BSD Now is BACK to talk with Glen Barber from the FreeBSD Release team, show you how to build your own binary package repository and discuss the latest BSD news!

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

64bit time in OpenBSD

• Many operating systems face an upcoming challenge, similar to (but more complicated than) Y2K: Y2038. All of the BSDs and most other operating systems track time by counting the seconds since Jan 1st, 1970. In 2038 this value will reach the maximum value of a signed 32 bit integer.
• Simply changing to a 64 bit counter may not be the best solution, because there may still be 32 bit systems in use for embedded applications
• Theo will be giving the keynote at EuroBSDCon on the subject, explaining how OpenBSD has implemented the solution
• No other BSDs have it yet
• ABI incompatibility. Updating to this kernel requires extra work or you won\’t be able to login: install a snapshot instead. Upgrading by source is for the insane only.

AESNI pipelining gets a speed boost

• AES-NI is a new processor instruction available on modern Intel and AMD chips that provides hardware acceleration for AES encryption and decryption. This feature is especially useful for encrypted disks, because it removes most of the performance penalty traditionally associated with encryption
• The new commit has the instructions pipelined, so there is no latency between the instructions
• Uses SSE2 instructions for calculating XTS tweak factor for further increased performance
• GELI based disk encryption performance increased by 3x on capable CPUs
• Should affect PEFS and other AES backed encryption schemes as well
• Full disk encryption should be more or less transparent now

OpenBSD 5.4 Preorders

• Every 6 months there is a new OpenBSD version
• They include a fun song and nicely-packaged CD set
• The proceeds from sale of these products is the primary funding of the OpenBSD project
• The official ISOs will be uploaded on November 1st

GCC no longer built by default on FreeBSD -CURRENT

• On platforms where clang is the default compiler, don\’t build gcc or libstdc++
• GCC is still enabled on PC98, because the PC98 bootloader requires GCC to build
• While the base FreeBSD system has been built by clang for a long time, this change also covers the ports tree

Patch to update Xorg and Mesa on FreeBSD

• Updates xorg drivers
• Expected to be committed in about 2 weeks
• Adds option to use devd instead of HAL for X configuration
• Updates the MESA stack (9.1.6), libGL, DRI, etc
• Enables KMS for AMD/ATI cards
• Call for Testing
• OpenBSD has recently upgraded to Mesa 9.2 for their stable version of Xorg

Interview – Glen Barber – gjb@freebsd.org @g_j_b_

FreeBSD Release Engineering

• Q: Tell us a little about yourself, your role with the project – K
• Q: When did you join the release engineering team (re@) and how did that come about? -A
• Q: What kind of tasks and decisions are in the hands of re@? – K
• Q: Why it is /pub/FreeBSD/releases/amd64/amd64/ -A
• Q: Any stand-out features of 9.2-RELEASE that you’re personally excited about? -K
• Q: Tell us about net.inet.tcp.experimental.initcwnd10 in r242266 -A
• Q: Why was it reverted for 9.2-RC3? Causing problems? -K
• Q: Why was there an RC4 added? – A
• Q: Talk about the new snapshot releases for -CURRENT/-STABLE (we’ll have a future segment on how to upgrade to these branches) – K
• Q: Is there a possibility of freebsd-update someday offering snapshot-based upgrades to the -STABLE or -CURRENT branches? What technical difficulties need to be overcome? – A
• Q: Are there plans to remove bind from the base system? -K
• Q: Would it be possible in the future to have a “WITHOUT_BLOBS” src.conf option to remove any non-open source wifi firmware modules and such? -A
• Q: Tell us about you joining the FreeBSD Foundation and what this will mean for users – K

Tutorial

Making your own binary repository

• Live demo
• Poudriere builds binary packages from a list of ports (or the whole tree)
• Uses the fantastic BSD jail system for everything
• Supports signing the repository with an RSA key
• Easy way to deploy large number of systems or low-powered systems
• Very flexible, works on different versions of the OS, lots of features

Place to B…SD

iXsystems hosts FreeBSD Anniversary party

• Celebrating FreeBSD’s 20th anniversary
• Saturday, November 2nd at the DNA Lounge in San Francisco
• Notable FreeBSD figures will contribute words of wisdom on the past, present, and future of FreeBSD

News Roundup

NetBSD gets basic support for the cubieboard 1 & 2

• Very preliminary support for cubieboard 1 & 2 based on the Allwinner A10 & A20 SoCs
• Many drivers are stubs with autoconf glue
• Contributed by Matt Thomas

Rayservers ditches Linux for BSD

• Used them all, Windows, Mac, OpenBSD, Linux
• Needed PF, ZFS, disk encryption, lots of networking features, better security
• In Linux, \”The new cgroups based memory management ran out of memory – on a 256 GB RAM system whilst it was not using more than 40.\”
• BSD now protects the privacy of their email users

HPN for OpenSSH 6.2

• High Performance Networking is an SSH patchset to improve transfer speeds by removing the fixed window size and take better advantage of TCP
• Maintained as a patchset separate from OpenSSH
• First integrated into FreeBSD base as of 9.0
• Updated to support 6.2 (available in the ports tree as security/openssh-portable)
• The HPN patch set also includes threaded AES-CTR support to increase performance and take advantage of multiple CPU cores for encryption. In this latest patch, threaded AES-CTR now works in all situations (it failed in some specific situations previously). Expected performance increase is ~50%
• NONE cipher is now separate from the main patch set. The NONE cipher allows tools like scp and sftp to switch off the encryption for file transfers (when specifically told to do so) to keep encryption from bottlenecking performance and wasting CPU time

Call for testing: OpenSSH-6.3

• Mostly a bugfix release
• SFTP now supports resuming partially-downloaded or uploaded transfers
• More logging features
• Six weeks after the initial email, still no release. des@ is not pleased.

pkgsrc gets signing

• pkgsrc is used on NetBSD, DragonflyBSD and other OSes
• Comes from an EdgeBSD developer
• Uses GPG for signing package files
• Currently just a patch on github and in its infancy
• Provides a short howto

FreeBSD vs. Linux: 10 points of superiority

• New FreeBSD user, ex-Linux user writes about his experience
• Mentions consistency, documentation, security, filesystems, updates, jails, community
• Really long post, definitely worth a read

[Feedback/Questions]

• We received TONS of email. We’ll get to a few of the questions, but a lot of them will be answered in future episodes.

• hoopla writes in: “I\’m looking to install PCBSD on my laptop and was wondering if there was support for encryption of the root folder in the installer. For my arch linux install I ended up setting up an encrypted lvm by hand and it was hell but if it\’s built into the installer it\’d make the transition to BSD much simpler.”

• Juergen writes in: \”hi guys, I want to listen to the new BSD podcast but I couldn\’t find the RSS feed. Can you publish the feed?\”

• Due to the way publishing happens at JupiterBroadcasting, there were no RSS feeds until the first episode was published. The feeds for MP3, OGG, SD and HD Video and Torrent are now in the top right corner of the BSDNow.tv page. The episodes will also be published on iTunes once the show is approved by Apple.

• Sam write in with two questions: “I want a few simple python web apps. What is the best \”FreeBSD way\” to deploy this? Nginx + uWSGI? It is surprisingly hard to find a usable nginx.conf that I can throw in a jail and run a python app. Is uWSGI even the right tool?”

• “The PCBSD tools are great, but the tool versions that are in the ports tree are always out of date compared to what ships with PC-BSD. Why is this? Same with FreeNAS, why is the Warden more up to date in FreeNAS than PC-BSD.. then there\’s yet a 3rd version in ports?”

• Frank writes in with a long question: “My company is a major CA. We run virtualized RHEL 6 virtualized on KVM, about 3000 nodes serving different purposes on about 350 pizza boxes also running RHEL/KVM. We have kind of a sale issue. To have both TLS 1.2 support and ECC ciphers available we have to recompile both OpenSSL and NGINX and a few other system packages. I\’ve built RPM\’s, but there still are issues on a default install, relating to other not to be disclosed core business software choughJava based cachough. However, compiling it all on each machine does work.

Now I\’ve got this working on FreeBSD kvm virtual machines, which both provide better performance (almost 30% less resource usage than the RHEL nodes) and also work with our configuration management stack (puppet + homegrown). It also would allow us to drop a lot of virtual nodes because less BSD boxes can handle the same amount as the CentOS ones. And of course the lack of security issues, less software by default on a fresh install and such.

My team also likes it, has knowledge, supports a migration, and the metrics support it, however management is not happy and does not want to do such a big \”migration\”. (Not knowing that about 100 VM\’s are already FreeBSD and working). Also, they don\’t like that they\’ve got a 10 year contract with Red Hat and have paid for that… But, in the end the cost would go down because of the migration.

Any tips to get support from them?”
+ The first thing that comes to mind is to see what other people have done in the past. There was a presentation at BSDCan 2013 in May of this year on this specific topic: Case study: Switching from Linux to FreeBSD

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
• We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter: @BSDNow (also acceptable)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Engineering and Powder Kegs | BSD Now 2 first appeared on Jupiter Broadcasting.

We load Ubuntu 12.10 onto a Nexus 7 and tell what works, what doesn’t, and where this is all heading. Is this a laptop killer? Or just a toy for us nerds? Tune in to find out!

Plus we’ve got Netflix running on Ubuntu, and we’ll show it to you, the big news of the week, your feedback…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:

GoDaddy.com


Limited time offers:

$4.99 SSL certificates, just use our code 499ssl3. Expires 12-31-12!

SPECIAL OFFER! SPECIAL OFFER! .COMs just $4.95* per year up to 3 domains! Additional .COMs just $7.99* per year! – code: linux495

GoDaddy.com’s Matching your donations to help injured US Armed Forces members.

BONOUS ROUND PROMO:

Save 20% off your order!
Code: go20off6

Download:

HD Video | Mobile Video | Ogg Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Feed | Ogg Feed | iTunes Feeds | Torrent Feed

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

Ubuntu on the Nexus 7

Brought to you by: System76

Proxmox or Ubuntu on the Nexus 7 next week?

Mark Shuttleworth on why Ubuntu on the Nexus 7:

https://youtu.be/769U8n3srkg?t=4m44s – 6:22

*Impressions: *

• How sharp and crisp Everything looks. Very vibrant.

• The uniform icon size in the Unity launch bar is very nice.

• Good battery life, despite the estimate being wrong.

• Wifi and 3D worked no problem. 3D is being generous, but basics work.

• Ubuntu Core Desktop on the Nexus 7: Getting Involved

• Nexus7/UsingTheDevice – Ubuntu Wiki

• Nexus7/KnownIssues – Ubuntu Wiki

[asa]B005GGBYJ4[/asa]

Runs Linux:

• The #1 Super Computer Runs Linux

• 94 Percent of the World’s Top 500 Supercomputers Run Linux

Android Pick:

• Juice for Roku

• Ubuntu/Android mtp pro-tip

• Android Picks so far thanks to Madjo in the IRC Chat room!

Desktop App Pick:

• Phatch – Photo Batch Processor

• Picks so far

• Madjo

Search our past picks:

• Linux Action Show Lookup
• Thanks to sakuramboo!

Git yours hands all over our STUFF:

• Jupiter Broadcasting Affiliate Extensions
• Callisto-app – Google Project Hosting
• Quick Update to the Jupiter Broadcasting Android App

News:

• PPA for Netflix Desktop App | iheartubuntu

• Netflix on Ubuntu?

• HP Becomes a Platinum Member of the Linux Foundation

• XBMC Media Center 12.0 Beta 1 Released With Raspberry PI And Android Support

• The Great Winter Migration

• Steam Community :: Group Announcements :: Linux Beta Access

• Valve’s Steam License Causes Linux Packaging Concerns

• Unity 4.0 adds Linux Publishing Support

• Blizzard Admits Linux User Was Wrongly Banned, Offers Refund

• The next chapter

• New Catalyst For Linux Driver Improves Performance

• Mozilla launches Popcorn Maker 1.0

[asa]B009NSERF4[/asa]

Feedback:

• Misses Tux

• boot – Archlinux bootlogo – Super User

• Secure Wifi without a mutiny?

• Ubuntu TV out yet?

• How do I install Ubuntu TV on my computer?

• Ubuntu TV – Google+

• Ubuntu TV | Offical Page | Ubuntu

• Mobile Torrent Download for LAS?

• LAS Mobile Video on Bitlove

• LAS Mobile RSS Feed

Chris’ Stash:

• No Unfilter or SciByte next week, and TechSNAP is live on Wednesday.
• Happy Thanksgiving to everyone who celebrates, join us next week for

What’s Matt Doin?

• Will 2013 Be the Year of the Ubuntu Desktop?
• Writing about Linux, sometimes, even asking tough questions
• Offering newbie centric advice, in my articles

Find us on Google+

• Chris
• Matt Hartley
• Jupiter Broadcasting’s Page

Find us on Twitter:

• Chris – ChrisLAS
• Matt – matthartley

Follow the network on Facebook:

• Jupiter Broadcasting on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:

• https://jblive.tv
• Network Calendar

The post Ubuntu on Nexus 7 | LAS | s24e06 first appeared on Jupiter Broadcasting.

]]> https://original.jupiterbroadcasting.net/20592/bypassing-authentication-techsnap-62/ Thu, 14 Jun 2012 17:04:57 +0000 https://original.jupiterbroadcasting.net/?p=20592 A MySQL flaw so awful, I simply had to laugh. And how a simple SSH config mistake, lead to a really bad day.

The post Bypassing Authentication | TechSNAP 62 first appeared on Jupiter Broadcasting.

]]>

A MySQL flaw so awful, I simply had to laugh. And how a simple SSH config mistake, lead to a really bad day.

Plus we answer some great audience questions, all that and much more on this week’s TechSNAP.

Thanks to:

GoDaddy.com

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

Limited time offers:

$1.99/mo economy hosting for 3 months – special offer!
Code:  199tech
Expires:  June 30, 2012

$3.99 .US domain!
Code:  399us4

Direct Download: HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | Torrent File RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

 

Support the Show:

Purchase anything at Amazon.com Purchase anything at Think Geek using this link Purchase anything at Newegg using this link Contribute directly on our donation page or check out our advertising options and reach millions of amazing people! Grab our Chrome Extension and auto-tag your shopping session for us!

Show Notes:

MySQL authentication Bypass

• The Developers of MariaDB (a fork of MySQL) recently found a major flaw in MySQL (and MariaDB) that gives an attacker a 1 in 256 chance to login to your MySQL server with an incorrect password
• All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
• This exploit is even worse than it sounds, because once an attacker gains access to the MySQL server, they can dump the MySQL users table, which contains the hashed passwords of all other users
• This would allow the attacker to then do an offline attack against those hashes (with a brute force password cracking program such as John the Ripper)
• In this way, even if the administrator patches their MySQL server, preventing further access by the attacker via the exploit, the attacker can then use the actual passwords for real user accounts once they are cracked
• The error is an incorrect assumption about the return value of memcmp(), a C function that compares to memory addresses
• Due to the fact that memcmp() is implemented differently by different OSs and compilers, only some systems are known to be vulnerable
• Vulnerable:
  • Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 )
• OpenSuSE 12.1 64-bit
• Debian Unstable 64-bit (maybe others)
• Fedora (unspecified versions)
• Arch Linux (unspecified versions)
• Not Vulnerable:
  • Official builds from MySQL.com (including Windows)
• Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
• CentOS using official RHEL rpms
• Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
  • FreeBSD (all versions)
• Vulnerable/Not Vulnerable list source, more details, mitigation steps
• Part of the reason for the vulnerability of 64bit based OSs seems to be the different behavior of memcmp() with SSE4 optimizations (which results in a 3–5x performance increase)
• The following shell one-liner will grant you root access to a vulnerable MySQL server: for i in seq 1 1000; do mysql -u root –password=techsnap -h 127.0.0.1 2>/dev/null; done
• memcmp() man pages
  • Ubuntu 11.10 memcmp()
  • Ubuntu 12.04 memcmp()
  • FreeBSD memcmp()

---

F5 SSH Root login keys leaked

• F5 makes high end IP load balancers, designed to distribute traffic among web servers, handle SSL offloading, and more
• Fixed in a recently released patch, it seems that all F5s came out of the box authorized for root login over SSH with an RSA public key
• The issue being that the corresponding RSA private key, was also included on every F5 device
• This means that anyone that owns an F5, or has access to that key file (everyone now, we have to assume it was posted online) can now login as root on your F5
• Why is login as root over SSH even permitted?
• Vulnerability Announcement
• Official Advisory

---

AMD/ATI Windows Video drivers insecure, cause BSOD when security features in windows enabled

• Microsoft has a toolkit, called EMET (Enhanced Mitigation Experience Toolkit) that works to reduce the chance that unknown vulnerabilities in windows can be successfully exploited
• EMET relies on DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization), which are designed to prevent buffer overflow and remote code execution attacks
• EMET includes an option to force DEP and ASLR system wide, rather than on a per-application basis, where only applications that opt-in to DEP/ASLR are protected
• Enabling ASLR causes AMD/ATI video drivers to blue screen the system
• This means that any system with an AMD/ATI graphics adapter cannot be secured as strongly as a system with an Intel or nVidia graphics adapter
• CERT Vulnerability Notice VU#458153
• Download Microsoft Enhanced Mitigation Experience Toolkit

---

Feedback:

Q: Jason asks about using CNAMEs for customer domains

A:
The problem with what you are proposing is that any resource record that is a CNAME cannot have any other record types defined. This means that if you set the root of the domain example.com to CNAME to server1.scaleengine.com, you then cannot define an MX record, and therefore you cannot host email addresses @example.com

Q: Mario asks about blocking possibly malicious ad networks on his network

Eivind writes in about a game company handling a security breech correctly

Note: from their findings that 10,000 users shared the same password, it is obvious that they are doing regular hashing (ala LinkedIn), rather than salted cryptographic hashes. When will people learn.

Round-Up:

• FOLLOWUP: Some funny LinkedIn passwords found to be in the database: ihatemyjob, iwantanewjob, linkedinblows, password, strongpassword, and 123456
• FOLLOWUP: Lessons learned from cracking 2 million LinkedIn passwords
• Researchers Connect Flame to US-Israel Stuxnet Attack
• Discover Card storing passwords in plaintext
• Skype calls to feature ads big enough to interrupt any conversation
• Microsoft patches another RDP flaw that count allow remote code execution
• eHarmony hacked , passwords leaked
• VB6 platform still supported up to 24 years after released

The post Bypassing Authentication | TechSNAP 62 first appeared on Jupiter Broadcasting.

]]>