S1E2: "hunter2"

Log
Recorded (UTC) | Aired (UTC) | Editor
2016-03-03 03:37:15 | 2016-03-14 04:08:56 | aaron k.
Verification
Format | SHA256 | GPG | Audio File
MP3 | eae151057ac0f6a9223489503c35cd7c79fd8000a7cf58280f0cff8037032282 | click | click
OGG | 03fbaa9f9d37ff2a981ab0e40ffe27b9657b37ba970bddfef35547524f69f21c | click | click

Journalctl, lftp, passwords, WINE (yes, again), and acoustic/sidechannel crypto attacks.

News

Starts at 3m23s.

  • The FTC is hitting Asus for making shitty router firmware, software, etc.
    • (Though it’s more like just a slap on the wrist.)
  • Linux Mint got fucked hard and without lube.
  • We talk more about this in the show notes.
    • This is why you don’t use WordPress. lolz
  • And ANOTHER SSL vuln, DROWN.
    • Affects/targets SSLv2, and yet again exists because of government-mandated weaker export encryption laws.
    • You can check for vulnerability here.
  • Not really “news”, but still hilarious: MSFT released .NET for GNU/Linux, as F/LOSS.

Notes

Starts at 8m49s.

  • DROWN is stupid and overhyped. But we sort of recap various SSL-related vulnerabilities anyway.
    • DROWN is an acronym for Decrypting RSA with Obsolete and Weakened eNcryption.
      • I told you it was stupid.
    • Their broken-ass piece of shit Python scanner is here.
  • We talk about some neat little features of journalctl and mention lftp. (11m18s)
    • The wget option I was thinking of is --no-parent. (E.g., for mirroring a specific directory, I would use wget -e robots=off -r -N --no-parent -nH domain.tld/dir1/dir2/.) Note that it does, however, traverse symlinks (this can be disabled by the --retr-symlinks=no flag, but ONLY if fetching via FTP). But it still won’t get parent dirs (../).
  • I didn’t get a chance to talk about passwords because the co-hosts pulled me down a tangent. (15m56s)
    • I really wanted to mention this and this. I’ll keep bringing passwords up in the show until we get to talk about them, gorram it.
    • The “XKCD Algorithm” I mention is here, but I consider it bad advice. And Schneier agrees with me.
    • And Jthan actually defeated a (mild) on-air social engineering attack from me!
    • I also mention oclHashcat and John the Ripper’s MPI functionality (if you’re using john, you’ll probably also want to use the jumbo patchset).
    • And for password managers (I shared this link and their response), I like pass.
    • For generating passwords, I’m particularly fond of pwgen, usually invoked via something like pwgen -sy 64 1. You might want to leave the -y off if you’re generating MySQL passwords.
    • I talk about the cracking rig in S0E12.
    • Browsers are in general just terrible.
    • The title comes from this. Thanks, Kyle!
  • WINE is (still) Not an Emulator! (32m30s)
  • “Acoustic Keyloggers” (46m03s)
    • The article Paden sent me is on Vice.
    • But this is nothing new.
    • Seriously, we’ve known about this stuff for a while already.
    • There’s even a PoC!
    • I also mention Van Eck phreaking.
    • You can make your own laser microphone!
    • I suggest that possible circumvention/prevention/negation of the various attacks would be a Faraday cage, “jamming” with junk RF signal on the same frequency, lead-lined… everything.
      • We’re interested in hearing your creative ideas for circumventing these attacks! Let us know on Twitter or our Contact page!
      • By the way, I mention projection keyboards. Which are super cool! Unfortunately they’re not very accurate.

Errata

  • Our editor Aaron picked the music out for this episode!
  • Aaron also makes a special appearance at 36m36s to confirm an unexpected result: in a twist of the-butler-did-it proportions, the culprit of typing was both Jthan and Paden! (insert dramatic music sting here)
  • Rainbow yelled at me because I neglected to mention that WINE works on FreeBSD (and presumably other BSDs) too! FreeBSD also has a Linux compatibility layer.

Music

Music Credits
Track | Title | Artist | Link | Copyright/License
Intro | Glass Android | Lee Rosevere | click | CC-BY-SA 4.0
Outro | Glass Android | Lee Rosevere | click | CC-BY-SA 4.0
(All music is royalty-free, properly licensed for use, used under fair use, or public domain.)
