Then we run through the timeline of events, and the scuttlebutt of so called coordinated disclosure. We also discuss yet another security issue in macOS High Sierra, a backdoor in popular storage appliances, your questions, and more!

Sponsored By:

Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

Meltdown and Spectre — Meltdown and Spectre exploit critical vulnerabilities in modern processors.
The Meltdown and Spectre CPU Bugs, Explained
How we got to Spectre and Meltdown A Timeline My version of the timeline... — My version of the timeline on Spectre Meltdown. This post will be updated! If you want to add/correct something, please comment.
How Tier 2 cloud vendors banded together to cope with Spectre and Meltdown | TechCrunch — Eventually six cloud providers — Scaleway, DigitalOcean, Packet, Vultr, Linode and OVH — formed a consortium of sorts to help one another and share information. In order to make the process more efficient, they started a Slack channel with CEOs, CTOs and engineers from the various companies sharing information and fixes as they became available.
FreeBSD was made aware of Meltdown and Spectre in late December. There's currently no ETA for mitigation. — It looks like Dragonfly BSD has a patch, so hopefully that will be useful for FreeBSD.
heads up: Fix for intel hardware bug will lead to performance regressions — Upcoming versions of the linux kernel (and apparently also windows and others), will include new feature that apparently has been implemented with haste to work around an intel hardware bug.
AWS Developer Forums: Degraded performance — Immediately following the reboot my server running on this instance started to suffer from cpu stress.
Google is pushing Retpoline — With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.
PCID is now a critical performance/security feature on x86 — On any system that does not currently show "pcid" in the flags line of /proc/cpuinfo, Meltdown is a bigger issue than "install latest updates".
Spectre & Meltdown vulnerability/mitigation checker for Linux — A simple shell script to tell if your Linux installation is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
Microsoft PowerShell Script to check for Meltdown — To help customers verify that protections are enabled, Microsoft has published a PowerShell script that customers can run on their systems. Install and run the script by running the following commands.
Why Raspberry Pi isn't vulnerable to Spectre or Meltdown — To help us understand why, here’s a little primer on some concepts in modern processor design.
macOS High Sierra's App Store System Preferences Can Be Unlocked With Any Password — A bug report submitted on Open Radar this week has revealed a security flaw in the current version of macOS High Sierra that allows the App Store menu in System Preferences to be unlocked with any password.
Major macOS High Sierra Bug Allows Full Admin Access Without Password
WD My Cloud NAS devices have hard-wired backdoor — Lets anyone log in as user mydlinkBRionyg with the password abc12345cba.
Question: How could I measure all of these overhead performance hits? — My question: how could I measure all of these overhead performance hits, so I can put in a well educated request to adjust all of these components, so I have a computer that performs near its capacity?
Perfmon
Troubleshooting with the Windows Sysinternals Tools
ProcDump
Process Monitor - Replaces filemon
Question: MySQL Replication Woes — The problem is that during some larger deletes on the master, the tables on the slave get locked and the slave lag goes through the roof.. During this time all of my selects that have been sent to the slave are just sitting there and waiting for the table to unlock while the master is just fine.
Ask Noah 44: Red Hat with Brandon Johnson
BSD Now 228: The Spectre of Meltdown

Episode 349: All Natural Namespaces

Jupiter Broadcasting — Thu, 21 Dec 2017 19:00:00 -0800

Network Namespaces have been around for a while, but there may be be some very practical ways to use them that you’ve never considered. Wes does a deep dive into a very flexible tool.

Plus what might be the world’s most important killswitch, the real dollar values for stolen credentials and the 19 year old attack that’s back.

Sponsored By:

iXSystems: Get a system purpose built for you. Promo Code: Tell them we sent you!
Ting: Save $25 off a device, or get $25 in service credits! Promo Code: Visit techsnap.ting.com
Digital Ocean: Apply our promo snapocean after you create your account, and get a $10 credit. Promo Code: snapocean

Links:

The Market for Stolen Account Credentials — But oh, how times have changed! With dozens of sites in the underground now competing to purchase and resell credentials for a variety of online locations, it has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone.
Hackers shut down plant by targeting its safety system — FireEye reported that a plant of an unmentioned nature and location (other firms believe it's in the Middle East) was forced to shut down after a hack targeted its industrial safety system -- it's the first known instance of a breach like this taking place.
FireEye Report on TRITON — We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.
ROBOT Attack: 19-Year-Old Bleichenbacher Attack — Dubbed ROBOT (Return of Bleichenbacher's Oracle Attack), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers.
The ROBOT Attack - Offical Site
Robot-detect: Detection script for the ROBOT vulnerability — Tool to detect the ROBOT attack (Return of Bleichenbacher's Oracle Threat).
WannaCry: End of Year Retrospective — Since our Vantage team sinkholed and subsequently nullified the WannaCry attack on May 12th, 2017, we have been monitoring and maintaining the domain known as the WannaCry killswitch.
Why NSA spied on inexplicably unencrypted Windows crash reports — And, according to slides published this weekend by Der Spiegel, this information also includes crash reports from Microsoft's Windows Error Reporting facility built in to Windows.
Network namespaces — As the name would imply, network namespaces partition the use of the network—devices, addresses, ports, routes, firewall rules, etc.—into separate boxes, essentially virtualizing the network within a single running kernel instance.
namespaces - Linux manual page — A namespace wraps a global system resource in an abstraction that makes it appear to the processes within the namespace that they have their own isolated instance of the global resource. Changes to the global resource are visible to other processes that are members of the namespace, but are invisible to other processes. One use of namespaces is to implement containers.
Network Namespaces » ADMIN Magazine — With network namespaces, you can virtualize network devices, IPv4 and IPv6 protocol stacks, routing tables, ARP tables, and firewalls separately, as well as /proc/net, /sys/class/net/, QoS policies, port numbers, and sockets in such a way that individual applications can find a particular network setup without the use of containers.
How to Get the Network Namespace Associated With a Socket
Network devices as virtual Ethernet devices — Virtualize network devices as virtual Ethernet devices by configuring direct MacVTap connections or virtual switches.
Testing network software with pytest and Linux namespaces
Implementation of IEEE 802.1ab (LLDP) — LLDP is an industry standard protocol designed to supplant proprietary Link-Layer protocols such as EDP or CDP. The goal of LLDP is to provide an inter-vendor compatible mechanism to deliver Link-Layer notifications to adjacent network devices.
WireGuard Routing & Network Namespaces — This allows for some very cool properties. Namely, you can create the WireGuard interface in one namespace (A), move it to another (B), and have cleartext packets sent from namespace B get sent encrypted through a UDP socket in namespace A.
VRF for Linux — The concept of VRF was first introduced around 1999 for L3 VPNs, but it has become a fundamental feature for a networking OS. VRF provides traffic isolation at layer 3 for routing, similar to how you use a VLAN to isolate traffic at layer 2. Think multiple routing tables.
linux/vrf.txt at master · torvalds/linux · GitHub
Using VRFs with linux
Feedback - DHCPDECLINE over and over again
DHCP Snooping - Cisco
Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites — In a blog post published on Tuesday, WordFence security firm revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.