LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘Amazon’ Category

Sound Card Troubleshooting | LAS | s19e09


Tired of fighting sound issues under Linux? We’ve got solutions for you! Linux audio can be tricky: when it works it’s great, but when it sucks, it sucks real bad. Tune in to get our tips to make your audio trouble free!

PLUS: HP announces its plans to open source WebOS, we share our thoughts, and Linux Mint stepped in a pile this week when it was revealed they changed affiliate revenue links in Banshee. Have they failed to learn from past mistakes, or is there another side to this story? We give you the details!

And so much more!

All this week on, The Linux Action Show!


Thanks to:

GoDaddy.com: Use our code LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

$1.99 per month Economy Hosting for 3 months

GoDaddy Offer Code: LINUX11

Free Private Registration

GoDaddy Offer Code: linux17
Link: http://www.godaddy.com/domainaddon/private-registration.aspx?isc=linux17



-SHOW NOTES-


Sound Card Troubleshooting:

  • Check out pavucontrol

  • Great Gear:

    • Syba SD-CM-UAUD USB Stereo Audio Adapter, C-Media Chipset, RoHS
    • StarTech USB to Stereo Audio Adapter Converter Sound Cards ICUSBAUDIO
    • Olympus Microphone ME-52W Noise Cancellation Mic OLY-145055 – ME52 – ME52W


openSUSE 12.1 Review


We review openSUSE 12.1, find out how hard this release spanks every distribution out there, and the ways openSUSE 12.1 sets the bar for every future release!

Plus: Barnes & Noble reveals Microsoft’s dirty tricks, our quick review of Desura, and booms of the week for embedded Linux devices.

And so much more!

All this week on, The Linux Action Show!


Thanks to:

GoDaddy.com: Use our code LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Special GoDaddy Offer: LINUX11

$1.99 per month Economy Hosting for 3 months!



-SHOW NOTES-


NEWS:

openSUSE 12.1 Review:

• Noteworthy is the fact that openSUSE is the first major Linux distribution to ship color management tools for both the GNOME and KDE desktops!
• On the client side, openSUSE 12.1 introduces Chromium 16 (such a refreshing contrast from Fedora!)
• The WebYaST remote system management tool offers a much improved web interface to administer openSUSE systems remotely, with new modules and better performance.
• Snapper rolls back changes (screenshot)
• openSUSE 12.1 is the first Linux distribution taking advantage of the snapshot functionality in the upcoming Linux file system btrfs. These file system snapshots use copy-on-write, making them very space efficient. openSUSE 12.1 debuts Snapper, which lets the user interface with this technology.

Video: http://youtu.be/9H7e6BcI5Fo?t=6m49s

• XFCE 4.8 Desktop
• KDE 3 is available. WOW.
• Tumbleweed, the unique rolling release repository for openSUSE, can be considered “complete” at the time of this release. Covering almost all of the openSUSE 12.1 packages, Tumbleweed offers newer versions as soon as they are deemed stable.
• How to install ATI Driver

Download the LAS openSUSE review box!
User: linuxactionshow
Pass: jblive


How Malware Makes Money | TechSNAP 31


The FBI shuts down a cyber crime syndicate, and we’ll tell you just how much profit they were bringing in.

Plus we’ll cover how to securely erase your hard drive, Xbox Live’s minor password leak, and how researchers remotely opened prison cell doors, in my own state!

All that and more, on this week’s episode of TechSNAP!

Thanks to:
GoDaddy.com: Use our code TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

     



Show Notes:

FBI takes out malware operation that illicitly made 14 million dollars

• The malware was said to have infected as many as 4 million computers in 100 countries
• At least 500,000 infected machines in the USA alone
• Operation Ghost Click resulted in indictments against six Estonian and one Russian national. The Estonians were taken into custody by local authorities and the US is seeking to extradite them.
• The malware, called DNSChanger, changed the user’s DNS servers to rogue servers run by the botnet operators, which allowed the attackers to perform man-in-the-middle attacks against any site they wished.
• The attackers redirected all traffic related to Apple and iTunes to a site that sold fake Apple software and pirated music.
• The attackers also stole traffic from legitimate advertising networks and replaced it with their own network, charging advertisers for their ill-gotten traffic.
• The malware also blocked Windows Update and most known virus scanners and help sites.

Pastebin of Xbox Live IDs and passwords published

• The pastebin contained 90 gamertags, passwords and possibly email addresses
• Microsoft says that they do not believe their network was compromised, and that this list is the result of a small-scale phishing attack
• The size of the credential dump seems to support that conclusion
• Regardless, it is recommended that you change your Xbox Live password, and the password on any other service that shared the same password, especially the email account used for your Xbox Live.

Researchers Uncover ‘Massive Security Flaws’ In Amazon Cloud

• The vulnerability (since fixed) allowed an attacker to completely take over administrative rights on another AWS account, including starting new EC2 and S3 instances, and deleting instances and storage
• An attacker could have run up a huge bill very quickly, and it would appear legitimate.
• Using EC2 to crack passwords becomes even more effective when someone else is paying for your instances
• The vulnerability was exploited using an XML signature wrapping attack, which allowed the researchers to modify the signed message while still having it verify as unmodified.
• Amazon said “customers fully implementing the AWS security best practices were not susceptible to these vulnerabilities”
• Previous article about Amazon AWS security
• The previous article mostly covers vulnerabilities created by users of AWS, including people publicly publishing AMIs with their SSH keys still in them.

Prison SCADA systems vulnerable to compromise

• Researchers have been able to compromise the SCADA systems and open/close cell doors, overload door mechanisms so they cannot be opened/closed, and disable the internal communications systems.
• The researchers worked in one of their basements, spent less than $2,500 and had no previous experience with these technologies.
• A Washington Times article confirms that the research was delivered to state and prison authorities, and that Homeland Security has verified the research
• Researchers were called in after an incident where all of the cell doors on death row at one prison opened spontaneously at once
• While the SCADA systems are not supposed to be connected to the Internet, it was found that many of them were.
• Some were used by prison staff to browse the Internet, leaving them open to malware and other such attacks.
• Others had been connected to the Internet so they could be remotely managed by consultants and software vendors
• Even without the Internet, researchers found that the system could be compromised by an infected USB drive, connected to the SCADA system either via social engineering or bribery of prison employees.

Feedback:

Simon asks about destroying your data before recycling/selling your used hard drives

• There are a number of tools that will overwrite the contents of your hard drive a number of times in various patterns. The goal is to ensure that any data that was on the drive cannot be recovered. There is never a guarantee that the data will not be recoverable.
• Allan recommends: DBAN – Darik’s Boot And Nuke
• It is still a very good idea to overwrite the data on your disks before you recycle/sell them. The methods are slightly different now; specifically, some methods such as the ‘Gutmann Wipe’, which was designed for a specific type of disk encoding that is no longer used in modern hard drives, are no longer effective.
• DBAN supports a number of methods:
• PRNG Stream (recommended) – literally overwrites the entire drive with a stream of data from the pseudo random number generator. It is recommended that you use 4 passes for medium security, and 8 or more passes for high security.
• DoD 5220.22-M – The US Department of Defense 7-pass standard. The default in DBAN is the DoD Short, which consists of passes 1, 2 and 7 from the full DoD wipe.
• RCMP TSSIT OPS-II – The Canadian government’s “Technical Security Standard for Information Technology”: Media Sanitization procedure. (8 passes)
• Quick Erase (not recommended) – Overwrites the entire drive with 0s, only 1 pass. This is designed for when you are going to reuse the drive internally, and is not considered secure at all
• DBAN also verifies that the data was overwritten properly, by reading back the data from the drive and checking that the correct pattern is found.
• I am not certain about the answer to your question concerning SD cards and other flash storage not in the form of a hard disk. A file erasure utility may be the only option if the device does not actually accept ATA/SCSI commands (careful, some USB devices pretend to accept the commands but just ignore ones they do not understand)
• Simon’s method of using the shred utility (designed to overwrite an individual file) on the block device is not recommended. A proper utility like DBAN uses ATA/SCSI commands to tell the disk to securely erase itself, which involves disabling write caching, and erasing unaddressable storage such as sectors that have been relocated due to bad sectors.
• Special consideration should be given to SSDs, as they usually contain more storage than advertised, and as the flash media wears out, it is replaced from this additional storage. You want to be sure your overwrite utility overwrites the no-longer-used sectors, as they will still contain your data. This is why a utility that uses the proper ATA/SCSI commands is so important.
• A utility like DBAN is also required if the disk contained business or customer data. Under legislation such as PIPEDA (Personal Information Protection and Electronic Documents Act, Canada), HIPAA and Sarbanes-Oxley (USA), the information must be properly destroyed.
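The read-back step the notes describe (overwrite the whole device with a pattern, then read it back and confirm every byte matches) is simple enough to show in full. The block below is an added example, not DBAN’s code: it only performs the verification half, it issues no ATA/SCSI erase commands, and it cannot see remapped or over-provisioned sectors, which is exactly the gap the notes warn about. The function names and the constructed disk image written by write_demo_image() are assumptions of this example; on a real system you would point verify_pattern_fill() at the block device after the overwrite pass.

```python
"""Read-back verification of an overwrite pass (added example, not DBAN's code).

Streams a file or block device and reports the first byte that does not match
the expected repeating pattern. write_demo_image() builds a constructed disk
image in a temporary file so the check can be exercised without a real drive.
"""
import os
import tempfile


def verify_pattern_fill(path: str, pattern: bytes = b"\x00", chunk_size: int = 1 << 20) -> int:
    """Return the offset of the first byte of `path` that deviates from the repeating
    `pattern`, or -1 if the whole file/device matches. Chunks are trimmed to a whole
    multiple of the pattern length so every chunk starts on a pattern boundary."""
    if not pattern:
        raise ValueError("pattern must not be empty")
    chunk_size -= chunk_size % len(pattern)
    chunk_size = max(chunk_size, len(pattern))
    expected = pattern * (chunk_size // len(pattern))
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return -1
            if chunk != expected[:len(chunk)]:
                # Slow path only on mismatch: pin down the exact byte for the report.
                for i, (got, want) in enumerate(zip(chunk, expected)):
                    if got != want:
                        return offset + i
            offset += len(chunk)


def write_demo_image(size: int, pattern: bytes = b"\x00",
                     leftover: bytes = b"", leftover_at: int = 0) -> str:
    """Constructed fixture: a 'disk image' of `size` bytes filled with `pattern`,
    optionally with `leftover` planted at `leftover_at` to simulate data a pass
    failed to cover. Returns the temporary file's path."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write((pattern * (size // len(pattern) + 1))[:size])
        if leftover:
            fh.seek(leftover_at)
            fh.write(leftover)
    return path


if __name__ == "__main__":
    img = write_demo_image(3 * 1024 * 1024 + 17, leftover=b"SECRET", leftover_at=2 * 1024 * 1024 + 5)
    print("first unwiped byte at offset", verify_pattern_fill(img))
    os.unlink(img)
```

A -1 from verify_pattern_fill() only says the addressable surface reads back as the pattern; it says nothing about relocated sectors or an SSD’s spare flash, so it complements a firmware-level secure erase rather than replacing it.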

Round Up:

ZFS Server Build Progress:

• Finalized Parts List
• Parts Summary:
• Supermicro CSE–829TQ-R920UB Chassis
  • 8 hot-swappable SAS bays
  • dual redundant 920 watt high-efficiency PSUs
• Supermicro X8DTU–6F+ motherboard
  • Dual Socket LGA 1366
  • 18x 240-pin DDR3 1333 slots (max 288GB RAM)
  • Intel 5520 Tylersburg Chipset, ICH10R
  • LSI 6Gb/s SAS Hardware RAID controller
  • Intel ICH10R SATA 3Gb/s SATA Controller
  • IPMI 2.0 with Virtual Media and KVM over LAN
  • Dual Intel 82576 Gigabit Ethernet Controller
• Dual Intel Xeon E5620 Processors (4×2.4GHz, HT, 12MB Cache, 80W)
• 48GB DDR3 1333MHz ECC Registered RAM
• 2x Seagate Barracuda XT 2TB SATA 6Gb/s 7200rpm Drives (for OS)
• 9x Seagate Constellation ES 2TB SAS 6Gb/s 7200rpm Drives (8x for RAID-Z2, 1x cold spare)
• Adaptec RAID 6805 Controller (8 internal drives, supports up to 256 drives, 512MB DDR2 667 cache)
• Adaptec AFM 600 Flash Module (alternative to a BBU, provides 4GB NAND flash powered by a supercapacitor to provide zero-maintenance battery backup)

Written by chris

November 10th, 2011 at 8:18 pm

The Cloud Fails | TechSNAP 2


Reality rained on Amazon’s Cloud recently as aspects of their EC2 hosting service suffered major outages. We look at the many issues facing cloud computing.

Plus we dig into the iPhone location tracking story, and brainstorm a few possible solutions to a potentially necessary evil.

Then we’ll look at how HBGary wrote backdoors for the government, exactly how the recent RSA security hack actually happened, and why it’s still a major issue!


Show Notes:

Topic: iPhone GPS History and new IP geolocation techniques

Involuntary Geolocation To Within One Kilometer
How Apple tracks your location without consent, and why it matters
Major Issues with the Latest iPhone Tracking “Discovery”

• Why does this data need to be stored for more than an hour?
• Who else can read this data?
• Why does this data follow you between devices?
• Can this data be used against you in court?

Topic: Hashed Passwords and why they are important

A new data retention law proposed in France would force all websites to keep the name, address, telephone number and plain text password of their users. This would include e-commerce sites, webmail providers, and online video hosts. It would effectively outlaw the practice of hashing passwords. Using cryptographic hashes is standard practice for a reason: it is secure.

Allan on hashing and passwords:
http://geekrt.com/read/91/What-is-a-Hash/
http://geekrt.com/read/88/Myths-of-Password-Security/
http://appfail.com/read/184/Password-Security-Misconceptions/
http://appfail.com/read/55/WebCT-fails-at-password-hashing/

Background:
All modern secure websites use ‘hashing’ to store passwords: an irreversible, one-way ‘encryption’ (not actually encryption, but you get the idea). This means that the website does not actually know what your password is; it just applies the same algorithm to the password you attempt to log in with, and if the hash matches the one in the database, you have entered the correct password. Hashing algorithms are deterministic, meaning the same input always generates the same output. This is both a critical part of the system and a potential vulnerability: if two users have the same password, they will have the same hash. To combat this, and to make techniques such as rainbow tables more difficult, secure hashing algorithms use a salt, some amount of randomness added to the password to make it more unique and harder to brute force. This bit of randomness is stored as part of the hash, because the plain text of the salt is needed to compare the attempted password.

• Data retention is evil. The government does not have the right to force other people to collect data on you.
• The onus is on ISPs, and in this case individual websites, to pay for warehousing all of this data in case the French government or law enforcement ask for it.
• Secure password hashing is imperative to security. The main reason some of the major security compromises of the past few years, such as Gawker, The Pirate Bay, and more, were not far worse was the hashing of the passwords in the stolen databases.
• If, for example, the database for a web forum is hacked and it does not use any security, then all of the passwords are in plain text and ripe for the picking. If plain hashes are used (MD5, SHA1, SHA256/512) then brute force or a rainbow table can be used to retrieve the plain text passwords; this can require a lot of time and resources depending on the strength of the passwords that were used. If secure salted hashing algorithms are used (the crypt-style MD5, SHA256/512 and Blowfish schemes) then only brute force is an option, and the algorithms beyond MD5 are adjustable, allowing for a trade-off between performance and security, as well as allowing the algorithms to scale as computers get faster and brute force becomes more feasible.
• The law is being opposed by Google, Facebook, eBay, Dailymotion and many other major online brands.
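The Background paragraph and the forum-database bullet above make three claims that are easy to see in code: an unsalted hash gives two users with the same password the same digest, one precomputed table then cracks every common password in a stolen dump, and a salted, adjustable-cost hash defeats both the table and the passage of time. The block below is an added example, not from the TechSNAP notes or from Allan’s articles. It uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the crypt-style schemes the notes mention; the stored-string layout pbkdf2_sha256$iterations$salt$digest, the function names, and the user table are assumptions of this example.

```python
"""Salted, iterated password hashing beside a plain unsalted hash.

Added example (not from the TechSNAP notes). Standard library only:
PBKDF2-HMAC-SHA256 stands in for the crypt-style schemes the notes mention.
The stored format 'pbkdf2_sha256$<iterations>$<salt>$<digest>' is an
assumption of this example, chosen so that salt and cost travel with the hash.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional


def naive_hash(password: str) -> str:
    """Plain SHA-256 with no salt: identical passwords give identical digests,
    so one precomputed table cracks every user who chose a common password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. A fresh 16-byte random salt is drawn per user unless
    one is supplied; salt and iteration count are stored next to the digest so
    verify_password() can recompute the same value later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        scheme, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, min_iterations: int) -> bool:
    """The adjustable cost is what lets the scheme keep up with faster hardware:
    on a successful login, re-hash any entry whose cost is below today's minimum."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < min_iterations


def build_lookup_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Tiny stand-in for a rainbow table: digest -> plaintext for common passwords."""
    return {naive_hash(p): p for p in candidates}


def crack_dump(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Look every stolen hash up in the table. Salted entries never match, because
    the attacker would need a separate table per salt."""
    return {user: table[h] for user, h in dump.items() if h in table}


# Constructed sample data: a forum's user table, stored both ways below.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}


def demo(iterations: int = 1000) -> Dict[str, int]:
    """How many accounts a common-password table recovers from each kind of dump.
    (Low iteration count only to keep the demo quick; use the default in practice.)"""
    table = build_lookup_table(COMMON_PASSWORDS)
    naive_dump = {u: naive_hash(p) for u, p in USERS.items()}
    salted_dump = {u: hash_password(p, iterations) for u, p in USERS.items()}
    return {
        "naive_cracked": len(crack_dump(naive_dump, table)),
        "salted_cracked": len(crack_dump(salted_dump, table)),
        "same_hash_naive": int(naive_dump["alice"] == naive_dump["bob"]),
        "same_hash_salted": int(salted_dump["alice"] == salted_dump["bob"]),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the salt is stored in the clear, as the paragraph says it must be, and that costs nothing because its job is uniqueness, not secrecy; and needs_rehash() is the hook that lets a site raise the iteration count over the years without ever seeing plaintext again except at the moment a user logs in.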

http://www.bbc.co.uk/news/technology-12983734


Topic: Today Reality rained on Amazon’s Cloud

You need to consider using more than one provider if you want to achieve high availability in the cloud. This is where portability is important: being able to easily move in and out of different cloud providers. Many cloud systems attempt to lock you in, using non-standard systems that are highly specialized to their own service.

• Brought down a huge list of sites, including reddit, foursquare, quora, hootsuite, and about.me
• Latency on EBS volumes, which are the data store backing EC2 instances
• Internet connectivity issues on EC2 instances (unreachable at times)
• Affected multiple ‘availability zones’ across the US-EAST-1 region (degraded high availability)
• Increased error rates on API calls
• Extreme delays launching and stopping EC2 instances (billing implications: you are billed for each hour or partial hour that an instance is running)
• Cause: “A networking event early this morning triggered a large amount of re-mirroring of EBS volumes in US-EAST-1. This re-mirroring created a shortage of capacity in one of the US-EAST-1 Availability Zones”
• Issues have been ongoing for more than 12 hours
• Amazon has no direct support for users, outside some extremely large consumers who pay extra for professional services
• Does Amazon have an SLA?
• Affecting other services such as Relational Database Service
• Last issue was March 17th when a router suffered a partial failure and nearby routers did not detect the issue and kick in to failover

http://status.aws.amazon.com/rss/EC2.rss
Amazon servers take down Reddit, Foursquare, and more
Amazon’s Cloud Crashed Overnight, And Brought Several Other Companies Down Too
Amazon Outage Shows Limits of Failover ‘Zones’


Topic: How HBGary wrote backdoors for the government

HBGary’s engineering team, working with defence contractor General Dynamics (5th largest defense contractor in the world, used to make the F-16), was tasked with creating malware and/or rootkits that could surreptitiously infect a computer via USB, Firewire, PCMCIA, or Wifi. The end goal being that an operative could infect a computer from nearby, or with only brief physical access to the machine. Like in a spy movie: just walk up to the laptop, plug in the USB stick, wait a few seconds, remove it, walk away, instantly owned. This was ‘Task B’. Later, ‘Task C’ involved exploiting the preview pane in MS Outlook with a specially crafted email.

HBGary claimed to have unreported 0-day exploits for:

• VMWare ESX/ESXi
• Java
• Flash
• Windows 2k3
• Solaris 10

Topic: RSA Servers hacked, SecurID suffers reduced security

RSA confirmed on Friday that the attack that compromised the company’s high-value SecurID product was essentially a small, targeted phishing campaign that included a payload of a malicious Flash object embedded in an Excel file.

• Malware payload sent to groups of employees at RSA
• At least one employee retrieved the email from their spam folder and opened it
• The spreadsheet contained a zero-day exploit that installs a backdoor through an Adobe Flash vulnerability (CVE-2011-0609)
• Used the Poison Ivy remote administration tool
• Collected the data on an RSA staging server using stolen credentials and privilege escalation
• The attacker then transferred the data (password-protected RAR files) via FTP to an external compromised dedicated server at a hosting provider. The files were then removed from the staging server and the compromised external server

Open Letter to RSA Customers
RSA Breached: SecurID Affected
RSA: SecurID Attack Was Phishing Via an Excel Spreadsheet


Followup:

facebook followup: http://hardware.slashdot.org/story/11/04/19/2322248/Facebooks-Server-Room-Penthouse-Cooling-Caught-On-Video

dropbox followup:
http://tirania.org/blog/archive/2011/Apr-19.html
It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files (making it sound as if files are encrypted separately with each user’s key), but in another says that they’re only ‘prohibited’ from doing so (because Dropbox uses a single key that they control for all encryption, making it mostly worthless).

Written by chris

April 25th, 2011 at 6:00 am

Amazon EC2 Service, IN DEPTH


This episode is all about Amazon’s Elastic Compute Cloud (EC2) service. Is the dream of an on-demand, powerful cloud computing system under our own control a reality? I set out to answer that question!

Links for this week’s episode:

Recommended Books to help learn EC2:

http://tinyurl.com/8q7p5y

http://tinyurl.com/939lux
(NOTE: We do get a very small commission on the sales of those books via our Amazon Affiliate account)

Amazon EC2 Site:
http://aws.amazon.com/ec2/

You can watch this video’s embed, or download one of the many formats below:

  • Subscribe to the IN DEPTH RSS Feed
  • Catch videos as they are released over at our YouTube channel

Written by chris

January 15th, 2009 at 12:15 am