Show Notes: techsnap.systems/422

The post Multipath Musings | TechSNAP 422 first appeared on Jupiter Broadcasting.

The theoretical Android flaw becomes reality, a simple phishing scam hits some major companies & why your PIN has already been leaked.

Plus great questions, our answers, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

W2 Phishing scams hit a number of companies

• “Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists”
• “Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.”
• “Moneytree was apparently targeted by a scam in which the scammer impersonated me (the company co-founder) and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.”
• Why that would even be a reasonable request, I don’t know
• “Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”
• Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February. Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.
• “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam. The information was sent by an employee who believed the phishing email was a legitimate internal company request.”
• “W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.”
• “For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the different between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).”
• ““When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong. To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again”.”

New exploit developed for Android Stagefright

• “Security researchers have successfully exploited the Android-based Stagefright bug and remotely hacked a phone, which may leave millions devices vulnerable to attack.”
• “Israeli software research company NorthBit claimed it had “properly” exploited the Android bug that was originally described as the “worst ever discovered”.”
• “The exploitation, called Metaphor, is detailed in a research paper (PDF) from NorthBit and also a video showing the exploit being run on a Nexus 5. NorthBit said it had also successfully tested the exploit on a LG G3, HTC One and Samsung Galaxy S5.”
• “The Stagefright vulnerability was first highlighted by security firm Zimperium in July 2015. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.”
• “A second critical vulnerability exploited issues in .mp3 and .mp4 files, which when opened were claimed to be able to remotely execute malicious code, was dubbed Stagefright 2.0 in October.”
• The flaws were originally thought to not be easily exploitable, but this new research provides a simple remote exploit case
• “The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected.”
• Android 5.0 and above are protected by ASLR, however “Dabah claims the exploit “depicts a way to bypass” address space layout randomisation (ASLR)”
• “”We managed to exploit it to make it work in the wild,” Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations.”
• “”I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem”.”
• Researcher PDF
• I am glad my phone runs Android 6.0.1 with the March 2016 Security Updates applied

PIN analysis

• “There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?”
• “People are notoriously bad at generating random passwords. I hope this article will scare you into being a little more careful in how you select your next PIN number. Are you curious about what the least commonly used PIN number might be?”
• “I was able to find almost 3.4 million four digit passwords. Every single one of the of the 10,000 combinations of digits from 0000 through to 9999 were represented in the dataset”
• “A staggering 26.83% of all passwords could be guessed by attempting the top 20 combinations”
• “The first “puzzling” password I encountered was 2580 in position #22. What is the significance of these digits? Why should so many people select this code to make it appear so high up the list?”
• This turns out to be straight down the middle of a telephone style number pad. Not the same as on on a computer, but most ABMs use the telephone style
• “Another fascinating piece of trivia is that people seem to prefer even numbers over odd, and codes like 2468 occur higher than a odd number equivalent, such as 1357”
• “Statistically, one third of all codes can be guessed by trying just 61 distinct combinations! The 50% cumulative chance threshold is passed at just 426 codes (far less than the 5,000 that a random uniformly distribution would predict)”
• The most unpopular pin is: 8068
• “Warning Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.”
• “Many of the high frequency PIN numbers can be interpreted as years, e.g. 1967 1956 1937 … It appears that many people use a year of birth (or possibly an anniversary) as their PIN. This will certainly help them remember their code, but it greatly increases its predictability”
• Pins that start with 19 dominate the top 10%, and all appear within the top 20%
• The heatmap also shows that people tend to use Birthdays a lot as well (MMDD)

Feedback:

• Techsnap feedback
• Network printing
• Linux printing using CUPS (Raspberry Pi)
• OPNsense?

Round Up:

• Hands-on with Intel’s Skull Canyon NUC, the most powerful game-ready mini-PC
• Microsoft has lost their audit data on all Certificate Authorities
• tcpdump is amazing – Julia Evans
• A study by Rutgers University and Microsoft has found that hard drives are more prone to failure due to high levels of humidity [PDF] than high temperature
• U.S. army developing encrypted radar waveform
• AMEX warns customers about breach at third party service provider, in 2013
• Big-name sites hit by rash of malicious ads spreading crypto ransomware
• Inside NIST, how time servers work
• I stayed in a hotel with Android lightswitches and it was just as bad as you’d imagine
• How quickly and easily a card skimmer can be installed
• Hurricane Electric Hosted DNS

The post Metaphorically Exploited | TechSNAP 258 first appeared on Jupiter Broadcasting.

This week on the show, we’ll be chatting with Marc Espie. He’s recently added some additional security measures to dpb, OpenBSD’s package building tool, and we’ll find out why they’re so important. We’ve also got all this week’s news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2015 videos

• BSDCan just ended last week, but some of the BSD-related presentation videos are already online
• Allan Jude, UCL for FreeBSD
• Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
• Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
• Brooks Davis, CheriBSD: A research fork of FreeBSD
• Giuseppe Lettieri, Even faster VM networking with virtual passthrough
• Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
• Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
• Peter Hessler, Using routing domains / routing tables in a production network
• Ryan Lortie, a stitch in time: jhbuild
• Ted Unangst, signify: Securing OpenBSD From Us To You
• Many more still to come…

Documenting my BSD experience

• Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it’s finally time to give BSD a try
• “That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in.”
• In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
• The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you’re into that)
• You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
• He’s also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
• His second post explores replacing the firewall on his self-described “over complicated home network” with an OpenBSD box
• After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
• All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
• Getting to hear experiences like this are very important – they show areas where all the BSD developers’ hard work has paid off, but can also let us know where we need to improve

PC-BSD starts experimental HardenedBSD builds

• The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
• They’re not the first major FreeBSD-based project to offer an alternate build – OPNsense did that a few weeks ago – but this might open the door for more projects to give it a try as well
• With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won’t have
• Time will tell if more projects and products like FreeNAS might be interested too

C-states in OpenBSD

• People who run BSD on their notebooks, you’ll want to pay attention to this one
• OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
• According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
• If you’re running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings

NetBSD at Open Source Conference 2015 Hokkaido

• The Japanese NetBSD users group never sleeps, and they’ve hit yet another open source conference
• As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
• We’ll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD’s dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

• We’ve talked about FreeBSD’s “bhyve” hypervisor a lot on the show, and now it’s been ported to another OS
• As the name “xhyve” might imply, it’s a port of bhyve to Mac OS X
• Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
• It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
• There are also a few examples on how to use it

4K displays on DragonFlyBSD

• If you’ve been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you’ll be pleased to know that 4K displays work just fine
• Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
• Some GUI applications might look weird on such a huge resolution,
• HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience

Sandboxing port daemons on OpenBSD

• We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD’s base as chrooted by default – things from ports or packages don’t always get the same treatment
• This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn’t chroot by default
• It goes through the process of manually building a sandbox with all the libraries you’ll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
• With a few small changes, similar tricks could be done on the other BSDs as well – everybody has chroots

SmallWall 1.8.2 released

• SmallWall is a relatively new BSD-based project that we’ve never covered before
• It’s an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
• They’ve just released the first official version, so you can give it a try now
• If you’re interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks…

Feedback/Questions

• David writes in
• Brian writes in
• Dan writes in
• Joel writes in
• Steve writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Builder's Insurance | BSD Now 94 first appeared on Jupiter Broadcasting.

Coming up this time on the show, we’ll be speaking with Christos Zoulas, a NetBSD security officer. He’s got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We’ve also got answers to your emails and all this week’s news, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

New PAE support in OpenBSD

• OpenBSD has just added Physical Address Extention support to the i386 architecture, but it’s probably not what you’d think of when you hear the term
• In most operating systems, PAE’s main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms – this version isn’t for that
• Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
• Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don’t get the potential security benefit
• As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements – the i386 kernel reworking will begin shortly
• Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
• The AMD64 improvements will be in 5.7, due out in just a couple days as of when we’re recording this, but the i386 improvements will likely be in 5.8

Booting Windows in bhyve

• Work on FreeBSD’s bhyve continues, and a big addition is on the way
• Thus far, bhyve has only been able to boot operating systems with a serial console – no VGA, no graphics, no Windows
• This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
• Graphics emulation is still in the works; this image was taken by booting headless and using RDP
• A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
• Not a lot of details on the matter currently, but we’ll be sure to bring you more info as it comes out
• Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts

MidnightBSD 0.6 released

• MidnightBSD is a smaller project we’ve not covered a lot on the show before
• It’s an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
• They also have their own, smaller version of FreeBSD ports, called “mports”
• If you’re already using it, this new version is mainly a security and bugfix release
• It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
• You can check their site for more information about the project
• We’re trying to get the lead developer to come on for an interview, but haven’t heard anything back yet

OpenBSD rewrites the file utility

• We’re all probably familiar with the traditional file command – it’s been around since the 1970s
• For anyone who doesn’t know, it’s used to determine what type of file something actually is
• This tool doesn’t see a lot of development these days, and it’s had its share of security issues as well
• Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
• It’s not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
• When you think about it, file was technically designed to be used on untrusted files
• OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite – this time with modern coding practices and the usual OpenBSD scrutiny
• This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
• With these two things combined, it should drastically reduce the damage a malicious file could potentially do
• Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
• It’ll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future – someone’s already thrown together an unofficial portable version
• Coincidentally, the lead developer and current maintainer of file just happens to be our guest today…

Interview – Christos Zoulas – christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

• The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
• FreeBSD’s list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
• OpenBSD’s list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it… porting HAMMER FS to OpenBSD
• We’ll be sure to keep you up to date on developments from both projects
• Hopefully the other BSDs will make the cut too next year

FreeBSD on the Gumstix Duovero

• If you’re not familiar with the Gumstix Duovero, it’s an dual core ARM-based computer-on-module
• They actually look more like a stick of RAM than a mini-computer
• This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
• If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us

EU study recommends OpenBSD

• A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
• This is especially important, in all countries, after the mass surveillance documents came out
• “[…] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts.”
• The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
• Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: “Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways”
• Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure – something we’ve discussed with Voxer and M:Tier before

FreeBSD workflow with Git

• If you’re interested in contributing to FreeBSD, but aren’t a big fan of SVN, they have a Github mirror too
• This mailing list post talks about interacting between the official source repository and the Git mirror
• This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved

Feedback/Questions

• Sean writes in
• Bryan writes in
• Sean writes in
• Charles writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – don’t be shy, we’re here to help with any questions you have
• We’re always looking for interviews, so feel free to suggest someone you’d like for us to talk to (or volunteer yourself if you’re doing something cool)

The post On the List | BSD Now 87 first appeared on Jupiter Broadcasting.

This time on the show, we’ll be talking with Pascal Stumpf about static PIE in the upcoming OpenBSD release. He’ll tell us what types of attacks it prevents, and why it’s such a big deal. We’ve also got answers to questions from you in the audience and all this week’s news, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Solaris’ networking future is with OpenBSD

• A curious patch from someone with an Oracle email address was recently sent in to one of the OpenBSD mailing lists
• It was revealed that future releases of Solaris are going to drop their IPFilter firewall entirely, in favor of a port of the current version of PF
• For anyone unfamiliar with the history of PF, it was actually made as a replacement for IPFilter in OpenBSD, due to some licensing issues
• What’s more, Solaris was the original development platform for IPFilter, so the fact that it would be replaced in its own home is pretty interesting
• This blog post goes through some of the backstory of the two firewalls
• PF is in a lot of places – other BSDs, Mac OS X and iOS – but there are plenty of other OpenBSD-developed technologies end up ported to other projects too
• “Many of the world’s largest corporations and government agencies are heavy Solaris users, meaning that even if you’re neither an OpenBSD user or a Solaris user, your kit is likely interacting intensely with both kinds, and with Solaris moving to OpenBSD’s PF for their filtering needs, we will all be benefiting even more from the OpenBSD project’s emphasis on correctness, quality and security”
• You’re welcome, Oracle

BAFUG discussion videos

• The Bay Area FreeBSD users group has been uploading some videos from their recent meetings
• Sean Bruno gave a recap of his experiences at EuroBSDCon last year, including the devsummit and some proposed ideas from it (as well as their current status)
• Craig Rodrigues also gave a talk about Kyua and the FreeBSD testing framework
• Lastly, Kip Macy gave a talk titled “network stack changes, user-level FreeBSD”
• The main two subjects there are some network stack changes, and how to get more people contributing, but there’s also open discussion about a variety of FreeBSD topics
• If you’re close to the Bay Area in California, be sure to check out their group and attend a meeting sometime

More than just a makefile

• If you’re not a BSD user just yet, you might be wondering how the various ports and pkgsrc systems compare to the binary way of doing things on Linux
• This blog entry talks about the ports system in OpenBSD, but a lot of the concepts apply to all the ports systems across the BSDs
• As it turns out, the ports system really isn’t that different from a binary package manager – they are what’s used to create binary packages, after all
• The author goes through what makefiles do, customizing which options software is compiled with, patching source code to build and getting those patches back upstream
• After that, he shows you how to get your new port tested, if you’re interesting in doing some porting yourself, and getting involved with the rest of the community
• This post is very long and there’s a lot more to it, so check it out (and more discussion on Hacker News)

Securing your home fences

• Hopefully all our listeners have realized that trusting your network(s) to a consumer router is a bad idea by now
• We hear from a lot of users who want to set up some kind of BSD-based firewall, but don’t hear back from them after they’ve done it.. until now
• In this post, someone goes through the process of setting up a home firewall using OPNsense on a PCEngines APU board
• He notes that you have a lot of options software-wise, including vanilla FreeBSD, OpenBSD or even Linux, but decided to go with OPNsense because of the easy interface and configuration
• The post covers all the hardware you’ll need, getting the OS installed to a flash drive or SD card and going through the whole process
• Finally, he goes through setting up the firewall with the graphical interface, applying updates and finishing everything up
• If you don’t have any experience using a serial console, this guide also has some good info for beginners about those (which also applies to regular FreeBSD)
• We love super-detailed guides like this, so everyone should write more and send them to us immediately

Interview – Pascal Stumpf – pascal@openbsd.org

Static PIE in OpenBSD

News Roundup

LLVM’s new libFuzzer

• We’ve discussed fuzzing on the show a number of times, albeit mostly with the American Fuzzy Lop utility
• It looks like LLVM is going to have their own fuzzing tool too now
• The Clang and LLVM guys are no strangers to this type of code testing, but decided to “close the loop” and start fuzzing parts of LLVM (including Clang) using LLVM itself
• With Clang being the default in both FreeBSD and Bitrig, and with the other BSDs considering the switch, this could make for some good bug hunting across all the projects in the future

HardenedBSD upgrades secadm

• The HardenedBSD guys have released a new version of their secadm tool, with the showcase feature being integriforce support
• We covered both the secadm tool and integriforce in previous episodes, but the short version is that it’s a way to prevent files from being altered (even as root)
• Their integriforce feature itself has also gotten a couple improvements: shared objects are now checked too, instead of just binaries, and it uses more caching to speed up the whole process now

RAID5 returns to OpenBSD

• OpenBSD’s softraid subsystem, somewhat similar to FreeBSD’s GEOM, has had experimental RAID5 support for a while
• However, it was exactly that – experimental – and required a recompile to enable
• With some work from recent hackathons, the final piece was added to enable resuming partial array rebuilds
• Now it’s on by default, and there’s a call for testing being put out, so grab a snapshot and put the code through its paces
• The bioctl softraid command also now supports DUIDs during pseudo-device detachment, possibly paving the way for the installer to drop the “do you want to enable DUIDs?” question entirely

pkgng 1.5.0 released

• Going back to what we talked about last week, the final version of pkgng 1.5.0 is out
• The “provides” and “requires” support is finally in a regular release
• A new “-r” switch will allow for direct installation to a chroot or alternate root directory
• Memory usage should be much better now, and some general code speed-ups were added
• This version also introduces support for Mac OS X, NetBSD and EdgeBSD – it’ll be interesting to see if anything comes of that
• Many more bugs were fixed, so check the mailing list announcement for the rest (and plenty new bugs were added, according to bapt)

p2k15 hackathon reports

• There was another OpenBSD hackathon that just finished up in the UK – this time it was mainly for ports work
• As usual, the developers sent in reports of some of the things they got done at the event
• Landry Breuil, both an upstream Mozilla developer and an OpenBSD developer, wrote in about the work he did on the Firefox port (specifically WebRTC) and some others, as well as reviewing lots of patches that were ready to commit
• Stefan Sperling wrote in, detailing his work with wireless chipsets, specifically when the vendor doesn’t provide any hardware documentation, as well as updating some of the games in ports
• Ken Westerback also sent in a report, but decided to be a rebel and not work on ports at all – he got a lot of GPT-related work done, and also reviewed the RAID5 support we talked about earlier

Feedback/Questions

• Shaun writes in
• Hrishi writes in
• Randy writes in
• Zach writes in
• Ben writes in

Mailing List Gold

• Gstreamer hates us
• I find myself in a situation

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview, or know someone else who might be interesting to hear from, let us know

The post PIE in the Sky | BSD Now 85 first appeared on Jupiter Broadcasting.

Coming up this week, we’ll be chatting with Shawn Webb about his recent work with ASLR and PIE in FreeBSD.

After that, we’ll be showing you how you can create a reverse SSH tunnel to a system behind a firewall… how sneaky. Answers to your emails plus the latest news, on BSD Now, the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD foundation August update

• The foundation has published a new PDF detailing some of their recent activities
• It includes project development updates, the 10.1-RELEASE schedule and some of its new features
• There is also a short interview with Dru Lavigne in the “voices from the community” section
• If you’re into hardware, there’s another section about some new FreeBSD server equipment
• In closing, there’s an update on funding too

NSD for an authoritative nameserver

• With BIND having been removed from FreeBSD 10.0, you might be looking to replace your old DNS setup
• This article shows how to use NSD for an authoritative DNS nameserver
• It’s also got a link to a similar article on Unbound, the new favorite recursive and caching resolver (they work great together)
• All the instructions are presented very neatly, with all the little details included
• Less BIND means less vulnerabilities, everybody’s happy

BIND and Nginx removed from OpenBSD

• While we’re on the topic of DNS servers, BIND was finally removed from OpenBSD as well
• The base system contains both NSD and Unbound, so users can transition over between 5.6 (November of this year) and 5.7 (May of next year)
• They’ve also removed nginx from the base system, in favor of the new custom HTTP daemon
• BIND and Nginx are still available in ports if you don’t want to switch
• We’re hoping to have Reyk Floeter on the show next week to talk about it, but scheduling might not work out, so it may be a little later on
• With Apache gone in the upcoming 5.6, It’s also likely that sendmail will be removed before 5.7 – hooray for modern alternatives

NetBSD demo videos

• A Japanese NetBSD developer has been uploading lots of interesting videos
• Unsurprisingly, they’re all featuring NetBSD running on exotic and weird hardware
• Most of them are demoing sound or running a modern Twitter client on an ancient computer
• They’re from the same guy that did the conference wrap-up we mentioned recently

Interview – Shawn Webb – shawn.webb@hardenedbsd.org / @lattera

Address space layout randomization in FreeBSD

Tutorial

Reverse SSH tunneling

News Roundup

Puppet master-agent installation on FreeBSD

• If you’ve got a lot of BSD boxes under your control, or if you’re just lazy, you’ve probably looked into Puppet before
• The author claims a lack of BSD-specific Puppet documentation, so he decided to write up some notes of his own
• He goes through some advantages of using this type of tool for deployments, even when you don’t have a huge number of systems
• The rest of the post explains how to set up both the master and the agent configurations

Misc. pfSense items

• We found a few miscellaneous pfSense articles this past week
• The first one is about the hunt for the “ultimate” free open source firewall, where pfSense is obviously a strong contender
• The second one shows how to log NAT firewall states
• In the third, you can see how to automatically back up your configuration files
• The fourth item shows how to set up PXE booting with pfSense, similar to one of our tutorials

Time Machine backups on ZFS

• If you’ve got a Mac you need to keep backed up, a FreeBSD server with ZFS can take the place of an expensive “time capsule”
• This post walks you through setting up netatalk and mDNS for a very versatile Time Machine backup system
• With a single command on the OS X side, you can write to and read from the BSD box just like a regular external drive
• Surprisingly simple to do, recommended for anyone with Macs on their network

Lumina desktop preview

• Lumina, the BSD-exclusive desktop environment, seems to be coming along nicely
• The main developer has posted an update on the PCBSD blog with some screenshots
• Lots of new features have been added, many of which are documented in the post
• There just might be a BSD Now episode about Lumina coming up.. (cough cough)

Feedback/Questions

• Gary writes in
• Cedric writes in
• Caldwell writes in
• Cary writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• The stunnel tutorial – that’s right, our very first one – got some updates and fixes
• Send all your BSD-related questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We’d really love to feature more articles from the viewers – be it about one of the main BSDs or something like pfSense/FreeNAS – send us anything cool you write (or find)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Next week is something special… we’ll just leave it at that

The post Reverse Takeover | BSD Now 52 first appeared on Jupiter Broadcasting.

It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon 2014 talks and schedule

• The talks and schedules for EuroBSDCon 2014 are finally revealed
• The opening keynote is called “FreeBSD, looking forward to another 10 years” by jkh
• Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
• It looks like Theo even has a talk, but the title isn’t on the page… how mysterious
• There are also days dedicated to some really interesting tutorials
• Register now, the conference is on September 25-28th in Bulgaria
• If you see Allan and Kris walking towards you and you haven’t given us an interview yet… well you know what’s going to happen
• Why aren’t the videos up from last year yet? Will this year also not have any?

FreeNAS vs NAS4Free

• More mainstream news covering BSD, this time with an article about different NAS solutions
• In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
• Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
• Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
• “One is pleasantly functional; the other continues devolving during a journey of pain” – uh oh, who’s the loser?

Quality software costs money, heartbleed was free

• PHK writes an article for ACM Queue about open source software projects’ funding efforts
• A lot of people don’t realize just how widespread open source software is – TVs, printers, gaming consoles, etc
• The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish’s funding
• The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
• On that subject, “Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software”
• Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive

Geoblock evasion with pf and OpenBSD rdomains

• Geoblocking is a way for websites to block visitors based on the location of their IP
• This is a blog post about how to get around it, using pf and rdomains
• It has the advantage of not requiring any browser plugins or DNS settings on the users’ computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that…)
• In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
• It’s got all the details you need to set up a VPN-like system and bypass those pesky geographic filters

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

OpenBSD’s package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

• Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
• Adam Langley has a blog post about it, why they did it and how they’re going to maintain it
• You can easily browse the source code
• Theo de Raadt also weighs in with how this effort relates to LibReSSL
• More eyes on the code is good, and patches will be shared between the two projects

More BSD Tor nodes wanted

• Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
• Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
• If one vulnerability is found, a huge portion of the network would be useless – we need more variety in the network stacks, crypto, etc.
• The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
• Check out our Tor tutorial and help out the network, and promote BSD at the same time!

FreeBSD 10 OpenStack images

• OpenStack, to quote Wikipedia, is “a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution.”
• The article goes into detail about creating a FreeBSD instant, installing and converting it for use with “bsd-cloudinit”
• The author of the article is a regular listener and emailer of the show, hey!

BSDday 2014 call for papers

• BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
• It was created in 2008 and is the only BSD conference around that area
• The “call for papers” was issued, so if you’re around Argentina and use BSD, consider submitting a talk
• Sysadmins, developers and regular users are, of course, all welcome to come to the event

Feedback/Questions

• Maruf writes in
• Solomon writes in
• Silas writes in
• Bert writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Just a reminder for those who don’t check the website, you’ll also find contact information for every guest we’ve ever had in the show notes – so if you have follow up questions for them, it’s easy to get in touch
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Congrats to Matt Ahrens for getting FreeBSD commit access – hopefully lots of great ZFS stuff to come
• A special 21st happy birthday to FreeBSD

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.

Coming up this week, we’ll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb’s ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• “FreeBSD has supported loading PIEs for a while now, but the applications in base weren’t compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support”
• If you’re running -CURRENT, just add “WITH_PIE=1” to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone’s gotta test the pfSense hardware devices before they’re sold, which involves powering them all on at least once
• To make that process faster, they’re building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only…) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• “The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice”
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels’ overhead factor

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we’re slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what’s in -CURRENT (but still isn’t using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There’s a list of changes between 9.2 and 9.3 as well, but we’ll be sure to cover it when the -RELEASE hits

Interview – Bryce Chidester – brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the “linux questions” forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to “politics” (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He’s part of the “Jenkins CI for FreeBSD” group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about… the food

FreeBSD disk partitioning

• For his latest book series on FreeBSD’s GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don’t have to read the tons of mailing list posts, he’s summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It’s now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• The minimum disk size requirement has increased to 512MB

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• A special thanks to our viewer Lars for writing most of today’s tutorial and sending it in
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Devious Methods | BSD Now 42 first appeared on Jupiter Broadcasting.

This week on the show we\’ll be showing you how to set up RAID arrays in FreeBSD. There\’s also an interview with David Chisnall – of the FreeBSD core team – about the switch to Clang and a lot more.

Sit back and enjoy some BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD 5.5 released

• If you ordered a CD set then you\’ve probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
• This is one of the biggest releases to date, with a very long list of changes and improvements
• Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes… and a lot more
• The full list of changes is HUGE, be sure to read through it all if you\’re interested in the details
• If you\’re doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
• Also be sure to apply the errata patches on your new installations… especially those OpenSSL ones (some of which still aren\’t fixed in the other BSDs yet)
• On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
• Congrats to the whole team on this great release – 5.6 is going to be even more awesome with \”Libre\”SSL and lots of other stuff that\’s currently in development

FreeBSD foundation funding highlights

• The FreeBSD foundation posts a new update on how they\’re spending the money that everyone donates
• \”As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we\’ve done to help FreeBSD become the most innovative, reliable, and high-performance operation system\”
• During this spring, they want to highlight the new UEFI boot support and newcons
• There\’s a lot of details about what exactly UEFI is and why we need it going forward
• FreeBSD has also needed some updates to its console to support UTF8 and wide characters
• Hopefully this series will continue and we\’ll get to see what other work is being sponsored

OpenSSH without OpenSSL

• The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
• Since it won\’t have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
• This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES (in counter mode) and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
• Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
• No support for RSA, DSA or ECDSA public keys – only Ed25519
• It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
• Believe it or not, this was planned before all the heartbleed craziness
• Maybe someday soon we\’ll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc… would be really cool

BSDMag\’s April 2014 issue is out

• The free monthly BSD magazine has got a new issue available for download
• This time the articles include: pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
• Anyone can contribute to the magazine, just send the editors an email about what you want to write
• No Linux articles this time around

Interview – David Chisnall – theraven@freebsd.org

The LLVM/Clang switch, FreeBSD\’s core team, various topics

Tutorial

RAID in FreeBSD and OpenBSD

News Roundup

BSDTalk episode 240

• The original BSD podcaster Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest – mainly to talk about NTP and keeping reliable time
• Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and… much more
• GNN also talks a little about the Precision Time Protocol and how it\’s different than NTP
• Two people we\’ve interviewed talking to each other, awesome
• If you\’re interested in NTP, be sure to see our tutorial too

m2k14 trip reports

• We\’ve got a few more reports from the recent OpenBSD hackathon in Morocco
• The first one is from Antoine Jacoutot (who is a key GNOME porter, and gave us the screenshots for the OpenBSD desktop tutorial)
• \”Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do\”
• He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports\’ compatibility with LibreSSL
• Speaking of LibreSSL, there\’s an article all would-be portable version writers should probably read and take into consideration
• Jasper Adriaanse also writes about what he got done over there
• He cleaned up and fixed the puppet port to work better with OpenBSD

Why you should use FreeBSD on your cloud VPS

• Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
• Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
• (Spoiler) the 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
• The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS

PCBSD weekly digest

• Big changes coming in the way PCBSD manages software
• The PBI system, AppCafe and related tools are all going to use pkgng now
• The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
• New rating system coming soon and much more

Feedback/Questions

• Martin writes in
• John writes in
• Alex writes in
• Goetz writes in
• Jarrad writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• The Tor and mailing list tutorials have gotten some fixes and updates
• The OpenBSD router tutorial has also gotten a bit of a makeover, and now includes new scripts for 5.5 and signify
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• If any listeners have a collection of old FreeBSD or OpenBSD CDs, we\’d love for you to send in a picture of the whole set together so we can show it off
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• We will be at BSDCan next week – be sure to say hi if you run into us!

The post Let's Get RAID | BSD Now 36 first appeared on Jupiter Broadcasting.

OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then its a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:

— Show Notes: —

OpenBSD launches LibreSSL

• The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
• The goal is to update the coding standards, to use more modern and safer C programming practises
• The impetus for this was infact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
• The way much of OpenSSL is constructed makes it harder to audit with tools like Coverient and Valgrind, and the lack of consistent style, naming etc, makes it exceptionally hard to audit by hand
• There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
• Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
• Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
• So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
• The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
• LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

• Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
• In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
• The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
• OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
• Among the other flaws Apple patched in its new releases are a number other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

• Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye
• An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
• The attack bypassed both the organization\’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
• \”Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,\” Mandiant\’s Christopher Glyer explained.
• With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
• After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
• Additional Coverage

Feedback:

• 2 Questions for Allan and Chris

• SSL Certificate rating questions

• How does Tarsnap\’s dedupe work?

• How to protect apache httpd against ddos?

• How to protect apache httpd from (D)DoS attacks?

• Using Varnish to block DDoS or DoS

Round Up:

• North America is down to its last IPv4 address block
• Heartbleed used to steal SSL private key from Swedish VPN provider mullvad
• ICS-CERT issues advisory about heartbleed vulnerabilities in siemens SCADA/ICS gear
• Healthcare.gov preventatively resets all passwords
• F.B.I. Informant Is Tied to Cyberattacks Abroad
• Heartbleed highlights contradicition of the web
• Intel\’s next-gen Thunderbolt rumored to hit 40Gbps transfer speeds with new connector
• The value of, and problems with, CRLs and OCSP
• Google is working on end-to-end encryption for Gmail
• Java fixes critical SSL flaws

The post Heartbleed Fallout | TechSNAP 160 first appeared on Jupiter Broadcasting.

We show off OpenBSD\’s new \”autoinstall\” feature to do completely automatic, unattended installations. We also have an interview with Dru Lavigne about all the writing work she does for FreeBSD, PCBSD and FreeNAS. The latest headlines and answers to your emails, on BSD Now – it\’s the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He\’s implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He\’s giving a presentation at BSDCan this year about his ASLR work
• While we\’re on the topic of BSDCan…

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called \”Building the network you need with PF, the OpenBSD packet filter\” and \”Transitioning to OpenBSD 5.5\” – both scheduled to last three hours each
• He\’s requesting anyone that\’ll be there to go ahead and contact him, telling him exactly what you\’d like to learn
• There\’s also a bit of background information about the tutorials and how he\’s looking to improve them
• If you\’re interested in OpenBSD and going to BSDCan this year, hit him up

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a \”first class citizen\” in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There\’s a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD – you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They\’re also looking into signing packages

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions \”what\’s the big deal\” about OpenBSD\’s slogan being \”Only two remote holes in the default install, in a heck of a long time!\”
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux\’s poor security record, definitely worth reading

Interview – Dru Lavigne – dru@freebsd.org / @bsdevents

FreeBSD\’s documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too

FreeBSD gets UEFI support

• It looks like FreeBSD\’s battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation!

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They\’re aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they\’re even considering dropping i386

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• Autodetection for DVD / Audio CD insertion / plus playback
• Latest GNOME 3 and Cinnamon merged, new edge package builds

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in

• BSD Now has an official IRC channel now. #bsdnow on irc.freenode.net
• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Just a quick reminder: If you\’re running OpenSSL 1.0.1 through 1.0.1f please update it and regenerate, rotate and revoke your keys if you run a server with HTTPS, IMAPS, etc – huge security hole! (Also DES offers some insight on the FreeBSD security process)
• We\’re lucky it wasn\’t OpenSSH

The post PXE Dust | BSD Now 32 first appeared on Jupiter Broadcasting.

We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:

— Show Notes: —

Exploring the misconceptions of Linux Security

• “There is a perception out there that Linux systems don\’t need additional security”
• As Linux grows more and more mainstream, attacks become more prominent
• We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
• Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
• The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
• However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
• Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
• Firewalls generally do not help attacks against web applications, because they operate at layer 3 & 4 and can no detect an attempted exploit
• Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application and attempt to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knows exactly what legitimate traffic will look like
• Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
• Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
• Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
• “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven\’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don\’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

• Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
• Microsoft has released an emergency Fix-It Solution until a proper patch can be released
• This attack is especially bad since it doesn’t not require the victim to open the malicious email, looking at the message in Outlook’s preview mode will trigger the exploit
• According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
• The attack uses a malicious RTF (Rich-Text file), Outlook renders RTF files with MS Word by default
• The Fix-It solution disables automatically opening emails with RTF content with MS Word
• This attack can also be worked around by configuring your email client to view all emails in plain-text only
• Instructions for Office 2003, 2007 and 2010
• Instructions for Outlook 2013
• “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
• The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
• The exploit also checks how recently windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
• Additional Coverage – ThreatPost

Feedback:

• Multiple ISPs

• Securing my fortress

• Can you please explain some basic terms

• Is better/safer to use keys than passwords?

• Proper use of SSH keys

• SSH: Best Practices | HowtoForge – Linux Howtos and Tutorials

• IPv6

Round Up:

• Tarsnap now accepts Bitcoin
• Fake GPG keys for crypto developers found in the wild
• Apps with millions of Google Play downloads covertly mine cryptocurrency
• More holes in SCADA systems, 7600 power, chemical and petrochemical plants at risk
• Gordon Lyon reboots the Full Disclosure mailing list
• Deanonymizing tor with denial of service attacks
• Sony Pictures Plans Movie About Brian Krebs
• Robbing ATMs using SMS messages
• Hackers transform EA Web page into Apple ID phishing scheme
• Cabling done right More cable porn
• WPA2 vulnerabilities found in deauthentication phase, may allow an attacker to temporarily gain access to the network
• Trendjacking – New phishing campaign against governement targets using MH-370
• California DMV breach leaks credit cards

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.

Internet Explorer, Ruby on Rails, and the Windows Nvidia drivers all have new exploits. We’ll tell you the good, the bad, and the ugly.

Plus picking the right VPS, a big batch of your questions, and Allan’s videos from EuroBSD Con.

On this week’s episode of TechSNAP!

Thanks to:

Use our code tech295 to get a .COM for $2.95.

Something else in mind? Use go20off5 to save 20% on your entire order!

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show:

   

Support the Show:

   

Limited time offers:
$3.99 .US domain!
Code:  399us4

Support the Show:

   

Show Notes: