LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘DropBox’ Category

The Techie Geek – Episode 96 – Show Notes


Written by Russ Wenner

February 12th, 2012 at 8:30 am

Getting Work Done | LAS | s18e02


Last week we played games on Linux, this week – It’s time to get some work done!

Find out how some of the busiest guys on the Internet manage to get it all done, using Linux!

Plus – Find out why Motorola might be Android’s next big threat, and Cisco’s plans to help protect Linux!

All this week on, The Linux Action Show!



Thanks to:

GoDaddy.com Use our codes LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Direct Episode Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 | OGG Audio | OGG Video | YouTube


Episode Show Notes:

Runs Linux:

Raspberry Pi, Runs Linux

Android Pick:

Linux Pick:

News:
Getting Work Done:

Additional:

Find us on Google+

Find us on Twitter:

Follow the network on Facebook:

Catch the show LIVE at 10am on Sunday:

Perfect Passwords | TechSNAP 11


We’ve got the details of an FBI raid that knocked several popular sites off-line.

The WordPress plugin repository was compromised, and backdoors were added to a few popular plugins, and we’ll share the details.

Plus Dropbox’s shockingly bad security issue this week, and we’ll cover why you always want a little salt with your passwords!

All that and more, on this week’s TechSNAP!


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

TechSNAP has a new Sub-Reddit, submit links and questions for the show, and vote away!


Topic: FBI raids data center and takes 3 entire racks

  • At 1am on Tuesday the FBI raided the Virginia, USA data center of Swiss web hosting company DigitalOne.
  • DigitalOne’s website was still offline late Wednesday
  • DigitalOne does not have any staff on-site, and relies on remote hands from the data center operator, CoreSite. DigitalOne was not aware of what the problem was until hours later, when the data center contacted them and passed along the name of the agent in charge and a phone number for DigitalOne to contact the FBI.
  • When requested, DigitalOne had given the FBI information on the IP address they inquired about and told them the exact location of the server. However, the FBI seized 3 entire racks of servers rather than only the server they were after.
  • There are rumours that this raid was related to an investigation into LulzSec
  • A number of services like Pinboard and Instapaper were affected.

Topic: WordPress.org gets hacked, plug-ins compromised

  • WordPress.org is not sure exactly what happened
  • Plug-in repository compromised
  • Malicious code was found in commits to popular plugins like W3 Total Cache, AddThis and WPTouch
  • WordPress took the prophylactic step of forcing all users to reset their passwords to prevent any further compromised code from being pushed out.

Topic: Adobe patches two 0-day exploits in 9 days

  • Adobe issued a second ‘out of band’ security update for Flash player in only 9 days due to another exploit
  • Reportedly, one of the 0-day exploits was being used to steal users’ gmail passwords
  • The vulnerability was listed as critical, as it might allow an attacker to take complete control of a system
  • Nightmare scenario is a trusted page is compromised and flash malware is inserted
  • Make sure you update to the latest version of Adobe Flash

Topic: Dropbox goes passwordless, for 4 hours

  • A flaw at Dropbox allowed users to log in with any password and access the account
  • This means anyone who knew your email address could have accessed your account and files. They could have authorized additional devices so that they could continue to access your files even once this flaw was fixed.
  • Dropbox claims less than 1% of users logged in during that time (seems low)
  • Official Notice from Dropbox
  • If dropbox used proper encryption with one key per user, files could not be accessed without the correct password. However this security measure would take away a lot of the ‘easiness’ of dropbox that people are so fond of.

Topic: Bitcoin currency exchange compromised

  • The major bitcoin currency exchange MtGox had its database compromised and was taken offline when a large number of fraudulent trades were made, swinging the market.
  • The compromised account sold all of its coins, forcing the market price down, then bought them all back, and tried to cash out
  • Accounts that had not been used recently had not had their passwords upgraded from the original unsalted MD5 hash to the standard FreeBSD crypt() MD5 salted hash.
  • MtGox managed to get hold of someone at Google, and Google forced all users with Gmail accounts at MtGox to reset their passwords
  • Once MtGox is back up, they plan to switch to SHA-512 salted hashes.
  • MtGox claims that the computer of a 3rd party auditor who had read-only access to the database was compromised, and then insecurely hashed passwords were cracked and those accounts were then used by the attackers.

Q: (Keith) Can you explain salted hashing and two factor authentication in more detail?
A: Some websites, especially older forums and bespoke software, will store your password as a plain MD5 or SHA1 hash. These can easily be broken by a rainbow table, and can also be brute forced rather quickly using GPUs. To protect passwords against rainbow tables, modern password hashing algorithms use a ‘salt’. A salt is just some random characters added to the password before it is hashed. In the FreeBSD crypt() MD5, the default is 8 base64 characters. This means that a rainbow table would have to include those extra 8 characters to be able to crack the password. Also, the salt is different for each account, so a separate rainbow table would be required for each user, and two users with the same password won’t have the same hash. What many people don’t realize when they try to implement their own password hashing using regular MD5 is that the FreeBSD crypt() MD5 does 100 rounds of hashing, not just one. This was sufficiently slow when it was designed, but is much less so now. That is why other algorithms, like SHA-512 and Blowfish, have become more popular. On top of having larger salts (16 and 22 characters respectively), they use an adjustable number of rounds of the hashing algorithm. This allows the administrator to decide on a performance/security trade-off that best fits their needs.
Lecture notes by Allan on how Password Hashing Works
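To make the three points above concrete (a precomputed table reverses unsalted MD5 instantly, a per-user salt defeats the table and gives two users with the same password different hashes, and a round count sets the work factor), here is an added Python example. It is not code from the show or from FreeBSD: the salted, iterated construction and the tiny "rainbow table" are assumptions made for illustration and are not the real md5crypt algorithm, which should be used via the platform's crypt() or a dedicated library, not reimplemented.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed "rainbow table": plain MD5 of a handful of common passwords, precomputed once.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup_unsalted(md5_hex):
    """Reverse an unsalted MD5 password hash by table lookup; None if it is not in the table."""
    return RAINBOW_TABLE.get(md5_hex)


def new_salt():
    # 6 random bytes encode to 8 base64 characters, the salt length the notes give for crypt() MD5.
    return base64.b64encode(os.urandom(6)).decode()


def salted_hash(password, salt, rounds):
    """Salt the password and iterate the hash `rounds` times.

    Simplified illustration of salt + adjustable work factor only. This is NOT md5crypt;
    the chaining used here is an assumption for the example.
    """
    material = (salt + password).encode()
    digest = hashlib.md5(material).digest()
    for _ in range(rounds - 1):
        digest = hashlib.md5(digest + material).digest()
    return digest.hex()


def store_password(password, rounds=1000):
    """What goes in the user database: per-user salt, round count and hash, never the password."""
    salt = new_salt()
    return {"salt": salt, "rounds": rounds, "hash": salted_hash(password, salt, rounds)}


def verify_password(record, candidate):
    """Recompute with the stored salt and rounds; constant-time compare avoids timing leaks."""
    computed = salted_hash(candidate, record["salt"], record["rounds"])
    return hmac.compare_digest(computed, record["hash"])


def hash_cost_seconds(rounds, password="letmein"):
    """Wall-clock cost of one hash at the given round count (the admin's tunable knob)."""
    start = time.perf_counter()
    salted_hash(password, new_salt(), rounds)
    return time.perf_counter() - start


def demo(password="letmein"):
    """Returns (table cracks unsalted hash, table fails on salted hash, two users' salted hashes differ)."""
    unsalted = hashlib.md5(password.encode()).hexdigest()
    alice, bob = store_password(password), store_password(password)
    return (
        lookup_unsalted(unsalted) == password,
        lookup_unsalted(alice["hash"]) is None,
        alice["hash"] != bob["hash"],
    )


if __name__ == "__main__":
    print(demo())
    print("1,000 rounds: %.4fs, 100,000 rounds: %.4fs" % (hash_cost_seconds(1000), hash_cost_seconds(100000)))
```

Raising `rounds` is the performance/security trade-off the answer describes: every legitimate login pays the cost once, while an attacker pays it for every guess against every account.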

To answer the other part of your question, multi-factor authentication means using more than one way to confirm the user is who they claim to be. Two-factor authentication just means using 2 of the 3 factors to confirm the user’s identity, rather than just one. The three types are:

  • Something you know (username/password, secret question, pin #)
  • Something you have (ID card, security token, RFID, Cell phone)
  • Something you are (Fingerprint, Retina Scan, Signature, Voice sample)

So, the typical ATM card system is two-factor authentication: something you have (bank card) and something you know (PIN number). However, the PIN number is not a very strong authenticator. As we’ve seen in recent weeks, even a security token can be compromised, and some forms of attack, like the ZeuS trojan, just wait until you authenticate to perform their attack.


Bitcoin Blaster:

AMD Announces new Fusion System Architecture – How will this affect bitcoin mining?
Symantec finds virus that steals your bitcoins

Lulz Roundup:

LulzSec’s Primary tool? Havij v1.14 Advanced SQL Injection
FAKE: LulzSec supposedly claims its biggest coup yet: The entire UK 2011 Census
LulzSec Ring Leader Arrested
LulzSec-Exposed (counter hacking group) claims authorities are closing in
LulzSec teams up with Anonymous for Operation AntiSec

Lightning Round:

Mozilla End-of-Life’s Firefox 4 – No more security updates
Google builds plugin to detect unsafe DOM operations like XSS


Download & Comment:

Let’s Go Phishing | TechSNAP 7


Our very own Allan got caught in the wake of a data breach, and he’ll share the details

In the recent weeks there have been 10 separate attacks against Sony, the details are like nothing we’ve ever seen before. Plus we’ve got a new batch of viewer emails and I’ll share my near disaster war story!

All that & much more on this week’s TechSNAP!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:


Topic: DirectAdmin customer database compromised

  • DirectAdmin (by JBMC Software) is a unix web hosting control panel much like cPanel
  • DirectAdmin allows more customization, and scripting than cPanel
  • DirectAdmin provides official support for FreeBSD
  • Customer information was compromised (name, address, email, username, hashed password)
  • Billing information was not compromised (Credit Cards are processed via a gateway and never pass through DirectAdmin’s servers)
  • Unauthorized code was run on the DirectAdmin servers, sending a targeted phishing email to all customers, using their real names from the customer database, stating that the version of DirectAdmin they are using was compromised and directing them to a link that would take advantage of a PDF vulnerability to install malware on their computer.

http://www.directadmin.com/forum/showthread.php?p=204094#post204094


Topic: Sony suffers a series of compromises around the globe

  1. PSN Compromised and shutdown
  2. SOE compromised and shutdown
  3. So-Net, a Japanese ISP owned by Sony, was compromised, and virtual points were stolen from paying customers
  4. Sony Thailand defaced, replaced with a credit card phishing site
  5. Sony Online Sweepstakes (2500 contestants’ personal details leaked)
  6. PSN password reset page exploit (allowed anyone to reset another user’s password)
  7. Sony BMG Music Greece (8500 usernames, emails, passwords and phone numbers)
    • SQL Injection was used to dump the database and deface the site by hacker b4d_vipera
  8. Sony Music Indonesia (Defaced By k4L0ng666)
  9. Sony Music Japan
    • SQL Injection attack, credit claimed by LulzSec
  10. Sony Ericsson Canada (2000 usernames, email addresses and hashed passwords)
    • SQL Injection used to expose the database, credit claimed by the Lebanese hacker group Idahca
    • Sony has not notified customers, nor released a comment to the media about the compromise
    • The Canadian Privacy Commissioner has as yet not been contacted by Sony about the recent breach, and noted that Sony did not proactively notify them about the PSN/SOE breach.

Details have come out about specifically what outdated software Sony was running for the PSN/SOE servers:

    • OpenSSH 4.4 (Released Sep 2006, Latest: 5.8 Feb 2011)
    • Apache 2.2.10 (Released Oct 2008, Latest: 2.2.19 May 2011, 2.2.17 Oct 2010)
    • Apache 2.2.10 was subject to multiple known vulnerabilities
    • Excessively outdated software such as this indicates that the OS and packages were not being regularly updated or audited.

As mentioned before on TechSNAP, security researchers warned Sony about the problems months ahead of time.

Timeline Infographic of Sony security woes: http://www.creditcardfinder.com.au/the-sony-playstation-hack-what-it-means-outside-the-gaming-world.html


Q: (Adam) Is there a simple way to handle email encryption in Mozilla Thunderbird?
A: Yes, there is a plugin for Thunderbird called ‘EnigMail’ that allows you to easily implement GPG/OpenPGP in a cross-platform way. It requires you to install GPG; you can get it from the official GPG website, or through your favourite package repository for your OS. For Windows, there is also GPG4Win, which provides an easy installer and some basic GUI utilities. Of course, email encryption is only really useful if the person on the other end is encrypting their email as well. To send an encrypted email, you need the public key of the person you are sending the email to; they then use their private key to decrypt it. While not everyone will have email encryption set up, you can still sign all of your emails: this hash of your email, signed with your private key, means that anyone can use your public key to verify that only you, and no one else, could have sent a particular email, and that the email was not modified in transit.


Q: (dstoeberl) Since Dropbox has proven to be plagued with security design flaws, what about other services like Wuala?
A: Wuala used to be almost as bad as Dropbox, but they have improved since then.
Colin Percival, the FreeBSD Security Officer, makes a competing product for Unix called Tarsnap. He talks about some of the problems with Wuala and the claims they made:
http://www.daemonology.net/blog/2007-10-21-wuala-willful-ignorance.html
http://www.daemonology.net/blog/2007-10-26-wuala-update.html
http://www.daemonology.net/blog/2008-11-07-wuala-security.html

They used to make quite a few mistakes; however, their system is not fundamentally flawed like Dropbox’s: they encrypt each user’s files before they leave that user’s machine, so things are far more secure.

I would say they have learned some of the lessons Dropbox is now learning. But if you really want secure online backups, you really have to understand the issues, and decide how much you trust the claims the service is making.


Q: (DreamsVoid) I am building a home file server to go under my bed. It will have 5 hard drives, but I am concerned about cooling vs noise level, and power usage.
A: There are a few basic principles to consider for cooling any computer. The first is airflow: specifically, you want to make sure you are always drawing cool air in the front of the machine, then exhausting the hot air out the back. Maintaining a consistent directional flow of fresh air will allow the components to displace their heat. Make sure the front intakes of your case have access to plenty of fresh air and keep them clear of dust and debris. Make sure you also give the machine a decent margin for exhaust; don’t shove the machine tight against a wall, or the fans won’t be able to push the hot air as far away from the machine. For noise considerations, where possible, use larger diameter fans; they can move the same amount of air with significantly less noise. Most fans will include 3 important measurements on the package: airflow (cubic feet per minute), air pressure (millimetres of H2O) and dB(A) (weighted noise level). You have to compare the numbers and make the tradeoffs that work best for you; a lower noise level fan will move less air, and likely with less pressure. As far as power usage, hard drives only use a few watts, even when active; their largest consumption is during boot up. Hard drives with a lower RPM will use less power, and there are also specific models designed to offer lower power consumption.

LAS Episode covering Home Server Builds


Chris War Story:

http://www.drbd.org/
Evernote infrastructure


Download & Comment:

Backups & Server Hardware | TechSNAP 6


Every six hours the NSA collects as much data as exists in the entire Library of Congress, and we have a few practical notes on how a system like that could even function.

We follow up on Dropbox, and what looks like the FTC is getting involved with their recent snafus.

Plus we answer a big batch of your emails, and our backup tips for home, small business, and the enterprise!

Please send in more questions so we can continue doing the Q&A section every week! techsnap@jupiterbroadcasting.com


Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

Topic: NSA collects data on a massive scale

NSA Gathers 4x the Amount of Info than the Library of Congress, Daily

  • NSA gathers data at an incredible rate, equivalent to the entire content of the US Library of Congress every 6 hours.
  • The Library of congress contains nearly 150,000,000 catalogued entries.
  • The Library of congress ‘American Memory’ site contains tens of petabytes of public domain images and audio/video recordings.
  • The NSA has the ability to apply for patents under a gag-order, if and only if another entity tries to patent the same process, do the NSA patents become public. NSA patents never expire.
  • http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=%2Fnetahtml%2FPTO%2Fsearch-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN%2F6947978 – the NSA patented the geo-location by pinging a series of routers technique we discussed a few weeks ago during the iPhone GPS story.


Topic: new US Internet censorship bill, the ‘PROTECT IP’ Act

Revised ‘Net censorship bill requires search engines to block sites, too
http://arstechnica.com/tech-policy/news/2011/04/google-private-web-censorship-lawsuits-would-create-trolls.ars

  • Law is in part about attacking foreign sites that US law enforcement currently cannot target
  • Proposes to require search engines to remove results for sites at the request of not only the government, but also of rights holders. Have we not seen enough false positives and trolling via the DMCA?
  • rights holders would not have to seek government assistance to have sites censored, but could seek court orders directly against payment processors and advertising networks (but not ISPs or search engines)
  • actively encourages search engines and other sites to take action without any sort of court order
  • Act will protect ad networks and payment processors from being sued by the customers they spurn if they “voluntarily cease doing business with infringing websites, outside of any court ordered action”. The definition of infringing is left up to the rights holder.

Book recommendation: The Master Switch (Audio Book / Audible Sign up)


Topic: Lying about security for a competitive edge

http://www.wired.com/threatlevel/2011/05/dropbox-ftc/
http://www.wired.com/images_blogs/threatlevel/2011/05/dropbox-ftc-complaint-final.pdf

  • A complaint has been filed with the Federal Trade Commission claiming that Dropbox engaged in Deceptive Trade Practices by claiming to securely store your data when they in fact do not store it according to industry best practices.
  • It is the belief of the complainant that the security claims made by dropbox gave them a competitive advantage over other services, specifically, users might have chosen a more secure service if they were aware of the problems with dropbox
  • At issue is a specific claim from the Dropbox website that has since been retracted when it was discovered that it was false: “All files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.”
  • Because Dropbox uses only a single AES-256 key, rather than a separate one for each user, employees and others at Dropbox may access your files at any time without your password. The Dropbox page has been updated to reflect the fact that Dropbox will turn over your files if requested by law enforcement or possibly other parties.

Topic: Q&A

Q: (akito) What do data centers use for fire suppression now that Halon is frowned upon?
A: Some data centers still use Halon, however most have switched to using ‘clean agents’ such as FM-200 that are designed to remove the ‘heat’ from a fire. Unlike other agents, FM-200 does not leave an oily residue or otherwise degrade your equipment. Some systems use CO2 to displace the oxygen in the space and suppress the fire that way. Also 3M has developed a non-conductive fluid that can be used in place of Halon without damaging equipment.
http://solutions.3m.com/wps/portal/3M/en_US/Novec/Home/Product_Information/Fire_Protection/
http://www.youtube.com/watch?v=1iz4o3W6IJM

War Story: No means none, not even a little bit

(Allan) Interesting story from when I worked at Ontario Power Generation. There was a problem with one of the CRAC (Computer Room Air Conditioner) units in the on-site data center, and a refrigeration technician was dispatched. Before we let him into the server room we specifically told him that he must come to us before he started any kind of soldering or welding, as it would set off the fire suppression system, which thankfully no longer flooded the room with Halon, but still triggered an emergency shutdown of all electrical systems in the entire IT wing of the North Admin building. Basically, when a fire is detected by the system, the klaxon sounds and you have 30 seconds to silence the alarm before it is escalated, at which time the power is cut and Halon (if it had not been disabled) would be deployed. I was down the hall from the server room in one of the test labs, working on the Windows NT4 to Win2000 migration. Out of nowhere, the fire alarm goes off. At first I was startled, then it clicked: the repairman had forgotten to warn us that he was going to begin soldering. I took off at a dead run towards the alarm panel; as I got closer I heard the alarm tone change, and I only had 10 seconds left before the power to every server would be cut and the UPS system would be bypassed. We’d have spent hours cleaning up the mess, and explaining what went wrong. Thankfully, I reached the panel in time, and jammed the big red silence button, saving the day.

Q: (DreamsVoid) I would like to back up my Linux and Windows computers to my Linux server using rsync. How should I set this up?
A: rsync has many advantages, specifically the way it can compute the delta between files and significantly reduce the amount of data that has to be transferred during a backup. However, rsync is not a good backup solution because it only creates a copy of the file, not a true backup. In a true backup system, you retain multiple versions of each file from different dates. Say for example a file is corrupted, if you do not notice this right away, during the next rsync, the ‘backup’ copy of the file will be replaced with the corrupted one, and you will have no recourse. If all of your computers are on a LAN, you don’t have any real worries about the amount of bandwidth you are using transferring the files, and a proper backup solution is best.

rsync for windows: http://itefix.no/cwrsync/
BackupPC – open source backup to disk: http://backuppc.sourceforge.net/
Bacula – high end open source network backup system: http://www.bacula.org

Q: (Nean) What are the differences between a server and a normal desktop computer?
A: Generally they are not all that different, but some servers have additional features and capabilities that are not necessary in a regular desktop. Typically, higher end servers have redundant power supplies, both because they need to draw more power than a single power supply can provide, and to be able to continue operating in the event that one of the power supplies dies. Servers, and some high end desktops, also have redundant disks, taking advantage of various RAID configurations to allow the server to continue operating even if one or more disks stop functioning. Servers typically have dedicated RAID controllers that support more exotic forms of RAID than the typical on-board controller found in high end desktops. Servers also tend to have remote management cards that allow an administrator to access the BIOS and even manipulate the keyboard/mouse remotely, instead of having to be local to the machine.


Download:

Written by chris

May 23rd, 2011 at 2:20 am

Build Your Cloud PT1 | LAS | s16e10


Swooping from the clouds and getting in your face, we’ll give you solid alternatives to Google’s services that put you back in control!

Is it possible to build your own cloud? Is open source technology up to this task? Stay tuned and find out our ACTION recommendations for this mammoth task!

Plus so much more!

All this week on, The Linux Action Show!



Thanks to:

GoDaddy.com Use our codes LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Direct Episode Download Links:

HD Video | Large Video | Mobile Video | MP3 | OGG Audio | OGG Video | YouTube


Episode Show Notes:

Runs Linux:
Your Web Browser, runs Linux
Javascript PC Emulator – Technical Notes

Android Pick:
RedWall
Android Picks so far, thanks to Madjo in the IRC Chat room

TechSNAP:
Checkout TechSNAP
TechSNAP’s coverage of Dropbox’s recent security issues.

Linux Pick:
TrippleA
NEWS:
MeeGo 1.2 Released
Kubuntu Mobile 11.10 – WOW
GNOME Discusses Becoming a Linux-only Project
Open Virtualization Alliance
De Icaza: Announcing Xamarin
Announcing Xamarin – Blog Post
Fedora 15 Goes Gold, and That’s Not All

Ditching Google / Build Your Personal Cloud:

The Search Engine:
HideMyAss Search
Yauba
DuckDuckGo
ixquick

GoogleDocs:
Feng Office Community Edition

GMail:
RoundCube

DropBox:
iFolder
SparkleShare
ownCloud

Say Whuuuuu:
eyeOS

Find us on Twitter:
twitter.com/BryanLunduke
twitter.com/ChrisLAS

Follow the network on Facebook:
facebook.com/jupiterbroadcasting

Catch the show LIVE at 10am on Sunday:
http://jblive.tv


Download

PSN Breach Details | TechSNAP 3


We cover the amazing details of the PlayStation Network breach, sharing some of the most interesting details in this episode. Following the theme of service outages, Allan and Chris share their things to keep in mind when looking at hosted services.

Plus find out why the US Government is shutting down 137 data-centers, and we wrap up with another Dropbox controversy!

iTunes & RSS Feeds:


Show Notes:

Topic: PSN Security Breach

  • A new custom firmware allowed users to access the PSN development network
  • The development network accepts fake credit cards and is designed for testing
  • Users with access to this development network managed to pirate paid content
  • Someone then managed to compromise the PSN Developers network some time between April 17th and 19th
  • Developers network had increased privileges, access to content and customer data
  • At first Sony claimed to not know why PSN was down
  • Sony took a number of days to admit that PSN had suffered an intrusion and that it would not be back online anytime soon.
  • Sony waited a week to tell customers their personal data had been exposed, likely hoping to avoid the PR black eye
  • Sony claims the Credit card database was encrypted
    • Encrypting credit cards with a single symmetric key only provides limited protection. (The key must be accessible by the application that saves the card data, and so is likely to have been compromised along with the database.)
    • Using asymmetric keys can be an option, where the public key is used to encrypt the card and only the private key can decrypt it, but if the application needs to read the cards back in practice, the private key must be accessible by the application and therefore may be exposed as well.
    • Another trick is to AES encrypt each customer’s credit card with their password. This way the credit card can only be accessed by that customer, and cracking the encryption becomes a much bigger task, especially if the user’s password is stored using a cryptographic hash. A side effect of this is that the customer must re-enter their password when they wish to use the stored credit card, but this is actually good form anyway. A downside is if the credit card is required for subscription billing and it is encrypted such that the user’s password is required to read it.
    • Sony says the CVV numbers were not compromised because they do not collect them, and therefore never stored them. It is against PCI DSS policy to store the CVV; this is explicitly so that when databases of credit cards are compromised, the CVV is not.
    • Sony says it is physically moving the PSN to a more secure facility. Was this a physical attack or an inside job? Was Sony outsourcing its network security to the data center?
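The two designs contrasted above (one application-wide key that a database thief can reuse, versus a key derived from each customer's own password) can be shown side by side. The following Python example is added here and is not code from the show or from Sony. Because the standard library has no AES, it uses an HMAC-SHA256 counter keystream with an encrypt-then-MAC tag as a stand-in cipher; that substitution, the PBKDF2 parameters and the purpose labels are all assumptions for the example, and real systems should use AES-GCM or similar from a vetted library.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # Counter-mode keystream from HMAC-SHA256: a stand-in for AES so this runs on the
    # standard library alone (assumption for illustration, not a production cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Encrypt-then-MAC. key is 64 bytes (32 for encryption, 32 for the tag)."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Return the plaintext, or raise ValueError if the key is wrong or the blob was altered."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Scheme A: one application-wide symmetric key -------------------------------------
# Constructed key; in the scenario the notes describe it lives on the same host as the
# application that writes the cards, so a database thief likely gets it too.
APP_KEY = os.urandom(64)


def store_card_single_key(card_number):
    return encrypt(APP_KEY, card_number.encode())


def read_card_single_key(blob):
    # Anyone holding the database dump together with APP_KEY can read every card.
    return decrypt(APP_KEY, blob).decode()


# --- Scheme B: per-customer key derived from the customer's own password ---------------
def derive_key(password, salt, purpose):
    # Distinct purpose labels keep the login hash and the card key unrelated, so the
    # stored login hash does not reveal the card key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), purpose + salt, 100_000, dklen=64)


def create_customer(password, card_number):
    """Database row: salted login hash for authentication, card encrypted under a key that
    exists only while the customer's password is in hand."""
    login_salt, card_salt = os.urandom(16), os.urandom(16)
    card_key = derive_key(password, card_salt, b"card")
    return {
        "login_salt": login_salt,
        "login_hash": derive_key(password, login_salt, b"login")[:32],
        "card_salt": card_salt,
        "card_blob": encrypt(card_key, card_number.encode()),
    }


def check_login(record, password):
    candidate = derive_key(password, record["login_salt"], b"login")[:32]
    return hmac.compare_digest(candidate, record["login_hash"])


def read_card_per_customer(record, password):
    # Only the customer, re-entering the password at checkout, can unwrap the card;
    # a stolen database row plus APP_KEY is useless here.
    key = derive_key(password, record["card_salt"], b"card")
    return decrypt(key, record["card_blob"]).decode()


if __name__ == "__main__":
    row = create_customer("hunter2", "4111111111111111")  # constructed test values
    print(read_card_per_customer(row, "hunter2"))
```

The last bullet's downside is visible in `read_card_per_customer`: nothing can run it without the password, so a subscription renewal that happens while the customer is away would need a different key-management arrangement.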

http://www.joystiq.com/2011/04/27/sony-new-ps3-firmware-to-accompany-psn-relaunch-network-being/


Topic: When a cloud provider goes under

http://hardware.slashdot.org/story/11/04/26/1425255/What-Happens-To-Data-When-a-Cloud-Provider-Dies

After the scare with Amazon last week, a number of companies are reconsidering their choice of cloud provider, or of using the cloud at all. This brings to light a number of issues, especially vendor lock-in (how difficult it is to move from one cloud to another), and how much trust you put in the cloud provider from an information security perspective, as well as availability and the continued viability of their business model. Over the last number of months, 4 providers have closed down their clouds, leaving customers with many questions.

  • if you close your account, will your data be securely deleted?
    • their backups and replication will likely still have copies of your files even if they are “deleted”, this is why your data should be encrypted
    • if your data is encrypted and you hold the private keys, then you can ensure they can’t read it
    • if they hold the keys, and say they deleted them, that is better than nothing, but there are no guarantees
  • if the cloud goes under, how can you get your data back
  • if the cloud goes under, who will get your data in the end, will it be destroyed safely

Cloud is not primary storage, but acts as a convenient online archive.


Topic: US government to consolidate its data center operations

http://www.datacenterknowledge.com/archives/2011/04/28/feds-will-shutter-137-data-centers-in-2011/

US government will close 137 data centers this year as it moves to consolidate and take advantage of the cloud. Will we see a bunch of these data centers bought up, or is the age of the small to medium sized data center over?

Government agencies have identified 100 email systems and 950,000 mailboxes to migrate to a cloud computing model as part of Kundra’s ‘Cloud First’ initiative.


Topic: Google releases video from its data centers to promote the security of Google Docs

http://www.datacenterknowledge.com/archives/2011/04/22/video-googles-data-center-security/

  • Google talks about the security at their data centers
  • Google rotates the hard drives from its servers on a regular basis, as well as when sub-optimal performance is detected (indicating failure)
    • This may also have to do with google’s previous hard drive reliability tests, after a specific age the chance of the drive failing increases, so it is rotated out preemptively
  • Google destroys the drives by deforming the spindles and then shredding the drives
  • Google anonymizes the data and fragment/shards it as well as keeping multiple replicas. If an individual server were compromised, data would be reasonably secure

comparison at ScaleEngine:

  • Badge or Escort to enter main gate
  • Badge and Fingerprint Scan to access building
  • Man Trap (Single Occupancy check) and Biometrics to enter datacenter floor
  • Individual Pods require Biometric Authentication (You can only enter PODs that you are authorized for)
  • Physical Locks on each cabinet/rack/cage to ensure security of individual customers
  • Telephone pass codes required for all remote-hands requests
  • Location staffed 24/7/365
  • Chilled water cooling from on-site well with cooling towers, fail-over to city water supply plus regular CRAC cooling
  • N+2 Electrical Generation Redundancy with 1MW locomotive style Generators

Topic: More security problems, Dropbox tries to kill an open source project to protect its security by obscurity

http://razorfast.com/2011/04/25/dropbox-attempts-to-kill-open-source-project/

Dropbox security problems again. Rather than fixing the problem, Dropbox sends DMCA notices.

  • Using the hash of a file and an external app, you can add a specific non-public file to your dropbox via the dropbox de-duplication system (make dropbox think you uploaded it when you never actually had a copy of the file)
  • A simple brute force attack could net you all kinds of interesting files
  • Security by Obscurity – Dropbox security depends on keeping their client-server protocol secret, this is unbelievably bad practice.
  • Using legal rather than technical means to try to maintain security will always be a losing battle


Download:

The Techie Geek – Episode 39 – Show Notes



MP3 Format
OGG Format
FOLLOW ME on Twitter
FOLLOW ME on Identica
FOLLOW ME on Facebook
Email me at russ AT thetechiegeek DOT com
Leave me a voice mail at 1-206-338-4483

The South East Linux Fest
gpodder is a nice pod catcher that allows you to save your feeds to their web site at my.gpodder.org. There is also a version of gpodder for the Nokia N800 and N810
Rhythmbox is a pod catcher that comes with Ubuntu but does not allow you to export your feeds
“The Great Tech Debate” and “Podnutz”
iRiver T7 Volcano plays OGG files as does the Sansa Clip
Red Hat Linux, openSUSE, and Ubuntu
Is unmounting and Ejecting a USB device the same thing?
Mr. Gadgets blog and his Utterli site
K7.net get your free voice mail and FAX account
Asus eeePC 701
Acer Aspire One
What’s a Hackint0sh?
NDISwrapper allows the use of Windows drivers in Linux
HP mini 1000 netbook
The Dell Mini
MSI Wind
The new Asus 1008HA Seashell netbook
The Asus 1000HE claims to have 9.5 hours of battery life
The Asus 901 claims to have 8 hours of battery life
“Spotlight on Windows” is freeware monitoring software
WinSCP is a freeware GUI app for using scp (Secure Copy)
FileZilla can be used in SSH mode (SFTP)
System76 Starling netbook
Ubuntu Netbook Remix is a Linux distro for netbooks
Total Commander is a pay-for file manager for Windows
Free Commander is an excellent freeware file manager for Windows
Verbal’s Podcast, “The Linux Trivia Podcast” (Verbal’s ToDo List)
The Bible by “The Bible Experience” for your portable player. My two favorite Christian podcast sites OnePlace and CCphilly
Kon-Boot is an app that allows you to log in to a Linux box or Windows box with a password
Here’s a link to the thread on my LUG’s email list about Kon-Boot (click view entire thread)
Addonics device turns any USB device into a Network Attached device or NAS
Pogoplug is awesome, allowing you to SSH in, but it needs some firmware updates to be perfect.
What are Newsgroups and Warez?
binsearch.info is a search engine for Newsgroups
Xnews is a free news reader for Windows
pan is a news reader for Linux
Scroogle is a search engine that uses Google but anonymizes your searches
still loving CommandLinefu.com for learning the command line.
command using ffmpeg that removes audio from movies and drops them in an audio file
command for forwarding X over SSH
cool command for displaying your WAN IP on the command line
DropBox gives you 2GB of free online storage that syncs between your cross-platform boxes
Kellys-Korner-XP has lots of help for XP users
ActiveISO Burner for Windows makes burning Linux distros easy. (The best use of Windows is for downloading and burning Linux ;-)

Check out these great podcast sites: Techpodcasts.com and BluBrry.com