bcrypt – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

Proper Password Procedures | TechSNAP 398
https://original.jupiterbroadcasting.net/129611/proper-password-procedures-techsnap-398/
Fri, 01 Mar 2019 07:47:05 +0000

Show Notes: techsnap.systems/398

The post Proper Password Procedures | TechSNAP 398 first appeared on Jupiter Broadcasting.

BTRFS is Toast | TechSNAP 331
https://original.jupiterbroadcasting.net/117276/btrfs-is-toast-techsnap-331/
Tue, 08 Aug 2017 22:38:35 +0000

Show Notes:

Responsible Disclosure Is Hard

  • When a responsible person discovers a security issue, disclosing it properly is difficult

  • Uses Tesla’s policy as a good example of how companies should do this

  • “This is not hard stuff and it basically amounts to text on a page. Consider whether your own organisation has something to this effect and is actually ready to handle disclosure by those who attempt to do so ethically. Listen to these people and be thankful they exist; there’s a whole bunch of others out there who are far less charitable and by the time you hear from those guys, it’s already too late.”

RedHat deprecates Btrfs

  • The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

  • The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

320 Million Freely Downloadable Pwned Password hashes


Feedback


Round Up:

The post BTRFS is Toast | TechSNAP 331 first appeared on Jupiter Broadcasting.

BSD Now vs. BSDTalk | BSD Now 27
https://original.jupiterbroadcasting.net/52967/bsd-now-vs-bsdtalk-bsd-now-27/
Thu, 06 Mar 2014 23:41:07 +0000

The long-awaited meetup is finally happening on today’s show. We’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he’s been up to and what the future of BSD advocacy looks like. After that, we’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We’ve got answers to user-submitted questions and the latest news, on BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

FreeBSD and OpenBSD in GSOC2014

  • The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
  • Both FreeBSD and OpenBSD were accepted, and we’d love for anyone listening to check out their GSOC pages
  • The FreeBSD wiki has a list of things that they’d be interested in someone helping out with
  • OpenBSD’s want list was also posted
  • DragonflyBSD and NetBSD were sadly not accepted this year

Yes, you too can be an evil network overlord

  • A new blog post about monitoring your network using only free tools
  • OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
  • It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
  • There’s also details about flowd and nfsen, more great tools to make network monitoring easy
  • If you’re listening, Peter… stop ignoring our emails and come on the show! We know you’re watching!

BSDMag’s February issue is out

  • The theme is “configuring basic services on OpenBSD 5.4”
  • There’s also an interview with Peter Hansteen
  • Topics also include locking down SSH, a GIMP lesson, user/group management, and…
  • Linux and Solaris articles? Why??

Changes in bcrypt

  • Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
  • There is a bug in bcrypt when hashing long passwords – other OSes need to update theirs too! (FreeBSD already has)
  • “The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor ‘b’.”
  • As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
  • Lots of specifics in the email, check the full post
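To make the quoted wraparound concrete, here is an added C model (not OpenBSD’s bcrypt.c, and reduced to the key-loading step) that feeds password bytes cyclically into the Blowfish P-array the way the key schedule does, once with the length held in an unsigned char as in the pre-fix code and once with a full-width length; the passwords are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Blowfish folds the key into an 18-word P-array by reading the key bytes as a
 * ring, so at most 18 * 4 = 72 key bytes ever matter (the usual bcrypt limit).
 * The length bug modelled below cuts far below that. */
#define P_WORDS 18

/* Cyclic 4-byte read over a key of `databytes` bytes, the same idea as the
 * stream2word routine in the Blowfish key schedule. databytes must be > 0. */
static uint32_t stream2word(const uint8_t *data, size_t databytes, size_t *pos)
{
    uint32_t w = 0;
    for (int i = 0; i < 4; i++) {
        w = (w << 8) | data[*pos];
        *pos = (*pos + 1) % databytes;
    }
    return w;
}

/* Fill the P-array from the key. Returns -1 for a zero length, which the real
 * code would turn into a modulo by zero. */
static int load_key_material(const uint8_t *key, size_t len, uint32_t out[P_WORDS])
{
    size_t pos = 0;
    if (len == 0)
        return -1;
    for (int i = 0; i < P_WORDS; i++)
        out[i] = stream2word(key, len, &pos);
    return 0;
}

/* Pre-fix ("$2a$") length rule: strlen plus the terminating NUL, kept in an
 * unsigned char, so it wraps at 256 exactly as the quoted mail says. */
static size_t key_len_wrapped(const char *pw)
{
    uint8_t key_len = (uint8_t)(strlen(pw) + 1);
    return key_len;
}

/* Post-fix ("$2b$") length rule: a full-width size. */
static size_t key_len_fixed(const char *pw)
{
    return strlen(pw) + 1;
}

typedef size_t (*len_fn)(const char *);

/* 1 if both passwords feed identical key material into Blowfish under the
 * given length rule, 0 if they differ, -1 if either length is unusable. */
static int same_key_material(const char *a, const char *b, len_fn lenf)
{
    uint32_t pa[P_WORDS], pb[P_WORDS];
    if (load_key_material((const uint8_t *)a, lenf(a), pa) < 0 ||
        load_key_material((const uint8_t *)b, lenf(b), pb) < 0)
        return -1;
    return memcmp(pa, pb, sizeof pa) == 0;
}

/* Constructed samples: two 259-character passwords that agree only in their
 * first four bytes. 259 + 1 = 260 = 256 + 4, so the wrapped length is 4. */
static int long_passwords_collide(len_fn lenf)
{
    char a[260], b[260];
    memset(a, 'B', 259); memcpy(a, "AAAA", 4); a[259] = '\0';
    memset(b, 'C', 259); memcpy(b, "AAAA", 4); b[259] = '\0';
    return same_key_material(a, b, lenf);
}

/* 1 if an n-character password gets a usable (non-zero) key length under lenf.
 * At n = 255 the wrapped rule gives (255 + 1) % 256 = 0. */
static int length_usable(size_t n, len_fn lenf)
{
    char buf[1024];
    if (n >= sizeof buf)
        return -1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return lenf(buf) != 0;
}

int main(void)
{
    printf("259-char passwords collide under wrapped length: %d\n", long_passwords_collide(key_len_wrapped));
    printf("259-char passwords collide under fixed length:   %d\n", long_passwords_collide(key_len_fixed));
    printf("255-char password usable under wrapped length:   %d\n", length_usable(255, key_len_wrapped));
    return 0;
}
```

Under the wrapped rule only the first four bytes of the two long passwords reach the key schedule, so they hash identically; the fixed rule keeps them distinct.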

Interview – Will Backman – bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics


Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)


News Roundup

X11 no longer needs root

  • Xorg has long required root privileges to run the main server
  • With recent work from the OpenBSD team, everything (even KMS) can now run as a regular user
  • Now you can set the “machdep.allowaperture” sysctl to 0 and still use a GUI

OpenSSH 6.6 CFT

  • Shortly after the huge 6.5 release, we get a routine bugfix update
  • Test it out on as many systems as you can
  • Check the mailing list for the full bug list

Creating an OpenBSD USB drive

  • Since OpenBSD doesn’t distribute any official USB images, here are some instructions on how to do it
  • Step by step guide on how you can make your very own
  • However, there’s some recent emails that suggest official USB images may be coming soon… oh wait

PCBSD weekly digest

  • New PBI updates that allow separate ports from /usr/local
  • You need to rebuild pbi-manager if you want to try it out
  • Updates and changes to Life Preserver, App Cafe, PCDM

Feedback/Questions

  • espressowar writes in: https://slexy.org/view/s2JpJ5EaZp
  • Antonio writes in: https://slexy.org/view/s2QpPevJ3J
  • Christian writes in: https://slexy.org/view/s2EZLxDfWh
  • Adam writes in: https://slexy.org/view/s21gEBZbmG
  • Alex writes in: https://slexy.org/view/s2RnCO1p9c

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We especially want to hear some tutorial ideas that you guys would like to see, so let us know
  • Also, if you’re a NetBSD or DragonflyBSD guy listening, we want to talk to you! We’d love more interviews related to those, whether you’re a developer or not
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post BSD Now vs. BSDTalk | BSD Now 27 first appeared on Jupiter Broadcasting.

Go Directly to Fail | TechSNAP 151
https://original.jupiterbroadcasting.net/52407/go-directly-to-fail-techsnap-151/
Thu, 27 Feb 2014 17:23:58 +0000

We’ll break down Apple’s major SSL flaw, and what it says about Apple’s general security posture, then the Zeus trojan evolves…

Plus an awesome batch of your questions, our answers.

On this week’s episode of TechSNAP.

— Show Notes: —

Apple fixes certificate validation flaw in iOS and OS X

  • The flaw in the certificate verification step allowed an attacker to sign a certificate with any private key, or no key at all, and the certificate would still be accepted by the device
  • This means an attacker could trivially perform a man-in-the-middle (MitM) attack, and intercept all traffic between you and a secure destination
  • This would allow an attacker to get your email passwords, logins for services like Facebook and Twitter, and compromise your online banking account
  • A MitM attack is what TLS/SSL are designed to prevent
  • A MitM is trivial to perform if you can trick a user into connecting to a WiFi access point you control, say at a coffee shop or other public space
  • The flaw is also present in Mac OS X and fixed in 10.9.2 (Released Feb 25th, 4 days after the iOS update)
  • The issue is caused by a duplicate ‘goto’ statement. The first is inside the if structure (with implied curly braces), but the 2nd is unconditional, causing the goto fail to happen in every case
  • It is unclear how long Apple has known about the flaw, but the CVE for the bug was reserved on January 8th
  • diff between Mac OS X 10.8.5 and 10.9 showing the addition of the errant goto
  • OS X 10.9.2 also fixes an issue with cURL, where the TLS/SSL verification code did not check the hostname against the certificate if the URL was an IP address
  • Hacker News thread
  • More analysis
  • Why were there gotos in Apple software in the first place?
  • Apple Announcement
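The duplicated goto described above, as an added C illustration that is not Apple’s code: a toy hash and an equality check stand in for the real SHA-1 and RSA steps, with the buggy function beside the braced form that actually reaches the signature check; the handshake inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for the handshake hash context: FNV-1a over everything fed to
 * update(). Only the control flow around these calls matters for the bug. */
typedef struct { uint32_t h; } hash_ctx;

static int hash_init(hash_ctx *c) { c->h = 2166136261u; return 0; }
static int hash_update(hash_ctx *c, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { c->h ^= p[i]; c->h *= 16777619u; }
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->h; return 0; }

/* Stand-in for the raw signature check: 0 on match, -1 on mismatch (the real
 * code would do an RSA/ECDSA verify and return an errSSL* code). */
static int raw_verify(uint32_t digest, uint32_t sig) { return digest == sig ? 0 : -1; }

typedef int (*verify_fn)(const uint8_t *, const uint8_t *, const uint8_t *,
                         size_t, uint32_t);

/* Vulnerable shape. The second `goto fail;` is unconditional: it runs whenever
 * the update() before it succeeded, i.e. with err still 0, so hash_final() and
 * raw_verify() are never reached and the caller is told the signature is good.
 * In Apple's source the stray line was indented like the if-body above it. */
static int verify_buggy(const uint8_t *client_random, const uint8_t *server_random,
                        const uint8_t *signed_params, size_t n, uint32_t sig)
{
    hash_ctx ctx;
    uint32_t digest;
    int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, client_random, n)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, server_random, n)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, signed_params, n)) != 0)
        goto fail;
    goto fail;                              /* duplicated line: always taken */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Fixed shape: braces on every conditional body, so a duplicated statement can
 * no longer pass for part of the if, and the signature check is reached. */
static int verify_fixed(const uint8_t *client_random, const uint8_t *server_random,
                        const uint8_t *signed_params, size_t n, uint32_t sig)
{
    hash_ctx ctx;
    uint32_t digest;
    int err;
    if ((err = hash_init(&ctx)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, client_random, n)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, server_random, n)) != 0) { goto fail; }
    if ((err = hash_update(&ctx, signed_params, n)) != 0) { goto fail; }
    if ((err = hash_final(&ctx, &digest)) != 0) { goto fail; }
    err = raw_verify(digest, sig);
fail:
    return err;
}

/* Constructed handshake inputs (not real TLS data); the "genuine" signature
 * is simply the digest the honest path computes over them. */
static const uint8_t CLIENT_RANDOM[4] = {1, 2, 3, 4};
static const uint8_t SERVER_RANDOM[4] = {5, 6, 7, 8};
static const uint8_t SIGNED_PARAMS[4] = {9, 10, 11, 12};

static uint32_t genuine_signature(void)
{
    hash_ctx ctx;
    uint32_t d;
    hash_init(&ctx);
    hash_update(&ctx, CLIENT_RANDOM, 4);
    hash_update(&ctx, SERVER_RANDOM, 4);
    hash_update(&ctx, SIGNED_PARAMS, 4);
    hash_final(&ctx, &d);
    return d;
}

/* Run a verifier against the genuine signature, or a forged one (one bit flipped). */
static int verify_with(verify_fn verify, int forged)
{
    uint32_t sig = genuine_signature() ^ (forged ? 1u : 0u);
    return verify(CLIENT_RANDOM, SERVER_RANDOM, SIGNED_PARAMS, 4, sig);
}

int main(void)
{
    printf("buggy, forged signature:  %d  (0 = accepted)\n", verify_with(verify_buggy, 1));
    printf("fixed, forged signature:  %d\n", verify_with(verify_fixed, 1));
    printf("fixed, genuine signature: %d\n", verify_with(verify_fixed, 0));
    return 0;
}
```

The buggy function returns 0 for any signature because err is still 0 when the stray goto fires; compiler warnings for unreachable code and misleading indentation are the cheap detection for this class of defect.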

University of Maryland ID card system breached

  • 309,079 of the students, faculty, and staff of the University of Maryland College Park and Shady Grove campuses have had their personal information exposed in an attack against the ID card system
  • The breach occurred about 04:00 February 18th
  • An attacker was able to get access to the ID card database that holds information on all card holders dating back to 1998
  • The data includes full name, SSN, birth date and University ID number
  • Brian Voss, CIO of U Md., said “what most concerns him is the sophistication of the attack: The hacker or hackers must have had a “very significant understanding” of how the school’s data are designed and protected”
  • Voss claims that this was not a case of a ‘door left open’, that the attackers had to ‘pick through multiple locks’
  • It will be interesting to see if details of the attack are published
  • Related: The total cost of unmasked data

New Zeus trojan variant targets SalesForce.com

  • “The Adallom Labs team recently discovered an unusual variant of the Zeus trojan that targets Salesforce users. We’ve been internally referring to this type of attack as “landmining”, since the attackers laid “landmines” on unmanaged devices used by employees to access company resources. The attackers, now bypassing traditional security measures, wait for the user to connect to *.my.salesforce.com in order to exfiltrate company data from the user’s Salesforce instance.”
  • We have covered the Zeus trojan before, it is a sophisticated malware used to steal online banking credentials and perform transactions, even in the face of two-factor authentication schemes by performing ‘man-in-the-browser’ attacks
  • This attack does not exploit a vulnerability of SalesForce, it is just taking over the user’s device used to access the site, in order to steal data from the site once logged in
  • This attack seems to be a totally new kind of attack, not described by any existing Common Attack Pattern Enumeration and Classification (CAPEC) pattern.
  • When the Adallom security system detected an employee accessing a large number of records in a short period of time, it triggered an ‘insider threat’ alert. This alert is fairly common and is usually related to a sales agent downloading their entire rolodex, sometimes in preparation for leaving the company
  • When corporate security interrogated the employee in question, they claimed no knowledge of the bulk download
  • The employee’s laptop was scanned and found to be clean
  • Further investigation led to the employee’s home PC, which was running an outdated Windows XP, an unpatched version of Internet Explorer, and an expired virus scanner
  • The machine was infected with various bits of malware, but specifically, a modified version of the Zeus Trojan (win32/ZBot)
  • The interesting part is that the Trojan targets *.my.salesforce.com instead of banking sites
  • The attack also leveraged devices not controlled by corporate security
  • This highlights the risks involved with BYOD and allowing employees to use their home computers to access corporate applications, especially SaaS applications

Feedback:


Round Up:


The post Go Directly to Fail | TechSNAP 151 first appeared on Jupiter Broadcasting.

Cryptocrystalline | BSD Now 16
https://original.jupiterbroadcasting.net/48367/cryptocrystalline-bsd-now-16/
Fri, 20 Dec 2013 10:53:55 +0000

We’ll be showing you how to do a fully-encrypted installation of FreeBSD and OpenBSD. We also have an interview with Damien Miller – one of the lead developers of OpenSSH – about some recent crypto changes in the project. If you’re into data security, today’s the show for you. The latest news and all your burning questions answered, right here on BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

Secure communications with OpenBSD and OpenVPN

  • Starting off today’s theme of encryption…
  • A new blog series about combining OpenBSD and OpenVPN to secure your internet traffic
  • Part 1 covers installing OpenBSD with full disk encryption (which we’ll be doing later on in the show)
  • Part 2 covers the initial setup of OpenVPN certificates and keys
  • Parts 3 and 4 are the OpenVPN server and client configuration
  • Part 5 is some updates and closing remarks

FreeBSD Foundation Newsletter

  • The December 2013 semi-annual newsletter was sent out from the foundation
  • In the newsletter you will find the president’s letter, articles on the current development projects they sponsor and reports from all the conferences and summits they sponsored
  • The president’s letter alone is worth the read, really amazing
  • Really long, with lots of details and stories from the conferences and projects

Use of NetBSD with Marvell Kirkwood Processors

  • Article that gives a brief history of NetBSD and how to use it on an IP-Plug computer
  • The IP-Plug is a “multi-functional mini-server was developed by Promwad engineers by the order of AK-Systems. It is designed for solving a wide range of tasks in IP networks and can perform the functions of a computer or a server. The IP-Plug is powered from a 220V network and has low power consumption, as well as a small size (which can be compared to the size of a mobile phone charger).”
  • Really cool little NetBSD ARM project with lots of graphs, pictures and details

Experimenting with zero-copy network IO

  • Long blog post from Adrian Chadd about zero-copy network IO on FreeBSD
  • Discusses the different OS’ implementations and options
  • He’s able to get 35 Gbit/sec out of 70,000 active TCP sockets, but isn’t stopping there
  • Tons of details, check the full post

Interview – Damien Miller – djm@openbsd.org / @damienmiller

Cryptography in OpenBSD and OpenSSH


Full disk encryption in FreeBSD & OpenBSD

  • Shows how to install both FreeBSD and OpenBSD with full disk encryption
  • We’ll be using geli and bioctl and doing it step by step

News Roundup

OpenZFS office hours

  • Our buddy George Wilson sat down to take some ZFS questions from the community
  • You can see more info about it here

License summaries in pkgng

  • A discussion between Justin Sherrill and some NYCBUG guys about license frameworks in pkgng
  • Similar to pkgsrc’s “ACCEPTABLE_LICENSES” setting, pkgng could let the user decide which software licenses he wants to allow
  • Maybe we could get a “pkg licenses” command to display the license of all installed packages
  • Ok bapt, do it

The post Cryptocrystalline | BSD Now 16 first appeared on Jupiter Broadcasting.

Kickin’ NAS | BSD Now 15
https://original.jupiterbroadcasting.net/47992/kickin-nas-bsd-now-15/
Thu, 12 Dec 2013 22:07:53 +0000

We’ll be looking at the new version of FreeNAS, a BSD-based network attached storage solution, as well as talking to Josh Paetzel – one of the key developers of FreeNAS. Actually, he’s on the FreeBSD release engineering team too, and does quite a lot for the project. We’ve got answers to viewer-submitted questions and plenty of news to cover, so get ready for some BSD Now – the place to B.. SD.

– Show Notes: –

Headlines

More faces of FreeBSD

  • Another installment of the FoF series
  • This time they talk with Reid Linnemann who works at Spectra Logic
  • Gives a history of all the different jobs he’s done, all the programming languages he knows
  • Mentions how he first learned about FreeBSD, actually pretty similar to Kris’ story
  • “I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD.”
  • Now works on FreeBSD as his day job
  • The second one covers Brooks Davis
  • FreeBSD committer since 2001 and core team member from 2006 through 2012
  • He\’s helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain
  • “One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it.”
  • Lots more in the show notes

We cannot trust Intel and Via’s chip-based crypto

  • We woke up to see FreeBSD on the front page of The Register, Ars Technica and Hacker News for their strong stance on security and respecting privacy – good to see big news outlets giving credit where it’s due
  • At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators.
  • FreeBSD’s /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA’s hardware RNGs as the sole point of entropy
  • “It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more”
  • Hopefully others will follow FreeBSD’s example very soon

OpenSMTPD 5.4.1 released

  • The OpenBSD developers came out with a major new version
  • Improved config syntax (please check your smtpd.conf before upgrading)
  • Adds support for TLS Perfect Forward Secrecy and custom CA certificate
  • MTA, Queue and SMTP server improvements
  • SNI support confirmed for the next version
  • Check the show notes for the full list of changes, pretty huge release
  • Watch Episode 3 for an interview we did with the developers

More getting to know your portmgr

  • The portmgr secretary, Thomas Abthorpe, interviews… himself!
  • Joined as -secretary in March 2010, upgraded to full member in March 2011
  • His inspiration for using BSD is “I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go.”
  • Mentions how he loves that anyone can contribute and watch it “go live”
  • The second one covers Baptiste Daroussin
  • The reason for his nick, bapt, is “Baptiste is too long to type”
  • There’s even a video of bapt joining the team!

Interview – Josh Paetzel – josh@ixsystems.com / @freenasteam

FreeNAS 9.2.0


Tutorial

[FreeNAS walkthrough]


News Roundup

Introducing configinit

  • CloudInit is “a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2”
  • Wasn’t ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files)
  • Colin Percival came up with configinit, a FreeBSD alternative
  • Alongside his new “firstboot-pkgs” port, it can spin up a webserver in 120 seconds from “launch” of the EC2 instance
  • Check the show notes for full blog post

OpenSSH support for Ed25519 and bcrypt keys

  • New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code
  • SSH private keys were encrypted with a symmetric key that’s just an MD5 of their password
  • Now they\’ll be using bcrypt by default
  • We\’ll get more into this in next week\’s interview

The FreeBSD challenge

  • A member of the Linux foundation blogs about using FreeBSD
  • Goes through all the beginner steps, has to “unlearn” some of his Linux ways
  • Only a few posts as of this time, but it’s a continuing series that may be helpful for switchers
  • Maybe some day he’ll be on the FreeBSD foundation instead!

PCBSD weekly digest

  • GNOME3, cinnamon and mate desktops are in the installer
  • Compat layer updated to CentOS 6, enables newest Skype
  • Looking for people to test printers and hplip
  • Continuing work on grub, but the ability to switch between bootloaders is back

Feedback/Questions

  • Bostjan writes in: https://slexy.org/view/s20k2gumbP
  • Jason writes in: https://slexy.org/view/s2PM8tfKfe
  • John writes in: https://slexy.org/view/s2KgXIKqrJ
  • Kjell-Aleksander writes in: https://slexy.org/view/s20DLk8bac
  • Alexy writes in: https://slexy.org/view/s2nmmJHvgR

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Kickin' NAS | BSD Now 15 first appeared on Jupiter Broadcasting.

Tales from the BCrypt | TechSNAP 85
https://original.jupiterbroadcasting.net/27761/tales-from-the-bcrypt-techsnap-85/
Thu, 22 Nov 2012 00:08:38 +0000

How Allan saved PayPal from an embarrassing leak and a bunch of cash, details on the FreeBSD project’s compromise, and the latest advances in password hashing.

Plus the bug in iOS 6 that could cost you money, and a batch of your questions and our answers!

All that and a lot more in this week’s TechSNAP!

Show Notes:

Researcher finds flaw in PayPal that may expose sensitive data

    • PayPal’s new bug bounty program opened on June 21st 2012
    • On June 29th, the security researcher in this story decided to take a look at PayPal and see if he could make some money
    • He started his quest with a search on SHODAN (search engine for service information, like version numbers etc) for ‘admin paypal’
    • He found a number of publicly accessible ‘staging’ servers for PayPal (such as stage2mb106.paypal.com)
    • He started by trying to do an authentication bypass by using SQL injection using the randomly selected username ‘lsmith’
    • This returned an error message, but also the string ‘You are logged in as Lori Smith’
    • After some more testing, he found jsmith was Janine Smith
    • He wasn’t sure what this staging admin area did yet, but after some googling he found examples of court documents dumping the details of a PayPal account that are generated by the tool at admin.paypal.com
    • This is where the researcher found the first problem with PayPal’s bug bounty program. PayPal asks that all submissions be encrypted with PGP to ensure privacy, however the PGP key posted on the bug bounty program website had expired
    • On July 5th he finally got a proper PGP key and sent his report
    • July 19th – automated report that submission was received
    • August 7th – submission closed as ‘invalid’
    • August 8th – submission recategorized and reopened
    • August 21st – A hand written reply to another bug report, says the current report is still open and payment will be sent when it is fixed
    • August 29th – received payment for a ‘XSS Vulnerability’, which seems like a miscategorization, asks if this is a mistake, never gets a reply
    • Researcher’s Writeup

    • Allan has also participated in the PayPal Bug Bounty program, after finding a cache of stolen PayPal accounts totaling millions of dollars (a story to be covered in depth when I get time)
    • My own disclosure to the program started on September 15th and was finally concluded today, November 21st
    • The first automated reply saying they had received the report was September 17th
    • September 20th they replied asking for some additional information
    • October 26th, PayPal apologized for the delay and notified me that while my submission did not qualify under the Bug Bounty program, due to the nature of the information they were still going to award me $1000, I should expect payment in 3 weeks
    • November 21st, I received my payment and clearance to talk about the incident

Two FreeBSD project servers compromised by leaked SSH key

    • On November 17th the FreeBSD security officer announced that intrusions into two servers operated by the FreeBSD project had been detected on November 11th
    • The affected machines were taken offline for analysis
    • A large portion of the remaining infrastructure machines were also taken offline as a precaution
    • The two machines that were compromised were part of the legacy third-party package building infrastructure
    • It is believed that the compromise may have occurred as early as the 19th September 2012
    • The compromise is believed to have occurred due to the leak of an SSH key from a developer who legitimately had access to the machines in question, and was not due to any vulnerability or code exploit within FreeBSD
    • At no time did this attack place the core FreeBSD operating system (kernel, userland, contributed apps (ssh/sshd, bind, etc)) at risk
    • However, the attacker had access sufficient to potentially allow the compromise of third-party packages. No evidence of this has been found during in-depth analysis, however the FreeBSD Project is not taking any risks, and has thrown out all of the packages it was building for the release of FreeBSD 9.1 and building them from scratch
    • If you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012, you have no reason to worry
    • The Source, Ports and Documentation Subversion repositories have been audited, and the project is confident that no changes have been made to them. Any users relying on them for updates have no reason to worry
    • The project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Although there is no evidence to suggest any tampering took place and such interference is unlikely, the FreeBSD Project recommends you consider reinstalling any such machines from scratch, using trusted sources
    • Additional Source

PHP 5.5 to introduce new password hashing API

    • Official PHP RFC Wiki
    • Why do we need password hashing: to store passwords in a way such that we can verify that a user is entering the correct password, but if our database is compromised, the attacker cannot easily determine the user’s password
    • Why do we need strong cryptographic password hashing: Using regular hashing functions such as MD5 or even SHA512 is not sufficient. Regular hashing algorithms are designed to be fast and that is undesirable. Additionally, a straight hash is subject to attack by rainbow tables (precalculated hashes). Cryptographic hashes add a salt, to make each hash unique (even if multiple users use the same password, because the salt will be different, the hash will be different). Cryptographic hashes also usually include a stretching or slowing algorithm, that makes the hash take longer to calculate, sha512crypt uses a loop count, doing the hash 10000 times. Some algorithms like bcrypt are resistant to acceleration by a GPU, and other algorithms such as scrypt are designed to be memory intensive to resist acceleration for ASIC or FPGAs.
    • The new PHP password hashing API makes the process of generating and validating hashes much easier, and includes a system for upgrading hashes
    • The new API allows you to optionally specify the hash to use, and if not defaults to bcrypt (the old crypt() defaulted to DES). This also means that in the future, if PHP changes the default password hash, all new hashes will be made using the new algorithm
    • The API introduces a function that checks if a password hash needs to be upgraded. So when a user attempts to login, you check that they have entered the correct password (your database contains a hash from the old algorithm, but the hashes contain a marker at the front that identifies the hashing algorithm), if it is correct, you then use the attempted password (which you have in plain text, since you require that to generate a hash to check against the hash in your database) and hash it with the new algorithm, and overwrite the copy in your database. With this system, the first time a user with an old hash logs in, their hash is upgraded to the new algorithm
    • PHP 5.5 is just coming out in beta, and will likely not see production use for a while, but you do not have to wait, there is a pure-PHP implementation for PHP 5.3
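    The login-time hash upgrade flow described above, as an added example (not code from the show notes, the PHP RFC, or PHP's own documentation); the in-memory $db array, the user name and the passwords are constructed for illustration.

```php
<?php
// Added example: upgrading a stored password hash on login with PHP 5.5's
// password_hash() / password_verify() / password_needs_rehash().
// Constructed in-memory "database": one user whose hash was generated earlier
// with a deliberately low bcrypt cost, standing in for an "old" hash.
$db = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 4]),
];

// Current policy: PHP's default algorithm (bcrypt on 5.5) at cost 12.
$options = ['cost' => 12];

/**
 * Verify a login attempt and, if the stored hash is correct but no longer
 * matches the current algorithm/cost policy, replace it with a fresh one.
 * Returns true when the password was correct.
 */
function login(array &$db, $user, $password, array $options)
{
    if (!isset($db[$user])) {
        return false;
    }
    $hash = $db[$user];

    // The hash string carries its own algorithm marker and cost ("$2y$04$..."),
    // so an old hash can still be verified without knowing how it was made.
    if (!password_verify($password, $hash)) {
        return false;
    }

    // password_needs_rehash() compares the marker in the stored hash against
    // the requested algorithm and options; here cost 4 != cost 12, so it is true.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT, $options)) {
        // We only hold the plaintext because verification required it;
        // overwrite the stored hash with one made under the current policy.
        $db[$user] = password_hash($password, PASSWORD_DEFAULT, $options);
    }
    return true;
}

$old = $db['alice'];
var_dump(login($db, 'alice', 'wrong password'));                 // bool(false), hash untouched
var_dump(login($db, 'alice', 'correct horse battery staple'));   // bool(true), hash upgraded
var_dump(substr($old, 0, 7), substr($db['alice'], 0, 7));        // "$2y$04$" then "$2y$12$"
```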

    iOS 6 streaming bug causes excessive data usage

    • The issue has been detailed in a blog post at PRX.org
    • They looked into it after being approached by folks at This American Life about extremely high bills from their CDN for the month of October.
    • Chris has heard from other podcasters about this issue, and for some less prepared networks/shows it’s caused a semi-DDoS effect for many hours after an episode release.
    • PRX.org was able to reproduce the issue with several podcasts in the Podcast app, including podcasts using Limelight and Akamai CDNs.
    • PRX.org was unable to reproduce the issue using iOS 5 or using iOS 6.0.1, but there are still many people using iOS 6.0.0. We believe that this issue, combined with the bug causing the phone to behave as though it is connected to WiFi even when it is not, could account for the significant data overages reported with the release of iOS 6.
    • Others have reported the issue remains in iOS 6.0.1, but is perhaps alleviated by the resolution of the wifi bug.
    • When the file has completed downloading, it begins downloading again from the beginning of the file and continues for as long as one is streaming the file.
    • As long as one is listening to audio being streamed with iOS 6, it is using significant amounts of data.
    • There appears to be a system-wide problem with the AV Foundation framework in iOS 6.0.0, impacting any app in the App Store that uses that backend.
    • Apple does not appear to have acknowledged the specific issue.
    • Original PRX Labs post
    • More Coverage at Ars Technica and The Next Web

    Openwall gives talk at YaC2012 about password hashing

    • Openwall are the developers behind John the Ripper
    • Talk covers the challenges of securing against online and offline attacks
    • Covers the Pros and Cons of the YubiHSM, a USB hardware security module for servers from the makers of the YubiKey
    • Covers the future vulnerabilities of PBKDF2 and bcrypt
    • Talks about the advantages of scrypt
    • scrypt was invented by Colin Percival (former FreeBSD Security Officer), for his tarsnap secure online backup product
    • scrypt is designed to be much more secure against hardware brute-force attacks (using ASICs, FPGAs, etc.). It uses a time-memory trade-off, requiring a large amount of RAM in exchange for fewer CPU cycles, which makes dedicated hardware attacks much more expensive to carry out
    • “if 5 seconds are spent computing a derived key, the cost of a hardware brute-force attack against scrypt is roughly 4000 times greater than the cost of a similar attack against bcrypt (to find the same password), and 20000 times greater than a similar attack against PBKDF2”
    • When used for file encryption, the cost of cracking the password is 100 billion times more than the cost of cracking the same password on a file encrypted by openssl enc
    • scrypt is now an IETF internet draft

    Feedback:

    Round Up:

    The post Tales from the BCrypt | TechSNAP 85 first appeared on Jupiter Broadcasting.

    ]]>