LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘DigiNotar’ Category

Stuffed War Stories | TechSNAP 33

Microsoft’s flawed code signing infrastructure puts your machine at risk; find out how.

A batch of great audience-submitted questions, and we share a few IT war stories!

All that and more, on this week’s TechSNAP!

Show Notes:

AT&T customer data targeted in attack

  • The attackers used automated scripts to attempt to determine if phone numbers were linked to AT&T online accounts
  • Attempts were made against approximately 1 million of AT&T’s 100 million customers
  • The attackers appeared to already have a database of usernames and passwords, and were attempting to use brute force to link those credentials to phone numbers, in order to gain access to the accounts
  • AT&T appears to lack any type of Intrusion Detection System, or automated defences that block an IP address after many failed login attempts. The millions of attempts were likely not launched from a single IP address, but the activity still should have been blocked well before 1 million accounts had attempts against them
  • AT&T does not believe attackers were able to gain access to any accounts, but they are still investigating

South Korea blocks young games after midnight

  • The so-called Cinderella law blocks users under the age of 16 from accessing online games after midnight
  • The articles are unclear about exactly how this is accomplished, but it appears it is enforced by the online gaming sites themselves, and teens using accounts created with their parents’ identities are not blocked
  • In South Korea, most websites require you to enter your national ID card number. Comments on sites cannot be left anonymously (previously covered on TechSNAP 23)
  • Is this a sign of the level of censorship we can look forward to in the future?

RSA 512-bit SSL certificates abused in the wild

  • SSL certificates signed by a few authorities (which have since had their trust revoked) have had their private keys factored
  • Once you possess the private key for an SSL certificate, you can use it to impersonate that site, and use any other capabilities that the certificate has
  • It was originally thought that the private keys were merely stolen by malware, but it seems that factoring RSA 512 has become somewhat trivial, taking only a matter of days or weeks with a reasonable cluster of modern machines. With malware authors having access to large botnets, or cloud computing platforms like Amazon EC2, these certificates can no longer be considered safe
  • A number of other vulnerable certificates were identified, many coming from DigiNotar, the certificate authority that was compromised by attackers and has since had its trust revoked and gone out of business.
  • Almost all SSL certificate authorities require at least a 2048-bit RSA key for new certificates
  • A normal HTTPS SSL certificate only has the ability to sign outbound messages, encipher symmetric keys, and verify its identity as a TLS client or server.
  • The problem with the certificates issued by the Digisign Server ID CA is that they lacked the basic key usage definitions and constraints. This allowed the certificates to be used for any purpose, including signing software. The certificates also lacked a properly defined CRL (Certificate Revocation List), so they could not be revoked.
  • The factored certificates were used to code-sign malware to remove or lessen the warnings given by Windows when the code is executed
  • The compromised certificates have been used as far back as March 2010, and Microsoft did not act until recently, revoking the trust in the CA. Microsoft will still accept 512-bit certificates without proper use definitions or constraints.
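
As an added example (not from the show notes), the following Python script builds two constructed self-signed certificates with the `cryptography` library (assumed installed) and audits them for exactly the defects described above: an RSA key below 2048 bits, no KeyUsage or ExtendedKeyUsage constraints (so the key is usable for code signing), and no CRL distribution point. The host names and CRL URL are made up, and the "legacy" certificate uses a 1024-bit key as a stand-in because some builds of the library refuse to generate 512-bit keys; the audit fails it for the same reason it would fail 512.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MIN_RSA_BITS = 2048  # the floor CAs now apply to new certificates


def _base_builder(common_name, key):
    """Self-signed builder; the subject stands in for a CA-issued server cert."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    start = datetime.datetime(2010, 3, 1, tzinfo=datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
    )


def make_legacy_cert():
    """Constructed stand-in for a Digisign Server ID style certificate:
    short RSA key, no KeyUsage, no ExtendedKeyUsage, no CRL distribution point.
    1024 bits is an assumption-driven stand-in for the 512-bit keys seen in
    the wild (some library builds refuse to generate keys that short)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    return _base_builder("legacy.example", key).sign(key, hashes.SHA256())


def make_modern_cert():
    """Constructed stand-in for a properly constrained HTTPS server certificate."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    builder = _base_builder("modern.example", key)
    # KeyUsage: sign handshake messages and encipher session keys, nothing else.
    builder = builder.add_extension(
        x509.KeyUsage(
            digital_signature=True, key_encipherment=True,
            content_commitment=False, data_encipherment=False,
            key_agreement=False, key_cert_sign=False, crl_sign=False,
            encipher_only=False, decipher_only=False,
        ),
        critical=True,
    )
    # ExtendedKeyUsage: TLS server/client only, so code signing is out of scope.
    builder = builder.add_extension(
        x509.ExtendedKeyUsage(
            [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]
        ),
        critical=False,
    )
    # CRL distribution point (constructed URL) so the certificate can be revoked.
    builder = builder.add_extension(
        x509.CRLDistributionPoints([
            x509.DistributionPoint(
                full_name=[x509.UniformResourceIdentifier("http://crl.example/ca.crl")],
                relative_name=None, reasons=None, crl_issuer=None,
            )
        ]),
        critical=False,
    )
    return builder.sign(key, hashes.SHA256())


def _extension_value(cert, cls):
    """Return the extension's value, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def audit_certificate(cert):
    """Return finding codes for the weaknesses described above; [] means clean."""
    findings = []
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey) and pub.key_size < MIN_RSA_BITS:
        findings.append("WEAK_RSA_KEY")  # short moduli are factorable in days or weeks
    if _extension_value(cert, x509.KeyUsage) is None:
        findings.append("NO_KEY_USAGE")  # nothing limits what the key may be used for
    eku = _extension_value(cert, x509.ExtendedKeyUsage)
    # An absent ExtendedKeyUsage places no restriction on purpose at all.
    if eku is None or ExtendedKeyUsageOID.CODE_SIGNING in eku:
        findings.append("USABLE_FOR_CODE_SIGNING")
    if _extension_value(cert, x509.CRLDistributionPoints) is None:
        findings.append("NO_CRL_DISTRIBUTION_POINT")  # no way to publish a revocation
    return findings


if __name__ == "__main__":
    for label, cert in (("legacy", make_legacy_cert()), ("modern", make_modern_cert())):
        print(label, audit_certificate(cert) or ["OK"])
```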

Feedback:

Q: Do you guys trust Internet aggregator services?
A: It depends on the level of security they employ. Most of these sites are not very forthcoming with details on how they secure your data, or even how they work. A better solution would be something like OAuth, which allows you to grant only certain permissions to each specific site and to easily revoke a site’s access to your accounts.

Q: SSH on Port 2222?
A: Using a different port does reduce the number of attacks from automated bots, but it will not stop anyone targeting you specifically. The solution is always to use a protection system such as DenyHosts, SSHGuard or Fail2Ban. Also, if it makes sense in your setup, disable password authentication entirely and only use SSH keys. Note: you should still use DenyHosts to prevent an aggressive botnet from bogging down your SSH server so that legitimate users cannot log in. This used to happen to one of my servers that had 250 IP addresses: the bots would attack each IP at the same time, creating 1,000 SSH connections at once.
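
As an added example (not from the show), here is a small Python detector in the spirit of DenyHosts and Fail2Ban, run over constructed sshd log lines: it bans any single IP that racks up too many failures inside a time window and, separately, raises a global alarm when the failures from all sources together spike, which is the distributed pattern in the AT&T story above and the 250-address botnet anecdote in this answer. The log lines, addresses, thresholds and the log year are all constructed or assumed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the default OpenSSH auth-log line format; the year is not logged.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
LOG_YEAR = 2011  # assumed, since syslog timestamps carry no year


def parse_line(line):
    """Return (timestamp, user, ip, failed) or None for lines we ignore."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m["user"], m["ip"], m["result"] == "Failed"


def detect(lines, per_ip_limit=5, global_limit=20, window=timedelta(seconds=60)):
    """Sliding-window failed-login detection.

    Returns (banned, alarms). `banned` maps a source IP to the time it exceeded
    per_ip_limit failures inside `window` (what DenyHosts/Fail2Ban act on).
    `alarms` lists times when failures from ALL sources together exceeded
    global_limit, which is how a distributed sweep shows up even though no
    single IP is noisy enough to be banned.
    """
    per_ip = defaultdict(deque)
    everyone = deque()
    banned, alarms = {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or not parsed[3]:
            continue  # unrelated line or a successful login
        ts, _user, ip, _failed = parsed
        for q in (per_ip[ip], everyone):
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()  # expire failures older than the window
        if ip not in banned and len(per_ip[ip]) > per_ip_limit:
            banned[ip] = ts
        if len(everyone) > global_limit and (not alarms or ts - alarms[-1] > window):
            alarms.append(ts)  # at most one alarm per window
    return banned, alarms


def constructed_log():
    """Constructed sample log: one noisy IP, then a slow sweep from 25 IPs."""
    base = datetime(LOG_YEAR, 11, 20, 10, 0, 0)

    def line(sec, result, user, ip, method="password"):
        ts = (base + timedelta(seconds=sec)).strftime("%b %d %H:%M:%S")
        return (f"{ts} host sshd[{1000 + sec}]: {result} {method} for {user} "
                f"from {ip} port {50000 + sec} ssh2")

    lines = [line(0, "Accepted", "alice", "198.51.100.7", "publickey")]
    # six failures from one address in six seconds: crosses per_ip_limit
    lines += [line(s, "Failed", "root", "203.0.113.5") for s in range(1, 7)]
    # 25 failures from 25 different addresses over 48 seconds: one each, so no
    # per-IP ban, but together they cross global_limit
    lines += [line(100 + 2 * i, "Failed", "admin", f"192.0.2.{i + 1}")
              for i in range(25)]
    return lines


if __name__ == "__main__":
    banned, alarms = detect(constructed_log())
    print("banned:", {ip: t.strftime("%H:%M:%S") for ip, t in banned.items()})
    print("global alarms:", [t.strftime("%H:%M:%S") for t in alarms])
```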

Q: Why not just one boot loader to rule them all?

Q: How do I get started in Tech Support?

War Story

Administering a Windows Server with your eyes closed

When ScaleEngine first started, we were in a much smaller local data center. One of the disadvantages of this data center was that they did not provide KVM carts; in order to work on a server, you had to remove it from the rack and take it over to a little desk in the corner with a monitor and keyboard, but no network connection. At our new data center, we have KVM carts we can take over to our rack to work on servers without disconnecting them. If we need to disassemble a server, they provide a nice large quiet work area with ample power, ethernet drops and free coffee.

I had just built two new Windows 2008 R2 servers for one of our clients, and had installed them in the rack. I got them up and running, and they were serving their websites fine. However, I was not able to connect via Remote Desktop. How had I forgotten to enable Remote Desktop…

I really did not feel like waiting for the server to shut down (Windows servers take an extremely long time to shut down, partly because they overwrite the entire swap file for security reasons), then removing the server from the rack again, waiting for it to boot up, changing the settings, shutting down, etc.

So, I grabbed our spare USB keyboard and connected it to the server in the rack, balancing the keyboard on my left hand while typing with only my right, with no monitor. I waited 30 seconds for Windows to detect the keyboard, and then entered Control+Alt+Delete to open the login prompt. I heard the drive start ticking as it loaded the desktop, so I gave it a few minutes. Once I was logged in, I pressed Windows+R to open the Run prompt, and started cmd.exe. Then I issued the following commands, which I had arduously looked up on my old cell phone’s very limited browser.

netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable
netsh firewall add portopening TCP 3389 RDesktop enable any

I issued each command twice, in case I might have made a typo, even though I was typing as carefully and slowly as I could, as I was doing it with one hand on an unsteady keyboard. Then to test it, I used PocketPuTTY on my cell phone to SSH into one of my servers, and used netcat to see if port 3389 was open. It was. So I repeated the same procedure on the second Windows server and again verified it via my cell phone before packing up and leaving the data center.

And that is how I administered a pair of Windows servers with my eyes closed.

Round Up:

Pimp My Network | TechSNAP 27

Facebook is fooled again, remote controlled voting machines, and Sony has another 93,000 accounts hacked, we’ll load you up on the details!

Then we cover your best options for pimping your home network for speed!


Show Notes:

Facebook URL scanner easily fooled

  • Facebook has a malicious URL scanner that checks URLs linked to in posts to make sure they do not contain content that could be harmful to users
  • The simplest content-cloaking technique, displaying different content to different users (i.e., looking for the Facebook bot’s user-agent string), can fool this system
  • In the example proof-of-concept attack, the URL looks like a .jpg file and will get a thumbnail in the Facebook preview, but if you follow the link, you will be rickrolled
  • Proof of Concept


Sony Locks 93,000 Accounts After Hacking Attempt

  • Sony has suspended 93,000 accounts that were successfully accessed during a massive wave of failed login attempts.
  • This suggests that Sony does not have any automated systems for slowing or blocking such brute-force attacks.
  • The attack affected large numbers of users on both the PSN/SEN and SOE
  • While Sony claims the attackers must have had a list of username/password combinations from some other site that was attacked, the fact that hundreds of thousands of accounts had attempts against them, and 93,000 succeeded, suggests one of a few hypotheses:
  • The attack used user data from the original Sony hack (and/or users reset their passwords back to the same stolen passwords)
  • The flaw in the PSN password reset system that allowed attackers to reset other users’ passwords was more widespread than first thought
  • Users were the victims of the multiple phishing attempts we saw around the PSN compromise
  • Sony was compromised again
  • Additional Article
  • Sony CISO Statement


Diebold Voting machines susceptible to untraceable man in the middle attack


Feedback:

  • Dominic emails in:
    YOU’RE DOING IT WRONG

  • How to connect multiple switches

  • Q: When building physical network topology, say you have 5x 8 port switches, are you best to connect the router to port 1 of switch#1, then connect various other computers to the rest of the ports on switch#1 with the last port connecting to switch#2, which has one port to switch#3 and so on (essentially daisy chaining), or have one ‘master’ switch where each port of the switch connects to each of the other switches (2, 3, 4 and 5) and then have the router and PCs plugged into those? (I know it’s a bit overkill for a home network, but it’s just in theory, as I’ve had to deal with stuff like network loops and such before and I’m wondering if there is any real advantage between the two methods.)

  • A: The second setup you described is a proper ‘hierarchical networking model’, which usually consists of three layers. The first layer is the Access Layer; this is where individual computers are connected to the network, typically through a (relatively) low-end switch. The next layer is the Distribution Layer; this is where a lot of routers and firewalls do their work, and it usually also acts as the separation between departments, locations and regions. Typically computers in the same Access Layer can reach each other directly without going through a router. The top layer of the network is the Core Layer, the fastest part of the network, where data is exchanged between the different Distribution Layers. In your more limited setup, the ‘master’ switch would be the Core Layer, and would exchange traffic between each of the different Access Layer switches. However, for your home this may not be the best setup. If all of the switches are 100mbit, then the links between the Core Layer switch and the Access Layer switches can be a bottleneck. For example, if you had 2 pairs of clients communicating with each other on the same switch (so 4 machines, A<->B and C<->D), they could each communicate at 100mbit/second. However, if A and C are on Access Layer switch#2, and B and D are on Access Layer switch#3, then the bandwidth between #2 and #3 is limited to 100mbit total, and so each stream would only be able to use 50mbit/sec. However, if A and B are on one switch, and C and D are on another, then no data is exchanged through the Core Layer at all. So a number of factors, especially your traffic patterns, must be considered when setting up your network topology. You do not have to worry about creating ‘loops’ or anything as long as each switch only has a single path to each other switch. Higher-end (managed) switches will have ‘STP’ (Spanning Tree Protocol), which allows them to avoid loops even when they have multiple paths, while still adapting and using one of the extra paths if the preferred path is disconnected.

  • At my house, I have a 5 port gigabit switch, and 3 100mbit switches. My PC, Router/File Server, and Media center connect to the gigabit switch, the 4th port goes to the wireless AP, and the 5th to the switch in my bedroom. The remaining 100mbit switch (used for the machines in the rack in my living room) is fed off the wired ports for the wireless AP.

Round Up:

Written by chris

October 13th, 2011 at 9:11 pm

008: HTC Sues Apple with Google Patents

without comments

Coming up on episode 8 of the Linux News Podcast… HTC Sues Apple with Google Patents, Mainframe Ubuntu Linux?, and Microsoft, Google, and Mozilla are Completely Blocking DigiNotar.

TRANSCRIPT
HTC Sues Apple with Google Patents
http://www.linuxtechguy.com
The patent wars continue, with HTC suing Apple using patents it acquired from Google. Apple began the fight in early March of 2010, and now HTC is returning fire, this time loaded with nine patents bought from Google. The lawsuit contends that the Mac computer, iPhone, iPod, iPad, iCloud and iTunes infringe patents for a way to upgrade software wirelessly; a way to transfer data between a microprocessor and a support chip; a method to store user preferences; and a way to provide consistent contact between application software and a radio modem.

Mainframe Ubuntu Linux?
http://www.zdnet.com
ZDnet is reporting that, “Sources close to Canonical and IBM are telling me that Ubuntu may soon be certified on IBM’s System p mini-computers and blades and System z mainframes. When you think of “Ubuntu Linux,” you probably think of the community Linux distribution and the Linux desktop. That’s great, but Canonical, Ubuntu’s parent company, also wants you to think of Ubuntu as a server and cloud operating system platform. To that end, Canonical has been working with IBM to get Ubuntu certified on IBM’s high-end System P Power hardware line and System z mainframes…. If all goes well, Ubuntu will be officially supported on System p within the month and it will be certified on the Z mainframes by year’s end.”

Microsoft, Google, and Mozilla are Completely Blocking DigiNotar
http://us.generation-nt.com
GNT is reporting that, “Microsoft, Google and Mozilla are blocking all SSL certificates sent by the Dutch authority DigiNotar. A Windows update will be made available to operating systems including XP. Google released a new updated version of Google Chrome on Saturday and Mozilla has made Firefox version 6.0.2 available…. Apple is still running behind on the updating of Safari…. [Microsoft has said] “We’ve deemed all DigiNotar certificates to be untrustworthy and have moved them to the Untrusted Certificate Store.”

Hacking Causing Growing Uncertainty
http://www.securitypark.co.uk
Security Park is reporting that, “[I]t isn’t you that’s been hacked. It’s your information stored by the companies you trust that’s been compromised. Since the start of this year, globally, there have been 365 data loss incidents involving [over] 126 [million] records. According to research by analyst house, Juniper Research, 90% of organisations have suffered data breaches in one form or another over the past 12 months. Testament to this is the number of household brands that have inadvertently divulged the information of hundreds of individuals…. We conservatively estimate that the average family’s personal information has been breached 10 times since June…. We’ve all got used to locking our front doors and keeping valuables out of sight. Until we can trust organisations to give our virtual possessions the same protection we need to take steps to protect ourselves.”

Nemesys is Porting their Games to Linux
http://www.phoronix.com
Phoronix is reporting that, “Nemesys, a game studio run out of Budapest, is porting their game titles to Linux. The studio’s current titles include Fortix 2, A.C.S, and Ignite. Nemesys Ignite, in particular, is a very promising racing game that will surely roar things up for Linux…. A brief announcement concerning their love for Linux and porting their titles was made in a company blog post. “If you make a game, the users will come. More specifically, the Linux users… Everyone wants some entertainment on their platform of choice and we would like to deliver to such requests from the community. We’ve received a lot of inquiries over the past few months with our releases and upcoming titles from those that are curious about a Linux port. We can finally say, yes!”

Ice Cream Sandwich Coming in October or November
http://www.engadget.com
Engadget is reporting that, “Got your sights set on the next version of Android, codenamed Ice Cream Sandwich? We knew it was coming near the end of the year, but we now at least have a slightly more specific time frame straight from the horse’s mouth. Google’s own Eric Schmidt revealed in an interview…. that ICS — the highly-anticipated update to Android that will merge elements of Honeycomb and Gingerbread into one universal OS — can be expected to arrive in October or November. This matches up with rumors saying the Nexus Prime will be released in the tenth month, but it’s the first time we’ve heard anything official from Google.”

Opera Dragonfly
http://www.linuxjournal.com
The Linux Journal is reporting that, “Opera Software’s Opera Dragonfly is a new suite of open-source debugging tools for Web developers and designers that got its name because “it eats bugs”. The suite covers the full debugging work flow, from inspecting network access and downloaded resources to correcting JavaScript issues and seeing how CSS rules apply to the DOM. Opera Dragonfly supports all the newest Web technologies, including SVG and HTML5 APIs, such as Web Storage. Product benefits, says Opera, include a superior JavaScript debugger, a network inspector to discover why a site “turns to molasses” and a storage inspector to uncover how a site handles the data it collects. Opera Dragonfly loads automatically when one downloads the Opera browser.”

Rice University Double Capacity on 3G/4G Networks
http://www.osnews.com
OS News is reporting that, “The typical way to increase capacity on a network is to add more infrastructure, but that’s an expensive undertaking. It can also be time consuming and frustrating for network operators who have to get permission to put up new towers, or dig up the ground to lay cables. This is especially true in heavily populated areas where more antennas and traffic disruption are not what anyone wants to see. Rice University has come up with a groundbreaking solution, though. One that promises to at least double the capacity of existing networks with the addition of minimal extra hardware. That solution is full duplex wireless communication. This isn’t a new concept, but one that hasn’t been possible until now due to the inherent obstacles it throws up.”

KDE SC 4.7.1 Is Available for Download
http://news.softpedia.com
Softpedia is reporting that, “The KDE developers were proud to announce last evening in a press release that the KDE Software Compilation 4.7.1 is now available for upgrade to existing KDE users. KDE Software Compilation 4.7.1 is a version that is focusing on fixing last-minute bugs and finishing the required documentation and translations. Today KDE released updates for its Workspaces, Applications, and Development Platform. These updates are the first in a series of monthly stabilization updates to the 4.7 series…. [These] are recommended updates for everyone running 4.7.0 or earlier versions…. Because it only contains fixes and translation updates, the KDE Software Compilation 4.7.1 release will be a pleasant and safe update for everyone.”

Bacon Justifies Ubuntu Decisions
http://ostatic.com
OStatic is reporting that, “[It] Seems [that] Jono Bacon just can’t understand why users are still complaining about the drastic changes that came with Ubuntu 11.04 and the Unity desktop…. The issue for The Distro for Human Beings is that it doesn’t actually understand human beings…. People don’t like being told what to do, how to do it, where to do it, and how much we should enjoy doing it your way. You can try to dictate from up above how much better your way is, but you can’t make folks like it. You are there for the users and not the other way around. Without your users, you have no reason to be. Like many of your ilk, you’re under the impression that us lowly users are sheep… and must therefore follow your most exalted and elite judgment. You know best, right? We can’t possibly think for ourselves.”

SPONSOR
Roku – Instantly Play Movies & TV Episodes from the Internet! Starting at $59.99
Click here!

THEME MUSIC
Theme Music was “Legends of the North” by Mattias Westlund

RESOURCES
Bookstore – Get Linux software and books about Linux.
T-Shirts – Show your support with cool t-shirts, mugs, and more.
About Us – Introduces you to the podcast and the podcaster.
Privacy – Concerned about privacy, read our privacy policy.
Contact – Compliments, problems, concerns, and suggestions welcomed.

CONNECT
Twitter Updates – Get the latest news updates and sneak peeks.
Facebook Page – Like the podcast and get the latest episodes in your friend stream.

SUBSCRIBE
RSS Feed
Add to iTunes
Add to Zune
Add to Google
Miro Player

Written by linuxpod

September 9th, 2011 at 3:55 pm

Rooted Trust | TechSNAP 22

Remember the Man in the Middle attack on Google from last week? It turns out it was far worse than thought; we now have more details on the DigiNotar compromise, and a number of other important sites have had their DNS hijacked.

Plus we cover the advantages of running your own DNS server at home, and how Allan and Chris got their start in the world of IT!

All that and more, in this week’s TechSNAP!

Show Notes:

DigiNotar Hack Details

  • A company spokesman said that “several dozen” certificates had been acquired by the attackers.
  • The confirmed count of fraudulently issued SSL (Secure Sockets Layer) certificates now stands at 531.
  • The first known-bad certificate, for Google.com, was created by attackers on July 10, 2011. Between July 19 and July 29, DigiNotar began discovering bad certificates during routine security operations, and blocking them.
  • But the attack didn’t come to light until August 27
  • Comodohacker said the attack against DigiNotar was payback for the Srebrenica massacre.
  • He also suggested that he wasn’t operating under the auspices of Iranian authorities, but that he may have given them the certificates.
  • Comodohacker also posted additional proof that he had the private key for the invalid google.com certificate, by using it to sign a copy of calc.exe, a feature a regular website SSL certificate should not have.
  • The DigiNotar hack has already had wide-ranging repercussions for the 9 million Dutch citizens, in a country with a population of 17 million, that use DigiD, a government website for accessing services such as paying taxes.
  • According to news reports, the country’s lawyers have been forced to switch to fax and mail, to handle many activities that were supported by an intranet.
  • The Netherlands has also indefinitely extended the country’s tax deadline until DigiD can again be declared secure.
  • Mozilla has made this public statement: “This is not a temporary suspension, it is a complete removal from our trusted root program.” Such harsh action was taken because DigiNotar did NOT notify everyone when the breach was discovered.
  • F-Secure Weblog says they were hacked by someone who was connected to “ComodoGate”, the hacking of another Certificate Authority earlier this year by an Iranian attacker.

Removing the DigiNotar Root CA certificate : Ubuntu

Microsoft out-of-cycle patch to fix DigiNotar bogus certificates

Hacker claims to have compromised Other SSL Cert Authorities

  • Soon after the Comodo forged-certificate hack, an Iranian using the handle Comodohacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack.

  • The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates.

  • ComodoHacker also claims to have compromised StartSSL; however, issuance of invalid certificates was prevented by a policy change that required the CEO to manually approve each issued certificate offline. The HSM (Hardware Signing Module) being offline seems like the only way to be entirely sure that invalid certificates are not issued. A proper policy, more than just rubber-stamping any certificate that doesn’t say google.com on it, should be required.

  • GlobalSign on Tuesday announced that it would temporarily cease issuing any new certificates.
    “GlobalSign takes this claim very seriously and is currently investigating,” according to a statement released by the company

  • GlobalSign is the fifth-largest CA

  • GlobalSign Suspends Issuance of SSL Certificates

  • BBC Article

DNS hack hits popular websites: Telegraph, Register, UPS, etc

  • Further websites which have been affected by the DNS hack include National Geographic, BetFair, Vodafone and Acer.
  • Instead of breaching the website itself, the hackers have managed to change the DNS records for the various sites affected.
  • Because of the way that DNS works, it may take some time for corrected DNS entries for the affected websites to propagate worldwide – meaning there could be problems for some hours even after the fix.
  • The attack was against the domain registrars Ascio and NetNames, both owned by the same parent company.
  • Apparently the attacker managed to use an SQL injection attack to gain access to the domain accounts, and change the name servers.
  • BBC Article

Feedback:

Home DNS Software:

A different kind of question for TechSNAP! : techsnap

Round-Up:

Bitcoin-Blaster:

007: Linux Kernel Gets Hosted at Github

Coming up on episode 7 of the Linux News Podcast… Linux Kernel Gets Hosted at Github, Dutch Government Takes Over DigiNotar, and Appsfire Announces Open Source UDID Replacement for iOS.

TRANSCRIPT
Linux Kernel Gets Hosted at Github
http://www.h-online.com
On our last newscast we told you about the Linux project’s main site getting hacked. Well, this week we learned that Linus Torvalds has temporarily moved the entire Linux kernel to Github. It appears that the main server for kernel.org is not yet fully functional after being hacked. This announcement comes as the 5th release candidate of Linux 3.1 is published. Torvalds made it clear he plans to return to kernel.org once it is fully functional again.

Dutch Government Takes Over DigiNotar
http://www.h-online.com
The Dutch government took over operational control of DigiNotar, the digital certificate company that appears to have been hacked by someone in Iran apparently wanting to spy on activists in their country. We are now learning that 530 fake SSL digital certificates were issued for such sites as Facebook, Yahoo, Microsoft, Skype, Twitter, Tor, and WordPress, and even included intelligence agencies such as the CIA and MI6. This incident has highlighted the fragility of the SSL/TLS certificate trust model in use on the net today.

Appsfire Announces Open Source UDID Replacement for iOS
http://techcrunch.com
Appsfire is attempting to create an open source solution to the problem Apple created by phasing out developer access to the Unique Device Identifier on iOS devices. It is called OpenUDID. It is designed to replace all that was lost, and in which everyone can participate. It also said it will provide a system that will enable users to opt-out if they wish. All mobile app developers are invited to join in the testing process now.

Reflecting on Chrome as Browser Hits Third Birthday
http://arstechnica.com
Three years ago Google launched its Chrome browser. Since that time Google’s Web Browser has attracted a large number of users and has made an impact on other browsers in the process. Chrome’s speed and distinctive minimalist design has won over a number of Linux users. There is even talk that Chrome may become Ubuntu’s browser. We’ll see what the next three years hold.

OpenSSH 5.9 Arrives
http://www.h-online.com
The development team for the Secure Shell known as OpenSSH has released version 5.9. The newest release includes a number of changes, among them the addition of a Hash-based Message Authentication Code to verify both the data integrity and the authenticity of a message. They are also experimenting with sandboxing the privilege separation child process. OpenSSH is developed by the OpenBSD project and is released under the BSD licence.

Python 3.2.2 Fixes Regression
http://www.h-online.com
The Python developers have released version 3.2.2 of their open source programming language. This maintenance update mainly fixes a regression in the urllib.request module that prevented opening many HTTP resources correctly. In addition there are about 60 minor changes and fixes. Python 3.2.2 is available to download from the Python Website.

Swiss Federal Court Sharing its DMS as Open Source
http://www.osor.eu
The Swiss Parliament is permitting the Federal Court to publish its document management system under the General Public Licence, version 3. The software is called Open Justitia and was developed in-house by the court. Weblaw, a proprietary software firm, tried to block its release claiming that the federal court was essentially becoming a commercial competitor. The court explained that it believes it has sufficient legal grounds to develop its own DMS and that making available the source code does not mean it is entering in competition.

Leaks Show US Swayed Canada on Copyright Bill
http://www.osnews.com
New Wikileaks documents describe Canadian officials as encouraging American lobbying efforts. The cables, from the U.S. Embassy in Ottawa, even have a policy director for then industry minister Tony Clement suggesting it might help U.S. demands for a tough copyright law if Canada were placed among the worst offenders on an international piracy watch list. Days later, the U.S. placed Canada alongside China and Russia on the list.

Governments Use Western Technology to Spy on Citizens
https://www.eff.org
The Electronic Frontier Foundation has long warned about the use of American and European made surveillance technologies by authoritarian governments to spy on their citizens. Last week we saw another example of that when the government of Bahrain used surveillance software from Nokia Siemens to intercept messages and gather information on human rights activists, resulting in their arrest and torture. This is just one of many such cases. The real concern is that Western surveillance tools are likely undermining the “Internet freedom” agenda.

Gluster Founder Details Data Management Strategy
http://www.infostor.com
Gluster is an open source distributed filesystem that is positioning itself for the current evolution of cloud computing and big data requirements. Gluster is aiming to solve storage problems that people have been grappling with for years. Companies are asking for a Google-style storage approach where a scale-out filesystem is needed that can run on commodity hardware. That is why one of the new features in GlusterFS 3.3 is support for Hadoop which is an attempt to expand Gluster usage for Big Data.

SPONSOR
Roku – Instantly Play Movies & TV Episodes from the Internet! Starting at $59.99

THEME MUSIC
Theme Music was “Legends of the North” by Mattias Westlund


Written by linuxpod

September 6th, 2011 at 2:52 pm

Smarter Google DNS | TechSNAP 21

Google and openDNS join forces to improve the speed of your downloads, find out what they are doing and how it works!

Plus gmail suffered another man in the middle attack, and Kernel.org gets some egg on their face!

All that and more, on this week’s episode of TechSNAP!

Show Notes:

Another SSL Certificate Authority Compromised, MitM Attack on Gmail

  • Sometime before July 10th, the Dutch Certificate Authority DigiNotar was compromised and the attackers were able to issue a number of fraudulent certificates (apparently as many as 200), including a wildcard certificate for *.google.com. The attack was only detected by DigiNotar on July 19th. DigiNotar revoked the certificates, and an external security audit determined that all invalid certificates had been revoked. However, it seems that probably the most important certificate, *.google.com, was in fact not revoked. This raises serious questions and seems to point to a cover-up by DigiNotar. Detailed Article Additional Article
  • Newer versions of Chrome were not affected, because Google specifically listed the small subset of CAs that would ever be allowed to issue a certificate for Gmail. This also blocks self-signed certificates, which some users fall for regardless of the giant scary browser warning. Chrome Security Notes for June
  • Mozilla and the other browsers have taken more direct action than they did with the Comodo compromise. All major browsers have entirely removed the DigiNotar root certificate from their trust list. With the Comodo compromise, the affected certificates were blacklisted, but the rest of the Comodo CA was left untouched. One wonders if this was done as a strong signal to all CAs that they must take security more seriously, or if DigiNotar was in fact cooperating with the Iranian government in its efforts to launch MitM attacks on its citizens. Mozilla Security Blog
  • Part of the issue is that some of the certificates issued were for the browser manufacturers themselves, such as Mozilla.org. With a fake certificate for Mozilla, it is possible that a MitM attack could block updates to your browser, or worse, feed you a spyware-laden version of the browser.
  • Press Release from Parent Company VASCO
  • Pastebin of the fraudulent Certificate
  • Allan’s blog post about the previous CA compromise, and more detail than can fit even in an episode of TechSNAP

GoogleDNS and OpenDNS launch ‘A Faster Internet’

  • The site promotes a DNS protocol extension called edns-client-subnet that has the recursive DNS server pass along the IP subnet (not the full IP, for privacy) of the requesting client, to allow the authoritative DNS server to make a better geo-targeting decision.
  • A number of large content distributors and CDNs rely on GeoIP technology at DNS time to direct users to the nearest (and as such, usually fastest) server. However, this approach is often defeated when a large portion of users are using GoogleDNS and OpenDNS and all of those requests come from a specific IP range belonging to the resolver. As this technology takes hold, it should make it possible for the authoritative DNS servers to target the user rather than the recursive DNS server, resulting in more accurate results.
  • Internet Engineering Task Force Draft Specification
  • This change has already started affecting users: many users of services such as iTunes had complained of much slower download speeds when using Google DNS or OpenDNS. This was a result of being sent to a far-away node, and that node getting a disproportionate amount of the total load. Now that this DNS extension has started to come online and is backed by a number of major CDNs, it should alleviate the problem.
  • ScaleEngine is in the process of implementing this, and already has some test EDNS-enabled authoritative name servers online.
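As an added example (not code from the show, Google, OpenDNS or ScaleEngine), here is the wire format of the client-subnet option in Python, with the privacy truncation the item describes: only the prefix bits are sent, and the parser rejects options that carry more of the address than they claim to. It follows the field layout later standardised in RFC 7871 (option code 8); the addresses used are constructed documentation addresses.

```python
import ipaddress
import struct

# EDNS option code for Client Subnet as assigned in RFC 7871; the 2011 IETF
# draft the show refers to used the same field layout.
ECS_OPTION_CODE = 8


def build_ecs_option(client_ip: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Encode one EDNS0 option carrying only the client's subnet.

    Only the first `source_prefix` bits are sent: host bits are zeroed and the
    address is cut to whole bytes, so the full client IP never leaves the
    recursive resolver. A resolver sends scope_prefix=0; the authoritative
    server echoes the option back with the scope it actually used.
    """
    ip = ipaddress.ip_address(client_ip)
    family = 1 if ip.version == 4 else 2
    network = ipaddress.ip_network(f"{ip}/{source_prefix}", strict=False)
    addr_len = (source_prefix + 7) // 8
    data = struct.pack("!HBB", family, source_prefix, scope_prefix)
    data += network.network_address.packed[:addr_len]
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def parse_ecs_option(raw: bytes) -> dict:
    """Decode an ECS option, rejecting malformed or over-sharing encodings."""
    if len(raw) < 8:
        raise ValueError("option too short")
    code, length = struct.unpack("!HH", raw[:4])
    if code != ECS_OPTION_CODE or length != len(raw) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source, scope = struct.unpack("!HBB", raw[4:8])
    full_len = {1: 4, 2: 16}.get(family)
    if full_len is None or source > full_len * 8:
        raise ValueError("bad address family or prefix length")
    addr = raw[8:]
    if len(addr) != (source + 7) // 8:
        raise ValueError("address length does not match prefix length")
    padded = ipaddress.ip_address(addr + b"\x00" * (full_len - len(addr)))
    # Bits past the prefix must be zero; anything else leaks more of the
    # client address than the resolver claims to be sharing.
    if int(padded) & ((1 << (full_len * 8 - source)) - 1):
        raise ValueError("non-zero bits beyond the source prefix")
    subnet = ipaddress.ip_network(f"{padded}/{source}")
    return {"family": family, "source": source, "scope": scope, "subnet": str(subnet)}


if __name__ == "__main__":
    # Constructed example: a resolver forwarding a /24 for a documentation address.
    opt = build_ecs_option("198.51.100.77", 24)
    print(opt.hex(), parse_ecs_option(opt))
```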

Kernel.org Compromised

  • Attackers were able to compromise a number of Kernel.org machines
  • Attackers appear to have compromised a single user account, and then through unknown means, gained root access.
  • Attackers replaced the running OpenSSH server with a trojaned version, likely leaking the credentials of users who authenticated against it.
  • Kernel.org is working with the 448 people who have accounts there, to replace their passwords and SSH keys.
  • The attack was only discovered due to an extraneous error message about /dev/mem
  • Additional Article

Feedback:

Q: (DreamsVoid) I have a server set up, and I am wondering what it would take to set up a backup server that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and have given one possible answer each week, for the last few weeks. This week's solution is Anycast. This is by far the most complicated and resource-intensive solution, but it is also the most scalable. Standard connections on the Internet are Unicast, meaning they go from a single point to another single point (typically, from a client to a specific server). There are also Broadcast (send to all nodes in the broadcast domain, such as your local LAN) and Multicast (send to a group of subscribed peers, used extensively by routers to distribute routing table updates, but does not work on the Internet). Anycast is different from Unicast: instead of sending the packet to a specific host, the packet is sent to the nearest host (in network terms, hops, not necessarily geographic terms). The way Anycast works is that your BGP-enabled routers announce a route to your subnet to the Internet from each of the different locations, and the other routers on the Internet update their routing tables with the route to the location that is the fewest hops away. In this way, your traffic is diverted to the nearest location. If one of your locations goes down, when the other routers do not get an update from the downed router, they automatically change their route to the next nearest location. If you want only failover, and not to distribute traffic geographically, you can have your routers prepend their own AS number to their routes a sufficient number of times to make the backup location always more hops than the main location, so it is only used if the main is down. There are some caveats with this solution, the first being that TCP connections were never meant to be randomly redirected to another location: if a route change happens in the middle of an active session, that session will not exist at the second location, and the connection will be dropped. This makes Anycast unsuitable for long-lived connections, as routes on the Internet change constantly, routing around faults and congestion. Connections also cannot be made outbound from an Anycast IP, as the route back may end up going to a different server, and so a response will never be received; servers therefore require a regular Unicast address in addition to the Anycast address. A common solution to overcome the limitations of Anycast is to do DNS (which is primarily UDP) via Anycast, and have each location serve a different version of the authoritative zone with the local IP address of the web server; this way users are routed to the nearest DNS server, which then returns the regular IP of the web server at the same location (this solution suffers from the same problems mentioned above in the Google DNS story). Another limitation is that, due to the size of the address space on the Internet, most providers will not accept a route for a subnet smaller than a /24, meaning that an entire 256-address subnet must be dedicated to Anycast, and your servers will each require a regular address in a normal subnet. Announcing routes to the Internet also requires your own Autonomous System number, which is only granted to largish providers, or an ISP willing to announce your subnet on their AS number, but this requires a Letter of Authorization from the owner of the IP block.
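As an added illustration (example code, not from the show), a small Python model of the failover-by-prepending idea in the answer: a remote router picks the announcement with the shortest AS path, so a backup site that prepends its own ASN several times is only chosen once the primary's announcement is withdrawn. The prefix 203.0.113.0/24 and AS numbers 64496-64500 are constructed documentation values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple   # leftmost AS is the neighbour it was heard from, rightmost the origin
    next_hop: str    # neighbour router that advertised it


class Router:
    """Just enough of BGP best-path selection to show anycast behaviour:
    shortest AS_PATH wins; equal-length paths tie-break on the lowest next-hop."""

    def __init__(self):
        self.rib = {}  # (prefix, next_hop) -> Route

    def receive(self, route: Route):
        self.rib[(route.prefix, route.next_hop)] = route

    def withdraw(self, prefix: str, next_hop: str):
        # A withdrawn (or silently expired) announcement simply leaves the table.
        self.rib.pop((prefix, next_hop), None)

    def best(self, prefix: str):
        candidates = [r for (p, _), r in self.rib.items() if p == prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (len(r.as_path), r.next_hop))


def prepend(as_path: tuple, asn: int, times: int) -> tuple:
    """AS-path prepending: the origin repeats its own ASN so the route looks farther away."""
    return (asn,) * times + as_path


def failover_demo() -> list:
    """Constructed scenario: AS 64500 announces a full /24 from site A (via transit
    AS 64496) and site B (via AS 64497, prepended 3x). Returns the next-hop the
    remote router chooses before and after site A's announcement disappears."""
    prefix, our_asn = "203.0.113.0/24", 64500
    remote = Router()
    remote.receive(Route(prefix, (64496, our_asn), "siteA-transit"))
    remote.receive(Route(prefix, (64497,) + prepend((our_asn,), our_asn, 3), "siteB-transit"))
    chosen = [remote.best(prefix).next_hop]
    remote.withdraw(prefix, "siteA-transit")      # site A goes dark
    chosen.append(remote.best(prefix).next_hop)
    return chosen
```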

ROUND-UP:

Bitcoin-Blaster:

Written by chris

September 2nd, 2011 at 12:42 am