Show Notes: linuxunplugged.com/359

The post Death of the Mac | LINUX Unplugged 359 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/337

The post Kubernetes on bhyve | BSD Now 337 first appeared on Jupiter Broadcasting.

##Headlines
###The byproducts of reading OpenBSD netcat code

When I took part in a training last year, I heard about netcat for the first time. During that class, the tutor showed some hacks and tricks of using netcat which appealed to me and motivated me to learn the guts of it. Fortunately, in the past 2 months, I was not so busy that I can spend my spare time to dive into OpenBSD‘s netcat source code, and got abundant byproducts during this process.
(1) Brush up socket programming. I wrote my first network application more than 10 years ago, and always think the socket APIs are marvelous. Just ~10 functions (socket, bind, listen, accept…) with some IO multiplexing buddies (select, poll, epoll…) connect the whole world, wonderful! From that time, I developed a habit that is when touching a new programming language, network programming is an essential exercise. Even though I don’t write socket related code now, reading netcat socket code indeed refresh my knowledge and teach me new stuff.
(2) Write a tutorial about netcat. I am mediocre programmer and will forget things when I don’t use it for a long time. So I just take notes of what I think is useful. IMHO, this “tutorial” doesn’t really mean teach others something, but just a journal which I can refer when I need in the future.
(3) Submit patches to netcat. During reading code, I also found bugs and some enhancements. Though trivial contributions to OpenBSD, I am still happy and enjoy it.
(4) Implement a C++ encapsulation of libtls. OpenBSD‘s netcat supports tls/ssl connection, but it needs you take full care of resource management (memory, socket, etc), otherwise a small mistake can lead to resource leak which is fatal for long-live applications (In fact, the two bugs I reported to OpenBSD are all related resource leak). Therefore I develop a simple C++ library which wraps the libtls and hope it can free developer from this troublesome problem and put more energy in application logic part.
Long story to short, reading classical source code is a rewarding process, and you can consider to try it yourself.

###What I learned from porting my projects to FreeBSD

• Introduction

I set up a local FreeBSD VirtualBox VM to test something, and it seems to work very well. Due to the novelty factor, I decided to get my software projects to build and pass the tests there.

• The Projects

• https://github.com/shlomif/shlomif-computer-settings/ (my dotfiles).

• https://web-cpan.shlomifish.org/latemp/

• https://fc-solve.shlomifish.org/

• https://www.shlomifish.org/open-source/projects/black-hole-solitaire-solver/

• https://better-scm.shlomifish.org/source/

• https://perl-begin.org/source/

• https://www.shlomifish.org/meta/site-source/

• Written using a mix of C, Perl 5, Python, Ruby, GNU Bash, XML, CMake, XSLT, XHTML5, XHTML1.1, Website META Language, JavaScript and more.

• Work fine on several Linux distributions and have https://en.wikipedia.org/wiki/Travis_CI using Ubuntu 14.04 hosts

• Some pass builds and tests on AppVeyor/Win64

• What I Learned:

• FreeBSD on VBox has become very reliable

• Some executables on FreeBSD are in /usr/local/bin instead of /usr/bin

• make on FreeBSD is not GNU make

• m4 on FreeBSD is not compatible with GNU m4

• Some CPAN Modules fail to install using local-lib there

• DocBook/XSL Does Not Live Under /usr/share/sgml

• FreeBSD’s grep does not have a “-P” flag by default

• FreeBSD has no “nproc” command

• Conclusion:

• It is easier to port a shell than a shell script. — Larry Wall

• I ran into some cases where my scriptology was lacking and suboptimal, even for my own personal use, and fixed them.

##News Roundup
###OpenBSD’s unveil()

One of the key aspects of hardening the user-space side of an operating system is to provide mechanisms for restricting which parts of the filesystem hierarchy a given process can access. Linux has a number of mechanisms of varying capability and complexity for this purpose, but other kernels have taken a different approach. Over the last few months, OpenBSD has inaugurated a new system call named unveil() for this type of hardening that differs significantly from the mechanisms found in Linux.
The value of restricting access to the filesystem, from a security point of view, is fairly obvious. A compromised process cannot exfiltrate data that it cannot read, and it cannot corrupt files that it cannot write. Preventing unwanted access is, of course, the purpose of the permissions bits attached to every file, but permissions fall short in an important way: just because a particular user has access to a given file does not necessarily imply that every program run by that user should also have access to that file. There is no reason why your PDF viewer should be able to read your SSH keys, for example. Relying on just the permission bits makes it easy for a compromised process to access files that have nothing to do with that process’s actual job.
In a Linux system, there are many ways of trying to restrict that access; that is one of the purposes behind the Linux security module (LSM) architecture, for example. The SELinux LSM uses a complex matrix of labels and roles to make access-control decisions. The AppArmor LSM, instead, uses a relatively simple table of permissible pathnames associated with each application; that approach was highly controversial when AppArmor was first merged, and is still looked down upon by some security developers. Mount namespaces can be used to create a special view of the filesystem hierarchy for a set of processes, rendering much of that hierarchy invisible and, thus, inaccessible. The seccomp mechanism can be used to make decisions on attempts by a process to access files, but that approach is complex and error-prone. Yet another approach can be seen in the Qubes OS distribution, which runs applications in virtual machines to strictly control what they can access.
Compared to many of the options found in Linux, unveil() is an exercise in simplicity. This system call, introduced in July, has this prototype:

int unveil(const char *path, const char *permissions);

A process that has never called unveil() has full access to the filesystem hierarchy, modulo the usual file permissions and any restrictions that may have been applied by calling pledge(). Calling unveil() for the first time will “drop a veil” across the entire filesystem, rendering the whole thing invisible to the process, with one exception: the file or directory hierarchy starting at path will be accessible with the given permissions. The permissions string can contain any of “r” for read access, “w” for write, “x” for execute, and “c” for the ability to create or remove the path.
Subsequent calls to unveil() will make other parts of the filesystem hierarchy accessible; the unveil() system call itself still has access to the entire hierarchy, so there is no problem with unveiling distinct subtrees that are, until the call is made, invisible to the process. If one unveil() call applies to a subtree of a hierarchy unveiled by another call, the permissions associated with the more specific call apply.
Calling unveil() with both arguments as null will block any further calls, setting the current view of the filesystem in stone. Calls to unveil() can also be blocked using pledge(). Either way, once the view of the filesystem has been set up appropriately, it is possible to lock it so that the process cannot expand its access in the future should it be taken over and turn hostile.
unveil() thus looks a bit like AppArmor, in that it is a path-based mechanism for restricting access to files. In either case, one must first study the program in question to gain a solid understanding of which files it needs to access before closing things down, or the program is likely to break. One significant difference (beyond the other sorts of behavior that AppArmor can control) is that AppArmor’s permissions are stored in an external policy file, while unveil() calls are made by the application itself. That approach keeps the access rules tightly tied to the application and easy for the developers to modify, but it also makes it harder for system administrators to change them without having to rebuild the application from source.
One can certainly aim a number of criticisms at unveil() — all of the complaints that have been leveled at path-based access control and more. But the simplicity of unveil() brings a certain kind of utility, as can be seen in the large number of OpenBSD applications that are being modified to use it. OpenBSD is gaining a base level of protection against unintended program behavior; while it is arguably possible to protect a Linux system to a much greater extent, the complexity of the mechanisms involved keeps that from happening in a lot of real-world deployments. There is a certain kind of virtue to simplicity in security mechanisms.

###NetBSD Virtual Machine Monitor (NVVM)

• NetBSD Virtual Machine Monitor

The NVMM driver provides hardware-accelerated virtualization support on NetBSD. It is made of an ~MI frontend, to which MD backends can be plugged. A virtualization API is provided in libnvmm, that allows to easily create and manage virtual machines via NVMM. Two additional components are shipped as demonstrators, toyvirt and smallkern: the former is a toy virtualizer, that executes in a VM the 64bit ELF binary given as argument, the latter is an example of such binary.

• Download

The source code of NVMM, plus the associated tools, can be downloaded here.

• Technical details

NVMM can support up to 128 virtual machines, each having a maximum of 256 VCPUs and 4GB of RAM.
Each virtual machine is granted access to most of the CPU registers: the GPRs (obviously), the Segment Registers, the Control Registers, the Debug Registers, the FPU (x87 and SSE), and several MSRs.
Events can be injected in the virtual machines, to emulate device interrupts. A delay mechanism is used, and allows VMM software to schedule the interrupt right when the VCPU can receive it. NMIs can be injected as well, and use a similar mechanism.
The host must always be x86_64, but the guest has no constraint on the mode, so it can be x86_32, PAE, real mode, and so on.
The TSC of each VCPU is always re-based on the host CPU it is executing on, and is therefore guaranteed to increase regardless of the host CPU. However, it may not increase monotonically, because it is not possible to fully hide the host effects on the guest during #VMEXITs.
When there are more VCPUs than the host TLB can deal with, NVMM uses a shared ASID, and flushes the shared-ASID VCPUs on each VM switch.
The different intercepts are configured in such a way that they cover everything that needs to be emulated. In particular, the LAPIC can be emulated by VMM software, by intercepting reads/writes to the LAPIC page in memory, and monitoring changes to CR8 in the exit state.

###What ‘dependency’ means in Unix init systems is underspecified (utoronto.ca)

I was reading Davin McCall’s On the vagaries of init systems (via) when I ran across the following, about the relationship between various daemons (services, etc):
I do not see any compelling reason for having ordering relationships without actual dependency, as both Nosh and Systemd provide for. In comparison, Dinit’s dependencies also imply an ordering, which obviates the need to list a dependency twice in the service description.
Well, this may be an easy one but it depends on what an init system means by ‘dependency’. Let’s consider ®syslog and the SSH daemon. I want the syslog daemon to be started before the SSH daemon is started, so that the SSH daemon can log things to it from the beginning. However, I very much do not want the SSH daemon to not be started (or to be shut down) if the syslog daemon fails to start or later fails. If syslog fails, I still want the SSH daemon to be there so that I can perhaps SSH in to the machine and fix the problem.
This is generally true of almost all daemons; I want them to start after syslog, so that they can syslog things, but I almost never want them to not be running if syslog failed. (And if for some reason syslog is not configured to start, I want enabling and starting, say, SSH, to also enable and start the syslog daemon.)
In general, there are three different relationships between services that I tend to encounter:

• a hard requirement, where service B is useless or dangerous without service A. For instance, many NFS v2 and NFS v3 daemons basically don’t function without the RPC portmapper alive and active. On any number of systems, firewall rules being in place are a hard requirement to start most network services; you would rather your network services not start at all than that they start without your defenses in place.

• a want, where service B wants service A to be running before B starts up, and service A should be started even if it wouldn’t otherwise be, but the failure of A still leaves B functional. Many daemons want the syslog daemon to be started before they start but will run without it, and often you want them to do so so that at least some of the system works even if there is, say, a corrupt syslog configuration file that causes the daemon to error out on start. (But some environments want to hard-fail if they can’t collect security related logging information, so they might make rsyslogd a requirement instead of a want.)

• an ordering, where if service A is going to be started, B wants to start after it (or before it), but B isn’t otherwise calling for A to be started. We have some of these in our systems, where we need NFS mounts done before cron starts and runs people’s @reboot jobs but neither cron nor NFS mounts exactly or explicitly want each other. (The system as a whole wants both, but that’s a different thing.)

Given these different relationships and the implications for what the init system should do in different situations, talking about ‘dependency’ in it systems is kind of underspecified. What sort of dependency? What happens if one service doesn’t start or fails later?
My impression is that generally people pick a want relationship as the default meaning for init system ‘dependency’. Usually this is fine; most services aren’t actively dangerous if one of their declared dependencies fails to start, and it’s generally harmless on any particular system to force a want instead of an ordering relationship because you’re going to be starting everything anyway.

• (In my example, you might as well say that cron on the systems in question wants NFS mounts. There is no difference in practice; we already always want to do NFS mounts and start cron.)

###Jailing The bhyve Hypervisor

As FreeBSD nears the final 12.0-RELEASE release engineering cycles, I’d like to take a moment to document a cool new feature coming in 12: jailed bhyve.
You may notice that I use HardenedBSD instead of FreeBSD in this article. There is no functional difference in bhyve on HardenedBSD versus bhyve on FreeBSD. The only difference between HardenedBSD and FreeBSD is the aditional security offered by HardenedBSD.
The steps I outline here work for both FreeBSD and HardenedBSD. These are the bare minimum steps, no extra work needed for either FreeBSD or HardenedBSD.

• A Gentle History Lesson

At work in my spare time, I’m helping develop a malware lab. Due to the nature of the beast, we would like to use bhyve on HardenedBSD. Starting with HardenedBSD 12, non-Cross-DSO CFI, SafeStack, Capsicum, ASLR, and strict W^X are all applied to bhyve, making it an extremely hardened hypervisor.
So, the work to support jailed bhyve is sponsored by both HardenedBSD and my employer. We’ve also jointly worked on other bhyve hardening features, like protecting the VM’s address space using guard pages (mmap(…, MAP_GUARD, …)). Further work is being done in a project called “malhyve.” Only those modifications to bhyve/malhyve that make sense to upstream will be upstreamed.

• Initial Setup

We will not go through the process of creating the jail’s filesystem. That process is documented in the FreeBSD Handbook. For UEFI guests, you will need to install the uefi-edk2-bhyve package inside the jail.
I network these jails with traditional jail networking. I have tested vnet jails with this setup, and that works fine, too. However, there is no real need to hook the jail up to any network so long as bhyve can access the tap device. In some cases, the VM might not need networking, in which case you can use a network-less VM in a network-less jail.
By default, access to the kernel side of bhyve is disabled within jails. We need to set allow.vmm in our jail.conf entry for the bhyve jail.

• We will use the following in our jail, so we will need to set up devfs(8) rules for them:

• A ZFS volume

• A null-modem device (nmdm(4))

• UEFI GOP (no devfs rule, but IP assigned to the jail)

• A tap device

• Conclusion

The bhyve hypervisor works great within a jail. When combined with HardenedBSD, bhyve is extremely hardened:

• PaX ASLR is fully applied due to compilation as a Position-Independent Executable (HardenedBSD enhancement)
• PaX NOEXEC is fully applied (strict W^X) (HardenedBSD enhancement)
• Non-Cross-DSO CFI is fully applied (HardenedBSD enhancement)
• Full RELRO (RELRO + BIND_NOW) is fully applied (HardenedBSD enhancement)
• SafeStack is applied to the application (HardenedBSD enhancement)
• Jailed (FreeBSD feature written by HardenedBSD)
• Virtual memory protected with guard pages (FreeBSD feature written by HardenedBSD)
• Capsicum is fully applied (FreeBSD feature)

Bad guys are going to have a hard time breaking out of the userland components of bhyve on HardenedBSD.

##Beastie Bits

• GhostBSD 18.10 has been released
• Project Trident RC3 has been released
• The OpenBSD Foundation receives the first Silver contribution from a single individual
• Monitoring pf logs gource
• NetBSD on the RISC-V is alive
• The X hole
• Announcing the pkgsrc-2018Q3 release (2018-10-05)
• NAT performance on EdgeRouter X and Lite with EdgeOS, OpenBSD, and OpenWRT
• UNIX (as we know it) might not have existed without Mrs. Thompson
• Free Pizza for your dev events
• Portland BSD Pizza Night: Nov 29th 7pm

##Feedback/Questions

• Dennis – Core developers leaving illumOS?
• Ben – Jumping from snapshot to snapshot
• Ias – Question about ZFS snapshots

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Detain the bhyve | BSD Now 272 first appeared on Jupiter Broadcasting.

##Headlines
###OpenBSD/NetBSD on FreeBSD using grub2-bhyve

When I was writing a blog post about the process title, I needed a couple of virtual machines with OpenBSD, NetBSD, and Ubuntu. Before that day I mainly used FreeBSD and Windows with bhyve. I spent some time trying to set up an OpenBSD using bhyve and UEFI as described here. I had numerous problems trying to use it, and this was the day I discovered the grub2-bhyve tool, and I love it!
The grub2-bhyve allows you to load a kernel using GRUB bootloader. GRUB supports most of the operating systems with a standard configuration, so exactly the same method can be used to install NetBSD or Ubuntu. First, let’s install grub2-bhyve on our FreeBSD box:

# pkg install grub2-bhyve

To run grub2-bhyve we need to provide at least the name of the VM. In bhyve, if the memsize is not specified the default VM is created with 256MB of the memory.

# grub-bhyve test
GNU GRUB version 2.00
Minimal BASH-like line editing is supported. For the first word, TAB lists possible command
completions. Anywhere else TAB lists possible device or file completions.


grub>

After running grub-bhyve command we will enter the GRUB loader. If we type the ls command, we will see all the available devices. In the case of the grub2-bhyve there is one additional device called “(host)” that is always available and allows the host filesystem to be accessed. We can list files under that device.

grub> ls
(host)
grub> ls (host)/
libexec/ bin/ usr/ bhyve/ compat/ tank/ etc/ boot/ net/ entropy proc/ lib/ root/ sys/ mnt/ rescue/ tmp/ home/ sbin/ media/ jail/ COPYRIGHT var/ dev/
grub>

To exit console simply type ‘reboot’. I would like to install my new operating system under a ZVOL ztank/bhyve/post. On another terminal, we create:

# zfs create -V 10G ztank/bhyve/post

If you don’t use ZFS for some crazy reason you can also create a raw blob using the truncate(1) command.

# truncate -s 10G post.img

I recommend installing an operating system from the disk image (installXX.fs for OpenBSD and NetBSD-X.X-amd64-install.img for NetBSD). Now we need to create a device map for a GRUB.

cat > /tmp/post.map << EOF
(hd0) /directory/to/disk/image
(hd1) /dev/zvol/ztank/bhyve/post
EOF

The mapping files describe the names for files in the GRUB. In our case under hd0 we will have an installation image and in hd1 we will have our ZVOL/blob. You can also try to use an ISO image then instead of using hd0 device name use a cd0. When we will run the grub-bhyve command we will see two additional devices.

# grub-bhyve -m /tmp/post.map post
grub> ls
(hd0) (hd0,msdos4) (hd0,msdos1) (hd0,openbsd9) (hd0,openbsd1) (hd1) (host)

The hd0 (in this example OpenBSD image) contains multiple partitions. We can check what is on it.

grub> ls (hd0,msdos4)/
boot bsd 6.4/ etc/

And this is the partition that contains a kernel. Now we can set a root device, load an OpenBSD kernel and boot:

grub> set root=(hd0,msdos4)
grub> kopenbsd -h com0 -r sd0a /bsd
grub> boot

After that, we can run bhyve virtual machine. In my case it is:

# bhyve -c 1 -w -u -H \
-s 0,amd_hostbridge \
-s 3,ahci-hd,/directory/to/disk/image \
-s 4,ahci-hd,/dev/zvol/ztank/bhyve/post \
-s 31,lpc -l com1,stdio \
post

Unfortunately explaining the whole bhyve(8) command line is beyond this article. After installing the operating system remove hd0 from the mapping file and the image from the bhyve(8) command. If you don’t want to type all those GRUB commands, you can simply redirect them to the standard input.

cat << EOF | grub-bhyve -m /tmp/post.map -M 512 post
set root=(hd0,4)
kopenbsd -h com0 -r sd0a /bsd
boot
EOF

###My FreeBSD Story

My first devices/computers/consoles (not at the same time) that I remember were Atari 2600 and Pegasus console which was hardware clone of the Nintendo NES.
Back then I did not even knew that it was Atari 2600 as I referred to it as Video Computer System … and I did not even knew any english by then. It took me about two decades to get to know (by accident) that this Video Computer System was Atari 2600
Then I got AMIGA 600 computer (or should I say my parents bought it for me) which served both for playing computer games and also other activities for the first time. AMIGA is the computer that had the greatest influence on me, as it was the first time I studied the books about Amiga Workbench operating system and learned commands from Amiga Shell terminal. I loved the idea of Ram Disk icon/directory on the desktop that allowed me to transparently put any things in system memory. I still miss that concept on today’s desktop systems … and I still remember how dismal I was when I watched Amiga Deathbed Vigil movie.
At the end of 1998 I got my first PC that of course came with Windows and that computer served both as gaming machine and as well as typical tool. One time I dig into the internals with Windows Registry (which left me disgusted by its concepts and implementation) and its limited command line interface provided by CMD.EXE executable. I remember that the heart of this box was not the CPU or the motherboard but the graphics accelerator – the legendary 3Dfx Voodoo card. This company (3Dfx) – their attitude and philosophy – also left solid fingerprint on my way. Like AMIGA did.
After ‘migration’ from AMIGA to PC it never again ‘felt right’. The games were cool but the Windows system was horrible. Time has passed and different Windows versions and hardware modifications took place. Windows XP felt really heavy at that time, not to mention Windows 2000 for example with even bigger hardware requirements. I also do not understand all the hate about Windows ME. It crashed with the same frequency as Windows 98 or later Windows 98 Second Edition but maybe my hardware was different ??
I do not have any ‘mine’ screenshots from that period as I lost all my 40 GB (huge then) drive of data when I moved/resized the partition with Partition Magic to get some more space from the less filled C: drive. That day I learned hard that “there are people who do backups and people who will do backups”. I never lost data again as I had multiple copies of my data, but the same as Netheril fall the lost data was was gone forever.
I always followed various alternatives which led me to try Linux in 2003, after reading about various distributions philosophies I decided to run Slackware Linux with KDE 3. My buddy used Aurox Linux by then (one of the few Linux distributions from Poland) and encouraged me to do the same – especially in the context of fixing possible problems as he already knew it and also as he recently dumped Windows system. But Slackware sounded like a better idea so I took that path instead. At first I dual booted between Windows XP and Slackware Linux cause I had everything worked out on the Windows world while I often felt helpless in the Linux world, so I would reboot into Windows to play some games or find a solution for Linux problem if that was required. I remember how strange the concept of dual clipboards (PRIMARY and SECONDARY) was for me by then. I was amazed why ‘so much better’ system as Linux (at least marketed that way) needs a system tray program to literally manage the clipboard. On Windows it was obvious, you do [CTRL]+[C] to copy and [CTRL]+[V] to paste things, but on Linux there (no I know its X11 feature) there were two clipboards that were synchronized by this little system tray program from KDE 3. It was also unthinkable for me that I will ‘lost’ contents of last/recent [CTRL]+[C] operation if I close the application from which the copy was made. I settled down a little on Slackware but not for long. I really did not liked manual dependency management for packages for example. Also KDE 3 was really ugly and despite trying all possible options I was not able to tweak it into something nice looking.
After half a year on Slackware I checked the Linux distributions again and decided to try Gentoo Linux. I definitely agree with the image below which visualizes Gentoo Linux experience, especially when You install it for he first time ??
Of course I went with the most hardcore version with self building Stage 1 (compiler and toolchain) which was horrible idea at that time because compilation on slow single core machine took forever … but after many hours I got Gentoo installed. I now have to decide which desktop environment to use. I have read a lot of good news about Fluxbox at that time so this is what I tried. It was very weird experience (to create everything in GUI from scratch) but very pleasant one. That recalled me the times of AMIGA … but Linux came in the way too much often. The more I dig into Gentoo Linux the more I read that lots of Gentoo features are based on FreeBSD solutions. Gentoo Portage is a clone of FreeBSD Ports. That ‘central’ /etc/rc.conf system configuration file concept was taken from FreeBSD as well. So I started to gather information about FreeBSD. The (then) FreeBSD website or FreeBSD Ports site (still) felt little outdated to say the least but that did not discouraged me.
Somewhere in 2005 I installed FreeBSD 5.4 on my computer. The beginnings were hard, like the earlier step with Gentoo but similarly like Gentoo the FreeBSD project came with a lot of great documentation. While Gentoo documentation is concentrated within various Gentoo Wiki sites the FreeBSD project comes with ‘official’ documentation in the form of Handbook and FAQ. I remember my first questions at the now nonexistent BSDForums.org site – for example one of the first ones – how to scroll the terminal output in the plain console. I now know that I had to push Scroll Lock button but it was something totally new for me.
Why FreeBSD and not OpenBSD or NetBSD? Probably because Gentoo based most their concepts on the FreeBSD solutions, so that led me to FreeBSD instead of the other BSD operating systems. Currently I still use FreeBSD but I keep an steady eye on the OpenBSD, HardenedBSD and DragonFly BSD solutions and improvements.
As the migration path from Linux to FreeBSD is a lot easier – all configuration files from /home can be just copied – the migration was quite fast easy. I again had the Fluxbox configuration which I used on the Gentoo. Now – on FreeBSD – it started to fell even more like AMIGA times. Everything is/has been well thought and had its place and reason. The documentation was good and the FreeBSD Community was second to none.
After 15 years of using various Windows, UNIX (macOS/AIX/HP-UX/Solaris/OpenSolaris/Illumos/FreeBSD/OpenBSD/NetBSD) and UNIX-like (Linux) systems I always come to conclusion that FreeBSD is the system that sucks least. And sucks least with each release and one day I will write why FreeBSD is such great operating system … if I already haven’t

##News Roundup
###OpenBSD on the Desktop: some thoughts

I’ve been using OpenBSD on my ThinkPad X230 for some weeks now, and the experience has been peculiar in some ways.
The OS itself in my opinion is not ready for widespread desktop usage, and the development team is not trying to push it in the throat of anybody who wants a Windows or macOS alternative. You need to understand a little bit of how *NIX systems work, because you’ll use CLI more than UI. That’s not necessarily bad, and I’m sure I learned a trick or two that could translate easily to Linux or macOS. Their development process is purely based on developers that love to contribute and hack around, just because it’s fun. Even the mailing list is a cool place to hang on! Code correctness and security are a must, nothing gets committed if it doesn’t get reviewed thoroughly first – nowadays the first two properties should be enforced in every major operating system.
I like the idea of a platform that continually evolves. pledge(2) and unveil(2) are the proof that with a little effort, you can secure existing software better than ever.
I like the “sensible defaults” approach, having an OS ready to be used – UI included if you selected it during the setup process – is great.
Just install a browser and you’re ready to go.
Manual pages on OpenBSD are real manuals, not an extension of the “–help” command found in most CLI softwares. They help you understand inner workings of the operating system, no internet connection needed. There are some trade-offs, too.
Performance is not first-class, mostly because of all the security mitigations and checks done at runtime.
I write Go code in neovim, and sometimes you can feel a slight slowdown when you’re compiling and editing multiple files at the same time, but usually I can’t notice any meaningful difference. Browsers are a different matter though, you can definitely feel something differs from the experience you can have on mainstream operating systems. But again, trade-offs.
To use OpenBSD on the desktop you must be ready to sacrifice some of the goodies of mainstream OSes, but if you’re searching for a zen place to do your computing stuff, it’s the best you can get right now.

###The history of file type information being available in Unix directories

The two things that Unix directory entries absolutely have to have are the name of the directory entry and its ‘inode’, by which we generically mean some stable kernel identifier for the file that will persist if it gets renamed, linked to other directories, and so on. Unsurprisingly, directory entries have had these since the days when you read the raw bytes of directories with read(), and for a long time that was all they had; if you wanted more than the name and the inode number, you had to stat() the file, not just read the directory. Then, well, I’ll quote myself from an old entry on a find optimization:
[…], Unix filesystem developers realized that it was very common for programs reading directories to need to know a bit more about directory entries than just their names, especially their file types (find is the obvious case, but also consider things like ‘ls -F’). Given that the type of an active inode never changes, it’s possible to embed this information straight in the directory entry and then return this to user level, and that’s what developers did; on some systems, readdir(3) will now return directory entries with an additional d_type field that has the directory entry’s type.
On Twitter, I recently grumbled about Illumos not having this d_type field. The ensuing conversation wound up with me curious about exactly where d_type came from and how far back it went. The answer turns out to be a bit surprising due to there being two sides of d_type.
On the kernel side, d_type appears to have shown up in 4.4 BSD. The 4.4 BSD /usr/src/sys/dirent.h has a struct dirent that has a d_type field, but the field isn’t documented in either the comments in the file or in the getdirentries(2) manpage; both of those admit only to the traditional BSD dirent fields. This 4.4 BSD d_type was carried through to things that inherited from 4.4 BSD (Lite), specifically FreeBSD, but it continued to be undocumented for at least a while.
(In FreeBSD, the most convenient history I can find is here, and the d_type field is present in sys/dirent.h as far back as FreeBSD 2.0, which seems to be as far as the repo goes for releases.)
Documentation for d_type appeared in the getdirentries(2) manpage in FreeBSD 2.2.0, where the manpage itself claims to have been updated on May 3rd 1995 (cf). In FreeBSD, this appears to have been part of merging 4.4 BSD ‘Lite2’, which seems to have been done in 1997. I stumbled over a repo of UCB BSD commit history, and in it the documentation appears in this May 3rd 1995 change, which at least has the same date. It appears that FreeBSD 2.2.0 was released some time in 1997, which is when this would have appeared in an official release.
In Linux, it seems that a dirent structure with a d_type member appeared only just before 2.4.0, which was released at the start of 2001. Linux took this long because the d_type field only appeared in the 64-bit ‘large file support’ version of the dirent structure, and so was only return by the new 64-bit getdents64() system call. This would have been a few years after FreeBSD officially documented d_type, and probably many years after it was actually available if you peeked at the structure definition.
As far as I can tell, d_type is present on Linux, FreeBSD, OpenBSD, NetBSD, Dragonfly BSD, and Darwin (aka MacOS or OS X). It’s not present on Solaris and thus Illumos. As far as other commercial Unixes go, you’re on your own; all the links to manpages for things like AIX from my old entry on the remaining Unixes appear to have rotted away.
Sidebar: The filesystem also matters on modern Unixes
Even if your Unix supports d_type in directory entries, it doesn’t mean that it’s supported by the filesystem of any specific directory. As far as I know, every Unix with d_type support has support for it in their normal local filesystems, but it’s not guaranteed to be in all filesystems, especially non-Unix ones like FAT32. Your code should always be prepared to deal with a file type of DT_UNKNOWN.
It’s also possible to have things the other way around, where you have a filesystem with support for file type information in directories that’s on a Unix that doesn’t support it. There are a number of plausible reasons for this to happen, but they’re either obvious or beyond the scope of this entry.

###Multiboot Pinebook KDE neon

Recently a KDE neon image for the Pinebook was announced. There is a new image, with a handful of fixes, which the KDE Plasma team has been working on over the past week and a half.
Here’s a picture of my Pinebook running KDE neon — watching Panic! At the Disco’s High Hopes — sitting in front of my monitor that’s hooked up to one of my openSUSE systems. There are still some errata, and watching video sucks up battery, but for hacking on documentation from my hammock in the garden, or doing IRC meetings it’s a really nice machine.
But one of the neat things about running KDE neon off of an SD card on the Pinebook is that it’s portable — that SD card can move around. So let’s talk about multiboot in the sense of “booting the same OS storage medium in different hardware units” rather than “booting different OS from a medium in a single hardware unit”. On these little ARM boards, u-boot does all the heavy lifting early in the boot process. So to re-use the KDE neon Pinebook image on another ARM board, the u-boot blocks need to be replaced.
I have the u-boot from a Pine64 image (I forget what) lying around, 1015 blocks of 1024 bytes, which I can dd over the u-boot blocks on the SD card, dd bs=1k conv=notrunc,sync if=uboot.img of=/dev/da0 seek=8, and then the same SD card, with the filesystem and data from the Pinebook, will boot on the Pine64 board. Of course, to move the SD card back again, I need to restore the Pinebook u-boot blocks.
Here’s a picture of my Pineboard (the base is a piece of the garden fence, it’s Douglas pine, with 4mm threaded rods acting as the corner posts for my Pine64 mini-rack), with power and network and a serial console attached, along with the serial console output of the same.
The nice thing here is that the same software stack runs on the Pine64 but then has a wired network — which in turn means that if I switch on the other boards in that mini-rack, I’ve got a distcc-capable cluster for fast development, and vast NFS storage (served from ZFS on my FreeBSD machines) for source. I can develop in a high(er) powered environment, and then swap the card around into the Pinebook for testing-on-the-go.
So to sum up: you can multiboot the KDE neon Pinebook image on other Pine64 hardware (i.e. the Pine64 board). To do so, you need to swap around u-boot blocks. The blocks can be picked out of an image built for each board, and then a particular image (e.g. the latest KDE neon Pinebook) can be run on either board.

##Beastie Bits

• Unexpected benefit with Ryzen – reducing power for build server
• Happy #CIDRDay!
• Absolute FreeBSD 3e ship date
• MWL FreeBSD talk @ October 9th 2018 – MUG Meeting
• MeetBSD Oct 19-20
• October’s London *BSD meetup – 9th Oct 2018
• NRW BUG Meeting at Trivago Oct. 9
• Lars Wittebrood blogs about his visit to EuroBSDCon 2018
• EuroBSDcon 2018 OpenBSD slides available
• EuroBSDCon conference site has most slides as well

##Feedback/Questions

• Brad – Unmounted ZFS sends
• Niclas – Report from a Meetup
• Ghislain – Bhyve not used?
• Shane – zpool history and snapshots

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post File Type History | BSD Now 266 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

New password guidelines say everything we thought about passwords is wrong

• No more periodic password changes

• No more imposed password complexity

• Mandatory validation of newly created passwords against a list of commonly-used, expected, or compromised passwords.

• We recommend you use a password manager, use a different password on every login

• Rainbow tables used to convert hashes to passwords

Enterprise hard disks are faster and use more power, but are they more reliable?

• The enterprise disks also use more power: 9W idle and 10W operational, compared to 7.2W idle and 9W operational for comparable consumer disks.

• If you have one or two spindles, that’s no big deal, but each Backblaze rack has 20 “storage pods” with 60 disks each. An extra 2.2kW for an idle rack is nothing to sniff at.

• Other HGST models are also continuing to show impressive longevity, with three 4TB models and one 3TB model both boasting a sub-1 percent annualized failure rate.

Don’t trust OAuth: Why the “Google Docs” worm was so convincing

• Access to all your mail

• access to any of your google hangout chats

• access to all your contacts

• makes a good case for encryption/decryption at the client

• OAuth

Feedback

• Intel AMT bug

• bhyve VGA pass-through see also mailing list post

• Amazing, and keep it up!

• Borg Backup see Borg Documentation

  • Borg demonstration

• inexpensive, managed switches

Round Up:

• Why Security Backdoors are Bad (Common Sense Version)

• How to remote hijack computers using Intel’s insecure chips: Just use an empty login string

• Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

• NASA wants YOU (to make its Fortran code run faster)

The post All Drives Die | TechSNAP 318 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

SQUIRRELMAIL REMOTE CODE EXECUTION VULNERABILITY

• improperly santized parameters

• Invoking sendmail binary from with PHP

• Dawid Golunski disclosed the vulnerability

• FreeBSD version is newer than articles states is latest release

Anonymous domain purchases

• Anonymity has long been practiced for activism. Many famous authors have published under a pseudonym.

• Domain name is from Laos, but company is based in St Kitts.

• What are the risks with trusting this group?

Net Neutrality Alive and Well in Canada: CRTC Crafts Full Code With Zero Rating Decision

• Very strong decision and very postive for Canadian consumers.

Feedback

• Advice on a virtualization server

• Short oveview of DNS – phone book analogy

Round Up:

• reverse engineer of the Apple File System

• How Swat.io migrated from MySQL to PostgreSQL in 2 yearsPosted

• And this is why you secure ssh on web facing servers…

• Dan’s switch replacement turned into a rewire

• Used this for WIFI until things worked

• Nearly done

• Cable Comb

• The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

The post PHP Steals Your Nuts | TechSNAP 316 first appeared on Jupiter Broadcasting.

It’s already our two-year anniversary! This time on the show, we’ll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year’s vBSDCon. What’s it have to offer in that’s different in the BSD conference space? We’ll find out!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD hypervisor coming soon

• Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
• From what little he revealed at the time, it appeared to be a new hypervisor (that is, X86 hardware virtualization) running on OpenBSD -current, tentatively titled “vmm”
• Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
• Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
• One thing to note: this isn’t just a port of something like Xen or Bhyve; it’s all-new code, and Mike explains why he chose to go that route
• He also answered some basic questions about the requirements, when it’ll be available, what OSes it can run, what’s left to do, how to get involved and so on

Why FreeBSD should not adopt launchd

• Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
• One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we’ve learned)
• In this article, the author talks about why he thinks this is a bad idea
• He doesn’t oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself – this is also explained in more detail
• The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
• Reddit had quite a bit to say about this one, some in agreement and some not

DragonFly graphics improvements

• The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
• This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
• You should also see some power management improvements, longer battery life and various other bug fixes
• If you’re running DragonFly, especially on a laptop, you’ll want to get this stuff on your machine quick – big improvements all around

OpenBSD tames the userland

• Last week we mentioned OpenBSD’s tame framework getting support for file whitelists, and said that the userland integration was next – well, now here we are
• Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
• It’s still a work-in-progress version; there’s still more to be added (including the file path whitelist stuff)
• Some classic utilities are even being reworked to make taming them easier – the “w” command, for example
• The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
• More discussion can be found on HN, as one might expect
• If you’re a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release

Interview – Scott Courtney – vbsdcon@verisign.com / @verisign

vBSDCon 2015

News Roundup

OPNsense, beyond the fork

• We first heard about OPNsense back in January, and they’ve since released nearly 40 versions, spanning over 5,000 commits
• This is their first big status update, covering some of the things that’ve happened since the project was born
• There’s been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more – the report touches on a little of everything

LibreSSL nukes SSLv3

• With their latest release, LibreSSL began to turn off SSLv3 support, starting with the “openssl” command
• At the time, SSLv3 wasn’t disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
• They’ve now flipped the switch, and the process of complete removal has started
• From the Undeadly summary, “This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!”
• With this change and a few more to follow shortly, LibreSSL won’t actually support SSL anymore – time to rename it “LibreTLS”

FreeBSD MPTCP updated

• For anyone unaware, Multipath TCP is “an ongoing effort of the Internet Engineering Task Force’s (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy.”
• There’s been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
• Including in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations and some info about the routing requirements
• Some big performance gains can be had with MPTCP, but only if both the client and server systems support it – getting it into the FreeBSD kernel would be a good start

UEFI and GPT in OpenBSD

• There hasn’t been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
• Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
• This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
• Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should “just work” with GPT (once everything’s in)
• The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made

Feedback/Questions

• John writes in
• Mason writes in
• Earl writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• BSD Now anniversary shirts are no longer available, and should be shipping out very soon (if they haven’t already) – big thanks to everyone who bought one (183 sold!)
• This week is the last episode written/organized by TJ

The post Virginia BSD Assembly | BSD Now 105 first appeared on Jupiter Broadcasting.

This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

• If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
• It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
• This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
• In part two of the series, he talks about the GPIO and how you can configure it
• Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

• In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
• “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
• Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
• This guide also covers PPP and IPv6, in case you have those requirements
• In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
• He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

• The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
• They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
• Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
• They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
• And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

• The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
• SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
• The syntax for permitting root logins has been changed, and is now called “prohibit-password” instead of “without-password” (this makes it so root can login, but only with keys) – all interactive authentication methods for root are also disabled by default now
• If you’re using an older configuration file, the “without-password” option still works, so no change is required
• You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
• Various bug fixes and documentation improvements are also included
• Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
• In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

• A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
• Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
• He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
• Renato Westphal sent in a report of his very first hackathon
• He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
• Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
• His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
• There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

• As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
• This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
• Unlike with iocage, ZFS isn’t actually a requirement for this method
• If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

• We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
• This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
• It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
• Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

• The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
• At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
• SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
• Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
• It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions

• James writes in
• Stuart writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
• Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.

This week on the show, we’ll be chatting with Marc Espie. He’s recently added some additional security measures to dpb, OpenBSD’s package building tool, and we’ll find out why they’re so important. We’ve also got all this week’s news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2015 videos

• BSDCan just ended last week, but some of the BSD-related presentation videos are already online
• Allan Jude, UCL for FreeBSD
• Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
• Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
• Brooks Davis, CheriBSD: A research fork of FreeBSD
• Giuseppe Lettieri, Even faster VM networking with virtual passthrough
• Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
• Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
• Peter Hessler, Using routing domains / routing tables in a production network
• Ryan Lortie, a stitch in time: jhbuild
• Ted Unangst, signify: Securing OpenBSD From Us To You
• Many more still to come…

Documenting my BSD experience

• Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it’s finally time to give BSD a try
• “That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in.”
• In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
• The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you’re into that)
• You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
• He’s also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
• His second post explores replacing the firewall on his self-described “over complicated home network” with an OpenBSD box
• After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
• All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
• Getting to hear experiences like this are very important – they show areas where all the BSD developers’ hard work has paid off, but can also let us know where we need to improve

PC-BSD starts experimental HardenedBSD builds

• The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
• They’re not the first major FreeBSD-based project to offer an alternate build – OPNsense did that a few weeks ago – but this might open the door for more projects to give it a try as well
• With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won’t have
• Time will tell if more projects and products like FreeNAS might be interested too

C-states in OpenBSD

• People who run BSD on their notebooks, you’ll want to pay attention to this one
• OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
• According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
• If you’re running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings

NetBSD at Open Source Conference 2015 Hokkaido

• The Japanese NetBSD users group never sleeps, and they’ve hit yet another open source conference
• As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
• We’ll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD’s dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

• We’ve talked about FreeBSD’s “bhyve” hypervisor a lot on the show, and now it’s been ported to another OS
• As the name “xhyve” might imply, it’s a port of bhyve to Mac OS X
• Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
• It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
• There are also a few examples on how to use it

4K displays on DragonFlyBSD

• If you’ve been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you’ll be pleased to know that 4K displays work just fine
• Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
• Some GUI applications might look weird on such a huge resolution,
• HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience

Sandboxing port daemons on OpenBSD

• We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD’s base as chrooted by default – things from ports or packages don’t always get the same treatment
• This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn’t chroot by default
• It goes through the process of manually building a sandbox with all the libraries you’ll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
• With a few small changes, similar tricks could be done on the other BSDs as well – everybody has chroots

SmallWall 1.8.2 released

• SmallWall is a relatively new BSD-based project that we’ve never covered before
• It’s an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
• They’ve just released the first official version, so you can give it a try now
• If you’re interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks…

Feedback/Questions

• David writes in
• Brian writes in
• Dan writes in
• Joel writes in
• Steve writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Builder's Insurance | BSD Now 94 first appeared on Jupiter Broadcasting.

Coming up this time on the show, we’ll be speaking with Christos Zoulas, a NetBSD security officer. He’s got a new project called blacklistd, with some interesting possibilities for stopping bruteforce attacks. We’ve also got answers to your emails and all this week’s news, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

New PAE support in OpenBSD

• OpenBSD has just added Physical Address Extention support to the i386 architecture, but it’s probably not what you’d think of when you hear the term
• In most operating systems, PAE’s main advantage is to partially circumvent the 4GB memory limit on 32 bit platforms – this version isn’t for that
• Instead, this change specifically allows the system to use the No-eXecute Bit of the processor for the userland, further hardening the in-place memory protections
• Other operating systems enable the CPU feature without doing anything to the page table entries, so they do get the available memory expansion, but don’t get the potential security benefit
• As we discussed in a previous episode, the AMD64 platform already saw some major W^X kernel and userland improvements – the i386 kernel reworking will begin shortly
• Not all CPUs support this feature, but, if yours supports NX, this will improve upon the previous version of W^X that was already there
• The AMD64 improvements will be in 5.7, due out in just a couple days as of when we’re recording this, but the i386 improvements will likely be in 5.8

Booting Windows in bhyve

• Work on FreeBSD’s bhyve continues, and a big addition is on the way
• Thus far, bhyve has only been able to boot operating systems with a serial console – no VGA, no graphics, no Windows
• This is finally changing, and a teasing screenshot of Windows Server was recently posted on Twitter
• Graphics emulation is still in the works; this image was taken by booting headless and using RDP
• A lot of the needed code is being committed to -CURRENT now, but the UEFI portion of it requires a bit more development (and the aim for that is around the time of BSDCan)
• Not a lot of details on the matter currently, but we’ll be sure to bring you more info as it comes out
• Are you more interested in bhyve or Xen on FreeBSD? Email us your thoughts

MidnightBSD 0.6 released

• MidnightBSD is a smaller project we’ve not covered a lot on the show before
• It’s an operating system that was forked from FreeBSD back in the 6.1 days, and their focus seems to be on ease-of-use
• They also have their own, smaller version of FreeBSD ports, called “mports”
• If you’re already using it, this new version is mainly a security and bugfix release
• It syncs up with the most recent FreeBSD security patches and gets a lot of their ports closer to the latest versions
• You can check their site for more information about the project
• We’re trying to get the lead developer to come on for an interview, but haven’t heard anything back yet

OpenBSD rewrites the file utility

• We’re all probably familiar with the traditional file command – it’s been around since the 1970s
• For anyone who doesn’t know, it’s used to determine what type of file something actually is
• This tool doesn’t see a lot of development these days, and it’s had its share of security issues as well
• Some of those security issues remain unfixed in various BSDs even today, despite being publicly known for a while
• It’s not uncommon for people to run file on random things they download from the internet, maybe even as root, and some of the previous bugs have allowed file to overwrite other files or execute code as the user running it
• When you think about it, file was technically designed to be used on untrusted files
• OpenBSD developer Nicholas Marriott, who also happens to be the author of tmux, decided it was time to do a complete rewrite – this time with modern coding practices and the usual OpenBSD scrutiny
• This new version will, by default, run as an unprivileged user with no shell, and in a systrace sandbox, strictly limiting what system calls can be made
• With these two things combined, it should drastically reduce the damage a malicious file could potentially do
• Ian Darwin, the original author of the utility, saw the commit and replied, in what may be a moment in BSD history to remember
• It’ll be interesting to see if the other BSDs, OS X, Linux or other UNIXes consider adopting this implementation in the future – someone’s already thrown together an unofficial portable version
• Coincidentally, the lead developer and current maintainer of file just happens to be our guest today…

Interview – Christos Zoulas – christos@netbsd.org

blacklistd and NetBSD advocacy

News Roundup

GSoC-accepted BSD projects

• The Google Summer of Code people have published a list of all the projects that got accepted this year, and both FreeBSD and OpenBSD are on that list
• FreeBSD’s list includes: NE2000 device model in userspace for bhyve, updating Ficl in the bootloader, type-aware kernel virtual memory access for utilities, JIT compilation for firewalls, test cluster automation, Linux packages for pkgng, an mtree parsing and manipulation library, porting bhyve to ARM-based platforms, CD-ROM emulation in CTL, libc security extensions, gptzfsboot support for dynamically discovering BEs during startup, CubieBoard support, a bhyve version of the netmap virtual passthrough for VMs, PXE support for FreeBSD guests in bhyve and finally.. memory compression and deduplication
• OpenBSD’s list includes: asynchronous USB transfer submission from userland, ARM SD/MMC & controller driver in libsa, improving USB userland tools and ioctl, automating module porting, implementing a KMS driver to the kernel and, wait for it… porting HAMMER FS to OpenBSD
• We’ll be sure to keep you up to date on developments from both projects
• Hopefully the other BSDs will make the cut too next year

FreeBSD on the Gumstix Duovero

• If you’re not familiar with the Gumstix Duovero, it’s an dual core ARM-based computer-on-module
• They actually look more like a stick of RAM than a mini-computer
• This article shows you how to build a FreeBSD -CURRENT image to run on them, using crochet-freebsd
• If anyone has any interesting devices like this that they use BSD on, write up something about it and send it to us

EU study recommends OpenBSD

• A recent study by the European Parliament was published, explaining that more funding should go into critical open source projects and tools
• This is especially important, in all countries, after the mass surveillance documents came out
• “[…] the use of open source computer operating systems and applications reduces the risk of privacy intrusion by mass surveillance. Open source software is not error free, or less prone to errors than proprietary software, the experts write. But proprietary software does not allow constant inspection and scrutiny by a large community of experts.”
• The report goes on to mention users becoming more and more security and privacy-aware, installing additional software to help protect themselves and their traffic from being spied on
• Alongside Qubes, a Linux distro focused on containment and isolation, OpenBSD got a special mention: “Proactive security and cryptography are two of the features highlighted in the product together with portability, standardisation and correctness. Its built-in cryptography and packet filter make OpenBSD suitable for use in the security industry, for example on firewalls, intrusion-detection systems and VPN gateways”
• Reddit, Undeadly and Hacker News also had some discussion, particularly about corporations giving back to the BSDs that they make use of in their infrastructure – something we’ve discussed with Voxer and M:Tier before

FreeBSD workflow with Git

• If you’re interested in contributing to FreeBSD, but aren’t a big fan of SVN, they have a Github mirror too
• This mailing list post talks about interacting between the official source repository and the Git mirror
• This makes it easy to get pull requests merged into the official tree, and encourages more developers to get involved

Feedback/Questions

• Sean writes in
• Bryan writes in
• Sean writes in
• Charles writes in

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – don’t be shy, we’re here to help with any questions you have
• We’re always looking for interviews, so feel free to suggest someone you’d like for us to talk to (or volunteer yourself if you’re doing something cool)

The post On the List | BSD Now 87 first appeared on Jupiter Broadcasting.

This week on the show we’ll be chatting with David Maxwell, a former NetBSD security officer. He’s got an interesting project called Pipecut that takes a whole new approach to the commandline. We’ve also got answers to viewer-submitted questions and all this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD quarterly status report

• The FreeBSD team has posted an updated on some of their activities between October and December of 2014
• They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
• As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
• The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
• FreeBSD’s forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
• Git was promoted from beta to an officially-supported version control system (Kris is happy)
• The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
• Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more “cloud” services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
• Check out the full report for all the details that we didn’t cover

OpenBSD package signature audit

• “Linux Audit” is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
• They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
• The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
• Package signature formats and public key distribution methods are also touched on
• After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
• If you haven’t seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this

Replacing a Linux router with BSD

• There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
• The poster begins with “I’m in the camp that doesn’t trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I’d run Windows NT, not Linux. So I’ve decided to migrate my homebrew router/firewall/samba server to one of the BSDs.”
• A lot of people were quick to recommend OPNsense and pfSense, being that they’re very easy to administer (requiring basically no BSD knowledge at all)
• Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
• If you’ve been thinking about moving some routers over from Linux or other commercial solution, this might be a good discussion to read through
• Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you’ll have to wade through some of that to get to the good information

LibreSSL in FreeBSD and OPNsense

• A FreeBSD sysadmin has started documenting his experience replacing OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
• The reasoning being that updates in base tend to lag behind, whereas the port can be updated for security very quickly
• OPNsense developers are looking into switching away from OpenSSL to LibreSSL’s portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
• Some ports still need fixing to be compatible though, particularly a few python-related ones
• If you’re a FreeBSD ports person, get involved and help squash some of the last remaining bugs
• A lot of the work has already been done in OpenBSD’s ports tree – some patches just need to be adopted
• More and more upstream projects are incorporating LibreSSL patches in their code – let your favorite software vendor know that you’re using it

Interview – David Maxwell – david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry

News Roundup

Jetpack, a new jail container system

• A new project was launched to adapt FreeBSD jails to the “app container specification”
• While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with docker
• It’s a similar project to iocage or bsdploy, which we haven’t talked a whole lot about
• There was also some discussion about it on Hacker News

Separating base and package binaries

• All of the main BSDs make a strong separation between the base system and third party software
• This is in contrast to Linux where there’s no real concept of a “base system” – more recently, some distros have even merged all the binaries into a single directory
• A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
• Read the comments for the full explanation, but having things separated really helps keep things organized

Updated i915kms driver for FreeBSD

• This update brings the FreeBSD code closer inline with the Linux code, to make it easier to update going forward
• This update does not introduce Haswell support just yet, but was required before the Haswell bits can be added

Year of the OpenBSD desktop

• Here we have an article about using OpenBSD as a daily driver for regular desktop usage
• The author says he “ran fifty thousand different distributions, never being satisfied”
• After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
• He also used FreeBSD between versions 7 and 9, finding a “a mostly harmonious environment,” but regressions lead him to give up on desktop *nix once again
• Starting with 2015, he’s back and is using OpenBSD on a Thinkpad x201
• The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
• He apparently used our desktop tutorial – thanks for watching!

Unattended FreeBSD installation

• A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
• His goal was to have a setup similar to Redhat’s “kickstart” or OpenBSD’s autoinstall
• The article shows you how to set up DHCP and TFTP, with no NFS share setup required
• He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you

Feedback/Questions

• Robert writes in
• Sean writes in
• l33tname writes in
• Charlie writes in
• Eric writes in

Mailing List Gold

• Clowning around
• Better than succeeding in this case
• Kris was having trouble with disk labels, googled for the answer, found it

• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We’re thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It’s meant to be informative like a tutorial, but more of a “free discussion” format. If you have any subjects you want us to explore, or even just a good name for it, send in an email. We may incorporate guests too, so if you’d like to join us for something like that, let us know.
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Pipe Dreams | BSD Now 73 first appeared on Jupiter Broadcasting.

This week on the show we’re joined by Olivier Cochard-Labbé, the creator of both FreeNAS and the BSD Router Project! We’ll be discussing what the BSD Router Project is, what it’s for and where it’s going. All this week’s headlines and answers to viewer-submitted questions, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSD Devroom CFP

• This year’s FOSDEM conference (Belgium, Jan 31st – Feb 1st) is having a dedicated BSD devroom
• They’ve issued a call for papers on anything BSD-related, and we always love more presentations
• If you’re in the Belgium area or plan on going, submit a talk about something cool you’re doing
• There’s also a mailing list and some more information in the original post

Bhyve SVM code merge

• The bhyve_svm code has been in the “projects” tree of FreeBSD, but is now ready for -CURRENT
• This changeset will finally allow bhyve to run on AMD CPUs, where it was previously limited to Intel only
• All the supported operating systems and utilities should work on both now
• One thing to note: bhyve doesn’t support PCI passthrough on AMD just yet
• There may still be some issues though

NetBSD at Open Source Conference Tokyo

• The Japanese NetBSD users group held a booth at another recent open source conference
• As always, they were running NetBSD on everything you can imagine
• One of the users reports back to the mailing list on their experience, providing lots of pictures and links
• Here’s an interesting screenshot of NetBSD running various other BSDs in Xen

More BSD switchers every day

• A decade-long Linux user is considering making the switch, and asks Reddit about the BSD community
• Tired of the pointless bickering he sees in his current community, he asks if the same problems exist over here and what he should expect
• So far, he’s found that BSD people seem to act more level-headed about things, and are much more practical, whereas some FSF/GNU/GPL people make open source a religion
• There’s also another semi-related thread about another Linux user wanting to switch to BSD because of systemd and GNU people
• There are some extremely well written and thought-out comments in the replies (in both threads), be sure to give them all a read
• Maybe the OPs should’ve just watched this show

Interview – Olivier Cochard-Labbé – olivier@cochard.me / @ocochardlabbe

The BSD Router Project

News Roundup

FreeBSD -CURRENT on a T420

• Thinkpads are quite popular with BSD developers and users
• Most of the hardware seems to be supported across the BSDs (especially wifi)
• This article walks through installing FreeBSD -CURRENT on a Thinkpad T420 with UEFI
• If you’ve got a Thinkpad, or especially this specific one, have a look at some of the steps involved
• PR/194359 tracks this issue
• Includes a URL to modified snapshots with a patch for the Auto (ZFS) mode in the installer to solve the GPT on some Lenovos issue

FreeNAS on a Supermicro 5018A-MHN4

• More and more people are migrating their NAS devices to BSD-based solutions
• In this post, the author goes through setting up FreeNAS on some of his new hardware
• His new rack-mounted FreeNAS machine has a low power Atom with eight cores and 64GB of RAM – quite a lot for its small form factor
• The rest of the post details all of the hardware he chose and goes through the build process (with lots of cool pictures)

Hardening procfs and linprocfs

• There was an exploit published recently for SFTP in OpenSSH, but it mostly just affected Linux
• There exists a native procfs in FreeBSD, which was the target point of that exploit, but it’s not used very often
• The Linux emulation layer also supports its own linprocfs, which was affected as well
• The HardenedBSD guys weigh in on how to best solve the problem, and now support an additional protection layer from writing to memory with procfs
• If you want to learn more about ASLR and HardenedBSD, be sure to check out our interview with Shawn too

pfSense monitoring with bandwidthd

• A lot of people run pfSense on their home network, and it’s really useful to monitor the bandwidth usage
• This article will walk you through setting up bandwidthd to do exactly that
• bandwidthd monitors based on the IP address, rather than per-interface
• It can also build some cool HTML graphs, and we love those pfSense graphs
• Have a look at our bandwidth monitoring and testing tutorial for some more ideas

Feedback/Questions

• Dave writes in
• Chris writes in
• Zeke writes in
• Bostjan writes in
• Patrick writes in

Mailing List Gold

• More old bugs
• The Right Font (see also)

• All the tutorials are posted in their entirety at bsdnow.tv
• Send your BSD-related questions, comments, show ideas or stories you want mentioned on the show to feedback@bsdnow.tv – don’t hesitate to ask us if you need help with something
• OpenBSD is now 19 years old as of a few days ago, and also just passed the 300,000 commit mark – happy late birthday and congrats
• PCBSD will be at the Ohio Linuxfest (Columbus, Ohio on October 24–26) this year, so stop by and say hi if you’re there
• If you’re in or around New York’s Capital District, our friend bcallah is giving a talk about OpenBSD on October 24th at the Rensselaer Polytechnic Institute
• The FreeBSD graphics team has a new blog with some interesting content if you’re interested in that
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Don't Buy a Router | BSD Now 60 first appeared on Jupiter Broadcasting.

Pre-crime is here, with technology that lets you predicting a hack before it happens. We’ll tell you how. Google’s project zero goes to war, we get real about virtualization.

And then its a great batch of your questions, our answers & much more!

Thanks to:

Become a supporter on Patreon:

— Show Notes: —

Predicting which sites will get hacked, before it happens

• Researchers from Carnegie Mellon University have developed a tool that can help predict if a website is likely to become compromised or malicious in the future
• Using the Archive.org “Wayback Machine” they looked at websites before they were hacked, and tried to identify trends and other information that may be predictors
• “The classifier correctly predicted 66 percent of future hacks in a one-year period with a false positive rate of 17 percent”
• “The classifier is focused on Web server malware or, put more simply, the hacking and hijacking of a website that is then used to attack all its visitors”
• The tool looks at the server software, outdated versions of Apache and PHP can be good indicators of future vulnerabilities
• It also looks at how the website is laid out, how often it is updated, what applications it runs (outdated wordpress is a good hacking target)
• It also compares the sites to sites that have been compromised. If a site is very like another, and that other was compromised, there is an increased probability that the first site will also be compromised
• The classifier looks at many other factors as well: “For instance, if a certain website suddenly sees a change in popularity, it could mean that it became used as part of a [malicious] redirection campaign,”
• The most common marker for a hackable website: The presence of the ‘generator’ meta tag with a value of ‘Wordpress 3.2.1’ or ‘Wordpress 3.3.1’
• Research PDF from USENIX
• There are tools like those from Norse, that analyze network traffic and attempt to detect new 0-day exploits before they are known

Google’s Project Zero exploits the unexploitable bug

• Well over a month ago Google’s Project Zero reported a bug in glibc, however there was much skepticism about the exploitability of the bug, so it was not fixed
• However, this week the Google researchers were able to create a working exploit for the bug, including an ASLR bypass for 32bit OSs
• The blog post details the process the Project Zero team went through to develop the exploit and gain root privileges
• The blog post also details an interesting (accidental) mitigation found in Ubuntu, they caused the researchers to target Fedora to more easily develop the exploit
• The blog also discusses a workaround for other issues they ran into. Once they had exploited the set-uid binary, they found that running: system(“/bin/bash”) started the shell with their original privileges, rather than as root. Instead, they called chroot() on a directory they had setup to contain their own /bin/sh that calls setuid(0) and then executes a real shell as the system root user.
• The path they used to get a root shell relies on a memory leak in the setuid binary pkexec, which they recommend be fixed as well as the original glibc bug
• “The ability to lower ASLR strength by running setuid binaries with carefully chosen ulimits is unwanted behavior. Ideally, setuid programs would not be subject to attacker-chosen ulimit values”
• “The exploit would have been complicated significantly if the malloc main linked listed hardening was also applied to the secondary linked list for large chunks”
• The glibc bug has since been fixed

Secret Service warns over 1000 businesses hit by Backoff Point-of-Sales terminal malware

• The Secret Service and DHS have released an advisory warning businesses about the POS (Point-of-Sales terminal) malware that has been going around for a while
• Advisory
• “The Department of Homeland Security (DHS) encourages organizations, regardless of size, to proactively check for possible Point of Sale (PoS) malware infections. One particular family of malware, which was detected in October 2013 and was not recognized by antivirus software solutions until August 2014, has likely infected many victims who are unaware that they have been compromised”
• “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected“
• “Backoff has experts concerned because it’s effective in swiping customer credit card data from businesses using a variety of exfiltration tools, including memory, or RAM scraping, techniques, keyloggers and injections into running processes”
• “A report from US-CERT said attackers use Backoff to steal payment card information once they’ve breached a remote desktop or administration application, especially ones that are using weak or default credentials”
• “Backoff is then installed on a point-of-sale device and injects code into the explorer.exe process that scrapes memory from running processes in order to steal credit card numbers before they’re encrypted on the device and sent to a payment processor. “
• “Keylogging functionality is also present in most recent variants of ‘Backoff’. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware,”
• US-CERT Advisory
• Krebs reports that Dairy Queen may also be a victim of this attack
• “Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters”

Feedback:

• HVAC remote access protection fear.

• Deconstruct malware?

• Virtualisation

• Metric for success of an attack campaign

Round Up:

• Chromecast software vulnerability paves way for another root exploit
• Netflix releases two of their internal threat monitoring tools, used to detect origanization of attacks against their networks
• FBI, Secret Service investigate reports of cyber attacks on U.S. banks
• Seagate ships worlds first 8TB hard drive, with “Enhanced Rotational Vibration (RV) tolerance for reliable performance in multi-drive environments”, allowing more drives to stuffed in a single chassis
• Feds warn first responders of dangerous hacking tool: Google Search
• UK Ministry of Justice fined 180,000 GBP for not encrypting data. Data was being backed up to an external hard drive that was then lost, potentially exposing data on almost 3000 prisoners. The external drive supported some type of ‘encryption’, but it was not enabled
• 300 oil companies hacked in Norway
• Google, Facebook, and others did not read the Apple Documentation. In iOS, clicking a tel:// link in Safari prompts the user to confirm they want to place the call. However in native apps, it is left up to the app to check for permission, to allow apps to initiate calls at the users request, without the user having to confirm it a 2nd time. Apple’s docs state that the app should confirm that the user wants to place the call, but they do not. Using javascript or server-side redirects, a malicious attacker can have your phone place calls without your permission when you click a link in a Facebook, Gmail or G+ message on iOS.
• CouchSurfing email system compromised, many users sent AirBnB prank message
• Browsers will be removing 1024 bit CA certificates from the trust chain in the latest NSS, which will ship in FireFox 32, due for release September 2nd. Even though these certificates have not expired, they will no longer be trusted because of their low security
• Comcast training material leaked, shows how employees are directed to upsell customers during support calls
• Krebs: new razor think ATM insert skimmer goes inside the card slot, nearly impossible to spot. Most skimmers now use hidden cameras to capture your PIN number, rather than a pinpad overlay. Krebs recommends covering the keypad with your free hand while entering your pin number

The post Project Zero Goes To War | TechSNAP 177 first appeared on Jupiter Broadcasting.

Coming up this week on the show, we’ve got something special for you! We’ll be giving you an in-depth look at all of the graphical PC-BSD utilities. That’s right, BSD doesn’t have to be command line only anymore! There’s also the usual round of answers to your emails and all the latest headlines, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD foundation semi-annual newsletter

• The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
• “In fact after reading [the president’s] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!”
• It talks about the FreeBSD journal as being one of the most exciting things they’ve launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
• The full list of funded projects is included, also with details in the financial reports
• There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon
• A new application page for travel grants to EuroBSDCon is also up

OpenBSD on an Intel NUC

• A lot of people love small form factor PCs, and we love ones that can run BSD – so does the author of this write-up
• The Intel NUC is a small, almost Mac Mini-like device that’s pretty cheap and offers some nice specs
• “The NUC has integrated Intel graphics (Intel HD Graphics 5000) which as an OpenBSD user is exactly what I wanted” – fully supported
• The post goes into detail about PXE booting the installation and talks about his experiences

BAFUG presentation videos

• A couple of talks from BAFUG, the Bay Area FreeBSD Users Group, were uploaded to YouTube
• The first talk is by Craig Rodrigues about libvirt and bhyve integration
• libvirt is a c library for interacting with various Hypervisors and virtualization technology – bhyve support was recently added
• The second is by Adrian Chadd, titled “Upcoming RSS enhancements to the FreeBSD Network Stack”
• Adrian also wrote a blog post that accompanies the video
• We need more good quality BSD presentation videos!

TLS decompression

• A new blog post from our buddy Ted Unangst](https://www.bsdnow.tv/episodes/2014_02_05-time_signatures), this time about a feature he recently removed from LibreSSL
• The original commit message was just “decompress libressl” with no details – these are the missing details of that change
• It talks about the different network layers where compression is applied and how code has to be refactored for that
• “I might download a zip file (of png files!). The web server, if configured just wrong, can apply http compression to it. If it’s https, the TLS layer can compress it again. If I’m using an SSH tunnel, that can compress it. If it’s travelling over IPsec, it can get compressed again. It can get compressed again by IP compression. How many layers of compression do we really need?”

Special segment

The PC-BSD Tour

News Roundup

Introducing pkgfs

• A new tool, pkgfs, was committed to FreeBSD -CURRENT
• It’s described as “a file system implementation for reading files out of a compressed tarball”
• Users will now be able to view pkgng packages (or any compressed tarball) just like NFS, SMB, SSHFS, etc

BSDMag’s July 2014 issue is out

• Continuing their monthly release cycle, BSD Magazine has another issue for us
• Topics include using Wireshark in a SAN environment, more GIMP image manipulation tutorials, an interview with Brett Davis about TrueNAS, an article about pkgng in DragonFlyBSD and a few other things
• The PDF is free to download, as always

A new OpenSMTPD interview

• Way back in episode three, we talked to Gilles and Eric from the OpenBSD team about OpenSMTPD
• One of the developers gave a text-only interview with a Russian website about some recent activity
• It talks about their development process, testing the code on various platforms and architectures, stress testing via the “Twitter flash mob” and a few other things

FreeBSD as a syslog server

• If you have a large number of servers, examining their logs individually is a pain
• Fortunately, you can configure them to send their logs to a dedicated system to receive them
• This blog post goes through the process of setting up the “client” systems as well as the “server” system to get all your logs in one place

Feedback/Questions

• Andre writes in
• Vincent writes in
• Callum writes in
• Stephen writes in
• John writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• An important notice: OpenBSD is moving to a new distributor in September, so between now and then is your last chance to buy any of the current shirts, CDs, mugs, posters – grab them now while you still can!

The post The PC-BSD Tour | BSD Now 49 first appeared on Jupiter Broadcasting.

We chat with Warren Block to discuss BSD documentation efforts and future plans. If you\’ve ever wondered about the scary world of mailing lists, today\’s tutorial will show you the basics of how to get help and contribute back. There\’s lots to get to today, so sit back and enjoy some BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD on a Sun T5120

• Our buddy Ted Unangst got himself a cool Sun box
• Of course he had to write a post about installing and running OpenBSD on it
• The post goes through some of the quirks and steps to go through in case you\’re interested in one of these fine SPARC machines
• He\’s also got another post about OpenBSD on a Dell CS24-SC server

Bhyvecon 2014 videos are up

• Like we mentioned last week, Bhyvecon was an almost-impromptu conference before AsiaBSDCon
• The talks have apparently already been uploaded!
• Subjects include Bhyve\’s past, present and future, OSv on Bhyve, a general introduction to the tool, migrating those last few pesky Linux boxes to virtualization
• Lots more detail in the videos, so check \’em all out

Building a FreeBSD wireless access point

• We\’ve got a new blog post about creating a wireless access point with FreeBSD
• After all the recent news of consumer routers being pwned like candy, it\’s time for people to start building BSD routers
• The author goes through a lot of the process of getting one set up using good ol\’ FreeBSD
• Using hostapd, he\’s able to share his wireless card in hostap mode and offer DHCP to all the clients
• Plenty of config files and more messy details in the post

Switching from Synology to FreeNAS

• The author has been considering getting a NAS for quite a while and documents his research
• He was faced with the compromise of convenience vs. flexibility – prebuilt or DIY
• After seeing the potential security issues with proprietary NAS devices, and dealing with frustration with trying to get bugs fixed, he makes the right choice
• The post also goes into some detail about his setup, all the things he needed a NAS to do as well as all the advantages an open source solution would give
• Speaking of FreeNAS…

This episode was brought to you by

Interview – Warren Block – wblock@freebsd.org

FreeBSD\’s documentation project, igor, doceng

Tutorial

The world of BSD mailing lists

News Roundup

HAMMER2 work and notes

• Matthew Dillon has posted some updated notes about the development of the new HAMMER version
• The start of a cluster API was committed to the tree
• There are also links to design document, a freemap design document, that should be signed with a digital signing software from the
  sodapdf esign site

BSD Breaking Barriers

• Our friend MWL gave a talk at NYCBSDCon about BSD \”breaking barriers\”
• \”What makes the BSD operating systems special? Why should you deploy your applications on BSD? Why does the BSD community keep growing, and why do Linux sites like DistroWatch say that BSD is where the interesting development work is happening? We\’ll cover the not-so-obvious reasons why BSD still stands tall after almost 40 years.\”
• He also has another upcoming talk, (or \”webcast\”) called \”Beyond Security: Getting to Know OpenBSD\’s Real Purpose\”
• \”OpenBSD is frequently billed as a high-security operating system. That\’s true, but security isn\’t the OpenBSD Project\’s main goal. This webcast will introduce systems administrators to OpenBSD, explain the project\’s mission, and discuss the features and benefits.\”
• It\’s on May 27th and will hopefully be recorded

FreeBSD in a chroot

• Finch, \”FreeBSD running IN a CHroot,\” is a new project
• It\’s a way to extend the functionality of restricted USB-based FreeBSD systems (FreeNAS, etc.)
• All the details and some interesting use cases are on the github page
• He really needs to change the project name though

PCBSD weekly digest

• Lots of bugfixes for PCBSD coming down the tubes
• LZ4 compression is now enabled by default on the whole pool
• The latest 10-STABLE has been imported and builds are going
• Also the latest GNOME and Cinnamon builds have been imported and much more

Feedback/Questions

• Bostjan writes in (IRC suggests md5deep)
• Don writes in
• kaltheat writes in (We use R0DE Podcast microphones and Logitech C920 HD webcams)
• Harri writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• We wanted to give the Bay Area FreeBSD Users Group a special mention, if you\’re in the San Francisco Bay Area, there\’s a very healthy BSD community there and they regularly have meet-ups
• If you listened to the audio-only version of this week\’s episode, you\’re really missing out on Warren\’s fun animations in the interview!

The post Documentation is King | BSD Now 30 first appeared on Jupiter Broadcasting.

25k UNIX systems spread infections to over half a million Windows boxes, and the method of attack simply put, is brilliant we’ll share the details!

Google DNS gets hijacked we’ll explain how, and then a great big batch of your question, a rocking round up, and much much more!

On this week’s TechSNAP!

Thanks to:

— Show Notes: —

Allan’s Trip

• bhyvecon Tokyo – Slides and Videos

• AsiaBSDCon 2014

• iXsystems G+ Photo Album

• AsiaBSDCON 2014 Recap | iXsystems, Inc.

Operation Windigo

• The attack leverages previously compromised (how is unknown) servers, and using them to scan for other hosts to compromise, serve malware, infect sites hosted on the compromised servers with malware, and to send spam

• Victims have included cPanel and Kernel.org (the official Linux kernel archive)

• “The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH,”

• During an analysis of stolen credentials, the researchers found:

  • 66% of the stolen passwords contained only alpha numeric characters

  • 41% of the stolen credentials were for the root user

• Remote login as root should never be allowed. Disable root login over SSH and login as a regular user and use su or sudo. If you use sudo you should read Sudo Mastery and probably SSH Mastery too.

• The researchers also found 23 victims running Windows 98, and 1 running Windows 95

• “We found an official mirror of CentOS packages infected with Linux/Ebury. Fortunately, no package files were seemingly altered by the malicious operators. However knowing that Linux RPM packages are cryptographically signed such tampering is probably infeasible”

• However, amateur administrators have been conditioned to accept unknown GPG keys for CentOS repositories.

• When users visit an infected site, Windows users are given malware, Mac users are served ads for dating sites, and iPhone users are served ads for “strong pornography”, likely as these are each the most profitable way to exploit such users

• The operators maintain control on the infected servers by installing a backdoor in the OpenSSH instance. The backdoor provides them with a remote root shell even if local credentials are changed on the infected host

• The attackers used a number of techniques to remain stealthy:

  • Use Unix pipes as much as possible when deploying their backdoor to avoid landing files on the filesystem

  • Leave no trace in log files when using the backdoor

  • Change original signatures in the package manager for the modified file

  • Avoid exfiltrating information when a network interface is in promiscuous mode

  • Use POSIX shared memory segments with random system user owners to store stolen credentials

  • Inject code at runtime into three OpenSSH binaries instead of modifying the original OpenSSH files on disk

  • Change OpenSSH daemon configuration in memory instead of on disk

• Centralize their backdoor in a library instead of an executable (libkeyutils.so)

• Researcher PDF

Google Public DNS (8.8.8.8) suffers brief BGP hijack redirecting it to Venezuela

• At approximately 17:23 UTC on March 15th, a router on the British Telecom Latin America network (BT LATAM, AS 7908) in Venezuela began announcing 8.8.8.8/32

• A /32 prefix is unusual, most BGP routers will not propagate such short prefixes, only passing routes of /24 or larger. This resulted in the bad route not spreading as far, however because routing tables always take the ‘most specific’ match, it resulted in more of the traffic being rerouted than would have normally been the case

• This resulted in most all traffic in Venezuela and Brazil, among other networks, including a University Network in Florida, to be misdirected to a server in Venezuela

• The false BGP (Border Gateway Protocol) announcement was retracted 23 minutes later

• It is possible that this was an effort by the Venezuelan government to intercept traffic bound for the Google Public DNS service, and it was accidently leaked upstream, disrupting the internet outside of Venezuela

• Similar cases have happened in Pakistan and other countries attempting to block Youtube and other services

• The network that sent the request, Madory said, “leaked other internal routes earlier in the day. So I suppose someone was tinkering with the network over the weekend. We see routing goof-ups like this almost every day.”

• Additional Coverage

• There are BCPs and RFCs that cover ways to prevent this kind of hijacking, by only allowing ASs to announce prefixes they control, however there is a lot of administrative overhead, especially when an ISP announces routes for its customers

• There is another system, RPKI, that allows a network to specify which AS numbers are allowed to announce an IP block, as well as specifying the maximum prefix length, to prevent someone from announcing a more specific prefix (like in this case)

• However RPKI has not yet received wide adoption

• Providers ignore routing and DNS security

Feedback:

• Follow Up to HIPAA Question

• Better answer for David with wifi latency

• Soooo, I got one of those \”Your computer is infected\” scam calls a little bit ago.

• Single server, SSH multiple users over LAN and SFTP single user over internet

• Wifi Security Fix

• Sharing Resources Between 2 or more computers

• Unraid to Freenas

• SSH Config Exmaple

Round Up:

• In sudden announcement, US to give up control of DNS root zone

• Snowden gives TED talk — “Here\’s how we take back the Internet”

• File advertised as MtGox data archive is actually bitcoin stealing malware

• Why people get malware

• Google Hangouts, Gmail Chat And Google Spreadsheets Go Down

• Full disclosure mailing list shuts down after member requests some content be redacted

• NTP Amplification DDoS Attacks Increasing

• Weev (posted link to AT&T iPad activation database that was left publically accessible) is in jail because the government can’t understand what he did. \”He had download the entire iOS system on his computer, he had to decrypt it, he had to do all of these things I don\’t even understand,\” Assistant US Attorney Glenn Moramarco argued

• Tech Giants Knew About Prism All Along, the NSA\’s Top Lawyer Says

• Hashing MAC addresses does not really improve privacy. The limit address space means calculating the hash table of every possible MAC address only takes minutes

• New development model, Unreal Engine 4 with source code (on Github) will be available to everyone for $19/month and 5% of gross sales revenue

• Survey finds 16% of websites running old vulnerable versions of PHP. The vuln only applies to CGI type installations, which many of these may not be. Also, it is possible that some of these are redhat/centos installations which are patched but have frozen version numbers

The post Worst Server Practices | TechSNAP 154 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD automatic installation

• A CFT (call for testing) was posted for OpenBSD’s new automatic installer process
• Using this new system, you can spin up fully-configured OpenBSD installs very quickly
• Allows you to PXE boot the system and load the answer file via HTTP by each machines MAC address, with fallback to a default config file
• It will answer all the questions for you and can put files into place and start services
• Great for large deployments, help test it and report your findings

FreeNAS install guide and blog posts

• A multipart series on YouTube about installing FreeNAS
• In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
• In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
• He pronounces gigabytes as jiggabytes and it’s hilarious
• We’ve also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
• As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world

FreeBSD 10.0-RC5 is out

• Another, unexpected RC is out for 10.0
• Includes an ABI change, you must recompile/reinstall all ports/packages if you are upgrading from a previous 10.0-RC
• Minor fixes included, please help test and report any bugs
• You can update via freebsd-update or from source
• Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we’ll talk about
• It’s been tagged -RELEASE in SVN already too!

OpenBSD 5.5-beta is out

• Theo updated the branch status to 5.5-beta
• A list of changes is available
• Help test and report any bugs you find
• Lots of rapid development with signify (which we mentioned last week), the beta includes some “test keys”
• Does that mean it’ll be part of the final release? We’ll find out in May.. or when we interview Ted (soon)

This episode was brought to you by

iX doesn’t just make big servers for work, they also make little servers for home. The FreeNAS Mini is a compact little rig that will take up to 4 drives and makes a great home storage server.

Interview – Neel Natu & Peter Grehan – neel@freebsd.org & grehan@freebsd.org

BHyVe – the BSD hypervisor
+ Could you tell us a bit about yourselves and how you first got into BSD?
+ What’s your current roles in the FreeBSD project, and how did you get there?
+ What exactly is bhyve and how did the project get started?
+ What is the current status of bhyve? What guest OSes are supported?
+ What bugs remain when running different guest OSs?
+ How is support for AMD hardware virtualization progressing?
+ Is there any work on supporting older hardware that does not have EPT?
+ What will it take to be able to boot FreeBSD root-on-zfs inside bhyve?
+ Any progress on a ‘vfs hack’ to mount/passthru a file system (zfs dataset?) from the host to the guest, a la Jails?
+ How is the performance? How does the network performance compare to alternatives? How much benchmarking has been done?
+ What features have been added recently? (nmdm etc)
+ When is VGA support planned?
+ When might we see Windows (server) as a guest? What else would be required to make that happen?
+ What features are you planning for the future? How far do you plan to take bhyve (snapshots, live migration etc)

Tutorial

Virtualization with bhyve

News Roundup

Hostname canonicalisation in OpenSSH

• Blog post from our friend Damien Miller
• This new feature allows clients to canonicalize unqualified domain names
• SSH will know if you typed “ssh bsdnow” you meant “ssh bsdnow.tv” with new config options
• This will help clean up some ssh configs, especially if you have many hosts
• Should make it into OpenSSH 6.5, which is “due really soon”

Dragonfly on a Chromebook

• Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
• These couple of posts detail some of the things he’s got working so far
• Changes were needed to the boot process, trackpad and wifi drivers needed updating…
• Also includes a guide written by Dillon on how to get yours working

Spider in a box

• “Spiderinabox” is a new OpenBSD-based project
• Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
• Firefox runs encapsulated in OpenBSD and doesn’t have access to OS X in any way
• The developer is looking for testers on other operating systems!

PCBSD weekly digest

• PCBSD 10 has entered into the code freeze phase
• They’re focusing on fixing bugs now, rather than adding new features
• The update system got a lot of improvements
• PBI load times reduced by up to 40%! what!!!

Feedback/Questions

• Scott writes in: https://slexy.org/view/s25zbSPtcm
• Chris writes in: https://slexy.org/view/s2EarxbZz1
• SW writes in: https://slexy.org/view/s2MWKxtWxF
• Ole writes in: https://slexy.org/view/s20kzex2qm
• Gertjan writes in: https://slexy.org/view/s2858Ph4o0

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• Reminder: OpenBSD still really needs funding for electricity – if you know a company that can help, please contact Theo or the foundation
• Reminder: NYCBSDCon February 8th – The BSDs in Production
• Reminder: Our tutorial contest is going until the end of this month, check bsdnow.tv/contest for info and rules, win a cool BSD pillow!

The post Bhyve Mind | BSD Now 20 first appeared on Jupiter Broadcasting.

On this week\’s show, you\’ll be getting the full jail treatment. We\’ll show you how to create and deploy BSD jails, as well as chatting with Poul-Henning Kamp – the guy who actually invented them! There\’s lots of interesting news items to cover as well.

So stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD turns it up to 11

• The -CURRENT branch is now known as 11
• 10 has been branched to -STABLE
• 10-BETA1 ISOs are available now
• Will be the next -RELEASE, probably next year

Stopping the SSH bruteforce with OpenBSD and pf

• The Hail Mary Cloud is an SSH bruteforce botnet that takes a different approach
• While most botnets pound port 22 rapidly, THMB does it very slowly and passively
• This makes prevention based on rate limiting more involved and complex
• Nice long blog post about some potential solutions and what we\’ve learned

ZFS and GELI in bsdinstall coming soon

• The man with the beard strikes again, new patch allows for ZFS-on-root installs
• Supports GELI for disk encryption
• Might be the push we need to make Michael W Lucas update his FreeBSD book

AsiaBSDCon 2014 announced

• Will be held in Tokyo, 13-16 March, 2014
• The conference is for anyone developing, deploying and using systems based on FreeBSD, NetBSD, OpenBSD, DragonFlyBSD, Darwin and Mac OS X
• Call for papers can be found here

Interview – Poul-Henning Kamp – phk@freebsd.org / @bsdphk

FreeBSD beginnings, md5crypt, jails, varnish and his… telescope project?

Tutorial

Everything you need to know about Jails

• Last week we showed you how to run VNC in a jail, but people asked \”how do I make a jail in the first place?\”
• This time around, we\’ll show you how to do exactly that
• Jails are a dream come true for both security experts and clean freaks, keeping everything isolated
• We\’ll be using the ezjail utility and making a basic jail setup

News Roundup

New pf queue system

• Henning Brauer committed the new kernel-side bandwidth shaping subsystem
• Uses the HFSC algorithm behind the scenes
• ALTQ to be retired \”in a release or two\” – everyone should migrate soon

Dragonfly imports FreeBSD KMS driver

• Hot on the trails of OpenBSD and later FreeBSD, Dragonfly gets AMD KMS
• Ported over from the FreeBSD port

Weekly PCBSD feature digest

• Weekly status update every Friday
• Will be a \”highlight of what important features have been added, what major bugs have been fixed, and what is presently going on in general with the project.\”

Get paid to hack OpenSSH

• Google has announced they will pay up to $3113.70 for security patches to OpenSSH
• Patches can fix security or improve security
• If you come up with something, send it to the OpenSSH guys

Feedback/Questions

• Darren writes in: https://slexy.org/view/s24RmwvEvE
• Kjell-Aleksander writes in: https://slexy.org/view/s2wFcFk9Yz
• Ryan writes in: https://slexy.org/view/s23e920gNG
• Alexander writes in: https://slexy.org/view/s2usxPqO9k

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
• We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Go Directly to Jail(8) | BSD Now 7 first appeared on Jupiter Broadcasting.

Researchers find exploits for popular game engines, putting both clients and servers at risk, we’ll share the details.

Plus TerraCom epic privacy breach, a recap from BSDcan 2013, your questions our answers, and much much more!

On this week’s TechSNAP!

Thanks to:

GoDaddy.com Use our code tech249 to score .COM for $2.49! 32% off your ENTIRE first order just use our code go32off3 until the end of the month!

Support the Show: