Akamai Edge 2014 continues today with the second day of Akamai University and API Boot camp. To coincide with this, I’m running three security lessons that are part of an upcoming video series. This is the final installment, and was written by Meg Grady-Troia.
SSL Certificate Security and Trust
The Internet is built on a foundation of trust, from machine to machine, extended across the entire surface of the globe. Trust is shared across the Internet in many ways, the SSL certificate hierarchy is only one, albeit a pervasive one. The SSL certificate system was designed so that trusted parties can have private communications over the public Internet. SSL certificates are a critical piece of the Internet’s trust architecture, and many protocols exist to support secure certificate handling.
What is a Certificate?
A certificate is the container for four pieces of information your web browser (or operating system) needs to make a secure connection to the server hosting the website you wish to visit.
Those four pieces are:
1. An “Issued To:” field that specifies the full name and address of the entity that owns the domain you’re visiting (including the IP address & domain name you’re visiting, and the brick & mortar contact for the owning entity).
2. A validity period: The time period (start date and end date) for which that certificate should be considered valid.
3. An “Issued From:” field that contains the signature of a Certificate Authority, that acts like a notary public would on a legal document: a third party witness.
4. A public key: The shareable half of the keypair that will be used by the server to initiate the encryption of data that flows between the website and your browser.
Your browser-client uses the “issued to” data to check that it has connected to the domain it expected. It uses the certificate authority and expiry to verify that it trusts the domain. It uses the public key from the certificate to continue the SSL handshake that will allow all further communication between you and the website to be encrypted.
How do Certificates Work?
Think of SSL certificates as the Internet-equivalent of the diploma granted to a student when they graduate from a school: it may hold value with people who know the recipient but not the school, and it may hold value with people who know the reputation of the school, but not the recipient. The value of the diploma is not a trust currency itself, simply an indication of an existing authenticated relationship.
There are a lot of certificate authorities in the world, and they may be operated by governments, companies, or even individuals (and they range in credibility just like colleges, from diploma mills to prestigious institutions) . This is possible because CAs are initially self-signing: they simply appoint themselves as trustworthy third parties. The value of a CA’s imprimatur depends on its reputation — both past behavior with other certificates, and its relationships with certificate holders and web browser developers — which is how their signatures gain value.
A single web domain — say, www.akamai.com — may have any number of certificates associated with it, and there are many kinds of special certificates online to account for specific use cases.
Some of the most common are:
Multi-Domain (including Subject Alternative Names (SAN) & Wildcard) Certificates: These certificates cover multiple hostnames, subdomains, or IP addresses, and allow end-users like you to be redirected to the same application from multiple hostnames.
Validated (including Extended Validation (EV), Organization Validation (OV), and Domain Validation (DV)) Certificates: These certificates require the signing CA to perform some additional identity validation after their standard process, either for an individual, an organization, or a domain. EV Certificates do not offer additional security for your particular session on a website, but they are often considered to be of higher trustworthiness.
When you initiate a private exchange with a web application — for example, your bank’s portal so that you can check your latest statement — your browser-client will request an encrypted session and the server you’re connecting to will respond by presenting its certificate back to your browser to authenticate itself & initialize the negotiations required during the SSL handshake. Your web browser compares that certificate to its certificate store — a list of CAs that the developers of your web browser considered trustworthy — to make sure that the certificate is both signed by a trusted CA and still valid.
Certificates have a longer shelf life than a carton of milk, but because the Internet is a dynamic place, the stated period of validity on a Certificate may end up being a longer period than the certified entity wishes to continue to use it. Certificates can easily become erroneous or compromised for any number of reasons, including when an entity’s contact information changes, or after a successful attack against that entity. You wouldn’t want your front door’s lock to open to both the key from the old lock that was compromised and the key from the new lock, right?
Because of that possibility, the certificate check performed by your browser-client may also include a status call to see if that specific certificate has been revoked — that is, been deemed invalid by the CA or owning entity. While there are several ways to check if a certificate has been revoked, all of them take extra time & effort during the SSL handshake. Not every browser or operating system — particular older or slow ones — will perform any kind of certificate revocation check.
How do Certificates Facilitate Trust Relationships?
Once you and your browser have decided to trust the presented certificate, your browser-client may continue the SSL handshake by providing a public key for the server to use (while your browser will use the public key embedded in the certificate) while they negotiate additional settings for your private session. While a certificate will always contain the same 4 critical pieces of information, newer browser-clients allow for additional controls during the session negotiation process, including ephemeral keys, advanced hash and compression functions, and other security developments. This process of certificate check, key exchange, and session negotiation, in a direct reference to the ways we demonstrate trust in real life, is called an SSL handshake.
How does Akamai Handle SSL Certificates?
Akamai has relationships with several Certificate Authorities, and will use one of its preferred CAs to sign customer certificates if a customer does not request a specific CA when they have Akamai provision a SSL Certificate for them. These preferred CAs are widely-used CAs that are generally recognized by major browsers and operating systems.
Akamai generates the keypairs for all of its customers’ SSL certificates for traffic flowing over Akamai networks, using their designated information and preferred cipher suites and algorithms, so that only the public key ever has to leave the protections of Akamai’s networks. By not sending private keys across the Internet from customer to Akamai, we help to ensure the many needed layers of protections around the SSL Certificate’s private key that may be able to decrypt end-user session data.
Akamai has a relationship with some CAs allowing us to sign certificates for them as an Intermediary CA. In these cases, the chain of trust is extended by additional links, with both the originating — or root — certificate authority granting an intermediary the right to sign certificates on their behalf. This process of tiered certificate authorities signing successive certificates, all of which are presented to the browser-client as a bundle, is often called chaining, just like linking daisies together into a chain.
How are SSL Certificates Vulnerable?
Certificates have a number of protections around them, including file types, cipher suites and algorithms, key usage, procurement and handling procedures, unique identifiers, and other data that are all part of a commonly-accepted standard that help both humans and machines protect, identify, and properly use SSL certificates. That common standard is called X.509, and it is used by common SSL software such as OpenSSL, and in lower-stack operations like TLS.
It’s a common adage in Information Security that complexity in a system increases its risk of accidents, and the certificate hierarchy is byzantine, indeed. There are all sorts of ways that SSL Certificates, the private keys affiliated with SSL Certificates, and your private sessions can still be compromised.
Many organizations on the Internet — including Akamai — are considering a number of possibilities to fortify the SSL certificate structure. Some of the possibilities aim to make the current certificate process more transparent, while others couple the certificate process to other areas of trusted computing, like DNS registries. Each of these potential revisions presents some gains and some losses for end-users and certified entities. Newer browsers and operating systems may support additional controls around the encryption for your session on a website, and updated versions of the X.509 standard and TLS support newer models of authentication and certificate protections.
Every party in the certificate hierarchy is responsible for some aspects of the chain’s security. All of the certificate process I’ve just explained gets conveyed to you, the end user, by the small lock that shows up in your browser’s navigator bar when you’re browsing a website via HTTPS. That lock icon is the simplest symbol of the SSL Certificate trust chain there is, including all the vulnerable infelicities of the system and all of the hope we hold for private communications over the public Internet.0
Each year at Akamai Edge we update customers on some of the more persistent threats we’ve dealt with in the 12 months prior. Slides detailing the 2013 threat picture are available here. For an idea of what we’ll be sharing at Edge 2014 in a couple weeks, I’ve assembled this primer.
Web Vulnerabilities: Low-Hanging Fruit for DDoSers
About a new Akamai PLXsert whitepaper released last week: “Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns.”
David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), offers additional details on the countermeasures regarding the Linus DDoS threat.
Linux Systems Exploited for DDoS Attacks
Linux users have a new threat to worry about. According to Akamai’s Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks.
On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
Hackers “Join” World Cup 2014 Matches on the Web
George Orwell once said, “International football is the continuation of war by other means” – as we will demonstrate in this post – Mr. Orwell was spot-on, according to statistics on web application layer attacks collected by Akamai’s Cloud Security Intelligence platform, the 2014 world cup soccer matches spurred sophisticated cyber attacks between soccer-fan-hackers of competing sides.
Highlights of Prolexic Attack Report for Q2 2014
As attacks go, the second quarter of 2014 was quieter than the first. But when you compare the numbers to this time last year, that’s of little comfort. According to Prolexic’s newly-released attack report for Q2 2014, the rate of DDoS attacks rose 22 percent over the second quarter of 2013.
Blackshades RAT is a Serious Threat
Akamai’s Prolexic Security Engineering & Research Team (PLXsert) is warning companies of stealth surveillance and computer hijacking attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit.
State of the Internet: Fewer Attacks Than Previous Quarter
The latest Akamai State of the Internet Report is out. Here’s a look at what we saw on the security front in the first quarter of 2014.
Anonymous Continues Targeting World Cup
In which we monitored attempts by Anonymous and others to cause Internet disruptions during the World Cup. Here’s how those attacks are playing out in the media.
World Cup 2014 Attack Targets
Attack targets were under the gun as soon as the World Cup started.
Threat Advisory: High-Risk Zeus Crimeware Kit
Akamai’s PLXSert team has discovered new payloads from the Zeus crimeware kit in the wild, deeming it “high risk” in an advisory.
Fresh Wave of Online Extortion Attacks Underway
Akamai CSIRT has identified a trend in online extortion that has the potential to impact customer websites and their users.
OpenSSL vulnerability (CVE-2014-0224)
The OpenSSL Project disclosed new vulnerabilities in the widely-used OpenSSL library. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
PLXsert Eyes Spike in SNMP Reflection DDoS Attacks
Akamai’s Prolexic Security Engineering Response Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.
The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. (As an historical example, in the wake of CA certificate misissuances, the industry looked at one set of flaws: how any one of the many trusted CAs can issue certificates for any site, even if the owner of that site hasn’t requested them to do so; that link is also a quick primer on the certificate hierarchy.)
Podcast: CSO Andy Ellis on Heartbleed
By now, most of you are aware of the Heartbleed vulnerability that sent shockwaves through the tech industry. Like many of you, Akamai had to work overtime to ensure our customers were protected. We did that, but as is the case with any large security threat, we continue to be vigilant and, while letting everyone know what we did to keep them secure, we’re looking back at the lessons learned and how to turn it into even better security going forward. The details in this episode are not new, as CSO Andy Ellis has blogged at length about it. I’ve included those links below. But with so many of us working overtime to address Heartbleed, this was my first opportunity to sit down with Andy and discuss it.
Many AWS customers begin their journey to the cloud by implementing a
backup and recovery discipline.
Because the cloud can provide any desired amount of durable storage that is
both secured and cost-effective, organizations of all shapes and sizes
are using it to support robust backup and recovery models that eliminate the need
for on-premises infrastructure.
Our friends at Riverbed have launched an
promotion for AWS customers. This promotion is designed to help
qualified enterprise, mid-market, and SMB customers in North America
to kick-start their cloud-storage projects by applying for up to 8
TB of free Amazon Simple Storage Service (S3) usage for six months.
If you qualify for the promotion, you will be invited to download the Riverbed
software appliance (you will also receive enough AWS credits to
allow you to store 8 TB of data per month for six months). With advanced
compression, deduplication, network acceleration and encryption
features, SteelStore will provide you with enterprise-class levels
of performance, availability, data security, and data
durability. All data is encrypted using AES-256 before leaving your
premises; this gives you protection in transit and at
rest. SteelStore intelligently caches up to 2 TB of recent backups
locally for rapid restoration.
The SteelStore appliance is easy to implement! You can be up and running
in a matter of minutes with the implementation guide, getting started guide, and user guide
that you will receive as part of your download. The appliance is compatible with
over 85% of the backup products on the market, including solutions from
CA, CommVault, Dell, EMC, HP, IBM, Symantec, and Veeam.
To learn more or to apply for this exclusive promotion,
Pulp: A Film About Life, Death & Supermarkets is Florian Habicht’s documentary about Pulp‘s 2012 hometown show in Sheffield, England. Today, Oscilloscope Laboratories has announced a series of U.S. screenings.
Tonight, Jarvis Cocker and Habicht are set to appear at the Los Angeles screening, and on Thursday in Brooklyn, Cocker will judge a Pulp karaoke contest at a screening. Find the dates and a new trailer for the film below; that’s a new poster for the movie up there.
Pulp: A Film About Life, Death & Supermarkets:
08-05 Los Angeles, CA – Ace Hotel *#
08-06 New York, NY – Film Society of Lincoln Center #
08-07 Brooklyn, NY – Rooftop Films *^
11-19 Boston, MA – Brattle Theatre
11-19 Washington, DC – Angelika Pop-Up
11-19 Fairfax, VA – Angelika Mosaic
11-19 Detroit, MI – Cinema Detroit
11-19 Columbus, OH – Gateway Film Center
11-19 Seattle, WA – Grand Illusion
11-19 Portland, OR – Hollywood Theatre
11-19 Dallas, TX – Angelika Dallas
11-19 Plano, TX – Angelika Plano
11-19 San Diego, CA – Reading Gaslamp
11-19 San Diego, CA – Reading Town Square
11-19 Sacramento, CA – Reading Tower
11-19 Honolulu, HI – Reading Kahala
11-26 Los Angeles, CA – Cinefamily
* with Jarvis Cocker
# with director Florian Habicht
^ with Pulp karaoke
Photo by Jeremy Farmer
Following 2011’s Demolished Thoughts and the end of Sonic Youth, Thurston Moore will release a new solo album on Matador. It’s titled The Best Day. According to a post on Sonic Youth’s website, it features collaborations with Sonic Youth drummer Steve Shelley, My Bloody Valentine bassist Debbie Googe, and London-based musician James Sedwards. (The release date of September 23 reported on Sonic Youth’s website is incorrect. The Best Day does not currently have an announced release date.)
A few songs on The Best Day feature Samara Lubelski, John Moloney (Sunburned Hand of the Man), and Keith Wood (Hush Arbors) from Moore’s band Chelsea Light Moving.
The post also describes the record as “Sweet, deadly and furthering the wild style TM exhibited all through Sonic Youth and beyond.” In a live clip from Portugal, below, Moore plays some of the new songs with Shelley and Sedwards. He also says the record is dedicated to his mother.
Meanwhile, Moore, Shelley, Googe, and Sedwards will tour Europe this summer and North America this fall under the name Thurston Moore Band.
08-06 London, England – Cafe Oto *
08-07 London, England – Cafe Oto ^
08-15 Kiewit-Hasselt, Belgium – Pukkelpop
08-16 Hamburg, Germany – Dockville Festival
08-17 Berlin, Germany – Lido
08-18 Bielefeld, Germany – Forum
08-19 Amsterdam, Netherlands – Ocii
08-21 Paredes De Coura, Portugal – Paredes De Coura Festival
08-23 Pully-Lausanne, Switzerland – For Noise Festival
08-24 Paris, France – Paris Rock en Seine
08-29 Birmingham, England – Moseley Folk Fest !
09-04-05 Raleigh, NC – Hopscotch Music Festival
09-07 Toronto, Ontario – Riot Fest
09-12 Victoria, British Columbia – Rifflandia
09-14 Chicago, IL – Riot Fest
09-20 Brooklyn, NY – Brooklyn Book Festival ~
10-03 Vancouver, British Columbia – Biltmore Cabaret #
10-04 Seattle, WA – Neumo’s #
10-07 San Francisco, CA – Great American Music Hall #
10-08 Santa Cruz, CA – The Catalyst Atrium #
10-10 Los Angeles, CA – Echoplex #
10-11 Santa Ana, CA – Constellation Room
* with John Edwards & Adam Go??biewski
^ with Caspar Brotzmann
! with 12 String Performance
~ with Reading
# with Sebadoh
Watch Thurston Moore perform “Benediction” at Pitchfork Music Festival 2012:
Little Dragon have expanded their tour with a host of October dates in North America and November dates in Britain. Check out the band’s itinerary below. Additionally, they’ve shared Mikky Ekko‘s remix of Nabuma Rubberband cut “Pretty Girls”; stream it above. It’s a pretty significant rework.
08-07 Helsinki, Finland – Flow Festival
08-08 Oslo, Norway – Oya Festival
08-09 Gothenburg, Sweden – Way Out West
08-16 Tokyo, Japan – Summersonic
08-22 Oakland, CA – Fox Theatre *
08-23 Los Angeles, CA – FYF Fest
08-27 Vancouver, British Columbia – Vogue *
08-28 Seattle, WA – The Showbox *
08-30 Chicago, IL – North Coast Festival
08-31 Austin, TX – Moody Theatre (Austin City Limits Live) ^
10-08 Tempe, AZ – Marquee Theatre
10-11 Mexico City, Mexico – Corona Capital Festival
10-13 Philadelphia, PA – Union Transfer #
10-15 Washington, DC – Echostage #
10-16 Louisville, KY – Mercury Ballroom #
10-17 Columbus, OH – Newport #
10-19 St. Louis, MO – The Ready Room #
10-21 Denver, CO – Ogden Theatre #
10-22 Salt Lake City, UT – The Complex #
10-24 Oakland, CA – Fox #
11-17 Brighton, England – Corn Exchange
11-18 Birmingham, England – The Institute
11-19 Bristol, England – O2 Academy
11-21 Leeds, England – Metropolitan University
11-22 Manchester, England – Albert Hall
11-23 Glasgow, Scotland – O2 ABC
11-27 London, England – O2 Academy Brixton
11-29 Oxford, England – O2 Academy
* with Dâm-Funk
# with Shy Girls
^ with Octopus Project
Watch Little Dragon’s video for “Pretty Girls”:
A San Diego man has been charged with sexual battery and mayhem after allegedly biting off another man’s fingertip during a scuffle at the Pasadena, CA stop of Beyoncé and Jay Z‘s “On the Run” tour Saturday night. Authorities allege that 25-year-old Roberto Alcaraz Garnica sexually assaulted a female attendee at the Rose Bowl concert, and proceeded to bite off the fingertip of the woman’s boyfriend when he stepped in to intervene, according to the Pasadena Star-News (via Billboard). Granica is currently being held on $100,000 bail.
According to Pasadena police Lt. John Luna, the alleged attack occurred after Alcaraz-Garnica groped a woman in her 20s who was attending the show, which drew a crowd of around 55,000 fans.
The suspect sexually assaulted the female victim, Luna told the Star-News. He says that the woman’s boyfriend confronted Granica, resulting in a dispute.
During the altercation, the suspect bit the victim, causing serious injury to his finger, the lieutenant said. He lost the tip of one of his fingers.
Police arrested 11 others during the Rose Bowl show: eight for public drunkeness, and three for ticket scalping. Granica, who was arrested inside the stadium 10 PM and booked later that night, is currently being held on $100,000 bail.
Representatives for both Jay-Z and Beyoncé have yet to comment. Meanwhile, the couple continued their Rose Bowl run with a second performance last night.0
Sufjan Stevens has contributed a new piece to the new album from the chamber ensemble yMusic. The album is called Balance Problems and is out September 30 through the label New Amsterdam. Sufjan contributed the closing piece, “Salvator Mundi”. See the full tracklist and album trailer below.
Nico Muhly also contributed the opening title piece, and the entire album was produced by Son Lux. It follows 2011’s Beautiful Mechanical.
yMusic is six classical musicians: Rob Moose, CJ Camerieri, Clarice Jensen, Alex Sopp, Hideaki Aomori, and Nadia Sirota. They have collaborated with Björk, Bon Iver, David Byrne, Antony and the Johnsons, Dirty Projectors, and many others.
On September 12, yMusic will perform with Arcade Fire’s Richard Reed Parry at BasilicaSoundScape, presented in association with Pitchfork. They’ve also got a dates scheduled with Blake Mills. See their full schedule below.
01 Nico Muhly: “Balance Problems”
02 Marcos Balter: “Bladed Stance”
03 Andrew Norman: “Music in Circles (Part 1)”
04 Andrew Norman: “Music in Circles (Part 2)”
05 Jeremy Turner: “The Bear & The Squirrel”
06 Timo Andres: “Safe Travels”
07 Mark Dancigers: “Everness”
08 Sufjan Stevens: “Salvator Mundi”
09-12 Hudson, NY – Basilica Soundscape Festival $
09-26 Los Angeles, CA – Hollywood Bowl $
09-30 Cambridge, MA – The Sinclair %
10-01 New York, NY – (Le) Poisson Rouge %
10-06 Washington, DC – The Hamilton %
10-08 Brooklyn, NY – Rough Trade %
10-09 Philadelphia, PA – World Cafe Live %
$ with Richard Reed Parry
% with Blake Mills
Wolf Parade/Handsome Furs/Divine Fits member Dan Boeckner‘s new band Operators has announced their debut EP, EP1, which will be released on August 5. Listen to the first song, “True”, above.Operators have also announced that they will tour with Future Islands. Check out the dates below. They’ll also perform live on KEXP on August 4.
Previously, Operators were filmed performing Wolf Parade’s “This Heart’s on Fire” accompanied by Japandroids live in Toronto earlier this year.
02 Book of Love
05 Start Again
08-02 Happy Valley, OR – Pickathon
08-03 Happy Valley, OR – Pickathon
08-04 Seattle, WA – Barboza
08-07 Brooklyn, NY – House of Vans *
08-08 Millvale, PA – Mr. Small’s Theatre *
08-09 Indianapolis, IN – The Vogue *
08-10 Milwaukee, WI – Turner Hall *
08-11 Sioux Falls, SD – Icon Lounge *
08-12 Fort Collins, CO – Aggie Theater *
08-13 Salt Lake City, UT – Kilby Court
08-15 Boise, ID – Egyptian Theatre *
08-18 Sacramento, CA – Harlow’s *
08-19 Fresno, CA – Star Palace at Warnors Theatre *
08-20 Los Angeles, CA – The Fonda Theatre *
08-21 Los Angeles, CA – The Fonda Theatre *
08-22 San Diego, CA – Irenic *
08-24 Phoenix, AZ – The Crescent Ballroom
08-25 Tucson, AZ – 191 Toole *
08-27 Denver, CO – Gothic Theatre *
08-28 Omaha, NE – The Waiting Room *
08-29 Des Moines, IA – Wooly’s *
08-30 Chicago, IL – Schubas !
08-31 Columbus, OH – The Big Bang *
09-02 Montreal, Quebec – La Tulipe *
09-03 South Burlington, VT – Higher Ground Ballroom *
09-04 Portland, ME – Port City Music Hall *
09-07 Toronto, Ontario – Horseshoe Tavern
09-13 Hamilton, Ontario – James Street North Supercrawl
10-23 Halifax, Nova Scotia – The Marquee Club
* with Future Islands
! with Tweens
Following the release of Hyperdub 10.1 and Hyperdub 10.2, the first two of four compilations celebrating Hyperdub’s 10th anniversary, the label has announced Hyperdub 10.3, which will be released on September 23.
Hyperdub 10.3 will feature music from Burial, label founder Kode9, Dean Blunt, Fatima Al Qadiri, Ikonika, The Bug, DJ Earl, Inga Copeland, Lee Gamble, Cooly G, Fhloston Paradigm, Darkstar, Walton, and others. Check out the tracklist below.
As previously announced, there will also be an anniversary tour featuring Kode9, DJ Spinn, Ikonika, and more. Check out dates after the jump.
01 Burial – “In McDonalds”
02 Dean Blunt – “Urban”
03 Kode9 & the Spaceape – “Hole In The Sky”
04 Inga Copeland – “I Am Your Ambient Wife”
05 Kode9 – “Pink Sham Pain Down The Drain”
06 Laurel Halo – “Melt”
07 The Bug – “Siren”
08 Dean Blunt & Inda Copeland – “Untitled 13”
09 Walton – “City of God”
10 King Midas Sound – “Blue”
11 Lee Gamble – “DSM”
12 Cooly G – “Mind”
13 Burial – “Night Bus”
14 Ikonika – “Completion V.3”
15 Darkstar – “Ostkreuz”
16 Fhloston Paradigm – “Liloos Seduction”
17 Ikonika – “Time/Speed”
18 DJ Earl – “Hexogonic Sound”
19 Cooly G – “Trying”
20 Laurel Halo – “Wow”
21 Fatima Al Qadiri – “Shanxi”
22 DVA – “Reach The Devil”
23 Jeremy Greenspan ft. Borys – “Gage”
Hyperdub Anniversary tour:
09-09 East Troy, NY – EMPAC !
09-10 Calgary, Alberta – Hi Fi Club *!
09-12 Montreal, Quebec – Le Belmont *#!
09-13 Hamilton, Ontario – Supercrawl *#^!
09-16 Raleigh, NC – Kings *#$!
09-17 Washington, DC – U Street Music Hall *#$!
09-18 New York, NY – Verboten *#^$+!
09-19 Chicago, IL – Primary *#$!
09-20 Vancouver, British Columbia – New Forms Festival *~
09-20 Oberlin, OH – The Sco #$!
09-21 Austin, TX – Empire Control Room *#!
09-24 San Francisco, CA – Mighty *#$!
09-25 Los Angeles, CA – Los Globos *#$!
09-26 Vancouver, British Columbia – The Fox #$!
09-27 Seattle, WA – Decibel Festival *#$!
09-28 New Orleans, LA – Dragon’s Den !
! with Kode9
* with Scratcha DVA
# with DJ Spinn
^ with Ikonika
$ with Taso
+ with Mala
~ with DJ Earl
Listen to III Blu’s “Clapper”, from Hyperdub 10.1:
The New Pornographers have announced a partnership with Intelligentsia Coffee called “Brill Brew”, a coffee spin-off their forthcoming album Brill Bruisers. According to a press release, the limited edition “Brill Brew” is a Kenya coffee grown by Harrison Kiongo Miti with “flavors of mango, nectarine, and green apple”. “Brill Brew” will be available at Intelligentsia locations as well as online at the band’s merch site beginning August 20.
Each coffee purchased at an Intelligentsia location will come with a digital download card for Brill Bruisers.
Brill Bruisers is out August 25 on Matador.
The New Pornographers:
07-18-20 Pemberton, British Columbia – Pemberton Music Festival
08-08 Minneapolis, MN – Skyline Music Festival
08-29 Edmonton, Alberta – Sonic Boom Festival
08-30 Halifax, Nova Scotia – Sandjam
09-06 Detroit, MI – Majestic Theatre ^
09-07 Toronto, Ontario – Riot Fest
09-11-14 Victoria, British Columbia – Rifflandia Festival
09-20 Columbus, OH – The LC Pavilion %
10-03-04 Vancouver, British Columbia – The Commodore Ballroom
10-5-06 Seattle, WA – The Showbox *
10-08 Portland, OR – Crystal Ballroom *
10-09 Boise, ID – Knitting Factory *
10-10 Salt Lake City, UT – The Depot *
10-11 Denver, CO – Gothic Theatre *
10-13 Phoenix, AZ – The Crescent Ballroom *
10-14 Tucson, AZ – Rialto Theatre *
10-15 Pioneertown, CA – Pappy & Harriet’s Pioneertown Palace *
10-17 Los Angeles, CA – The Wiltern *
10-18 San Diego, CA – North Park Theatre *
10-18-19 San Fransisco, CA – Treasure Island Music Festival
11-04 Nashville, TN – Cannery Ballroom *
11-05 Asheville, NC – Orange Peel *
11-06 Atlanta, GA – Buckhead Theatre *
11-07 New Orleans, LA – Civic Theatre *
11-08 Austin, TX – Fun Fun Fun Fest
11-10 St. Louis, MO – The Pageant *
11-11 Omaha, NE – Slowdown *
11-13 Milwaukee, WI – Pabst Theater *
11-14 Chicago, IL – Riviera Theatre *
11-15 Cleveland, OH – House of Blues *
11-17 New York, NY – Hammerstein Ballroom *
11-19 Boston, MA – House of Blues *
11-20 Philadelphia, PA – Union Transfer *
11-21 Washington, DC – 9:30 Club *
11-23 Carrboro, NC – Cat’s Cradle *
* with the Pains of Being Pure at Heart
^ with Perfect Pussy, Pity Sex
% with Iron & Wine, Glass Animals
Watch the New Pornographers’ video for “War On The East Coast”: