AES – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed built Mon, 11 Feb 2019 09:05:28 +0000.

Linux Action News 92 – https://original.jupiterbroadcasting.net/129316/linux-action-news-92/ – Mon, 11 Feb 2019 01:05:28 +0000

Episode Links: linuxactionnews.com/92

The post Linux Action News 92 first appeared on Jupiter Broadcasting.

Google Reads Your Email | TechSNAP 325 – https://original.jupiterbroadcasting.net/116171/google-reads-your-email-techsnap-325/ – Tue, 27 Jun 2017 20:17:17 +0000

Episode summary: Massive cyberattack hits Europe with widespread ransom demands. New Ransomware Variant Compromises Systems Worldwide: some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. MDDoc posts […]


Show Notes:

Massive cyberattack hits Europe with widespread ransom demands

Google Says It Will No Longer Read Users’ Emails To Sell Targeted Ads

Does US have right to data on overseas servers? We’re about to find out


Feedback


Round Up:


Trojan Family Ties | TechSNAP 230 – https://original.jupiterbroadcasting.net/87251/trojan-family-ties-techsnap-230/ – Thu, 03 Sep 2015 06:36:10 +0000


Rooting your Android device might be more dangerous than you realize, why the insurance industry will take over InfoSec & the NSA prepares for Quantum encryption.

Plus some great questions, a fantastic roundup & more!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Taking Root – Malware on Mobile Devices

  • Since June 2015, we have seen a steady growth in the number of mobile malware attacks that use superuser privileges (root access) on the device to achieve their goals.
  • Root access is incompatible with the operating system’s security model because it violates the principle that applications should be isolated from each other and from the system. It gives an application using root access a virtually unlimited control of the device, which is completely unacceptable in the case of a malicious application.
  • Malicious use of superuser privileges is not new in itself: in regions where smartphones are sold with privilege escalation tools preinstalled on them, malware writers have long been using this technique. There are also known cases of Trojans gaining such privileges after the user ‘rooted’ the device, i.e. used vulnerabilities to install applications that give superuser privileges on the phone.
  • They analyzed the statistics collected from May to August 2015 and identified “Trojan families” that use root privileges without the user’s knowledge: Trojan.AndroidOS.Ztorg, Trojan-Dropper.AndroidOS.Gorpo (which operates in conjunction with Trojan.AndroidOS.Fadeb) and Trojan-Downloader.AndroidOS.Leech. All these mobile malware families can install programs; their functionality is in effect limited to providing the capability to download and install any applications on the phone without the user’s knowledge.
  • A distinctive feature of these mobile Trojans is that they are packages built into legitimate applications but not in any way connected with these applications’ original purpose. Cybercriminals simply take popular legit apps and add malicious code without affecting the main functionality.
  • After launching, the Trojan attempts to exploit Android OS vulnerabilities known to it one after another in order to gain superuser privileges. In case of success, a standalone version of the malware is installed in the system application folder (/system/app). It regularly connects to the cybercriminals’ server, waiting for commands to download and install other applications.

  • There are popular “families” of Android malware.

  • Leech Family

  • This malware family is the most advanced of those described.
  • Some of its versions can bypass dynamic checks performed by Google before applications can appear in the official Google Play Store. Malware from this family can obtain (based on device IP address, using a resource called ipinfo.io) a range of data, including country of registration, address, and domain names matching the IP address. Next, the Trojan checks whether the IP address is in the IP ranges used by Google.
  • The malware also uses a dynamic code loading technique, which involves downloading all critically important modules and loading them into its context at run time. This makes static analysis of the application difficult. As a result of using all the techniques described above, the Trojan made it to the official Google Play app store as part of an application named “How Old Camera” – a service that attempts to guess people’s ages from their photos.

  • Ztorg family

  • On the whole, Trojans belonging to this family have the same functionality as those described previously.
  • The distribution techniques used also match those employed to spread Trojans from the Gorpo (plus Fadeb) and Leech families – malicious code packages are embedded in legitimate applications. The only significant difference is that the latest versions of this malware use a protection technique that enables them to completely hide code from static analysis.
  • The attackers use a protector that replaces the application’s executable file with a dummy, decrypting the original executable file and loading it into the process’s address space when the application is launched.
  • Additionally, string obfuscation is used to make the task of analyzing these files, which is quite complicated as it is, even more difficult.

  • It is not very common for malicious applications to be able to gain superuser privileges on their own. Such techniques have mainly been used in sophisticated malware designed for targeted attacks.


Will the insurance industry take over InfoSec?

  • “Insurance is a maturity indicator“
  • When insurance comes, full scale, to the InfoSec industry, maybe that means we have finally gotten to the point where we understand the risks enough to start putting money on it
  • While I can definitely see the argument that insurance companies are in a position to force their clients into certain minimum security practises, either to qualify for insurance, or for a reduced rate
  • At the same time, I foresee a bunch of useless certifications, extra bureaucracy, and more things like PCI-DSS audits that miss the point entirely
  • “People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected. If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.”
  • The article points out the three basic requirements for insurance companies to be interested:
  • Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
  • Adequate money in the form of a population able to pay premiums.
  • Sufficient actuarial data on which to base the pricing and payout models.
  • I don’t know that that last measure can be met yet. Unlike with car insurance, it is much harder to predict what a company’s chances of getting breached are.
  • Considering factors like how high profile they are (fancier cars get stolen more), what infrastructure they use (newer cars are safer), how often they patch (this can be hard to measure, like how often you service your car, it might not work), doesn’t really give you enough information in order to price the insurance
  • In the end, pretty much every company has a 100% chance of being breached; it comes down to how quickly it will be detected, and how much damage will be done
  • At this point, I don’t think the insurance industry is qualified, and we’ll either see them making so many payouts that they are losing money, or writing loopholes into insurance with vague sentiments like “industry standard security practises”, to weasel out of paying up
  • Predictions from the article:
  • Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
    • As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
    • In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
    • Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
    • For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
  • “When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.”
  • “Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.”
  • Insurance won’t fix everything (or anything?)
  • “We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.”

The NSA books crypto recommendations

  • The NSA, in its role as the organization that sets cryptography standards used by the entire government, has updated its recommendations on what algorithms and key sizes to use
  • Currently, Suite B cryptographic algorithms are specified by the National Institute of Standards and Technology (NIST) and are used by NSA’s Information Assurance Directorate in solutions approved for protecting classified and unclassified National Security Systems (NSS).
  • A look at the site from a few months ago highlights some of the differences
    • AES 128 was dropped. It was formerly used for ‘SECRET’, with AES 256 for ‘TOP SECRET’; AES 256 is recommended for both now
    • ECDH and ECDSA P-256 were also dropped for ‘less’ secret information in favour of P-384
    • SHA256 was also dropped. Surprisingly, SHA-384 remained the recommendation over SHA-512
    • Additionally, new requirements that were not specified before were added
    • Diffie-Hellman Key Exchange requires at least 3072-bit keys
    • RSA for Key Establishment and Digital Signatures also now requires 3072 bit keys
  • IAD will initiate a transition to quantum resistant algorithms in the not too distant future. Based on experience in deploying Suite B, we have determined to start planning and communicating early about the upcoming transition to quantum resistant algorithms.
  • We are working with partners across the USG, vendors, and standards bodies to ensure there is a clear plan for getting a new suite of algorithms that are developed in an open and transparent manner that will form the foundation of our next Suite of cryptographic algorithms.
  • Until this new suite is developed and products are available implementing the quantum resistant suite, we will rely on current algorithms.
  • With respect to IAD customers using large, unclassified PKI systems, remaining at 112 bits of security (i.e. 2048-bit RSA) may be preferable (or sometimes necessary due to budget constraints) for the near-term in anticipation of deploying quantum resistant asymmetric algorithms upon their first availability.

Feedback


Round Up:


Beverly Hills 25519 | BSD Now 104 – https://original.jupiterbroadcasting.net/86996/beverly-hills-25519-bsd-now-104/ – Thu, 27 Aug 2015 10:01:46 +0000


Coming up this week on the show, we’ll be talking with Damien Miller of the OpenSSH team. We will be discussing some of the changes in their latest 7.0 release, including phasing out older crypto and changing one of the defaults that might surprise you.

Thanks to:


DigitalOcean


iXsystems


Tarsnap


– Show Notes: –

Headlines

EdgeRouter Lite, meet OpenBSD

  • The ERL, much like the Raspberry Pi and a bunch of other cheap boards, is getting more and more popular as more things get ported to run on it
  • We’ve covered installing NetBSD and FreeBSD on them before, but OpenBSD has gotten a lot better support for them as well now (including the onboard storage in 5.8)
  • Ted Unangst got a hold of one recently and kindly wrote up some notes about installing and using OpenBSD on it
  • He covers doing a network install, getting the (slightly strange) bootloader working with u-boot and some final notes about the hardware
  • More discussion can be found on Hacker News and various other places
  • One thing to note about these devices: because of their MIPS64 processor, they’ll have weaker ASLR than x86 CPUs (and no W^X at all)

Design and Implementation of the FreeBSD Operating System interview

  • For those who don’t know, the “Design and Implementation of the FreeBSD Operating System” is a semi-recently-revived technical reference book for FreeBSD development
  • InfoQ has a review of the book up for anyone who might be interested, but they also have an interview with the authors
  • “The book takes an approach to FreeBSD from inside out, starting with kernel services, then moving to process and memory management, I/O and devices, filesystems, IPC and network protocols, and finally system startup and shutdown. The book provides dense, technical information in a clear way, with lots of pseudo-code, diagrams, and tables to illustrate the main points.”
  • Aside from detailing a few of the chapters, the interview covers who the book’s target audience is, some history of the project, long-term support, some of the newer features and some general OS development topics

Path list parameter in OpenBSD tame

  • We’ve mentioned OpenBSD’s relatively new “tame” subsystem a couple times before: it’s an easy-to-implement “self-containment” framework, allowing programs to have a “reduced feature set” mode with even less privileges
  • One of the early concerns from users of other process containment tools was that tame was too broad in the way it separated disk access – you could either read/write files or not, nothing in between
  • Now there’s the option to create a whitelist of specific files and directories that your binary is allowed to access, giving a much finer-grained set of controls to developers
  • The next step is to add tame restrictions to the OpenBSD userland utilities, which should probably be done by 5.9
  • More discussion can be found on Reddit and Hacker News

FreeBSD & PC-BSD 10.2-RELEASE

  • The FreeBSD team has released the second minor version bump to the 10.x branch, including all the fixes from 10-STABLE since 10.1 came out
  • The Linux compatibility layer has been updated to support CentOS 6, rather than the much older Fedora Core base used previously, and the DRM graphics code has been updated to match Linux 3.8.13
  • New installations (and newly-upgraded systems) will use the quarterly binary package set, rather than the rolling release model that most people are used to
  • A VXLAN driver was added, allowing you to create virtual LANs by encapsulating the ethernet frame in a UDP packet
  • The bhyve codebase is much newer, enabling support for AMD CPUs with SVM and AMD-V extensions
  • ARM and ARM64 code saw some fixes and improvements, including SMP support on a few specific boards and support for a few new boards
  • The bootloader now supports entering your GELI passphrase before loading the kernel in full disk encryption setups
  • In addition to assorted userland fixes and driver improvements, various third party tools in the base system were updated: resolvconf, ISC NTPd, netcat, file, unbound, OpenSSL, sendmail
  • Check the full release notes for the rest of the details and changes
  • PC-BSD also followed with their 10.2-RELEASE, sporting a few more additional features

Interview – Damien Miller – djm@openbsd.org / @damienmiller

OpenSSH: phasing out broken crypto, default cipher changes


News Roundup

NetBSD at Open Source Conference Shimane

  • We weren’t the only ones away at conferences last week – the Japanese NetBSD guys are always raiding one event or another
  • This time they had NetBSD running on some Sony NWS devices (MIPS-based)
  • JavaStations were also on display – something we haven’t ever seen before (made between 1996-2000)

BAFUG videos

  • The Bay Area FreeBSD users group has been uploading some videos of their recent meetings
  • Devin Teske hosts the first one, discussing adding GELI support to the bootloader, including some video demonstrations of how it works
  • Shortly after beginning, Adrian Chadd takes over the conversation and they discuss various problems (and solutions) related to the bootloader – for example, how can we type encryption passwords with non-US keyboard layouts
  • In a second video, Jordan Hubbard and Kip Macy introduce “NeXTBSD aka FreeBSD X”
  • In it, they discuss their ideas of merging more Mac OS X features into FreeBSD (launchd to replace the init system, some APIs, etc)
  • People should record presentations at their BSD users groups and send them to us

L2TP over IPSEC on OpenBSD

  • If you’ve got an OpenBSD box and some Mac OS X clients that need secure communications, surprise: they can work together pretty well
  • Using only the base tools in both operating systems, you can build a nice IPSEC setup for tunneling all your traffic
  • This guide specifically covers L2TP, using npppd and pre-shared keys
  • Server setup, client setup, firewall configuration and routing-related settings are all covered in detail

Reliable bare metal with TrueOS

  • Imagine a server version of PC-BSD with some useful utilities preinstalled – that’s basically TrueOS
  • This article walks you through setting up a FreeBSD -CURRENT server (using TrueOS) to create a pretty solid backup solution
  • Most importantly, he also covers how to keep everything redundant and deal with hard drives failing
  • The author chose to go with the -CURRENT branch because of the delay between regular releases, and newer features not making their way to users as fast as he’d like
  • Another factor is that there are no binary snapshots of FreeBSD -CURRENT that can be easily used for in-place upgrades, but with TrueOS (and some other BSDs) there are

Kernel W^X on i386

  • We mentioned some big W^X kernel changes in OpenBSD a while back, but the work was mainly for x86_64 CPU architecture (which makes sense; that’s what most people run now)
  • Mike Larkin is back again, and isn’t leaving the people with older hardware out, committing similar kernel work into the i386 platform now as well
  • Check out our interview with Mike for some more background info on memory protections like W^X

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now tshirts are now available, and will be shipping in September (you’ve only got about four days left to place an order, then they’re gone)
  • Preorders for OpenBSD 5.8 CDs are now open, and the artwork is especially great for this special 20th anniversary release – you won’t wanna miss it

IPSECond Wind | BSD Now 61 – https://original.jupiterbroadcasting.net/70272/ipsecond-wind-bsd-now-61/ – Thu, 30 Oct 2014 10:03:16 +0000


This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD’s IPSEC stack. We’ll learn what he’s adding, what needed to be fixed and how we’ll benefit from the changes. As always, answers to your emails and all of this week’s news, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –

Headlines

BSD panel at Phoenix LUG

  • The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
  • It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
  • They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
  • It was a good “real world” example of things potential switchers are curious to know about
  • They closed by concluding that more diversity is always better, and even if you’ve got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea

Book of PF signed copy auction

  • Peter Hansteen (who we’ve had on the show) is auctioning off the first signed copy of the new Book of PF
  • All the profits from the sale will go to the OpenBSD Foundation
  • The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD’s versions (which still use ALTQ, among other differences)
  • If you’re interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf – and the money will also go to a good cause
  • Michael Lucas has challenged Peter to raise more for the foundation than his last book selling – let’s see who wins
  • Pause the episode, go bid on it and then come back!

FreeBSD Foundation goes to EuroBSDCon

  • Some people from the FreeBSD Foundation went to EuroBSDCon this year, and came back with a nice trip report
  • They also sponsored four other developers to go
  • The foundation was there “to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD”
  • They also have a second report from Kamil Czekirda
  • A total of $2000 was raised at the conference

OpenBSD 5.6 released

  • Note: we’re doing this story a couple days early – it’s actually being released on November 1st (this Saturday), but we have next week off and didn’t want to let this one slip through the cracks – it may be out by the time you’re watching this
  • Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
  • It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
  • 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
  • You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
  • ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
  • This will serve as a “transitional” release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
  • Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
  • As always, 5.6 comes with its own song and artwork – the theme this time was obviously LibreSSL
  • Be sure to check the full changelog (it’s huge) and pick up a CD or tshirt to support their efforts
  • If you don’t already have the public key releases are signed with, getting a physical CD is a good out-of-band way to obtain it safely
  • Here are some cool images of the set
  • After you do your installation or upgrade, don’t forget to head over to the errata page and apply any patches listed there

Interview – John-Mark Gurney – jmg@freebsd.org / @encthenet

Updating FreeBSD’s IPSEC stack


News Roundup

Clang in DragonFly BSD

  • As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang on i386/amd64 almost exclusively
  • Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
  • We’d love to see more BSDs switch to Clang/LLVM eventually; it’s a lot more modern than the old GCC most are using

reallocarray(): integer overflow detection for free

  • One of the less obvious features in OpenBSD 5.6 is a new libc function: “reallocarray()”
  • It’s a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
  • Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
  • OpenBSD’s explicit_bzero was recently imported into FreeBSD; maybe someone could port this over too
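The overflow check that reallocarray() adds, as an added C example written for this page: it is not OpenBSD’s libc code, although the threshold-then-divide check follows the same approach OpenBSD uses. The names checked_reallocarray, product_wraps, vec_t, vec_reserve and vec_reserve_behaves are this example’s own, and the hostile element count is a constructed value chosen so that count * sizeof(uint32_t) wraps to zero.

```c
/* Added example (not OpenBSD's code): a reallocarray-style allocator that
 * refuses element-count * element-size products that would wrap around,
 * shown next to the naive malloc(n * size) pattern it replaces. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Same fast-path idea as OpenBSD's reallocarray(): if both factors are below
 * 2^(bits/2), the product cannot overflow and the division is skipped. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* 1 if nmemb * size would wrap in size_t, 0 otherwise. */
int product_wraps(size_t nmemb, size_t size)
{
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* The naive pattern: the multiplication silently wraps, so a huge request
 * can turn into a tiny allocation that later code overruns. */
size_t naive_request_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;
}

/* Checked replacement for realloc(ptr, nmemb * size). Returns NULL with
 * errno = ENOMEM when the product would wrap, just like a failed allocation. */
void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (product_wraps(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* A growable array of 32-bit records, sized from an untrusted count. */
typedef struct {
    uint32_t *items;
    size_t cap;
} vec_t;

/* Reserve room for `want` records. Returns 0 on success, -1 on failure
 * (overflow or out of memory); the vector is left untouched on failure. */
int vec_reserve(vec_t *v, size_t want)
{
    uint32_t *p = checked_reallocarray(v->items, want, sizeof *v->items);
    if (p == NULL)
        return -1;
    v->items = p;
    v->cap = want;
    return 0;
}

/* Self-check: 1 when the constructed hostile count is rejected with ENOMEM
 * and a sane count is accepted afterwards, 0 otherwise. */
int vec_reserve_behaves(void)
{
    vec_t v = { NULL, 0 };
    size_t hostile = SIZE_MAX / 4 + 1;   /* constructed: 4 * hostile == 2^N, wraps to 0 */
    int ok = vec_reserve(&v, hostile) == -1 && errno == ENOMEM && v.cap == 0 &&
             vec_reserve(&v, 1024) == 0 && v.cap == 1024;
    free(v.items);
    return ok;
}

int main(void)
{
    size_t hostile = SIZE_MAX / 4 + 1;
    printf("naive malloc would ask for %zu bytes for %zu records\n",
           naive_request_bytes(hostile, sizeof(uint32_t)), hostile);
    printf("checked allocator rejects the request: %s\n",
           product_wraps(hostile, sizeof(uint32_t)) ? "yes" : "no");
    printf("vec_reserve behaves as expected: %d\n", vec_reserve_behaves());
    return 0;
}
```

The point of the design is that the caller gets the same failure it already has to handle for realloc (NULL and ENOMEM), so adopting the check is a mechanical substitution rather than new error-handling logic, which is what made the tree-wide audit mentioned above practical.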

Switching from Linux blog

  • A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
  • After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
  • So far, he’s put up a few posts about his initial thoughts, some documentation he’s going through and his experiments so far
  • It’ll be an ongoing series, so we may check back in with him again later on

Owncloud in a FreeNAS jail

  • One of the most common emails we get is about running Owncloud in FreeNAS
  • Now, finally, someone made a video on how to do just that, and it’s even jailed
  • A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
  • If you’re looking for an easy way to back up and sync your files, this might be worth a watch

Feedback/Questions


Mailing List Gold


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The OpenBSD router, dpb, PXE autoinstall and patched ISO building tutorials have all been updated for 5.6
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – tell us how we’re doing or what you’d like to see in future episodes
  • You can usually watch live Wednesdays at 2:00PM Eastern (18:00 UTC), but…
  • We’ll be in California at MeetBSD next week, so there will be a prerecorded episode
  • Speaking of conferences, the operatingsystems.io event has gotten a few more BSD speakers – check it out if you’re in London on November 25th

DES Challenge IV | BSD Now 47 – https://original.jupiterbroadcasting.net/62987/des-challenge-iv-bsd-now-47/ – Thu, 24 Jul 2014 11:44:16 +0000


Coming up this week on the show!

We’ve got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like.

The latest news, answers to your emails and even some LibreSSL drama, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –

Headlines

g2k14 hackathon reports

  • Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
  • Lots of work got done – in just the first two weeks of July, there were over 1000 commits to their CVS tree
  • Some of the developers wrote in to document what they were up to at the event
  • Bob Beck planned to work on kernel stuff, but then “LibreSSL happened” and he spent most of his time working on that
  • Miod Vallat also tells about his LibreSSL experiences
  • Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we’ll be interviewing him next week!)
  • Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
  • Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
  • Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
  • Martin Pelikan integrated read-only ext4 support
  • Vadim Zhukov did lots of ports work, including working on KDE4
  • Theo de Raadt created a new, more secure system call, “sendsyslog” and did a lot of work with /etc, sysmerge and the rc scripts
  • Paul Irofti worked on the USB stack, specifically for the Octeon platform
  • Sebastian Benoit worked on relayd filters and IPv6 code
  • Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
  • Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
  • Stefan Sperling fixed a lot of issues with wireless drivers
  • Florian Obser did many things related to IPv6
  • Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
  • Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
  • Matthieu Herrb worked on updating and modernizing parts of xenocara

FreeBSD pf discussion takes off

  • A thread started on the freebsd-questions and freebsd-current mailing lists this week concerning FreeBSD’s version of pf being old and seemingly unmaintained (unfortunately people didn’t always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
  • Straight from the SMP FreeBSD pf maintainer: “no one right now [is actively developing pf on FreeBSD]” and “Following OpenBSD on features would be cool, but no bulk imports would be made again. Bulk imports produce bad quality of port, and also pf in OpenBSD has no multi thread support”
  • Baptiste Daroussin was quick to point out that multi-thread support is not the only difference between the FreeBSD and OpenBSD versions of pf; there is also the work that was done to support VIMAGE (network virtualization, which allows entire network stacks inside jails)
  • Baptiste Daroussin also reports on his efforts to update FreeBSD pf. He ran into problems and after breaking pf on head, his changes were reverted. He reports that he is still interested in porting individual OpenBSD pf features that are relevant to him, but not in a ‘full sync’ or being the overall maintainer of FreeBSD pf
  • The project is looking for volunteers to continue the work. Mentorship is available for a number of people familiar with the FreeBSD networking stack, and Henning Brauer (one of the authors of OpenBSD pf) has stated his willingness to help on a number of occasions, and candidates can apply to the FreeBSD Foundation for funding
  • Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
  • FreeBSD’s pf man pages are lacking, and some of FreeBSD’s documentation still links to OpenBSD’s pages, which are not compatible anymore
  • The discussion also touched on importing pf patches from pfSense, although the license that these patches are under is not clear at this time
  • Things quickly got off topic as further disagreement among individual developers vs. users derailed the conversation somewhat
  • Many users are very vocal about wanting it updated, saying they are willing to deal with the syntax change and it is worth the benefits
  • Some developers wonder which features of OpenBSD pf users actually want, other than just ‘the latest shiny’
  • Currently the only known problems with FreeBSD pf are with IPv6 fragments and the VIMAGE subsystem
  • Gleb Smirnoff, author of the FreeBSD-specific SMP patches, says Henning’s claims about OpenBSD’s improved speed are “uncorroborated claims” (but neither side has provided any public benchmarks)
  • Olivier Cochard-Labbé (of the BSD Router Project) provided his benchmarks from Nov 2013 of packet forwarding rates with various configurations of FreeBSD 9.2 and 10, vs OpenBSD 5.4. Here is the raw data and scripts to reproduce and a graph of the results
  • There seem to be many opinions about what to do about pf, but so far no one willing to do the work

LibreSSL progress update

  • LibreSSL’s first few portable releases have come out and they’re making great progress, releasing 2.0.3 two days ago
  • Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
  • However, there has already been some drama… with Linux users
  • There was a problem with Linux’s PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
  • This “problem” doesn’t affect OpenBSD’s native implementation, only the portable version
  • The developers decided to weigh in to calm the misinformation and rage
  • A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now – remember to say thanks, guys
  • Ted Unangst has a really good post about the whole situation, definitely check it out
  • As a follow-up from last week, bapt says they’re working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly – if you’re a port maintainer, please test your ports against it

Preparation for NetBSD 7

  • The release process for NetBSD 7.0 is finally underway
  • The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will last until September
  • If you run NetBSD, that’ll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
  • They’re also looking for some help updating documentation and fixing any bugs that get reported
  • Another formal announcement will be made when the beta binaries are up

Interview – Dag-Erling Smørgrav – des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics


News Roundup

BSDCan ports and packages WG

  • Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
  • Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
  • There’s also some detail about the signing infrastructure and different mirrors
  • Ports people and source people need to talk more often about ABI breakage
  • The post also includes information about pkg 1.3, the old pkg tools’ EOL, the quarterly stable package sets and a lot more (it’s a huge post!)

Cross-compiling ports with QEMU and poudriere

  • With recent QEMU features, you can basically chroot into a completely different architecture
  • This article goes through the process of building ARMv6 packages on a normal x86 box
  • Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
  • The poudriere-devel port now has a “qemu user” option that will pull in all the requirements
  • Hopefully this will pave the way for official pkgng packages on those lesser-used architectures

Cloning FreeBSD with ZFS send

  • For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
  • This post shows his entire process in creating a mirror machine, using ZFS for everything
  • The “zfs send” and “zfs snapshot” commands really come in handy for this
  • He does the whole thing from a live CD, pretty impressive

FreeBSD Overview series

  • A new blog series we stumbled upon about a Linux user switching to BSD
  • In part one, he gives a little background on being “done with Linux distros” and documents his initial experience getting and installing FreeBSD 10
  • He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
  • Most of what he was used to on Linux was already in the default FreeBSD (except bash…)
  • Part two documents his experiences with pkgng and ports

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Last week we talked a bit about hardware compatibility; check out the NYC BSD Users’ Group’s dmesgd, a database of user-submitted dmesg output from various hardware on various BSDs. Help the community, submit your dmesg today!
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know – we want to do what the viewers want to see
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)


Time Signatures | BSD Now 23 https://original.jupiterbroadcasting.net/51177/time-signatures-bsd-now-23/ Thu, 06 Feb 2014 22:08:15 +0000 https://original.jupiterbroadcasting.net/?p=51177 We'll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we've got a tutorial on how to run your own NTP server.




We’ll be talking with Ted Unangst of the OpenBSD team about their new signing infrastructure. After that, we’ve got a tutorial on how to run your own NTP server. News, your feedback and even… the winner of our tutorial contest! It’s a big show, so stay tuned to BSD Now – the place to B.. SD.

Thanks to:


iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD Foundation’s 2013 fundraising results

  • The FreeBSD Foundation finally counted all the money they made in 2013
  • $768,562 from 1659 donors
  • Nice little blog post from the team with a giant beastie picture
  • “We have already started our 2014 fundraising efforts. As of the end of January we are just under $40,000. Our goal is to raise $1,000,000. We are currently finalizing our 2014 budget. We plan to publish both our 2013 financial report and our 2014 budget soon.”
  • A special thanks to all the BSD Now listeners that contributed, the foundation was really glad that we sent some people their way (and they mentioned us on Facebook)

OpenSSH 6.5 released

  • We mentioned the CFT last week, and it’s finally here!
  • New key exchange using elliptic-curve Diffie-Hellman in Daniel Bernstein’s Curve25519 (now the default when both sides support it)
  • Ed25519 public keys are now available for host keys and user keys, considered more secure than DSA and ECDSA
  • Funny side effect: if you ONLY enable ed25519 host keys, all the compromised Linux boxes can’t even attempt to login
  • New bcrypt private key type, 500,000,000 times harder to brute force
  • Chacha20-poly1305 transport cipher that builds an encrypted and authenticated stream in one
  • Portable version already in FreeBSD -CURRENT, and ports
  • Lots more bugfixes and features, see the full release note or our interview with Damien
  • Work has already started on 6.6, which can be used without OpenSSL!

Crazed Ferrets in a Berkeley Shower

  • In 2000, MWL wrote an essay for linux.com about why he uses the BSD license: “It’s actually stood up fairly well to the test of time, but it’s fourteen years old now.”
  • This is basically an updated version about why he uses the BSD license, in response to recent idiocy from Richard Stallman
  • Very nice post that gives some history about Berkeley, the basics of the BSD-style licenses and their contrast to the GNU GPL
  • Check out the full post if you’re one of those people that gets into license arguments
  • The takeaway is “BSD is about making the world a better place. For everyone.”

OpenBSD on BeagleBone Black

  • Beaglebone Blacks are cheap little ARM devices similar to a Raspberry Pi
  • A blog post about installing OpenBSD on a BBB from… our guest for today!
  • He describes it as “everything I wish I knew before installing the newly renamed armv7 port on a BeagleBone Black”
  • It goes through the whole process, details different storage options and some workarounds
  • Could be a really fun weekend project if you’re interested in small or embedded devices

This episode was brought to you by

iXsystems


Interview – Ted Unangst – tedu@openbsd.org / @tedunangst

OpenBSD’s signify infrastructure


Tutorial

Running an NTP server


News Roundup

Getting started with FreeBSD

  • A new video and blog series about starting out with FreeBSD
  • The author has been a fan since the 90s and has installed it on every server he’s worked with
  • He mentioned some of the advantages of BSD over Linux and how to approach explaining them to new users
  • The first video is the installation, then he goes on to packages and other topics – 4 videos so far

More OpenBSD hackathon reports

  • As a follow-up to last week, this time Kenneth Westerback writes about his NZ hackathon experience
  • He arrived with two goals: disklabel fixes for drives with 4k sectors and some dhclient work
  • This summary goes into detail about all the stuff he got done there

X11 in a jail

  • We’ve gotten at least one feedback email about running X in a jail. Well… with this commit, it looks like now you can!
  • A new tunable option will let jails access /dev/kmem and similar device nodes
  • Along with a change to DRM, this allows full X11 in a jail
  • Be sure to check out our jail tutorial and jailed VNC tutorial for ideas
  • Ongoing Discussion

PCBSD weekly digest


Feedback/Questions

  • Justin writes in: https://slexy.org/view/s21VnbKZsH
  • Daniel writes in: https://slexy.org/view/s2nD7RF6bo
  • Martin writes in: https://slexy.org/view/s2jwRrj7UV
  • Alex writes in: https://slexy.org/view/s201koMD2c
    + unofficial FreeBSD RPI Images
  • James writes in: https://slexy.org/view/s2AntZmtRU
  • John writes in: https://slexy.org/view/s20bGjMsIQ

  • All the tutorials are posted in their entirety at bsdnow.tv
  • The ssh tutorial has been updated with some new 6.5 stuff
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Reminder: if you’re on FreeBSD 8.3 for some reason, upgrade soon – it’s reaching EOL
  • Reminder: if you’re using pkgng, be sure to update to 1.2.6 for a security issue
  • The winner of the tutorial contest is… Dusko! We didn’t get as many submissions as we wanted, but his Nagios monitoring tutorial was extremely well-done. It’ll be featured in a future episode. Congrats! Send us a picture when it arrives.
  • Allan got his pillow in the mail as well, it’s super awesome


Cryptocrystalline | BSD Now 16 https://original.jupiterbroadcasting.net/48367/cryptocrystalline-bsd-now-16/ Fri, 20 Dec 2013 10:53:55 +0000 https://original.jupiterbroadcasting.net/?p=48367 How to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller - one of the lead developers of OpenSSH.




We’ll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller – one of the lead developers of OpenSSH – about some recent crypto changes in the project. If you’re into data security, today’s the show for you. The latest news and all your burning questions answered, right here on BSD Now – the place to B.. SD.

Thanks to:


iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Secure communications with OpenBSD and OpenVPN

  • Starting off today’s theme of encryption…
  • A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
  • Part 1 covers installing OpenBSD with full disk encryption (which we’ll be doing later on in the show)
  • Part 2 covers the initial setup of OpenVPN certificates and keys
  • Parts 3 and 4 are the OpenVPN server and client configuration
  • Part 5 is some updates and closing remarks

FreeBSD Foundation Newsletter

  • The December 2013 semi-annual newsletter was sent out from the foundation
  • In the newsletter you will find the president’s letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
  • The president’s letter alone is worth the read, really amazing
  • Really long, with lots of details and stories from the conferences and projects

Use of NetBSD with Marvell Kirkwood Processors

  • Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
  • The IP-Plug is a “multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger).”
  • Really cool little NetBSD ARM project with lots of graphs, pictures and details

Experimenting with zero-copy network IO

  • Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
  • Discusses the different OS’ implementations and options
  • He’s able to get 35 Gbit/sec out of 70,000 active TCP sockets, but isn’t stopping there
  • Tons of details, check the full post

Interview – Damien Miller – djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH


Full disk encryption in FreeBSD & OpenBSD

  • Shows how to install both FreeBSD and OpenBSD with full disk encryption
  • We’ll be using geli and bioctl and doing it step by step

News Roundup

OpenZFS office hours

  • Our buddy George Wilson sat down to take some ZFS questions from the community
  • You can see more info about it here

License summaries in pkgng

  • A discussion between Justin Sherrill and some NYCBUG guys about license frameworks in pkgng
  • Similar to pkgsrc’s “ACCEPTABLE_LICENSES” setting, pkgng could let the user decide which software licenses he wants to allow
  • Maybe we could get a “pkg licenses” command to display the license of all installed packages
  • Ok bapt, do it


Exploit Brokers | TechSNAP 119 https://original.jupiterbroadcasting.net/40537/exploit-brokers-techsnap-119/ Thu, 18 Jul 2013 17:24:48 +0000 https://original.jupiterbroadcasting.net/?p=40537 The business of selling 0day exploits is booming, we’ll explain how this shady market works.




The business of selling 0day exploits is booming, we’ll explain how this shady market works, and how a couple guys turned a Verizon Network Extender into a spy listening post.

A huge batch of your questions…

And much much more, on This week’s TechSNAP!

Thanks to:

Use our code tech249 to score .COM for $2.49!

Get private registration FOR FREE with a .COM! code: free5

 

Visit techsnap.ting.com to save $25 off your device or service credits.

 

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

Yahoo to start recycling disused email addresses, introduces new security feature to prevent abuse

  • Yahoo’s email server has been running for a very very long time
  • As such, many of the best usernames are taken, even though many of them have not been used in a decade
  • So, Yahoo plans to start recycling those addresses that are no longer used
  • The obvious problem with a move like this is that if there are any accounts still tied to this old email address, the new owner can request a password reset to the email address that they now control, and take over that account
  • Yahoo’s developers have come up with a rather ingenious way to prevent this, although the implementation is dependent on third-party services implementing it (Facebook already has)
  • Yahoo’s mail servers will now respect the non-standard header ‘Require-Recipient-Valid-Since’
  • The idea is that when Facebook sends a password reset email, it includes this header with the date that the Facebook account was created. If the Yahoo email address was assigned more recently than that date, it may no longer belong to the same person, so Yahoo sends a bounce message back to Facebook rather than delivering the email
  • This prevents someone from acquiring the disused email address and performing the password reset
  • Yahoo has created an IETF Draft specification for this header, if ratified, it will become an internet standard and be added to the IANA Permanent Message Header Field registry
  • It is not yet clear if other services such as Twitter will implement this
  • It seems unlikely that Online Banking and other services will implement this system, so make sure all of your online services have a valid current email address, preferably one you plan to keep for the long term
  • Yahoo Developers Blog
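The receiver-side half of that scheme, as an added example (not Yahoo's code): the mail system parses the header, looks up when the recipient mailbox was last assigned to its current owner, and bounces the message if that happened after the date the sender vouches for. It assumes the header value has the form "address; RFC 5322 date" as in the IETF draft, and that the receiver keeps a mailbox-assignment registry; the registry and messages below are constructed.

```python
"""Receiver-side check for the Require-Recipient-Valid-Since header.

Added example, not Yahoo's implementation. Assumed header format:
    Require-Recipient-Valid-Since: user@example.net; Sun, 01 Jan 2012 00:00:00 +0000
"""
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed registry: when the current owner was assigned each mailbox.
# alice's address was recycled and reassigned in July 2013; bob has had his since 2009.
MAILBOX_ASSIGNED = {
    "alice@example.net": datetime(2013, 7, 1, tzinfo=timezone.utc),
    "bob@example.net": datetime(2009, 3, 15, tzinfo=timezone.utc),
}


def parse_rrvs(value):
    """Split 'address; date' into (lowercased address, aware datetime); None if malformed."""
    addr, sep, date = value.partition(";")
    if not sep:
        return None
    try:
        when = parsedate_to_datetime(date.strip())
    except (TypeError, ValueError):  # older Pythons raise TypeError, newer ValueError
        return None
    if when.tzinfo is None:  # a '-0000' zone comes back naive; treat it as UTC
        when = when.replace(tzinfo=timezone.utc)
    return addr.strip().lower(), when


def rrvs_decision(raw_message, rcpt_to, registry=MAILBOX_ASSIGNED):
    """Decide what the receiving mail system does with a message addressed to rcpt_to.

    'deliver'       : mailbox is still owned by whoever the sender last confirmed it for
    'bounce'        : mailbox changed hands after the sender's date, or does not exist
    'ignore-header' : header present but unusable; handled as if it were absent
    """
    msg = message_from_string(raw_message)
    rcpt = rcpt_to.lower()
    assigned = registry.get(rcpt)
    if assigned is None:
        return "bounce"  # no such mailbox, header or not
    value = msg.get("Require-Recipient-Valid-Since")
    if value is None:
        return "deliver"
    parsed = parse_rrvs(value)
    if parsed is None or parsed[0] != rcpt:
        return "ignore-header"  # assumption: a header naming another address is ignored
    valid_since = parsed[1]
    # The sender asserts the address belonged to its user as of valid_since.
    # If the mailbox was (re)assigned after that, the reset link may reach a
    # stranger, so bounce instead of delivering.
    if assigned > valid_since:
        return "bounce"
    return "deliver"


def reset_mail(to_addr, account_created):
    """Constructed password-reset message carrying the header (sender side)."""
    return (
        "From: security@social.example\n"
        f"To: {to_addr}\n"
        "Subject: Password reset\n"
        f"Require-Recipient-Valid-Since: {to_addr}; {account_created}\n"
        "\n"
        "Follow the link to choose a new password.\n"
    )


if __name__ == "__main__":
    created = "Sun, 01 Jan 2012 00:00:00 +0000"
    # alice's social account predates the July 2013 reassignment -> bounce
    print("alice:", rrvs_decision(reset_mail("alice@example.net", created), "alice@example.net"))
    # bob has owned his mailbox since 2009 -> deliver
    print("bob:", rrvs_decision(reset_mail("bob@example.net", created), "bob@example.net"))
```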

The business of selling 0day exploits is booming

  • There are a number of businesses selling zero day exploits including: Vupen in Montpellier, France; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln in Malta
  • There is also a Virginia startup called Endgame, apparently involving a former director of the NSA, which is doing a lot of undisclosed business with the US Government
  • The USA, Israel, Britain, Russia, India and Brazil spend staggering amounts of money buying these exploits
  • Many other countries including North Korea, a number of Middle Eastern intelligence agencies, Malaysia and Singapore are also in the market
  • These exploits have value both offensively and defensively, if you know the details of a zero day exploit, you can better protect yourself from others who may know about it as well
  • However if you report it to the vendor so it gets patched, you protect everyone, but lose the offensive value
  • The average zero-day exploit goes undetected for 312 days, before it gets used enough that AV vendors notice it and it gets reported and patched
  • Services like Vupen charge $100,000/year for access to their catalogue, with varying prices of the actual exploits
  • Netragard only sells to US clients, and reports that the average flaw now sells from $35,000 to $160,000
  • In years past, rather than selling these flaws to companies like Vupen and ReVuln, who then sell them to governments, security researchers would report them to vendors like Microsoft and Google, just for the recognition and sometimes a t-shirt
  • Many vendors now have bug bounty programs to reward researchers for reporting vulnerabilities, rather than keeping them, using them or selling them
  • To counter this, Microsoft recently raised its bug bounty reward program, now up to $150,000

Feedback:

TechSNAP Bitmessage: BM-GuGEaEtsqQjqgHRAfag5FW33Dy2KHUmZ


Round Up:



Keeping it Up | TechSNAP 20 https://original.jupiterbroadcasting.net/11491/keeping-it-up-techsanp-20/ Thu, 25 Aug 2011 21:33:51 +0000 https://original.jupiterbroadcasting.net/?p=11491 Find out how software like Nagios can take your setup to the next level, and Apache and PHP have big security holes, find out why it's time to patch!




Apache and PHP have hooked up at the fail party, and we’ll share all the details to motivate you to patch your box!

Then Microsoft takes a stab at AES and we wrap it all up with a complete run down of Nagios, and how this amazing tool can alert you to a potential disaster!

All that and more, on this week’s TechSNAP!

Direct Download Links:

HD Video | Large Video | Mobile Video | WebM Video | MP3 Audio | OGG Audio | YouTube

Subscribe via RSS and iTunes:


Show Notes:


All versions of the apache web server are vulnerable to a resource exhaustion DoS attack

  • A single attacker with even a slow internet connection can entirely cripple a massive apache server
  • The attack uses the ‘Range’ header, requesting 1300 different segments of the file, causing the web server to create many separate memory allocations. The existing attack script defaults to running 50 concurrent threads of this attack, which will quickly exhaust all of the ram on the server and drive the server load very high.
  • Apache 1.3 is past its end of life and will not receive an official patch
  • A different aspect of this bug (using it to exhaust bandwidth) was pointed out by a Google security engineer over 4 years ago

PHP 5.3.7 contains a critical vulnerability in crypt()

  • Official Bug Report
  • The crypt() function used for hashing passwords received much attention in this latest version of PHP, and a bug was inadvertently introduced: when you hash a password with MD5, only the salt is returned. This means that when validating a login attempt, the hash of the attempt is compared to the stored hash and only the salt matches, resulting in a failed login. However, if the user changes their password, or a new user registers, the stored hash will consist of only the salt, and in that case any attempted password will result in a successful login.
  • PHP 5.3.7’s headline bug fix was an issue with the way blowfish crypt() was implemented on Linux (it worked correctly on BSD). Some passwords that contained invalid UTF-8 would result in very weak hashes
  • It seems that this error was caught by the PHP unit testing framework, so the fact that it made it in to a production release means that the unit testing was likely not properly completed before the release was made.
  • 5.3.7 was released on August 18th. The release was pulled on August 22nd, and 5.3.8 was released on August 23rd

Researchers have developed a new attack against AES

  • Researchers from a Belgian (Katholieke Universiteit Leuven) and a French (École Normale Supérieure) university, working with Microsoft Research, have developed a new attack against AES that allows an encryption key to be recovered 3 to 5 times faster than all previous attacks
  • The attack would still take billions of years of CPU time with currently existing hardware
  • Full Paper with Details
  • Comments by Bruce Schneier
  • Additional Article

Feedback

Q: (DreamsVoid) I have a server setup, and I am wondering what it would take to setup a backup server, that would automatically take over if the first server were to go down. What are some of the ways I could accomplish this?

A: This is a rather lengthy answer, so I will actually break it apart, and give one possible answer each week, for the next few weeks. This week’s solution is to use DNS Failover. For this feature, I personally use a 3rd party DNS Service called DNS Made Easy. Once you are hosting your DNS with them, you can enable Monitoring and DNS Failover. This allows you to enter the IPs of more than one server for the DNS entry such as www.mysite.com. Only one IP will be used at a time, so it is not the same as a ‘Round Robin’ setup. This simplifies problems with sessions and other data that would need to be shared between all of the servers if they were used at the same time. DNSMadeEasy will monitor the website every minute from locations all over the world, and if the site is unreachable, it will automatically update your DNS record to point traffic to the next server on your list. It will successively fail over to each server on the list until it finds one that is up. When the primary server comes back, it can automatically switch back. We use this for the front page of ScaleEngine.com; if the site were ever down, it would fail over to a backup server we have at a different hosting provider. This backup copy of the site is still reliant on a connection to our centralized CMS (which also uses DNS Failover), and if that were down too, it fails over to a flat-HTML copy of our website that is updated once per day. This way, our website remains online even if both our primary and secondary hosting are offline, or if all 3 fail over servers for the CMS are down as well.


Q: (Al Reid) Nagios seems to be a very good open source and widely used network monitoring software solution, is it possible that you guys could discuss the topic of network monitoring for services, hosts, router, switches and other uses?

A: Nagios is an open source network monitoring system that can be used to monitor a number of different aspects of both the hosts (physical and virtual servers, routers) and the services of those hosts (programs like apache, mysql, etc). The most basic monitoring is just pinging the host, and entering an alert state if the host does not respond, or if the latency or packet loss exceeds a specific threshold. However the real power of a network monitoring system comes not only from alerting you (via email, text message, audible alarm) when something is down, but actually monitoring and graphing performance over time. For example, with my MySQL servers, nagios monitors not only that they are accessible, but graphs the number of queries per second, and the number of concurrent connections. This way, if I notice higher than expected load on one of the servers, I can pull up the graph and see that, yes, a few hours ago the number of queries per second jumped by 30%, and that is obviously what is causing the additional load. A huge number of things can be monitored using a combination of the nagios tools and the SNMP (Simple Network Management Protocol) interfaces exposed by many devices. For example, we monitor power utilization from our PDUs and traffic through each of our switch ports. Some of the main metrics we monitor on each server are: CPU load, load averages, CPU temperature, free memory, swap usage, number of running processes, uptime (alerts us when a device reboots unexpectedly), free disk space, etc. We also monitor our web servers closely, monitoring the number of connections, requests per second, number of requests waiting on read or write, etc. Nagios monitoring can be taken even further: more advanced SNMP daemons on servers can list the packages that are installed, and a nagios tool could be set up to alert you when a known vulnerable package is detected, prompting you to upgrade that package.
Nagios can also monitor your SSL certificates and Domain Names, and alert you when they are nearing their expiration dates (Chris should have this so he doesn’t forget to renew JupiterBroadcasting.com every year). Nagios supports two different methods of monitoring. The first is ‘active’, which is the most commonly used: nagios connects to the server/service and checks that it is running, and gets the performance data, if any. However nagios can also support ‘passive’ data collection, where the server or service pushes performance data to nagios, and nagios can trigger an alert if an update is not received within a specific time frame. This can help solve a common issue we have discussed before, where the monitoring server is a weak point in the security of the network, a single host that is able to connect to even the most secure hosts in your network. With passive monitoring, you can have secure hosts or unroutable LAN hosts push their monitoring and performance data to nagios from behind the firewall, even when nagios cannot connect to that host. Other alternatives to Nagios are Zabbix, SpiceWorks or Cacti, but I have never used them.


Random SQL Injection Comic

Round Up:

Bitcoin Blaster:

