LinuxPlanet Casts

Media from the Linux Moguls

Archive for the ‘centos’ Category

The Techie Geek – Episode 93 – Show Notes

without comments

mp3

ogg

facebookidenticatwitter

Email Russ at russ AT thetechiegeek DOT com
Email Tracy at tracy AT thetechiegeek DOT com
Leave us a voice mail at 1-206-339-1575

FreeLinuxBox.org helps your un-needed Linux box find a needy home

The Techie Geek Podcast Forums! Thank you to LinuxBasix.com
Unix Stickers
Motorola Droid Bionic
Bionic disappearing app bug
App 2 SD Pro app
APK Manager
Motorola DroidX2
XP end of life
VitualBox
XP Compatibility Mode
NeXT Computer
NeXTSTEP OS
Steve Jobs brainstorm with the NeXT team in this fascinating video
Best Woz interview about Steve Jobs on Dan Lyons Blog
Pixar co-founded by Steve Jobs
Tim Berners-Lee used a NeXT computer
CERN
Al Gore created the Internet (Not)
Change Desktop Resolution With a Keyboard Shortcut
YouTube to take on cable with A-list celebs
Excel slow when opened from the network
Stolen Camera Finder
Google Reader Shortcuts
Hardware hacker? Then you need the info at Form Factors .org
2Ux2.com designed by Russ (You can still get them if you need 100 of them)
New HP CEO, new plan: It’s keeping the PC biz after all
Hard Drive Shortage
Kindle Fire expected to sell 5 million in Q4
Webmin Manual
fail2ban to ban IPs that attempt too many logins
Tracy was on Ep 64 of “Linux for the Rest of Us”
ClearOS
CentOS
Doctor Who: Regeneration (All Regenerations 1963 – 2010)
SDF.org Public Access UNIX System
BSDmag online
Kon-Boot
Reset Windows7 Password
Irongeek.com
Derbycon 2011 videos
Samsung smartphones reportedly outship the iPhone
SecTools.Org: Top 125 Network Security Tools
Leatherman Multi-Tools
Russ’s Leatherman Tools
X-Plane 10 flight simulator
How To Make Ghosts In Photoshop or GIMP
How To Make Your Own (Almost) Chromebook
How To Configure A pfSense 2.0 Cluster Using CARP
3G Hotspot Brings Home Internet Access Wherever You Get a 3G Signal

Check out these great podcast sites: Techpodcasts.com and BluBrry.com

Written by Russ Wenner

November 27th, 2011 at 3:27 pm

Battery Malware | TechSNAP 16

without comments

post thumbnail

Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.

Plus find out about a Google bug that could wipe a site from their Index, and a excellent batch of your feedback!

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:

Show Notes:

iPhones vulnerable to 9 year old SSL sniffing attack

  • A nine year old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier to use version of the tool on monday, to coincide with Apple finally patching the flaw on iPhone and other iOS devices.
  • Any unpatched iOS device can have all of it’s SSL traffic trivially intercepted and decrypted
  • This means anyone with this new easy to use tool sitting near a wifi hotspot, can intercept encrypted login information (gmail, facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
  • The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraint’ parameter, allowing an attacker to sign a certificate for any domain with an existing valid certificate, a condition normally prevented by the constraint.
  • There are no known flaws in SSL it self, in this case, the attacker could perform a man-in-the-middle attack, by feeding the improperly signed certificate to the iPhone which would have accepted it, and used the attackers key to encrypt the data.
  • Patch is out with a support doc and direct download links

Apple Notebook batteries vulnerable to firmware hack

  • After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
  • With this password, it is possible to control the firmware on the battery
  • This means that an attacker can remotely brick your Macbook, or cause the battery to overheat and possibly even explode
  • The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
  • The attacker could also completely replace the Apple firmware, with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
  • Further research will be presented at this years Black Hat Security Conference
  • In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.
    Additional Link

Facebook fixes glitch that let you see private video information

  • A glitch in facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
  • It was not possible to view the actual videos

Google was quick to shutdown Webmaster Tools after vulnerability found

  • Using the google webmaster tools, users were able to remove websites that did not belong to them from the Google Index
  • By simply modifying the query string of a valid request to remove your own site from the google index, and changing one of the two references to the target url, you were able to remove an arbitrary site from the google index
  • The issue was resolved within 7 hours of being reported to Google
  • Google restored sites that were improperly removed from its index.

Researchers find vulnerablity in Skype

  • Inproper input validation and output sanitation allowed attackers to inject code into their skype profile
  • By entering html and java script in to the ‘mobile phone’ section of your profile, anyone who had you on their friends list would execute the injected code.
  • This vulnerability could have allowed attackers to high your session, steal your account, capture your payment data, and change your password

Feedback


Q: (Sargoreth) I downloaded eclipse, and I didn’t bother to verify the md5 hash they publish on the download page, how big a security risk is this?
A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (The FreeBSD Ports tree comes with the SHA256 hashs of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64bit hardware, however it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected in to their downloadable archives on official mirrors, such as the UnrealIRCd project.


Q: (Christoper) I have a windows 7 laptop, and a Ubuntu desktop, what would be a cheap and easy way to share files between them?
A: The easiest and most secure way, is to enable SSH on the ubuntu machine, and then use an SFTP client like FileZilla (For Windows, Mac and Linux), and then just login to your ubuntu machine using your ubuntu username/password. Alternatively, If you have shared a folder on your windows machine, you should be be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba, to allow your Ubuntu machine to share files with windows, it will appear as if it were another windows machine in your windows ‘network neighbourhood’.


Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here


Bitcoin Blaster

Roundup

Live USB Drive | LAS | s17e08

without comments

post thumbnail

We’ll show you how to save your hard earned monies and how easy it is to stop burning those Linux ISO’s to disc!

Then – Find out why Microsoft is one of the top contributors to the Linux 3.0, and why its really not that big of a deal… Or is it?

Plus so much more!

All this week on, The Linux Action Show!


Thanks to:

GoDaddy.com Use our codes LINUX to save 10% at checkout, or LINUX20 to save 20% on hosting!

Direct Episode Download Links:

HD Video | Large Video | Mobile Video | MP3 | OGG Audio | OGG Video | YouTube


Episode Show Notes:

Android Pick:

News:

LinuxCoin:

UNetbootin:

Find us on Twitter:

Follow the network on Facebook:

Catch the show LIVE at 10am on Sunday:


Download & Comment:

DistroCast Episode 9.0

without comments

In this episode:
- Listener Feedback
- Southeast Linuxfest 2009 wrap up
- Ohio Linuxfest
- We review CentOS

MP3 Feed

Written by Jeremy

July 12th, 2009 at 11:21 pm