|TITLE:||GUEST & TITLE: Shannon Morse - Host Hak 5, TekThing|
Len Peralta - artist
|Stories subject to change up until showtime|
|Daily Tech News Show is powered by its audience. To find out more head to dailytechnewsshow.com/support|
|This is the Daily Tech News for Feburary 24th, 2017 I'm Tom Merritt|
|Shannon Morse and Len Peralta|
|Google apologized for an issue with its Google Accounts engine accidentally triggering a factory reset of Google WiFi and OnHub users Thursday.||http://www.zdnet.com/article/google-were-sorry-but-our-cloud-wiped-out-your-wifi-and-onhub-routers/|
|Now here are some more top stories|
|Alphabet’s Waymo autnomous car company filed suit against Uber’s Otto autonomous truck company over misappropriated trade secrets. Waymo alleges that in December 2015, while Otto founder Anthony Levandowski was a Waymo employee - backed when it was still part of Alphabet’s Google — he downloaded 14,000 “highly confidential and proprietary files” including Waymo’s LiDAR circuit board design. Waymo discovered this when a supplier accidentally copied a Waymo employee on email’s containing designs. The suit alleges other former Waymo employees of taking its data to Otto.||https://techcrunch.com/2017/02/23/waymo-sues-uber-and-otto-for-theft-of-trade-secrets/?ncid=rss|
|Google has renamed the default Android text messaging app from Messenger to Android Messages. The app supports Rich Communications Services, a Google-backed protocol that brings multimedia, read receipts and other chat app features to a standard SMS-like service that is not linked to just one app like WhatsApp or iMessage. Multiple hardware makers and service providers now support RCS, but significantly Apple and Samsung are not among them. Nor are Verizon, AT&T or T-Mobile. RCS messages sent to those devices and carriers will fall back to MMS or SMS.||http://www.theverge.com/2017/2/24/14721602/android-messages-google-rcs-universal-profile|
|Apple says a fix in iOS 10.2.1 has reduced unexpected shutdowns of iPhone 6 and 6s devices by 70-80 percent. This is a different bug than the unexpected shutdowns caused by batteries that were recalled last year. The problem was sudden spikes of activity could cause older batteries to deliver power unevenly, causing an emergency shutdown.||https://techcrunch.com/2017/02/23/apple-says-ios-10-2-1-has-reduced-unexpected-iphone-6s-shutdown-issues-by-80/|
|The US FCC voted 2-1 Thursday to remove transparency requirements for ISPs with fewer than 250,000 subscribers. That means small ISPs won’t be required to disclose network performance, fees, and data caps. The initial rule exempted ISPs with fewer than 100,000 subscribers with the intention of re-evaluating. The exemption is now locked in for five years. On Monday the FCC is expected to put a hold on data security requirements set to go into effect March 2, that would require broadband companies adopt reasonable security measures protecting location, Web browsing history and other information.||http://www.theverge.com/2017/2/23/14714142/fcc-lifts-net-neutrality-transparency-rules-smaller-isps|
|The International Telecommunications Union published its draft report on technical requirements for 5G radio interfaces Thursday. A single 5G cell must have a capacity of at least 20 Gbps, with a maximum latency of 4ms, support 1 million connected devices per square kilometer and have at least 100 MHz of free spectrum scaling up to 1 GHz. Users should see a minimum of 100Mbps down and 50 up. The draft is expected to be finalized and approved in November.||https://arstechnica.com/information-technology/2017/02/5g-imt-2020-specs/|
|Valve released a free toolkit for developers called Steam Audio that adds physics based sound propagation. In other words sounds reverberate off things the way they would in the real world, meaning they act more like sound in the real world. Steam Audio supports Windows, MacOS, SteamOS, Linux and Android, and works with Unity; with Unreal Engine 4, FMOD Studio and WWise in the works.||https://thenextweb.com/dd/2017/02/24/valve-s-cool-new-tech-can-make-games-sound-more-realistic-than-ever-with-minimal-effort/#.tnw_qdGhnhzj|
|To get all the tech headlines each day in less than 10 minutes subscribe to dailytechheadlines.com||http://dailytechheadlines.com/|
|Serious Cloudflare bug exposed a potpourri of secret customer data | Ars Technica||https://arstechnica.com/security/2017/02/serious-cloudflare-bug-exposed-a-potpourri-of-secret-customer-data/|
|Incident report on memory leak caused by Cloudflare parser bug||https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/|
|1139 - cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory - project-zero - Monorail||https://bugs.chromium.org/p/project-zero/issues/detail?id=1139|
|AgileBits Blog | Three layers of encryption keeps you safe when SSL/TLS fails||https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/|
|CloudFlare Bug: Sensitive Data Leaked Across Internet for Months | Fortune.com||http://fortune.com/2017/02/24/cloudflare-leak-bug-sensitive-information/|
|Cloudbleed: How to deal with it – Medium||https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.q6gkkiv66|
|List of Cloudflare sites||https://github.com/pirate/sites-using-cloudflare|
|Cloudflare - provides optimization and security services for websites. Most famous for DDoS mitigation but does much more than just that these days.|
- Cloudflare updated an HTML Parser
The update accidentally caused a coding error in an older piece of software to surface a vulnerability.
September 22. Automatic HTTP Rewrites enabled first using new HTML parser caused SOME requests for Cloudflare backed sites returned past the buffer and including data from memory which could have HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data
Search engine crawlers could find this information and cache it.
Cloudflare customer SSL Keys NOT leaked.
|January 30 - Server-side Excludes migrated to new parser|
February 13 - Email obfuscation feature changed causing spike in memory leaks.
Friday February 17, Google Project Zero researcher Tavis Ormandy discovered a leak in Cloudflare’s service which optimizes security and performance for websites.
In 47 minutes Clopudflare turned off email obfuscation stopping most memory leaks. Turned off Automatic HTTPS rewrites 3 hours 52 minutes in. Server-side Excludes last to be determined to be vulnerable and patch deployed to be killed (~3 hours)
Within seven hours Cloudflare fixed the underlying coding error, then worked with search engines to eliminate any cached information. Google’s Ormandy warns that other caches of data may still exist.
5.5 million sites used Cloudflare. Any of them could be subject
Not ALL sites were subject (At peak 2/13-2/18 1 in every 3,300,000 HTTP requests or 0.00003% of requests)
((Buffer had to finish with malformed script or img tag AND be less than 4K AND come from a site using email obfuscation or https-rewrites/SSE WITH another feature))
Across Google, Yahoo, Bing and others found 770 unique URIs that had been cached and which contained leaked memory. Those 770 unique URIs covered 161 unique domains
Not all cached data is gone
No way of knowing what’s out there.
No evidence of malicious exploits of the bug or other reports of its existence.
Change password if any doubts
Turn on 2FA where possible
Log out and log back in to mobile services to reset auth token
DETAILS ON PROBLEM
Cloudflare often modifies HTML to provide services to clients (like turning pages into HTTPS, or hiding parts of pages from bots etc.)
An HTML Parser (written in Ragel a single .rl file)reads the page to find elements that need changing before passing the page along
A year ago started tranistioning to new named cf-html.
Cloudflare’s use of Ragel caused a memory leak
The way internal NGINX buffers were used meant the leak never ocurred
BUT the cf-html introduction changed the buffering which allowed the leak through.
|Thanks to all those who participate in our subreddit. Submit stories and vote on them at dailytechnewsshow.reddit.com||http://dailytechnewsshow.reddit.com|
|Pick of the day:|
|I feel like I have a good general understanding of blockchains, but would really like to understand the corner cases (e.g. how is a tie solved, etc) and would like to hear about actual / practical use cases outside of banking.|
The two resources I use when explaining the block chain are (apologies if I got these from your show):
Logs With Rules: https://firstname.lastname@example.org/logs-with-rules-371bf2914432#.fc63qrj91
Simple Demo: https://anders.com/blockchain/
|Send your picks to feedbackatdailytechnewsshow.com and you can find more picks at||http://www.dailytechnewsshow.com/picks/|
|Messages of the day (email@example.com)|
|This was not an email to the show but a post I noticed on Hacker News that was made by Peter Guttman tot he Cryptography and Cryptography policy mailing list.|
He points out that the SHA-1 collision discovered by CWI and Google researchers requires a very carefully crafted document. He states this doesn’t affect all implementations of SHA-1 but situations where you need signatures to be valid for a long time, mostly long term document signing and certificates. He believes the risk of being exploited in practice is low for certificates and even long-term document signing.
So to get to his words: “Finally, with other stuff (software updates, ISOs, and others), (a) why were
you still using SHA-1, and (b) you now have about 6-12 months to finally
move to SHA-256, and this time we mean it.
For everything else, you really do need to plan the move to SHA-256. Think
of this as a practical application of Wright's Principle, "Security won't
get better until tools for practical exploration of the attack surface are
it's Erich from my used to be sunny in South Carolina now cold sometimes rainy and on the occasion that bright and sunny Germany. Wanted to comment on your episode about WhatsApp, I use it every day here in Europe. In Europe as a whole they tend to use WhatsApp and prefer it over text messaging I think part of that comes from the cell phone plan structure. I have a new cell phone over here and I do a prepaid plan or I have 3 gigabytes of data and 200 texts or minutes for calling for 25$ so it limits me on how many texts or minute I can use but WhatsApp data usage is so low that I favour using it over any of the built-in phone features you are calling and or text messaging. In fact WhatsApp my daughter's new school here in Germany preferred communications platform. The German radio stations all have WhatsApp account it's very very popular here. but its more along the lines because I think most people are in this position that I am with the minutes and or text message.Not to mention I don't have to worry about how i talk to people in United States. so coming from an expat definitely different over here.
|Thanks to Shannon Morse and Len Peralta|
|Patron Thank You||http://www.dailytechnewsshow.com/support|
|(Thank a boss, buy a mug, tell a friend)||http://patreon.com/dtns|
|Our email address is firstname.lastname@example.org! We're live M-F at 4:30 PM eastern at alphageekradio.com and diamondclub.tv and our website is dailytechnewsshow.com.||http://www.reddit.com/r/dailytechnewsshow/|
|Plug Monday's guest: Veronica Belmont|
|END OF SHOW|
|Thanks Nate. this week we tell you why you shouldn’t be panicked by the Cloudflare leak but you might want to change some passwords, and you should definitely turn on two-factor authentication. We also discuss why Virtual Personal Assistants may move us into the post-app era, get a good look at the Fabric blockchain system and discuss what makes people extra furious at Uber. All that and more at dailytechnewsshow.com. Back to you Nate!|