authentication – Jupiter Broadcasting (https://www.jupiterbroadcasting.com), feed last updated Wed, 26 Feb 2020 02:59:21 +0000

Shrimps have SSHells | LINUX Unplugged 342 https://original.jupiterbroadcasting.net/139757/shrimps-have-sshells-linux-unplugged/ Tue, 25 Feb 2020 19:00:00 +0000

Show Notes: linuxunplugged.com/342

The post Shrimps have SSHells | LINUX Unplugged 342 first appeared on Jupiter Broadcasting.

Happy Holidays, All(an) | BSD Now 330 https://original.jupiterbroadcasting.net/138117/happy-holidays-allan-bsd-now-330/ Thu, 26 Dec 2019 05:00:00 +0000

Show Notes/Links: https://www.bsdnow.tv/330

The post Happy Holidays, All(an) | BSD Now 330 first appeared on Jupiter Broadcasting.

Allan’s Favorite Things | TechSNAP 246 https://original.jupiterbroadcasting.net/91911/allans-favorite-things-techsnap-246/ Thu, 24 Dec 2015 09:40:04 +0000

The post Allan's Favorite Things | TechSNAP 246 first appeared on Jupiter Broadcasting.


It’s a collection of Allan’s favorite moments from TechSNAP past.

Plus the week’s new stories in the roundup & much more!

— Show Notes: —

Episode 24: Ultimate RAID

  • Before he became a ZFS addict, Allan explains all of the various RAID levels and what you would use them for
  • If you are not using ZFS, you probably want to watch this
  • This episode also contains the details of the BEAST attack on SSL, back in the beginning of what would turn out to be an unending onslaught on SSL and its implementations (OpenSSL and friends)

Episode 34: Allan’s ZFS Server Build

  • Allan shows off his first ZFS server build
  • 16 TB SAS array (12 TB usable), separate 2×2 TB SATA mirrored UFS for the OS, because he didn’t trust root-on-ZFS yet
  • Paid for a RAID controller, which didn’t work well (was replaced with the onboard LSI HBA built into the motherboard)
  • Had a bunch of problems, with both Newegg, Adaptec, shipping, and configuration
  • If only I had known about iXsystems back then

Episode 78: Wire-Shark

  • With Chip-and-Pin finally arriving in the US, let us remember back to TechSNAP from September of 2012, when researchers at the University of Cambridge Computer Lab found a way to defraud the system
  • While the system itself is fairly secure, it relies on correct implementation, and many ATMs and PoS devices do not do it correctly
  • In this case the nonce (supposed to be a unique, unpredictable value) was just a counter or timestamp

Episode 128: Gentlemen, Start Your NGINX

  • Krebs covers crooks registering for your Social Security account, so they could redirect the direct deposits to their own account

Episode 100: 100% Uptime

  • Special in its own right, as our 100th episode
  • bit9 story
  • It was also the first time we mentioned Krebs (whom I kept calling Kerbs for the first few weeks until I was corrected enough times). At first I wasn’t even sure I liked Krebs, now I am quite the fan.

Episode 236: National Security Breaking Agency

  • Keylogging before computers
  • Great story from the Cold War

Round Up:


May Contain ZFS | BSD Now 102 https://original.jupiterbroadcasting.net/86482/may-contain-zfs-bsd-now-102/ Thu, 13 Aug 2015 10:05:32 +0000

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.


This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
  • It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a separate, unrelated series, another user builds a similar router – his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, the 1024-bit diffie-hellman-group1-sha1 key exchange is disabled by default, and authentication with the legacy v00 certificate format is disabled
  • The key-only setting for PermitRootLogin is now spelled “prohibit-password” instead of “without-password” (root can still log in, but only with keys, never with a password) – and it is now the default, so all interactive authentication methods for root are disabled out of the box
  • If you’re using an older configuration file, the “without-password” spelling still works, so no change is required
  • You can now control which public key types are accepted for user authentication (PubkeyAcceptedKeyTypes), as well as which key types the server offers for host authentication (HostKeyAlgorithms)
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled
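To make the deprecations above concrete, here is a small audit script, an added example for these notes rather than code from the OpenSSH project. It parses an sshd_config and flags the settings 7.0 disables or plans to remove: protocol 1, the old without-password spelling (and the weaker yes), diffie-hellman-group1-sha1, CBC ciphers and MD5 MACs. The keywords are the documented sshd_config(5) names; the two sample configurations are constructed for the demo. Like sshd, it takes the first value it sees for a keyword, and it reads only the global section before any Match block.

```python
"""Audit sshd_config for the legacy settings OpenSSH 7.0 disables or deprecates.

Added example for these show notes, not OpenSSH project code. Keywords are the
documented sshd_config(5) names; both sample configs are constructed here.
"""
import re

LEGACY_KEX = {"diffie-hellman-group1-sha1"}        # 1024-bit group, off by default in 7.0
LEGACY_MACS = {"hmac-md5", "hmac-md5-96",          # MD5 MACs, slated for removal
               "hmac-md5-etm@openssh.com", "hmac-md5-96-etm@openssh.com"}


def parse_sshd_config(text):
    """Map lowercase keyword -> value for the global section of an sshd_config.

    Like sshd, the first value wins when a keyword repeats. Parsing stops at the
    first Match block because those settings only apply to matched connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def _algos(value):
    """Split a comma-separated algorithm list, ignoring +/- prefix modifiers."""
    return [a.strip().lstrip("+-") for a in value.split(",") if a.strip()]


def audit_sshd_config(text):
    """Return (keyword, finding) pairs for each legacy setting found."""
    cfg = parse_sshd_config(text)
    findings = []

    if "1" in [p.strip() for p in cfg.get("protocol", "2").split(",")]:
        findings.append(("Protocol", "SSHv1 enabled; 7.0 disables protocol 1 entirely"))

    # 7.0 default is prohibit-password: root may log in, but never with a password.
    root = cfg.get("permitrootlogin", "prohibit-password").lower()
    if root == "yes":
        findings.append(("PermitRootLogin", "root can log in with a password; use prohibit-password or no"))
    elif root == "without-password":
        findings.append(("PermitRootLogin", "legacy spelling still accepted; prefer prohibit-password"))

    for kex in _algos(cfg.get("kexalgorithms", "")):
        if kex in LEGACY_KEX:
            findings.append(("KexAlgorithms", f"{kex} re-enables a 1024-bit group that 7.0 turned off"))

    for cipher in _algos(cfg.get("ciphers", "")):
        if cipher.endswith("-cbc"):
            findings.append(("Ciphers", f"{cipher} is a CBC mode, scheduled for removal"))

    for mac in _algos(cfg.get("macs", "")):
        if mac in LEGACY_MACS:
            findings.append(("MACs", f"{mac} uses MD5, scheduled for removal"))

    return findings


# Constructed samples: a pre-7.0 style config and one matching the 7.0 defaults.
LEGACY_CONFIG = """\
Protocol 2,1
PermitRootLogin without-password
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Ciphers aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin prohibit-password
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

if __name__ == "__main__":
    for keyword, finding in audit_sshd_config(LEGACY_CONFIG):
        print(f"{keyword}: {finding}")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit_sshd_config`; an empty result means none of the 7.0-era legacy settings are explicitly re-enabled (the script does not try to reproduce the compiled-in defaults of your particular OpenSSH build).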

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage


News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn’t actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the code inherited from OpenSSL using the Coverity scanner, and this release incorporates all those fixes: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto library…) and much more
  • SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
  • Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

Weaponized PowerPoint | TechSNAP 185 https://original.jupiterbroadcasting.net/69937/weaponized-powerpoint-techsnap-185/ Thu, 23 Oct 2014 16:56:21 +0000

The post Weaponized PowerPoint | TechSNAP 185 first appeared on Jupiter Broadcasting.


A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized PowerPoint presentation. No, I’m not kidding. The details are fascinating.

Old ATMs are becoming more and more of a target, and it’s not because of Windows XP. Plus a great big batch of your questions, our answers & much much more!

— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

  • Krebs describes the growing trend in ATM “Jackpotting”
  • Formerly, the most common attack against ATMs was skimming, installing small physical devices to read the card data and capture the PIN of victims who use the ATM, and then creating fake cards to empty the victims’ accounts
  • The new trend, installing malware on the computer that operates the ATM, allows the attackers to drain all of the cash out of the ATM, without requiring compromised accounts with large balances
  • The fraud is harder to detect because money does not go missing from bank accounts in real time, the theft may not be discovered until the ATM is emptied and stops dispensing cash
  • Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, that might tip the bank off to the fact that the ATM is infected
  • “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
  • In an Interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
  • More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
  • Most of the attacks involve physically assaulting the ATM, removing the top of the casing to access the standard PC inside, and then infecting the machine via CD or USB stick
  • “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
  • When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
  • It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
  • “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

  • “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
  • This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
  • The vulnerability exploits a flaw in the Microsoft OLE functionality
  • It allows a PowerPoint or other Office document to have an embedded file, or to embed an external untrusted resource
  • This can cause remote code execution, allowing the attacker to run any code they wish as the user who is opening the document
  • In the case of at least one attack, the embedded file was a .inf that then installed malware on the system
  • Many users still run with administrative rights, giving the malware full control of the target system
  • iSight Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusion teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
  • “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
  • Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
  • Researcher Post
  • Technical Analysis by HP Security Research
  • Additional Coverage – ZDNet
  • Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

  • Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
  • The attack was demonstrated at Black Hat Europe last week in Amsterdam
  • The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
  • Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
  • Thus, the malicious app remains hidden from reverse engineering, anti-virus, and the Google Bouncer, so can be listed in the Google Play Store
  • “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
  • The work was inspired by a previous piece of malware, Android/Gamex.A!tr, that hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but when XOR’d with a key (18) it was also a valid .zip file containing a malware payload
  • It turns out that .zip files do not require the header to be at the beginning of the file, so by simply concatenating a .png and a .zip file, the file will look like a valid .png, but can also be extracted as a valid .zip file
  • PDF: Slides
  • Example Code, Create a .PNG, .JPG, .FLV, or .PDF
  • PDF: Paper
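The .png/.zip trick from the last bullets, as an added example that is not the researchers' tool: build a minimal valid PNG, append a zip holding a stand-in for the payload, and show that an image parser and a zip reader each accept the same bytes. The detection side is the check a scanner wants: a PNG whose bytes continue past the IEND chunk. All inputs are constructed in memory; payload.apk is just a label on a byte string.

```python
"""Build and detect the PNG+ZIP polyglot described in the Android item above.

Added example for these show notes, not the researchers' tool. Everything is
constructed in memory: a minimal 1x1 PNG and a zip holding a stand-in payload.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, data):
    """One PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png():
    """A valid 1x1 8-bit grayscale PNG: IHDR, one IDAT (filter byte + pixel), IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))


def make_zip(files):
    """Zip the {name: bytes} mapping into an in-memory archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_polyglot(png, zip_bytes):
    """Plain concatenation. PNG decoders stop at IEND; zip readers locate the
    end-of-central-directory record from the tail, so both accept the file."""
    return png + zip_bytes


def png_trailing_bytes(data):
    """Whatever follows the IEND chunk; b'' for a clean PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("no IEND chunk")


def hidden_zip_names(data):
    """Member names of a zip appended to a PNG, or [] if nothing is hidden."""
    if not png_trailing_bytes(data) or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_hidden_member(data, name):
    """Extract one member from the appended archive, as the wrapper app would."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    poly = make_polyglot(minimal_png(), make_zip({"payload.apk": b"stand-in payload"}))
    print(len(poly), "bytes; hidden members:", hidden_zip_names(poly))
```

Python's zipfile tolerates prepended data because it locates the central directory from the end-of-central-directory record, which is exactly why the concatenation works for Android's zip-based APK loader too; `png_trailing_bytes` is the cheap, format-aware check a pipeline can run on every uploaded image.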

Feedback:


Round Up:


P.E.F.S. | BSD 29 https://original.jupiterbroadcasting.net/53747/p-e-f-s-bsd-29/ Thu, 20 Mar 2014 22:58:57 +0000

The post P.E.F.S. | BSD 29 first appeared on Jupiter Broadcasting.


We’re back from AsiaBSDCon! This week we’ll be chatting with Gleb Kurtsou about a filesystem-level encryption utility called PEFS. After that, we’ll give you a step by step guide on how to actually use it. There’s also the usual round of your questions and we’ve got a lot of news to catch up on, so stay tuned to BSD Now – the place to B.. SD.

– Show Notes: –

AsiaBSDCon wrap-up chat


Headlines

Using OpenSSH Certificate Authentication

  • SSH has a not-so-often-talked-about authentication option in addition to passwords and plain keys: certificates – you can add certificate authentication alongside whatever authentication method you’re using today
  • They’re not really that complex, there just isn’t a lot of documentation on how to use them – this post tries to solve that
  • The benefit is that you no longer need to distribute per-host known_hosts entries or per-user authorized_keys files: the server trusts one user CA key, clients trust one host CA key, and any key signed by that CA is accepted (subject to the certificate’s principals and validity period)
  • The post goes into a fair amount of detail about the differences, advantages and implications of using certificates for authentication
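What a certificate actually carries, as an added example that is not from the blog post or from OpenSSH: a decoder for the ssh-ed25519-cert-v01@openssh.com wire format described in OpenSSH's PROTOCOL.certkeys, plus the checks sshd applies before it even consults the CA signature: certificate type, validity window and principal list. The sample certificate is constructed inside the script with dummy key and signature bytes, so signature verification is deliberately out of scope; with a real CA key you would verify the signature over every byte that precedes the signature field.

```python
"""Decode an OpenSSH ed25519 certificate and apply sshd's pre-signature checks.

Added example for these show notes, not code from the blog post or OpenSSH.
Field layout follows OpenSSH's PROTOCOL.certkeys. The sample certificate uses
dummy key and signature bytes, so the CA signature is not verified here.
"""
import base64
import struct

CERT_TYPE_USER = 1
CERT_TYPE_HOST = 2
ED25519_CERT = "ssh-ed25519-cert-v01@openssh.com"


class Reader:
    """Cursor over SSH wire-format data (RFC 4251 string / uint32 / uint64)."""

    def __init__(self, blob):
        self.blob, self.pos = blob, 0

    def u32(self):
        (v,) = struct.unpack_from(">I", self.blob, self.pos)
        self.pos += 4
        return v

    def u64(self):
        (v,) = struct.unpack_from(">Q", self.blob, self.pos)
        self.pos += 8
        return v

    def string(self):
        n = self.u32()
        data = self.blob[self.pos:self.pos + n]
        if len(data) != n:
            raise ValueError("truncated string field")
        self.pos += n
        return data


def _string_list(blob):
    """The principals field: a string whose contents are zero or more strings."""
    r, out = Reader(blob), []
    while r.pos < len(blob):
        out.append(r.string().decode())
    return out


def _option_map(blob):
    """Critical options / extensions: (name, data) pairs; data wraps a string or is empty."""
    r, out = Reader(blob), {}
    while r.pos < len(blob):
        name, data = r.string().decode(), r.string()
        out[name] = Reader(data).string().decode() if data else ""
    return out


def decode_cert(blob):
    r = Reader(blob)
    key_type = r.string().decode()
    if key_type != ED25519_CERT:
        raise ValueError(f"unsupported certificate type {key_type}")
    cert = {"key_type": key_type}
    cert["nonce"] = r.string()                  # CA-chosen randomness
    cert["public_key"] = r.string()             # the certified ed25519 key
    cert["serial"] = r.u64()
    cert["type"] = r.u32()                      # 1 = user, 2 = host
    cert["key_id"] = r.string().decode()        # free text, shows up in sshd logs
    cert["principals"] = _string_list(r.string())
    cert["valid_after"] = r.u64()
    cert["valid_before"] = r.u64()
    cert["critical_options"] = _option_map(r.string())
    cert["extensions"] = _option_map(r.string())
    r.string()                                  # reserved, currently empty
    cert["signature_key"] = r.string()          # the CA's public key
    cert["signature"] = r.string()              # CA signature over all preceding bytes
    return cert


def parse_cert_line(line):
    """Decode the '<type> <base64> [comment]' form used in *-cert.pub files."""
    fields = line.split()
    return decode_cert(base64.b64decode(fields[1]))


def cert_allows(cert, principal, now, cert_type=CERT_TYPE_USER):
    """Type, validity window (valid_before is exclusive) and principal checks."""
    if cert["type"] != cert_type:
        return False
    if not cert["valid_after"] <= now < cert["valid_before"]:
        return False
    # An empty principal list makes the certificate valid for any principal.
    return not cert["principals"] or principal in cert["principals"]


def _s(b):
    return struct.pack(">I", len(b)) + b


def build_sample_cert():
    """Constructed user certificate for alice/deploy with a 24-hour validity window."""
    principals = _s(b"alice") + _s(b"deploy")
    extensions = _s(b"permit-pty") + _s(b"") + _s(b"permit-user-rc") + _s(b"")
    return (_s(ED25519_CERT.encode()) + _s(b"\x00" * 32) + _s(b"\x11" * 32)
            + struct.pack(">QI", 42, CERT_TYPE_USER) + _s(b"alice@laptop")
            + _s(principals) + struct.pack(">QQ", 1_700_000_000, 1_700_086_400)
            + _s(b"") + _s(extensions) + _s(b"")
            + _s(_s(b"ssh-ed25519") + _s(b"\x22" * 32))     # CA key (dummy)
            + _s(_s(b"ssh-ed25519") + _s(b"\x33" * 64)))    # signature (dummy)


SAMPLE_CERT_LINE = " ".join([ED25519_CERT, base64.b64encode(build_sample_cert()).decode(), "alice@laptop"])

if __name__ == "__main__":
    c = parse_cert_line(SAMPLE_CERT_LINE)
    print(c["key_id"], c["principals"], c["valid_after"], c["valid_before"])
```

Point `parse_cert_line` at a line from a real `id_ed25519-cert.pub` to see the principals and validity your CA actually issued; the checks in `cert_allows` are the reason a leaked certificate is far less useful than a leaked authorized_keys entry, since it stops working when the window closes.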

Back to FreeBSD, a new series

  • Similar to the "FreeBSD Challenge" blog series, one of our listeners will be writing about his journey switching BACK to FreeBSD
  • "So, a long time ago, I had a box which was running FreeBSD 4, running on a Pentium. 14 years later, I have decided to get back into FreeBSD, now at FreeBSD 10"
  • He's starting off with PCBSD since it's easy to get working with dual graphics
  • Should be a fun series to follow!

OpenBSD\’s recent experiments in package building

  • If you'll remember back to our poudriere tutorial, it lets you build FreeBSD binary packages in bulk – OpenBSD's equivalent is called dpb
  • Marc Espie recently got access to some monster machines in Russia to help improve the scaling of dpb on high-end hardware
  • This article goes through some of his findings and plans for future versions that increase performance
  • We'll be showing a tutorial of dpb on the show in a few weeks

Securing FreeBSD with 2FA

  • So maybe you've set up two-factor authentication with Gmail or Twitter, but have you done it with your BSD box?
  • This post walks us through the process of locking down an ssh server with 2FA
  • With just a mobile phone and a few extra tools, you can enable two-factor auth on your BSD box and get that little extra bit of protection

Interview – Gleb Kurtsou – gleb.kurtsou@gmail.com

PEFS


Tutorial

Filesystem-based encryption with PEFS


News Roundup

BSDCan 2014 registration

  • Registration is finally open!
  • The prices are available along with a full list of presentations
  • Tutorial sessions for various topics as well
  • You have to go

Big changes for OpenBSD 5.6

  • Although 5.5 was just frozen and the release process has started, 5.6 is already looking promising
  • OpenBSD has, for a long time, included a heavily-patched version of Apache based on 1.3
  • They imported nginx into base a few years ago, and have now finally removed Apache
  • Sendmail is also no longer the default MTA; OpenSMTPD is the new default
  • Will BIND be removed next? Maybe so
  • They've also discontinued the hp300, mvme68k and mvme88k ports

Getting to know your portmgr lurkers

  • The "getting to know your portmgr" series makes its return
  • This time we get to talk with danfe@ (probably best known for being the nVidia driver maintainer, but he does a lot with ports)
  • How did he get into FreeBSD? He "wanted a unix system that I could understand and that would not get bloated as time goes by"
  • He mentions why he's still heavily involved with the project and lots more

PCBSD weekly digest

  • Work has started to port PulseAudio to PCBSD 10.0.1 (why?)
  • There's a new "pc-mixer" utility being worked on for sound management as well
  • New PBIs, GNOME/Mate updates, Life Preserver fixes and a lot more
  • PCBSD 10.0.1 was released too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The pkgng, ZFS, OpenBSD router and FreeBSD desktop tutorials have gotten some updates and fixes
  • If you were using the automatic errata checking script in the router tutorial, you need to redownload the new, fixed version (they rearranged some stuff on the website and broke it)
  • A few weeks' worth of new tutorials were uploaded ahead of time for the benefit of everyone, no point in holding them hostage – go check 'em all out
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Dusko, the winner of our tutorial contest, sent us a picture with his awesome FreeBSD pillow!

Mozilla Persona | CR 63 https://original.jupiterbroadcasting.net/41812/mozilla-persona-cr-63/ Mon, 19 Aug 2013 12:32:30 +0000

The post Mozilla Persona | CR 63 first appeared on Jupiter Broadcasting.


We chat with Dan at Mozilla about his work on the Persona project, and how Mozilla offers developers a neutral platform for effective authentication.

Plus our thoughts on what’s troubling the Ubuntu Edge project, a batch of your questions, and much more!

Feedback

Persona

At Mozilla, we believe that your online life is your business. With that in mind, we created Persona to make it easier to sign in to websites.

Persona allows you to sign in to sites using any of your existing email addresses; and if you use Yahoo! or Gmail for email, you will be able to sign in without having to create a new password.

Connect with Mozilla Persona, the safest & easiest way to sign in.

  • Home – Mozilla Webmaker
    > We're a global community that creates the web by making, teaching and remixing. Check out this week's most inspiring Makes and sign up to create your own.

GIF me root | TechSNAP 101 https://original.jupiterbroadcasting.net/33641/gif-me-root-techsnap-101/ Thu, 14 Mar 2013 12:07:36 +0000

The post GIF me root | TechSNAP 101 first appeared on Jupiter Broadcasting.


We’ll explain the MiniDuke malware and the extremely clever way it slipped into its victims’ systems.

Researchers discovered a way to bypass Google two-factor authentication; we’ll explain the details, and we look back at 25 years of software vulnerabilities.

Plus a big batch of your questions, our answers, and so much more on this week’s TechSNAP!

Show Notes:

Miniduke malware used against European governments

  • A new attack against many European governments has been detected using a new malware called Miniduke
  • The malware exploits a sandbox bypass in Adobe Reader
  • The malware targeted a very small (59) but specific set of people from 23 different countries, mostly in Europe
  • The spear phishing attacks were perpetrated using well-crafted PDF files purporting to be NATO membership plans, Ukrainian foreign policy documents or a seminar on human rights
  • The malware allowed the attackers to copy and move files from the infected machines to their own servers, as well as kill other processes (like security software) and install additional malware
  • The attack was unique because of the unusual nature of the backdoor that was used and how specific and narrow the targets were
  • The backdoor contained components written in assembly, a relative rarity in modern malware
  • The malware also used Twitter as a command and control system, following specific users and looking for tweets containing encrypted commands prefixed with uri!
  • The malware also used .gif files as an update and distribution method; the gif files were regular images (like the RSS icon) but also contained malware binaries embedded using steganography
  • The backdoor also gathered system-specific information and used it to encrypt communications back and forth with the attackers’ servers (likely to avoid IDS and other forms of detection)
  • This system-specific information was also used as part of the attack: many components subsequently loaded onto the machines contained code that made them work only on that specific machine, making the security analysts’ job much harder, as they could not run the malware on controlled virtual machines or their own machines in order to analyze it
  • The researchers say the style and methods of the attack are reminiscent of attackers from the 90s
  • The attack pattern and programming style are reminiscent of a hacking group that was thought to have long since disbanded
  • The group, called 29A (666 in hex), published their first malware magazine in December 1996 and were active until February 2008, when the last standing member announced the group’s dissolution
  • Digital Underground Podcast – Intricacies of Miniduke
  • Full PDF with details

    Researchers discovered a way to bypass google two-factor authentication

    • For the last 7 months, researchers from DuoSecurity and any attackers with knowledge of the vulnerability have been able to bypass Google’s two-factor authentication system, even for Google services such as Gmail
    • An attacker who managed to steal or guess a user’s application-specific password could then exploit the Android auto-login feature to take over full control of a user’s entire Google profile, without having to enter the result of the secondary authentication mechanism
    • Once they have access to the profile, they could then reset the master password and disable two-factor authentication entirely, allowing them to completely steal the account
    • Application-specific passwords are a feature created by Google to allow you to use your Google account to authenticate to applications and services that do not support two-step login
    • This allows you to use your existing authentication to Google to access other apps that do not support web-based login (like IMAP/SMTP, chat and calendar apps)
    • “if a user has linked their Android device to their Google account, the Chrome browser will use local-device authentication to override Google’s two-factor authentication”
    • This is a classic case of trading the stronger security that two-factor authentication and strong passwords provide for the higher convenience factor
    • The scary part is that this mechanism allowed an attacker to access the Google ‘Account Settings’ portal, where you can change your backup email address, the phone number linked to your Google account, and other settings that are extremely sensitive and important to the security of your account
    • Researchers clarify that the only way for this vulnerability to affect users in a desktop environment is when their mobile authentication is compromised and used to seize their entire account
    • Google patched the vulnerability before it was announced last week
    • Researchers Post
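The design flaw behind this bug is a credential with low assurance (an application-specific password, no second factor) being laundered into a session that the account-settings portal treats as fully authenticated. The following added model, not Google's code or Duo's, shows the vulnerable auto-login beside a fixed one that carries the credential's assurance level through every derived token; the action names and level numbers are constructed for the example.

```python
from dataclasses import dataclass

# Assurance levels (constructed for this example, loosely following NIST AAL numbering).
AAL_APP_PASSWORD = 1   # application-specific password: one factor, no second step
AAL_PASSWORD_2FA = 2   # primary password plus the second factor

# Actions that must never be reachable without the second factor (constructed names).
STEP_UP_ACTIONS = {"view_account_settings", "change_password", "disable_2fa",
                   "change_recovery_email", "change_recovery_phone"}
# Actions an application-specific password is meant to cover.
APP_ACTIONS = {"imap", "smtp", "chat", "calendar"}

@dataclass(frozen=True)
class Token:
    user: str
    aal: int     # assurance level of the credential that originally minted this token
    kind: str    # "device" (Android login) or "web" (browser session)

def login_with_app_password(user: str) -> Token:
    return Token(user, AAL_APP_PASSWORD, "device")

def login_with_password_and_otp(user: str) -> Token:
    return Token(user, AAL_PASSWORD_2FA, "device")

def auto_login_vulnerable(device: Token) -> Token:
    """Mints a browser session from any device token and, by omission, treats it as
    fully authenticated: the assurance of the original credential is lost in translation."""
    return Token(device.user, AAL_PASSWORD_2FA, "web")

def auto_login_fixed(device: Token) -> Token:
    """Carries the original credential's assurance level into the web session, so the
    policy check below still sees that no second factor was ever presented."""
    return Token(device.user, device.aal, "web")

def authorize(token: Token, action: str) -> bool:
    """Policy: step-up actions require the second factor regardless of how the
    session was reached; everything else is limited to the app scopes."""
    if action in STEP_UP_ACTIONS:
        return token.aal >= AAL_PASSWORD_2FA
    return action in APP_ACTIONS
```

The fix is not a check on the settings endpoint alone: any token-exchange step that mints a new session must propagate the weakest assurance in its lineage.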

    Google introduces new compression algorithm

    • A key feature of Zopfli is that the compression is deflate-compatible, meaning the compressed data can be decompressed using the libraries already built into nearly all existing web browsers
    • Zopfli has a compression gain of 3–8% over zlib, but takes 2–3 orders of magnitude longer to compress, making it only really useful for compression of static data, rather than compressing dynamic data for HTTP streams
    • For example, to compress a 100 MB sample of the English Wikipedia, gzip takes 5.6 seconds, 7-zip takes 128 seconds, and Zopfli takes 454 seconds
    • All three compressed files can be decompressed in under 1 second
    • Google’s goal is to save bandwidth and battery life by reducing the size of text and images transmitted to mobile devices
    • The research started as an offshoot of the WebP project (advanced lossy and lossless image compression)
    • Google has open-sourced the code as a C library under the business-friendly Apache 2.0 license
    • PDF Paper on the compression savings
    • Additional Coverage

    VRT profiles 25 years of software vulnerabilities

    • VRT, the Sourcefire Vulnerability Research Team, dug through the CVE (Common Vulnerabilities and Exposures) database and NIST NVD (National Vulnerability Database)
    • 2012 was the first year since 2007 where the number of new vulnerabilities was greater than the previous year
    • However the number of vulnerabilities with a score over 7 (out of a possible 10) was still down each year since 2007
    • However 2012 had a record high number of vulnerabilities with scores of 10/10
    • The top types of vulnerabilities over the last 25 years have been buffer errors (buffer overflow etc), Cross Site Scripting, Access control, SQL Injection, Code Injection and Input Validation
    • Top Vendors with high severity vulnerabilities: Mozilla, Apple, Cisco, Sun, Adobe, IBM, Mozilla, HP, Google, and Oracle
    • Mobile Vulnerability Share: iPhone: 81%, Android: 9%, Windows: 6%, Blackberry: 4%
    • Full PDF

    Feedback:

    + What is the value of a hacked PC?
    + Steal your username/passwords (banking, games, web servers, skype)
    + Steal your CD keys (windows, office, games, etc)
    + Use your computer as a web server (host spam, malware, etc)
    + Join a botnet (click fraud, send spam, launch ddos)
    + Reputation hijacking (using your facebook account to ‘like’ businesses etc that pay the malware author)

    Conference Round Up:

    The post GIF me root | TechSNAP 101 first appeared on Jupiter Broadcasting.
