Double 0-Java | TechSNAP 73

Double 0-Java | TechSNAP 73

This week we’ll tell you the story about Agent Double 0-Java, the exploit with a license to kill. Plus Google’s creative solution to securing user content.

Then it’s a big batch of your questions, and our answers.

All that and much more, in this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains


Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed


Support the Show:


Show Notes:

Java 0-day exploit in the wild

Google publishes important information about hosting user generated content

  • Google loads all user generated content from an isolated domain,
  • Google uses subdomains to separate different bits of UGC
  • One of the reasons for this is attacks such as GIFAR, which an attacker takes a valid .gif file, and concatenates a java exploit .jar (which is just a zip file containing the compiled code)
  • Now an attacker can embed on their site an HTML appet tag with a src pointing to a google domain (such as Picasa)
  • By shifting the content from official google domains, to the, the browser’s ‘same origin’ policy should prevent malicious UGC from accessing the users’ authentication cookie
  • Google goes on to detail their solutions for content that requires authentication (private documents, google apps for enterprise), where not being able to access the google authentication cookie would pose a problem
  • Google uses a number of solutions (temporary cookies on URL passed authorization tokens, URLs bound to a specific user), to trade off usability and the risk of accidental disclosure (if access to a private image is controlled by a URL parameter, what if the user copies the link to the picture and uses it elsewhere?)


  • Tool for provisioning new servers
    FreeBSD’s install can be scripted in a few different ways, the easiest is likely to start with the 225 line shell script that is the current FreeBSD installed
    You can set a few environment variables, and remove the dialogs, and you’ll have a fully automated install tuned just the way you like, then just PXE boot that, or make your own CD
    There are also some nice tutorials out there:
    Scripting a FreeBSD 9.x Install
    HOWTO: Modern FreeBSD Install RELOADED
    I generally do not script the installs of my BSD boxes, it takes only 5–10 minutes to do the install, and since each machine tends to have a different disk layout, it wouldn’t save much time
    Also, many of my servers are in foreign data centers, and they do the FreeBSD install for me, then just provide me with my SSH credentials. (Although a great many now provide IPMI/KVMoIP and allow me to install the OS myself)

  • Thoughts on OpenID
    OpenID moves the trust from a number of separate sites, to a single site, your ‘identity provider’
    This is likely more secure, since OpenID is based on strong practices, but also presents a more tempting target
    The advantage is that you can be your own OpenID provider, and then you only have to trust yourself

  • Tricks to conserve Bandwidth?

  • Daniel writes in with a note that he uses Puppet to manage over 2000 nodes from a pair of redundant Puppetmasters running via Apache/mod_passenger without issue.

  • Shlomi writes in with a question about moving an LVM to ZFS.
    Your best bet is to do something like I did when I moved from a number of separate UFS drives, to a ZFS array (not, there is some performance penalty for doing it this way, more on that later)
    Use these instructions to remove one of the disks from your LVM volume (the biggest one you have enough free space to remove).
    Now create your ZFS pool, and add this now empty disk
    Start filling the ZFS pool until you have free enough space in the LVM to remove another disk, then add that disk to the ZFS pool
    Repeat as necessary
    ZFS will do write-biasing to try to ensure the drives reach ‘full’ at the same rate, so the emptier drives will receive a higher portion of the new writes. If you can create the pool from scratch, you will get better write performance, since all disks will be used to their maximum bandwidth
    ZFS had a planned feature called ‘block pointer rewriting’ that would allow for re-balancing the disk space across devices and for defragmenting files (fragmentation gets excessive due to copy-on-write)
    Personally, I am going to build a fresh array with 4x3TB disks in RAID Z1, and then recycle my 1.5TB disks for other purposes

  • I want to hear more about Scale Engine and what it does and some of the services. How about a segment on just Scale
    We provide a few main services:

    • Origin Web Cluster – Accelerated PHP/MySQL platform (Hosts JB’s site, and forums)
    • Edge Side Cache – an extremely fast memory backed geographically distributed MRU cache. Stores frequently accessed content in memory close to the users for fastest delivery. Great for images, css and javascript, but can also cache entire pages (Hosts JBs images, css and js)
    • Content Distribution Network – Disk backed geographically distributed MFU cache, stores static content close to the user for faster delivery. Works great for static content, especially larger content like audio and video podcasts. (Hosts JB episode downloads)
    • Video Streaming Network – Hosting Live, On-Demand, Pay-Per-View and Fake-Live video streaming. Provides multi-bitrate streaming to ‘any screen’ via RTMP (Flash), HLS (iOS, Safari, Android, Roku, VLC), or RTSP (Android, Blackberry, Quicktime, VLC). ScaleEngine’s SEVU API allows extensive content control for Geo-Blocking and Pay-Per-View/Subscription based viewing (Hosts JB live stream)

Have some fun:

What I wish the new hires “knew”


Question? Comments? Contact us here!