firewall – Jupiter Broadcasting (https://www.jupiterbroadcasting.com), "Open Source Entertainment, on Demand." Feed generated Wed, 08 Sep 2021 02:35:50 +0000.

Episodes tagged "firewall":

  • The Fun Distro | LINUX Unplugged 422 (Tue, 07 Sep 2021 17:45:00 +0000). Show Notes: linuxunplugged.com/422. https://original.jupiterbroadcasting.net/146077/the-fun-distro-linux-unplugged-422/
  • Server Savior Squad | LINUX Unplugged 421 (Tue, 31 Aug 2021 15:30:00 +0000). Show Notes: linuxunplugged.com/421. https://original.jupiterbroadcasting.net/146027/server-savior-squad-linux-unplugged-421/
  • From The Factory Floor | LINUX Unplugged 376 (Tue, 20 Oct 2020 18:15:00 +0000). Show Notes: linuxunplugged.com/376. https://original.jupiterbroadcasting.net/143162/from-the-factory-floor-linux-unplugged-376/
  • Lenovo Loves Linux | LINUX Unplugged 351 (Tue, 28 Apr 2020 18:00:00 +0000). Show Notes: linuxunplugged.com/351. https://original.jupiterbroadcasting.net/141302/lenovo-loves-linux-linux-unplugged-351/
  • Where Do I Start? | Self-Hosted 17 (Thu, 23 Apr 2020 00:15:00 +0000). Show Notes: selfhosted.show/17. https://original.jupiterbroadcasting.net/141212/where-do-i-start-self-hosted-17/
  • Compromised Networking | Self-Hosted 16 (Thu, 09 Apr 2020 03:00:00 +0000). Show Notes: selfhosted.show/16. https://original.jupiterbroadcasting.net/140942/compromised-networking-self-hosted-16/
  • Archived Knowledge | BSD Now 336 (Thu, 06 Feb 2020 05:00:00 +0000). Show Notes/Links: https://www.bsdnow.tv/336. https://original.jupiterbroadcasting.net/139192/archived-knowledge-bsd-now-336/
  • Firewall Fun | TechSNAP 421 (Fri, 24 Jan 2020 00:15:00 +0000). Show Notes: techsnap.systems/421. https://original.jupiterbroadcasting.net/138857/firewall-fun-techsnap-421/
  • Self-Hosted: Fixing Brent’s WiFi | Jupiter Extras 45 (Fri, 10 Jan 2020 04:00:00 +0000). Show Notes: extras.show/45. https://original.jupiterbroadcasting.net/138397/self-hosted-fixing-brents-wifi-jupiter-extras-45/
  • Nebulous Networking | TechSNAP 419 (Fri, 27 Dec 2019 00:15:00 +0000). Show Notes: techsnap.systems/419. https://original.jupiterbroadcasting.net/138147/nebulous-networking-techsnap-419/
  • Keeping Systems Simple | TechSNAP 403 (Fri, 10 May 2019 21:00:15 +0000). Show Notes: techsnap.systems/403. https://original.jupiterbroadcasting.net/131156/keeping-systems-simple-techsnap-403/
  • Quality Tools | TechSNAP 397 (Fri, 15 Feb 2019 09:35:10 +0000). Show Notes: techsnap.systems/397. https://original.jupiterbroadcasting.net/129401/quality-tools-techsnap-397/
  • A Thoughtful Episode | BSD Now 273 (Wed, 21 Nov 2018 08:40:23 +0000). https://original.jupiterbroadcasting.net/128146/a-thoughtful-episode-bsd-now-273/

Show notes for BSD Now 273:

## Headlines
### Some thoughts on NetBSD 8.0

NetBSD is a highly portable operating system which can be run on dozens of different hardware architectures. The operating system’s clean and minimal design allows it to be run in all sorts of environments, ranging from embedded devices, to servers, to workstations. While the base operating system is minimal, NetBSD users have access to a large repository of binary packages and a ports tree which I will touch upon later.
I last tried NetBSD 7.0 about three years ago and decided it was time to test drive the operating system again. In the past three years NetBSD has introduced a few new features, many of them security enhancements. For example, NetBSD now supports write exclusive-or execute (W^X) protection and address space layout randomization (ASLR) to protect programs against common attacks. NetBSD 8.0 also includes USB3 support and the ability to work with ZFS storage volumes.

  • Early impressions

Since I had set up NetBSD with a Full install and enabled xdm during the setup process, the operating system booted to a graphical login screen. From here we can sign into our account. The login screen does not provide options to shut down or restart the computer. Logging into our account brings up the twm window manager and provides a virtual terminal, courtesy of xterm. There is a panel that provides a method for logging out of the window manager. The twm environment is sparse, fast and devoid of distractions.

  • Software management

NetBSD ships with a fairly standard collection of command line tools and manual pages, but otherwise it is a fairly minimal platform. If we want to run network services, have access to a web browser, or use a word processor we are going to need to install more software. There are two main approaches to installing new packages. The first, and easier approach, is to use the pkgin package manager. The pkgin utility works much the same way APT or DNF work in the Linux world, or as pkg works on FreeBSD. We can search for software by name, install or remove items. I found pkgin worked well, though its output can be terse. My only complaint with pkgin is that it does not handle “close enough” package names. For example, if I tried to run “pkgin install vlc” or “pkgin install firefox” I would quickly be told these items did not exist. But a more forgiving package manager will realize items like vlc2 or firefox45 are available and offer to install those.
The pkgin tool installs new programs in the /usr/pkg/bin directory. Depending on your configuration and shell, this location may not be in your user’s path, and it will be helpful to adjust your PATH variable accordingly.
The other common approach to acquiring new software is to use the pkgsrc framework. I have talked about using pkgsrc before and I will skip the details. Basically, we can download a collection of recipes for building popular open source software and run a command to download and install these items from their source code. Using pkgsrc basically gives us the same software as using pkgin would, but with some added flexibility on the options we use.
Once new software has been installed, it may need to be enabled and activated, particularly if it uses (or is) a background service. New items can be enabled in the /etc/rc.conf file and started or stopped using the service command. This works about the same as the service command on FreeBSD and most non-systemd Linux distributions.

  • Hardware

I found that, when logged into the twm environment, NetBSD used about 130MB of RAM. This included kernel memory and all active memory. A fresh, Full install used up 1.5GB of disk space. I generally found NetBSD ran well in both VirtualBox and on my desktop computer. The system was quick and stable. I did have trouble getting a higher screen resolution in both environments. NetBSD does not offer VirtualBox add-on modules. There are NetBSD patches for VirtualBox out there, but there is some manual work involved in getting them working. When running on my desktop computer I think the resolution issue was one of finding and dealing with the correct video driver. Screen resolution aside, NetBSD performed well and detected all my hardware.

  • Personal projects

Since NetBSD provides users with a small, core operating system without many utilities, if we want to use NetBSD for something we need to have a project in mind. I had four mini projects in mind I wanted to try this week: install a desktop environment, enable file sharing for computers on the local network, test multimedia (video, audio and YouTube capabilities), and set up a ZFS volume for storage.
I began with the desktop. Specifically, I followed the same tutorial I used three years ago to try to set up the Xfce desktop. While Xfce and its supporting services installed, I was unable to get a working desktop out of the experience. I could get the Xfce window manager working, but not the entire session. This tutorial worked beautifully with NetBSD 7.0, but not with version 8.0. Undeterred, I switched gears and installed Fluxbox instead. This gave me a slightly more powerful graphical environment than what I had before with twm while maintaining performance. Fluxbox ran without any problems, though its application menu was automatically populated with many programs which were not actually installed.
Next, I tried installing a few multimedia applications to play audio and video files. Here I ran into a couple of interesting problems. I found the music players I installed would play audio files, but the audio was quite slow. It always sounded like a cassette tape dragging. When I tried to play a video, the entire graphical session would crash, taking me back to the login screen. When I installed Firefox, I found I could play YouTube videos, and the video played smoothly, but again the audio was unusually slow.
I set up two methods of sharing files on the local network: OpenSSH and FTP. NetBSD basically gives us OpenSSH for free at install time and I added an FTP server through the pkgin package manager which worked beautifully with its default configuration.
I experimented with ZFS support a little, just enough to confirm I could create and access ZFS volumes. ZFS seems to work on NetBSD just as well, and with the same basic features, as it does on FreeBSD and mainstream Linux distributions. I think this is a good feature for the portable operating system to have since it means we can stick NetBSD on nearly any networked computer and use it as a NAS.

  • Conclusions

NetBSD, like its close cousins (FreeBSD and OpenBSD) does not do a lot of hand holding or automation. It offers a foundation that will run on most CPUs and we can choose to build on that foundation. I mention this because, on its own, NetBSD does not do much. If we want to get something out of it, we need to be willing to build on its foundation – we need a project. This is important to keep in mind as I think going into NetBSD and thinking, “Oh I’ll just explore around and expand on this as I go,” will likely lead to disappointment. I recommend figuring out what you want to do before installing NetBSD and making sure the required tools are available in the operating system’s repositories.
Some of the projects I embarked on this week (using ZFS and setting up file sharing) worked well. Others, like getting multimedia support and a full-featured desktop, did not. Given more time, I’m sure I could find a suitable desktop to install (along with the required documentation to get it and its services running), or customize one based on one of the available window managers. However, any full-featured desktop is going to require some manual work. Media support was not great. The right players and codecs were there, but I was not able to get audio to play smoothly.
My main complaint with NetBSD relates to my struggle to get some features working to my satisfaction: the documentation is scattered. There are four different sections of the project’s website for documentation (FAQs, The Guide, manual pages and the wiki). Whatever we are looking for is likely to be in one of those, but which one? Or, just as likely, the tutorial we want is not there, but is on a forum or blog somewhere. I found that the documentation provided was often thin, more of a quick reference to remind people how something works rather than a full explanation.
As an example, I found a couple of documents relating to setting up a firewall. One dealt with networking NetBSD on a LAN, another explored IPv6 support, but neither gave an overview on syntax or a basic guide to blocking all but one or two ports. It seemed like that information should already be known, or picked up elsewhere.
Newcomers are likely to be a bit confused by software management guides for the same reason. Some pages refer to using a tool called pkg_add, others use pkgsrc and its make utility, others mention pkgin. Ultimately, these tools each give approximately the same result, but work differently and yet are mentioned almost interchangeably. I have used NetBSD before a few times and could stumble through these guides, but new users are likely to come away confused.
One quirk of NetBSD, which may be a security feature or an inconvenience, depending on one’s point of view, is that super-user programs are not included in regular users’ paths. This means we need to change our path if we want to be able to run programs typically used by root. For example, shutdown and mount are not in regular users’ paths by default. This made checking some things tricky for me.
Ultimately though, NetBSD is not famous for its convenience or features so much as its flexibility. The operating system will run on virtually any processor and should work almost identically across multiple platforms. That gives NetBSD users a good deal of consistency across a range of hardware and the chance to experiment with a member of the Unix family on hardware that might not be compatible with Linux or the other BSDs.


### Showing a Gigabit OpenBSD Firewall Some Monitoring Love

I have a pretty long history of running my home servers or firewalls on “exotic” hardware. At first, it was Sun Microsystem hardware, then it moved to the excellent Soekris line, with some cool single board computers thrown in the mix. Recently I’ve been running OpenBSD Octeon on the Ubiquiti Edge Router Lite, an amazing little piece of kit at an amazing price point.

  • Upgrade Time!

This setup has served me for some time and I’ve been extremely happy with it. But, in the #firstworldproblems category, I recently upgraded the household to the amazing Gigabit fibre offering from Sonic. A great problem to have, but also too much of a problem for the little Edge Router Lite (ERL).
The way the OpenBSD PF firewall works, it’s only able to process packets on a single core. Not a problem for the dual-core 500 MHz ERL when you’re pushing under ~200 Mbps, but more of a problem when you’re trying to push 1000 Mbps.
I needed something that was faster on a per core basis but still satisfied my usual firewall requirements. Loosely:

  • small form factor
  • fan-less
  • multiple Intel Ethernet ports (good driver support)
  • low power consumption
  • not your regular off-the-shelf kit
  • relatively inexpensive

After evaluating a LOT of different options I settled on the Protectli Vault FW2B. With the specs required for the firewall (2 GB RAM and 8 GB drive) it comes in at a mere $239 USD! Installation of OpenBSD 6.4 was pretty straightforward; the only problem I had was that Etcher did not want to recognize the ‘.fs’ extension on the install image as a bootable image. I quickly fixed this with good old Unix dd(1) on the Mac. Everything else was incredibly smooth.
After loading the same rulesets on my new install, the results were fantastic!

  • Monitoring

Now that the machine was up and running (and fast!), I wanted to know what it was doing. Over the years, I’ve always relied on the venerable pfstat software to give me an overview of my traffic, blocked packets, etc. It looks like this:
As you can see it’s based on RRDtool, which was simply incredible in its time. Having worked on monitoring almost continuously for almost the past decade, I wanted to see if we could re-implement the same functionality using more modern tools as RRDtool and pfstat definitely have their limitations. This might be an opportunity to learn some new things as well.
I came across pf-graphite which seemed to be a great start! He had everything I needed and I added a few more stats from the detailed interface statistics and the ability for the code to exit for running from cron(8), which is a bit more OpenBSD style. I added code for sending to some SaaS metrics platforms but ultimately stuck with straight Graphite. One important thing to note was to use the Graphite pickle port (2004) instead of the default plaintext port for submission. Also you will need to set a loginterface in your ‘pf.conf’.
A bit of tweaking with Graphite and Grafana, and I had a pretty darn good recreation of my original PF stats dashboard!
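The collection step described above, as an added example that is not pf-graphite's code or the author's: it parses `pfctl -s info` output (the sample below is constructed and only approximates OpenBSD's layout; it assumes `set loginterface em0` is configured in `pf.conf` so the interface block is populated), frames the counters for the Graphite pickle port (2004) mentioned above, and is meant to be run from cron(8). The metric prefix `pf.fw1` and the Graphite host are assumptions.

```python
"""Scrape OpenBSD PF counters and ship them to Graphite over the pickle port."""
import pickle
import re
import socket
import struct
import subprocess
import time

# Constructed sample of `pfctl -s info` output (values are made up); real output
# only carries the "Interface Stats" block when pf.conf has `set loginterface`.
SAMPLE_PFCTL_INFO = """\
Status: Enabled for 3 days 04:12:55              Debug: err

Interface Stats for em0               IPv4             IPv6
  Bytes In                     8123456789            102400
  Bytes Out                    1234567890             51200
  Packets In
    Passed                        6543210               800
    Blocked                         12345                 7
  Packets Out
    Passed                        4321098               640
    Blocked                            42                 0

State Table                          Total             Rate
  current entries                     1532
  searches                        98765432         339.2/s
  inserts                           654321           2.2/s
  removals                          652789           2.2/s
Counters
  match                            1234567           4.2/s
  bad-offset                             0           0.0/s
  fragment                              12           0.0/s
  short                                  3           0.0/s
  normalize                              0           0.0/s
  memory                                 0           0.0/s
"""


def _norm(name):
    return name.strip().lower().replace(" ", "_").replace("-", "_")


def parse_pfctl_info(text):
    """Return {metric_suffix: int} for the interface, state-table and counter blocks."""
    metrics = {}
    section = None   # "iface", "states" or "counters"
    iface = None
    sub = None       # "packets_in" / "packets_out" while inside the iface block
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"Interface Stats for (\S+)", line)
        if m:
            section, iface, sub = "iface", m.group(1), None
            continue
        if line.startswith("State Table"):
            section = "states"
            continue
        if line.startswith("Counters"):
            section = "counters"
            continue
        if section == "iface":
            # Rows carry an IPv4 and an IPv6 column; "Packets In/Out" are sub-headers.
            m = re.match(r"\s+([A-Za-z ]+?)\s+(\d+)\s+(\d+)$", line)
            if m:
                key = f"iface.{iface}." + (f"{sub}." if sub else "") + _norm(m.group(1))
                metrics[key + ".ipv4"] = int(m.group(2))
                metrics[key + ".ipv6"] = int(m.group(3))
            elif line.strip() in ("Packets In", "Packets Out"):
                sub = _norm(line)
        elif section in ("states", "counters"):
            # Rows carry a total and, for most, a rate column we ignore (Graphite derives rates).
            m = re.match(r"\s+([a-z][a-z -]*?)\s+(\d+)(?:\s+[\d.]+/s)?$", line)
            if m:
                metrics[f"{section}.{_norm(m.group(1))}"] = int(m.group(2))
    return metrics


def graphite_pickle_payload(metrics, prefix, timestamp):
    """Frame metrics as carbon's pickle receiver expects: a 4-byte big-endian
    length followed by a pickled list of (path, (timestamp, value)) tuples."""
    tuples = [(f"{prefix}.{k}", (timestamp, v)) for k, v in sorted(metrics.items())]
    body = pickle.dumps(tuples, protocol=2)
    return struct.pack("!L", len(body)) + body


def decode_payload(frame):
    """Inverse of graphite_pickle_payload, used to check a frame before sending."""
    (length,) = struct.unpack("!L", frame[:4])
    return pickle.loads(frame[4:4 + length])


def send_to_graphite(frame, host="127.0.0.1", port=2004, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(frame)


def collect_live():
    """Run pfctl (requires root or a doas rule) and parse its output."""
    out = subprocess.run(["pfctl", "-s", "info"], check=True,
                         capture_output=True, text=True).stdout
    return parse_pfctl_info(out)


if __name__ == "__main__":
    # One shot, then exit: suitable for a `* * * * *` root crontab entry.
    send_to_graphite(graphite_pickle_payload(collect_live(), "pf.fw1", int(time.time())))
```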

### The Source History of Cat

I once had a debate with members of my extended family about whether a computer science degree is a degree worth pursuing. I was in college at the time and trying to decide whether I should major in computer science. My aunt and a cousin of mine believed that I shouldn’t. They conceded that knowing how to program is of course a useful and lucrative thing, but they argued that the field of computer science advances so quickly that everything I learned would almost immediately be outdated. Better to pick up programming on the side and instead major in a field like economics or physics where the basic principles would be applicable throughout my lifetime.
I knew that my aunt and cousin were wrong and decided to major in computer science. (Sorry, aunt and cousin!) It is easy to see why the average person might believe that a field like computer science, or a profession like software engineering, completely reinvents itself every few years. We had personal computers, then the web, then phones, then machine learning… technology is always changing, so surely all the underlying principles and techniques change too. Of course, the amazing thing is how little actually changes. Most people, I’m sure, would be stunned to know just how old some of the important software on their computer really is. I’m not talking about flashy application software, admittedly—my copy of Firefox, the program I probably use the most on my computer, is not even two weeks old. But, if you pull up the manual page for something like grep, you will see that it has not been updated since 2010 (at least on MacOS). And the original version of grep was written in 1974, which in the computing world was back when dinosaurs roamed Silicon Valley. People (and programs) still depend on grep every day.
My aunt and cousin thought of computer technology as a series of increasingly elaborate sand castles supplanting one another after each high tide clears the beach. The reality, at least in many areas, is that we steadily accumulate programs that have solved problems. We might have to occasionally modify these programs to avoid software rot, but otherwise they can be left alone. grep is a simple program that solves a still-relevant problem, so it survives. Most application programming is done at a very high level, atop a pyramid of much older code solving much older problems. The ideas and concepts of 30 or 40 years ago, far from being obsolete today, have in many cases been embodied in software that you can still find installed on your laptop.
I thought it would be interesting to take a look at one such old program and see how much it had changed since it was first written. cat is maybe the simplest of all the Unix utilities, so I’m going to use it as my example. Ken Thompson wrote the original implementation of cat in 1969. If I were to tell somebody that I have a program on my computer from 1969, would that be accurate? How much has cat really evolved over the decades? How old is the software on our computers?
Thanks to repositories like this one, we can see exactly how cat has evolved since 1969. I’m going to focus on implementations of cat that are ancestors of the implementation I have on my Macbook. You will see, as we trace cat from the first versions of Unix down to the cat in MacOS today, that the program has been rewritten more times than you might expect—but it ultimately works more or less the same way it did fifty years ago.

  • Research Unix

Ken Thompson and Dennis Ritchie began writing Unix on a PDP 7. This was in 1969, before C, so all of the early Unix software was written in PDP 7 assembly. The exact flavor of assembly they used was unique to Unix, since Ken Thompson wrote his own assembler that added some features on top of the assembler provided by DEC, the PDP 7’s manufacturer. Thompson’s changes are all documented in the original Unix Programmer’s Manual under the entry for as, the assembler.
The first implementation of cat is thus in PDP 7 assembly. I’ve added comments that try to explain what each instruction is doing, but the program is still difficult to follow unless you understand some of the extensions Thompson made while writing his assembler. There are two important ones. First, the ; character can be used to separate multiple statements on the same line. It appears that this was used most often to put system call arguments on the same line as the sys instruction. Second, Thompson added support for “temporary labels” using the digits 0 through 9. These are labels that can be reused throughout a program, thus being, according to the Unix Programmer’s Manual, “less taxing both on the imagination of the programmer and on the symbol space of the assembler.” From any given instruction, you can refer to the next or most recent temporary label n using nf and nb respectively. For example, if you have some code in a block labeled 1:, you can jump back to that block from further down by using the instruction jmp 1b. (But you cannot jump forward to that block from above without using jmp 1f instead.)
The most interesting thing about this first version of cat is that it contains two names we should recognize. There is a block of instructions labeled getc and a block of instructions labeled putc, demonstrating that these names are older than the C standard library. The first version of cat actually contained implementations of both functions. The implementations buffered input so that reads and writes were not done a character at a time.
The first version of cat did not last long. Ken Thompson and Dennis Ritchie were able to persuade Bell Labs to buy them a PDP 11 so that they could continue to expand and improve Unix. The PDP 11 had a different instruction set, so cat had to be rewritten. I’ve marked up this second version of cat with comments as well. It uses new assembler mnemonics for the new instruction set and takes advantage of the PDP 11’s various addressing modes. (If you are confused by the parentheses and dollar signs in the source code, those are used to indicate different addressing modes.) But it also leverages the ; character and temporary labels just like the first version of cat, meaning that these features must have been retained when as was adapted for the PDP 11.
The second version of cat is significantly simpler than the first. It is also more “Unix-y” in that it doesn’t just expect a list of filename arguments—it will, when given no arguments, read from stdin, which is what cat still does today. You can also give this version of cat an argument of - to indicate that it should read from stdin.
In 1973, in preparation for the release of the Fourth Edition of Unix, much of Unix was rewritten in C. But cat does not seem to have been rewritten in C until a while after that. The first C implementation of cat only shows up in the Seventh Edition of Unix. This implementation is really fun to look through because it is so simple. Of all the implementations to follow, this one most resembles the idealized cat used as a pedagogic demonstration in K&R C. The heart of the program is the classic two-liner:

```c
while ((c = getc(fi)) != EOF)
	putchar(c);
```

There is of course quite a bit more code than that, but the extra code is mostly there to ensure that you aren’t reading and writing to the same file. The other interesting thing to note is that this implementation of cat only recognized one flag, -u. The -u flag could be used to avoid buffering input and output, which cat would otherwise do in blocks of 512 bytes.

  • BSD

After the Seventh Edition, Unix spawned all sorts of derivatives and offshoots. MacOS is built on top of Darwin, which in turn is derived from the Berkeley Software Distribution (BSD), so BSD is the Unix offshoot we are most interested in. BSD was originally just a collection of useful programs and add-ons for Unix, but it eventually became a complete operating system. BSD seems to have relied on the original cat implementation up until the fourth BSD release, known as 4BSD, when support was added for a whole slew of new flags. The 4BSD implementation of cat is clearly derived from the original implementation, though it adds a new function to implement the behavior triggered by the new flags. The naming conventions already used in the file were adhered to—the fflg variable, used to mark whether input was being read from stdin or a file, was joined by nflg, bflg, vflg, sflg, eflg, and tflg, all there to record whether or not each new flag was supplied in the invocation of the program. These were the last command-line flags added to cat; the man page for cat today lists these flags and no others, at least on Mac OS. 4BSD was released in 1980, so this set of flags is 38 years old.
cat would be entirely rewritten a final time for BSD Net/2, which was, among other things, an attempt to avoid licensing issues by replacing all AT&T Unix-derived code with new code. BSD Net/2 was released in 1991. This final rewrite of cat was done by Kevin Fall, who graduated from Berkeley in 1988 and spent the next year working as a staff member at the Computer Systems Research Group (CSRG). Fall told me that a list of Unix utilities still implemented using AT&T code was put up on a wall at CSRG and staff were told to pick the utilities they wanted to reimplement. Fall picked cat and mknod. The cat implementation bundled with MacOS today is built from a source file that still bears his name at the very top. His version of cat, even though it is a relatively trivial program, is today used by millions.
Fall’s original implementation of cat is much longer than anything we have seen so far. Other than support for a -? help flag, it adds nothing in the way of new functionality. Conceptually, it is very similar to the 4BSD implementation. It is only longer because Fall separates the implementation into a “raw” mode and a “cooked” mode. The “raw” mode is cat classic; it prints a file character for character. The “cooked” mode is cat with all the 4BSD command-line options. The distinction makes sense but it also pads out the implementation so that it seems more complex at first glance than it actually is. There is also a fancy error handling function at the end of the file that further adds to its length.

  • MacOS

The very first release of Mac OS X thus includes an implementation of cat pulled from the NetBSD project. So the first Mac OS X implementation of cat is Kevin Fall’s cat. The only thing that had changed over the intervening decade was that Fall’s error-handling function err() was removed and the err() function made available by err.h was used in its place. err.h is a BSD extension to the C standard library.
The NetBSD implementation of cat was later swapped out for FreeBSD’s implementation of cat. According to Wikipedia, Apple began using FreeBSD instead of NetBSD in Mac OS X 10.3 (Panther). But the Mac OS X implementation of cat, according to Apple’s own open source releases, was not replaced until Mac OS X 10.5 (Leopard) was released in 2007. The FreeBSD implementation that Apple swapped in for the Leopard release is the same implementation on Apple computers today. As of 2018, the implementation has not been updated or changed at all since 2007.
So the Mac OS cat is old. As it happens, it is actually two years older than its 2007 appearance in MacOS X would suggest. This 2005 change, which is visible in FreeBSD’s Github mirror, was the last change made to FreeBSD’s cat before Apple pulled it into Mac OS X. So the Mac OS X cat implementation, which has not been kept in sync with FreeBSD’s cat implementation, is officially 13 years old. There’s a larger debate to be had about how much software can change before it really counts as the same software; in this case, the source file has not changed at all since 2005.
The cat implementation used by Mac OS today is not that different from the implementation that Fall wrote for the 1991 BSD Net/2 release. The biggest difference is that a whole new function was added to provide Unix domain socket support. At some point, a FreeBSD developer also seems to have decided that Fall’s raw_args() function and cook_args() should be combined into a single function called scanfiles(). Otherwise, the heart of the program is still Fall’s code.
I asked Fall how he felt about having written the cat implementation now used by millions of Apple users, either directly or indirectly through some program that relies on cat being present. Fall, who is now a consultant and a co-author of the most recent editions of TCP/IP Illustrated, says that he is surprised when people get such a thrill out of learning about his work on cat. Fall has had a long career in computing and has worked on many high-profile projects, but it seems that many people still get most excited about the six months of work he put into rewriting cat in 1989.

  • The Hundred-Year-Old Program

In the grand scheme of things, computers are not an old invention. We’re used to hundred-year-old photographs or even hundred-year-old camera footage. But computer programs are in a different category—they’re high-tech and new. At least, they are now. As the computing industry matures, will we someday find ourselves using programs that approach the hundred-year-old mark?
Computer hardware will presumably change enough that we won’t be able to take an executable compiled today and run it on hardware a century from now. Perhaps advances in programming language design will also mean that nobody will understand C in the future and cat will have long since been rewritten in another language. (Though C has already been around for fifty years, and it doesn’t look like it is about to be replaced any time soon.) But barring all that, why not just keep using the cat we have forever?
I think the history of cat shows that some ideas in computer science are in fact very durable. Indeed, with cat, both the idea and the program itself are old. It may not be accurate to say that the cat on my computer is from 1969. But I could make a case for saying that the cat on my computer is from 1989, when Fall wrote his implementation of cat. Lots of other software is just as ancient. So maybe we shouldn’t think of computer science and software development primarily as fields that disrupt the status quo and invent new things. Our computer systems are built out of historical artifacts. At some point, we may all spend more time trying to understand and maintain those historical artifacts than we spend writing new code.


##News Roundup
###Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems

A vulnerability that is trivial to exploit allows privilege escalation to root level on Linux and BSD distributions using X.Org server, the open source implementation of the X Window System that offers the graphical environment.
The flaw is now identified as CVE-2018-14665 (credited to security researcher Narendra Shinde). It has been present in xorg-server for two years, since version 1.19.0, and is exploitable by a limited user as long as the X server runs with elevated permissions.

  • Privilege escalation and arbitrary file overwrite

An advisory on Thursday describes the problem as an “incorrect command-line parameter validation” that also allows an attacker to overwrite arbitrary files.
Privilege escalation can be accomplished via the -modulepath argument by setting an insecure path to modules loaded by the X.org server. Arbitrary file overwrite is possible through the -logfile argument, because of improper verification when parsing the option.

  • Bug could have been avoided in OpenBSD 6.4

OpenBSD, the free and open-source operating system with a strong focus on security, uses xorg. On October 18, the project released version 6.4 of the OS, affected by CVE-2018-14665. This could have been avoided, though.
Theo de Raadt, founder and leader of the OpenBSD project, says that the X maintainer had known about the problem since at least October 11. For some reason, the OpenBSD developers received the message only one hour before the public announcement this Thursday, a week after their new OS release.
“As yet we don’t have answers about why our X maintainer (on the X security team) and his team provided information to other projects (some who don’t even ship with this new X server) but chose to not give us a heads-up which could have saved all the new 6.4 users a lot of grief,” de Raadt says.
Had OpenBSD developers known about the bug before the release, they could have taken steps to mitigate the problem or delay the launch for a week or two.
To remedy the problem, the OpenBSD project provides a source code patch, which requires compiling and rebuilding the X server.
As a temporary solution, users can remove the setuid bit from the Xorg binary (which disables the privileged X server) by running the following command:

chmod u-s /usr/X11R6/bin/Xorg

  • Trivial exploitation

CVE-2018-14665 does not by itself help an attacker compromise a system, but it is useful in the later stages of an attack, once some access has already been obtained.
Leveraging it after gaining access to a vulnerable machine is fairly easy. Matthew Hickey, co-founder and head of the security outfit Hacker House, created and published an exploit, saying that it can be triggered from a remote SSH session.
Three hours after the public announcement of the security gap, Daemon Security CEO Michael Shirk replied with a one-liner that overwrote the system’s shadow file. Hickey did one better and fit the entire local privilege escalation exploit into one line.
Apart from OpenBSD, other operating systems affected by the bug include Debian and Ubuntu, Fedora and its downstream distro Red Hat Enterprise Linux along with its community-supported counterpart CentOS.
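The setuid bit is what makes this bug matter, so a defender mostly wants to know whether the X server still carries it. The helper below is an added example (not code from the article, the OpenBSD project or the show): it reports the setuid state of the server binary, applies the temporary chmod u-s mitigation from above only where the bit is actually set, and parses a captured `Xorg -version` banner against the 1.19.0 lower bound the article names; the OpenBSD path is the one from the advisory, the Linux paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article, the OpenBSD project or the show:
# a small audit/mitigation helper for CVE-2018-14665. The bug is only
# exploitable while the X server runs setuid root, so the checks below
# look at exactly that bit and apply the advisory's temporary fix
# (chmod u-s) only where the bit is actually set.

# Print "setuid" or "clean" for an existing file; return 2 if it is missing.
xorg_setuid_state() {
    path=$1
    [ -e "$path" ] || return 2
    if [ -u "$path" ]; then
        echo setuid
    else
        echo clean
    fi
}

# Strip the setuid bit if present and confirm it is gone.
# Returns 0 when the file ends up clean, 1 if chmod failed or the bit
# is still set (e.g. not running as the file's owner), 2 if missing.
xorg_drop_setuid() {
    path=$1
    [ -e "$path" ] || return 2
    if [ -u "$path" ]; then
        chmod u-s "$path" || return 1
    fi
    if [ -u "$path" ]; then
        return 1
    fi
    return 0
}

# Candidate server paths. /usr/X11R6/bin/Xorg is the OpenBSD path from the
# advisory; the Linux paths are assumptions and may differ per distribution.
XORG_CANDIDATES="/usr/X11R6/bin/Xorg /usr/bin/Xorg /usr/lib/xorg/Xorg"

# Print "<path> <state>" for every candidate that exists.
# Returns 0 if no setuid copy was found, 1 if at least one was.
audit_xorg() {
    found=0
    for p in $1; do
        [ -e "$p" ] || continue
        state=$(xorg_setuid_state "$p")
        echo "$p $state"
        if [ "$state" = setuid ]; then
            found=1
        fi
    done
    return $found
}

# Given the banner from `Xorg -version 2>&1` (first line looks like
# "X.Org X Server 1.19.6"), return 0 if the build is 1.19.0 or later, the
# first affected release named in the article, 1 if older, 2 if the banner
# could not be parsed. The fixed release is not stated in the article, so
# this flags "old enough to be affected", not "confirmed unpatched".
xorg_version_since_1_19() {
    set -- $(printf '%s\n' "$1" \
        | sed -n 's/^X\.Org X Server \([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' \
        | head -n 1)
    [ $# -eq 3 ] || return 2
    major=$1
    minor=$2
    if [ "$major" -gt 1 ]; then
        return 0
    fi
    if [ "$major" -eq 1 ] && [ "$minor" -ge 19 ]; then
        return 0
    fi
    return 1
}

# Read-only run over the candidate paths when XORG_AUDIT_RUN=1 is exported;
# nothing is modified unless xorg_drop_setuid is called explicitly.
if [ "${XORG_AUDIT_RUN:-0}" = 1 ]; then
    audit_xorg "$XORG_CANDIDATES"
fi
```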


###OpenBSD on the Desktop: some thoughts

I’ve been using OpenBSD on my ThinkPad X230 for some weeks now, and the experience has been peculiar in some ways.
The OS itself, in my opinion, is not ready for widespread desktop usage, and the development team is not trying to shove it down the throat of anybody who wants a Windows or macOS alternative.
You need to understand a little bit of how *NIX systems work, because you’ll use CLI more than UI.
That’s not necessarily bad, and I’m sure I learned a trick or two that could translate easily to Linux or macOS.
Their development process is purely based on developers that love to contribute and hack around, just because it’s fun.
Even the mailing list is a cool place to hang out!
Code correctness and security are a must, nothing gets committed if it doesn’t get reviewed thoroughly first – nowadays the first two properties should be enforced in every major operating system.
I like the idea of a platform that continually evolves.
pledge(2) and unveil(2) are the proof that with a little effort, you can secure existing software better than ever.
I like the “sensible defaults” approach, having an OS ready to be used – UI included if you selected it during the setup process – is great.
Just install a browser and you’re ready to go.
Manual pages on OpenBSD are real manuals, not an extension of the “–help” command found in most CLI software.
They help you understand inner workings of the operating system, no internet connection needed.
There are some trade-offs, too.
Performance is not first-class, mostly because of all the security mitigations and checks done at runtime.
I write Go code in neovim, and sometimes you can feel a slight slowdown when you’re compiling and editing multiple files at the same time, but usually I can’t notice any meaningful difference.
Browsers are a different matter though, you can definitely feel something differs from the experience you can have on mainstream operating systems.
But again, trade-offs.
To use OpenBSD on the desktop you must be ready to sacrifice some of the goodies of mainstream OSes, but if you’re searching for a zen place to do your computing stuff, it’s the best you can get right now.


###Review: NomadBSD 1.1

One of the most recent additions to the DistroWatch database is NomadBSD. According to the NomadBSD website: “NomadBSD is a 64-bit live system for USB flash drives, based on FreeBSD. Together with automatic hardware detection and setup, it is configured to be used as a desktop system that works out of the box, but can also be used for data recovery.”
The latest release of NomadBSD (or simply “Nomad”, as I will refer to the project in this review) is version 1.1. It is based on FreeBSD 11.2 and is offered in two builds, one for generic personal computers and one for Macbooks. The release announcement mentions version 1.1 offers improved video driver support for Intel and AMD cards. The operating system ships with Octopkg for graphical package management and the system should automatically detect, and work with, VirtualBox environments.
Nomad 1.1 is available as a 2GB download, which we then decompress to produce a 4GB file which can be written to a USB thumb drive. There is no optical media build of Nomad as it is designed to be run entirely from the USB drive, and write data persistently to the drive, rather than simply being installed from the USB media.

  • Initial setup

Booting from the USB drive brings up a series of text-based menus which ask us to configure key parts of the operating system. We are asked to select our time zone, keyboard layout, keyboard model, keyboard mapping and our preferred language. While we can select options from a list, the options tend to be short and cryptic. Rather than “English (US)”, for example, we might be given “en_US”. We are also asked to create a password for the root user account and another one for a regular user which is called “nomad”. We can then select which shell nomad will use. The default is zsh, but there are plenty of other options, including csh and bash. We have the option of encrypting our user’s home directory.
I feel it is important to point out that these settings, and nomad’s home directory, are stored on the USB drive. The options and settings we select will not be saved to our local hard drive and our configuration choices will not affect other operating systems already installed on our computer. At the end, the configuration wizard asks if we want to run the BSDstats service. This option is not explained at all, but it contacts BSDstats to provide some basic statistics on BSD users.
The system then takes a few minutes to apply its changes to the USB drive and automatically reboots the computer. While running the initial setup wizard, I had nearly identical experiences when running Nomad on a physical computer and running the operating system in a VirtualBox virtual machine. However, after the initial setup process was over, I had quite different experiences depending on the environment so I want to divide my experiences into two different sections.

  • Physical desktop computer

At first, Nomad failed to boot on my desktop computer. From the operating system’s boot loader, I enabled Safe Mode which allowed Nomad to boot. At that point, Nomad was able to start up, but would only display a text console. The desktop environment failed to start when running in Safe Mode.
Networking was also disabled by default and I had to enable a network interface and DHCP address assignment to connect to the Internet. Instructions for enabling networking can be found in FreeBSD’s Handbook. Once we are on-line we can use the pkg command line package manager to install and update software. Had the desktop environment worked then the Octopkg graphical package manager would also be available to make browsing and installing software a point-n-click experience.
Had I been able to run the desktop for prolonged amounts of time I could have made use of such pre-installed items as the Firefox web browser, the VLC media player, LibreOffice and Thunderbird. Nomad offers a fairly small collection of desktop applications, but what is there is mostly popular, capable software.
When running the operating system I noted that, with one user logged in, Nomad only runs 15 processes with the default configuration. These processes require less than 100MB of RAM, and the whole system fits comfortably on a 4GB USB drive.

  • Conclusions

Ultimately using Nomad was not a practical option for me. The operating system did not work well with my hardware, or the virtual environment. In the virtual machine, Nomad crashed consistently after just a few minutes of uptime. On the desktop computer, I could not get a desktop environment to run. The command line tools worked well, and the system performed tasks very quickly, but a command line only environment is not well suited to my workflow.
I like the idea of what NomadBSD is offering. There are not many live desktop flavours of FreeBSD, apart from GhostBSD. It was nice to see developers trying to make a FreeBSD-based, plug-and-go operating system that would offer a desktop and persistent storage. I suspect the system would work and perform its stated functions on different hardware, but in my case my experiment was necessarily short lived.


##Beastie Bits


##Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post A Thoughtful Episode | BSD Now 273 first appeared on Jupiter Broadcasting.

Domestic Disappointments | TechSNAP 382 https://original.jupiterbroadcasting.net/127026/domestic-disappointments-techsnap-382/ Fri, 07 Sep 2018 06:15:23 +0000 https://original.jupiterbroadcasting.net/?p=127026 Show Notes: techsnap.systems/382

The post Domestic Disappointments | TechSNAP 382 first appeared on Jupiter Broadcasting.

Level Up Your LAN | LAS 377 https://original.jupiterbroadcasting.net/86282/level-up-your-lan-las-377/ Sun, 09 Aug 2015 10:01:02 +0000 https://original.jupiterbroadcasting.net/?p=86282

The post Level Up Your LAN | LAS 377 first appeared on Jupiter Broadcasting.


We take a deep dive into the basics of getting a home network up and running. If you’ve lived with whatever the ISP has given you, have no fear: not only are we going to show you how to do it, it’s going to be all done from Linux!

Plus Firefox has a major flaw that impacts Linux users, an update on the Jolla tablet, we discuss our big format experiment & more!


— Show Notes: —


Brought to you by: System76

Overview

  • Default configurations are less secure and limited
  • Ability to setup VPN
  • Ability to setup DNS
  • Most consumer equipment is a modem/router/switch/access point all in one (Spork Syndrome)

Default Settings on Mikrotik

  • IP 192.168.88.1
  • username: admin
  • no password

Default Settings on (most) Linksys

  • IP 192.168.0.1
  • username: admin
  • password: admin

DHCP – Dynamic Host Configuration Protocol

  • Useful to push information to the clients about the network.
  • Can be setup on most routers
  • Comes setup by default
  • Linksys limits you to /24 meaning a maximum of 254 clients.

DNS – Domain Name Service

  • Phonebook of the internet
  • Useful to point non-registered hostnames to IP addresses
  • Can be used (somewhat) to block access to websites.

Firewall

  • Used to block traffic
  • Can be used on enterprise routers to separate switchports

Static IP (If your ISP allows it)

  • What a static IP is and how to set it
  • What a netmask is and how to set it
  • What a default gateway is and how to set it

Setting up an Access Point

  • Enable wireless on Mikrotik or Linksys
  • Purchase separate access point and use WebUI
  • Proper Channeling
  • Proper Power
  • PoE (Power over Ethernet)

Easy Linux Networking

IPFire

From a technical point of view, IPFire is a minimalistic, hardened firewall system which comes with an integrated package manager called Pakfire. The primary task of Pakfire is to update the system with only a single click.

It is very easy to install security patches, bugfixes and feature enhancements, which make IPFire safer and faster – or simply, better.

Another task of Pakfire is to install additional software that adds new functionality to the IPFire system.
Some useful ones are:

  • File sharing services such as Samba and vsftpd
  • Communications server using Asterisk
  • Various command-line tools such as tcpdump, nmap, traceroute & many more.

Smoothwall.org

The goals of the project can be summed up as:

  • Be simple enough to be installed by home users with no knowledge of Linux
  • Support a wide variety of network cards, modems and other hardware
  • Work with many different connection methods and ISPs from across the world
  • Manage and configure the software using a web browser
  • Run efficiently on older, cheaper hardware
  • Develop a supportive user community
  • Use sponsorship from Smoothwall Limited to further these goals

The Smoothwall Open Source Project is funded and supported by Smoothwall Limited.

— PICKS —

Runs Linux

Fantastic show, keep up the good work.
I wanted to share my own small runs Linux with you. I’m an IT Tech working in a secondary school in the UK. I got fed up of our old outdated lesson change bell system from the 70’s so I made a Pi powered one. It uses cron to run a Python script that turns the relay on for a set amount of time. The cron file is edited via the UI that runs on PHP and MySQL on top of Apache. Photos of the UI and the project build attached.
It’s been in production since Feb and still going strong.

Hope you like it

Thanks

Sent in by Robin T.

Desktop App Pick

Our VoIP softphone will look everywhere for your contacts and will display them in a combined list for easy access. Outlook, windows/mac, LDAP, XMPP, XCAP, android, iOs. You name it, we got it and we will lookup incoming calls as well so you know who calls before you answer.

Weekly Spotlight

Organize files into libraries. A library can be selectively synced into any device. Reliable and efficient file syncing improves your productivity.

A library can be encrypted by a password chosen by you. Files are encrypted before syncing to the server. Even the system admin can’t view the files.

Sharing into groups and collaboration around files. Permission control, versioning and activity notification make collaboration easy and reliable.

The core of the Seafile server is written in the C programming language. It is small and has fantastic performance.

Upgrade can be done via running a simple script within a few seconds. Seafile records very few items in database. No huge database upgrade is needed.

AD/LDAP integration, group syncing, fine-grained permission control make the tool easily applied to your enterprise environment.

Celebrate BSD Now’s 2 year Anniversary!

BONUS SPOTLIGHT

Online tracking has become a pervasive invisible reality of the modern web. Most sites you load are likely to be full of ads, tracking pixels, social media share buttons, and other invisible trackers all harvesting data about your web browsing. These trackers use cookies and other methods to read unique IDs associated with your browser, the result being that they record all the sites you visit as you browse around the internet. This sort of tracking is invisible to most web users, meaning they never get the option to agree to or opt-out of it. Today the EFF has launched the 1.0 version of Privacy Badger, an extension designed to prevent these trackers from accessing unique info about you and your browsing.


— NEWS —

Firefox exploit found in the wild | Mozilla Security Blog

Yesterday morning, August 5, a Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine. This morning Mozilla released security updates that fix the vulnerability. All Firefox users are urged to update to Firefox 39.0.3. The fix has also been shipped in Firefox ESR 38.1.1.

LibreOffice 5.0 Released!

It is also the first version to come as a 64-bit build for Windows. As such, LibreOffice 5 serves as the foundation of our current developments and is a great platform to extend, innovate and collaborate with!

LibreOffice 5.0 ships an impressive number of new features for its spreadsheet module, Calc: complex formulae, image cropping, new functions, more powerful conditional formatting, table addressing and much more. Calc’s blend of performance and features makes it an enterprise-ready, heavy duty spreadsheet application capable of handling all kinds of workload for an impressive range of use cases.

New icons, major improvements to menus and sidebar: no other LibreOffice version has looked that good and helped you be creative and get things done the right way. In addition, style management is now more intuitive thanks to the visualization of styles right in the interface.

LibreOffice 5 ships with numerous improvements to document import and export filters for MS Office, PDF, RTF, and more. You can now timestamp PDF documents generated with LibreOffice and enjoy enhanced document conversion fidelity all around.

LibreOffice 5 combines innovative features and long term efforts towards enhanced stability. As a result, expect both improvements in performance and in stability over the lifetime of the 5.0.x series.

LibreOffice under the hood: progress to 5.0

Gtk3 backend: Wayland

A very rough, initial gtk3 port was hacked together long ago by yours truly to prototype LibreOffice online via gdk-broadway.
However, thanks to Caolán McNamara (Red Hat), who has done 80% of the hard work to finish this, we now have a polished and complete VCL backend for gtk3.
His blog entry focuses on the importance of this for running LibreOffice natively under wayland – the previous gtk2 backend was heavily tied to raw X11 rendering, while the new gtk3 backend uses CPU rendering via the VCL headless backend, of which more below.

OpenGL rendering improvements

The OpenGL rendering backend also significantly matured in this version, allowing us to talk directly to the hardware to accelerate much of our rendering, with large numbers of bug fixes and improvements.
Many thanks to Louis-Francis Ratté-Boulianne (Collabora), Markus Mohrhard, Luboš Luňák (Collabora), Tomaž Vajngerl (Collabora), Jan Holesovsky (Collabora), Tor Lillqvist (Collabora), Chris Sherlock & others.
It is hoped that with the ongoing bug-fixing here, that this can be enabled by default as a late feature, after suitable review, for LibreOffice 5.0.1 or at the outside 5.0.2.

LibreOffice 5.0 Is a Milestone Release for Ubuntu Touch

LibreOffice will land on Ubuntu Touch

The developers from The Document Foundation haven’t gone into much detail about their plans, but they have said that the office suite is coming to Android. Coupled with the things we already know about Ubuntu Touch, we can safely say that LibreOffice 5.0 will bring some very interesting changes to the mobile platform from Canonical.

“A new version for new endeavours: LibreOffice 5.0 is the cornerstone of the mobile clients on Android and Ubuntu Touch, as well as the upcoming cloud version. As such, LibreOffice 5.0 serves as the foundation of current developments and is a great platform to extend, innovate and collaborate!” reads the announcement from The Document Foundation.

Jolla Tablet – First Batch out of Factory

Last week was very busy for Jolla, but a few issues delaying the process by a couple of days were caught up on during the weekend by hard working Sailors. The first batch of Jolla Tablets is now complete and is said to look great! This batch is a pre-production batch delivered to selected developers and internal test personnel.

On July 27th all the components were ready to be mounted on the circuit boards in China. All that was missing was the circuit boards themselves, as the flight delivering them was delayed by a couple of hours. This delay was short, and assembling the boards was started as planned without major issues.

Earlier delays with material preparation and board delivery forced Jolla to agree on a new schedule with the assembly factory. On July 30th, the circuit boards were tested and the batch was sent to the factory to be assembled on the next day. A surprise came with the glue machine: display assembly wasn’t possible

White House Petition to use FOSS whenever possible

We believe that the federal government, for the security of the information it manages and the efficient allocation of the public’s funds, should divest itself of costly proprietary software contracts wherever possible.

Healthcare.gov’s initial failings had much to do with the old, proprietary infrastructure that government contracting details required the application be built on. The US Navy recently spent considerable amounts of taxpayer money to extend support for Windows XP and Office 2003, both inherently obsolete and insecure.

Use of proprietary software costs our taxpayers needless money. It’s become clear that governments such as those of the UK and much of the European Union can adopt open source software and be better off for it. We should join them.

Feedback:

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com


The post Level Up Your LAN | LAS 377 first appeared on Jupiter Broadcasting.

I’ll Fix Everything | BSD Now 101 https://original.jupiterbroadcasting.net/86142/ill-fix-everything-bsd-now-101/ Thu, 06 Aug 2015 10:10:54 +0000 https://original.jupiterbroadcasting.net/?p=86142

The post I'll Fix Everything | BSD Now 101 first appeared on Jupiter Broadcasting.


Coming up this week, we’ll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like “what would you like to see in FreeBSD?” and hundreds of responses, well, we’ve got a lot to cover…


– Show Notes: –

Headlines

OpenBSD, from distribution to project

  • Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
  • It’s the third part of his ongoing series of posts about OpenBSD removing large bits of code in favor of smaller replacements
  • In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl, etc.)
  • After importing new updates every release cycle, they eventually hit a transitional phase – things were updated, but nothing new was imported
  • When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
  • In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
  • More discussion on HN and reddit

Remote ZFS mirrors, the hard way

  • Backups to “the cloud” have become a hot topic in recent years, but most of them require trade-offs between convenience and security
  • You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren’t without some compromise
  • As the author puts it: “We don’t need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we’ll-deletes, or any of the noise that comes with using someone else’s infrastructure.”
  • This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
  • The end result is an automatic system for incremental backups that’s backed (pun intended) by ZFS
  • If you’re serious about keeping your important data safe and sound, you’ll want to give this one a read – lots of detailed instructions

Various DragonFlyBSD updates

  • The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
  • Intel ValleyView graphics support was finally committed to the main repository
  • While on the topic of graphics, they’ve also issued a call for testing for a DRM update (matching Linux 3.16’s and including some more Broadwell fixes)
  • Their base GCC compiler is also now upgraded to version 5.2
  • If your hardware supports it, DragonFly will now use an accelerated console by default

QuakeCon runs on OpenBSD

  • QuakeCon, everyone’s favorite event full of rocket launchers, recently gave a mini-tour of their network setup
  • For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
  • In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
  • He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
  • There’s also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
  • Follow-up questions can be asked in this reddit thread
  • The host doesn’t seem to be that familiar with the topics at hand, mentioning “OpenPF” multiple times among other things, so our listeners should get a kick out of it

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

Rethinking ways to improve FreeBSD


News Roundup

CII contributes to OpenBSD

  • If you recall back to when we talked to the OpenBSD foundation, one of the things Ken mentioned was the Core Infrastructure Initiative
  • In a nutshell, it’s an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
  • The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
  • To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they’ve just made a large donation to the foundation – this makes them the first “platinum” level donor as well
  • While the exact amount wasn’t disclosed, it was somewhere between $50,000 and $100,000
  • The donation comes less than a month after Microsoft’s big donation, so it’s good to see these large organizations helping out important open source projects that we depend on every day

Another BSDCan report

  • The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
  • In his report, he mainly covers the devsummit and some discussion with the portmgr team
  • One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch – Mark talks a bit about this as well
  • He also gives his thoughts on using QEMU for cross-compiling packages and network performance testing

Lumina 0.8.6 released

  • The PC-BSD team has released another version of Lumina, their BSD-licensed desktop environment
  • This is mainly a bugfix and performance improvement release, rather than one with lots of new features
  • The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
  • Lots of non-English translation updates and assorted fixes are included as well
  • If you haven’t given it a try yet, or maybe you’re looking for a new window manager, Lumina runs on all the BSDs

More c2k15 hackathon reports

  • Even more reports from OpenBSD’s latest hackathon are starting to pour in
  • The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
  • He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
  • Second up is Andrew Fresh, who went without any specific plans, but still ended up getting some UTF8 work done
  • On the topic of ARMv7, “I did enjoy being there when things weren’t working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn’t much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon.”
  • Florian Obser sent in a report that includes a little bit of everything: setting up the hackathon’s network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food
  • Paul Irofti wrote in as well about his activities, which were mainly focused on the Octeon CPU architecture
  • He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification
  • This means that, going forward, OpenBSD will have out-of-the-box support for any flash memory device (often the case for MIPS and ARM-based embedded devices)

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post I'll Fix Everything | BSD Now 101 first appeared on Jupiter Broadcasting.

]]>
Spy vs MSpy | TechSNAP 216 https://original.jupiterbroadcasting.net/82967/spy-vs-mspy-techsnap-216/ Thu, 28 May 2015 08:36:33 +0000 https://original.jupiterbroadcasting.net/?p=82967 Spyware creator mSpy hacked, find out why this breach is particularly egregious, what’s wrong with pcap & why RSA’s death has been greatly exaggerated. Plus a great batch of questions, a rocking round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 […]

The post Spy vs MSpy | TechSNAP 216 first appeared on Jupiter Broadcasting.

]]>


Spyware creator mSpy hacked, find out why this breach is particularly egregious, what’s wrong with pcap & why RSA’s death has been greatly exaggerated.

Plus a great batch of questions, a rocking round up & much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

What is wrong with pcap filters

  • pcap filters are the language used to filter packet captures, and is used by tcpdump, wireshark and the like
  • This post is an attempt to look at some classes of problems that the pcap filtering language fails on, why those deficiencies exist, and why I continue using it even despite the flaws.
  • It also includes a link to a video about the history of pcap
  • Just to be clear, libpcap is an amazing piece of software. It was originally written for one purpose, and it really is my fault that I end up too often using it for a different one.
  • pcap is a usermode implementation of BPF, allowing
  • BPF (Berkeley Packet Filter) is a UNIX interface that allows an application to read and write raw packets
  • In addition to providing the interface to get raw packets into an application (like tcpdump) so you can read them, it also has the ability to filter the packets, so you only have to read the ones you care about
  • This is especially important when there are gigabits per second of traffic flowing back and forth
  • BPF Internals – Part 1
  • Why We Need eBPF
  • Towards Faster Trace Filters using eBPF and JIT

Mobile Spyware Maker mSpy Hacked, Customer Data Leaked

  • mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked.
  • Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.”
  • KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor.
  • The Tor-based site hosts several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software.
  • The message left by the unknown hackers who’ve claimed responsibility for this intrusion suggests that the data dump includes information on more than 400,000 users, including Apple IDs and passwords, tracking data, and payment details on some 145,000 successful transactions.
  • There is a crazy amount of personal and sensitive data in this cache, including photos, calendar data, corporate email threads, and very private conversations. Also included in the data dump are thousands of support request emails from people around the world who paid between $8.33 to as much as $799 for a variety of subscriptions to mSpy’s surveillance software.
  • U.S. regulators and law enforcers have taken a dim view of companies that offer mobile spyware services like mSpy. In September 2014, U.S. authorities arrested a 31-year-old Hammad Akbar, the CEO of a Lahore-based company that makes a spyware app called StealthGenie. The FBI noted that while the company advertised StealthGenie’s use for “monitoring employees and loved ones such as children,” the primary target audience was people who thought their partners were cheating. Akbar was charged with selling and advertising wiretapping equipment.
  • mSpy Denies Breach, Even as Customers Confirm I
  • Child spy firm hit by blackmailers – BBC News

About the supposed factoring of a 4096 bit RSA key

  • Last week a blog was posted claiming to have published the factoring of a 4096-bit RSA key
  • “The key in question was the PGP key of a well-known Linux kernel developer.”
  • The author of the rebuttal post thinks that the researchers are mistaken
  • He thinks this because he once believed he had factored the same key, but then found out otherwise.
  • A little background:
    • “RSA public keys consist of two values called N and e. The N value, called the modulus, is the interesting one here. It is the product of two very large prime numbers. The security of RSA relies on the fact that these two numbers are secret. If an attacker would be able to gain knowledge of these numbers he could use them to calculate the private key. That’s the reason why RSA depends on the hardness of the factoring problem. If someone can factor N he can break RSA. For all we know today factoring is hard enough to make RSA secure (at least as long as there are no large quantum computers).”
    • “Now imagine you have two RSA keys, but they have been generated with bad random numbers. They are different, but one of their primes is the same. That means we have N1=pq1 and N2=pq2. In this case RSA is no longer secure, because calculating the greatest common divisor (GCD) of two large numbers can be done very fast with the euclidean algorithm, therefore one can calculate the shared prime value.”
  • “PGP keyservers have been around since quite some time and they have a property that makes them especially interesting for this kind of research: They usually never delete anything. You can add a key to a keyserver, but you cannot remove it, you can only mark it as invalid by revoking it. Therefore using the data from the keyservers gives you a large set of cryptographic keys.”
  • He noticed that some keys appeared to contain subkeys that are near identical copies of a valid subkey, but with tiny errors
  • “I don’t know how they appear on the key servers, I assume they are produced by network errors, harddisk failures or software bugs. It may also be that someone just created them in some experiment.”
  • “The important thing is: Everyone can generate a subkey to any PGP key and upload it to a key server. That’s just the way the key servers work. They don’t check keys in any way. However these keys should pose no threat to anyone. The only case where this could matter would be a broken implementation of the OpenPGP key protocol that does not check if subkeys really belong to a master key.”
  • “However you won’t be able to easily import such a key into your local GnuPG installation. If you try to fetch this faulty sub key from a key server GnuPG will just refuse to import it. The reason is that every sub key has a signature that proves that it belongs to a certain master key. For those faulty keys this signature is obviously wrong.”
  • “Now here’s my personal tie in to this story: Last year I started a project to analyze the data on the PGP key servers. And at some point I thought I had found a large number of vulnerable PGP keys – including the key in question here. In a rush I wrote a mail to all people affected. Only later I found out that something was not right and I wrote to all affected people again apologizing. Most of the keys I thought I had found were just faulty keys on the key servers.”
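The shared-prime weakness described above (N1 = p·q1 and N2 = p·q2 with the same p), as an added example that is not code from the post or the rebuttal: a pairwise GCD scan over constructed toy moduli (small primes near 10^4, not real key material), recovery of the private exponent from the shared factor, and an independently generated key that survives the scan.

```python
from math import gcd

# Constructed toy RSA keys (small primes near 10^4, NOT real key material).
# N1 and N2 were "generated with bad random numbers" and share the prime P;
# N3 was generated independently and shares nothing with them.
P, Q1, Q2 = 10007, 10037, 10039
Q3, Q4 = 10061, 10067
E = 65537                     # the usual public exponent

N1 = P * Q1                   # N1 = p * q1
N2 = P * Q2                   # N2 = p * q2  (same p as N1)
N3 = Q3 * Q4                  # unrelated key


def find_shared_primes(moduli):
    """Pairwise GCD scan over a list of RSA moduli.

    Returns a list of (i, j, p) for every pair whose moduli share a prime
    factor p. Euclid's algorithm makes each gcd() cheap even on 4096-bit
    numbers; the cost is the number of pairs, so a keyserver-scale scan
    would use a batch-GCD product tree instead of this O(n^2) loop.
    """
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            # g == 1: no shared prime.  g == N: a duplicate key, not a
            # factorisation.  Anything in between is a shared prime.
            if 1 < g < moduli[i] and g < moduli[j]:
                hits.append((i, j, g))
    return hits


def private_exponent(n, e, p):
    """Given modulus n, public exponent e and one prime factor p,
    compute the private exponent d = e^-1 mod phi(n)."""
    q = n // p
    assert p * q == n, "p does not divide n"
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)    # modular inverse (Python 3.8+)


def rsa_decrypt(n, d, ciphertext):
    """Textbook RSA: m = c^d mod n (no padding; demo only)."""
    return pow(ciphertext, d, n)


def demo():
    """Scan the three keys, recover the private key of every hit and
    decrypt a test message with it.

    Returns (hits, recovered), where recovered maps modulus -> plaintext,
    so the outcome can be checked without reading stdout."""
    moduli = [N1, N2, N3]
    message = 123456          # constructed plaintext, smaller than every N
    hits = find_shared_primes(moduli)
    recovered = {}
    for i, j, p in hits:
        for idx in (i, j):
            n = moduli[idx]
            d = private_exponent(n, E, p)
            c = pow(message, E, n)          # encrypt with the public key
            recovered[n] = rsa_decrypt(n, d, c)
    return hits, recovered


if __name__ == "__main__":
    hits, recovered = demo()
    print("shared primes:", hits)          # [(0, 1, 10007)]
    print("keys broken:", list(recovered))  # N1 and N2, never N3
```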

Feedback:


Round Up:



]]>
SMBTrapped in Microsoft | TechSNAP 210 https://original.jupiterbroadcasting.net/80632/smbtrapped-in-microsoft-techsnap-210/ Thu, 16 Apr 2015 19:01:23 +0000 https://original.jupiterbroadcasting.net/?p=80632 Researchers find an 18-year-old bug in Windows that’s rather nasty, we’ve got the details. A new perspective on the bug bounty arms race & the security impact of Wifi on a plane. Plus great feedback, a bursting round up & much much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: […]

The post SMBTrapped in Microsoft | TechSNAP 210 first appeared on Jupiter Broadcasting.

]]>


Researchers find an 18-year-old bug in Windows that’s rather nasty, we’ve got the details. A new perspective on the bug bounty arms race & the security impact of Wifi on a plane.

Plus great feedback, a bursting round up & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Cylance finds “SPEAR” a new spin on an 18 year old Windows vulnerability

  • In 1997 Aaron Spangler discovered a flaw in Windows
  • By causing a user to navigate to a file://1.2.3.4/ URL in Internet Explorer, the user’s Windows credentials would be sent to the remote server in an attempt to log in to it
  • “Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password”
  • “It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network.”
  • “Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability”
  • “Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.”
  • “Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.”
  • “While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”
  • “Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 — either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps.”
  • “Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”
  • Cylance Whitepaper (PDF)

Given enough money, all bugs are shallow

  • Eric Raymond, in The Cathedral and the Bazaar, famously wrote: “Given enough eyeballs, all bugs are shallow.”
  • “The idea is that open source software, by virtue of allowing anyone and everyone to view the source code, is inherently less buggy than closed source software. He dubbed this “Linus’s Law”.”
  • “However, the Heartbleed SSL vulnerability was a turning point for Linus’s Law, a catastrophic exploit based on a severe bug in open source software. How catastrophic? It affected about 18% of all the HTTPS websites in the world, and allowed attackers to view all traffic to these websites, unencrypted… for two years.”
  • “OpenSSL, the library with this bug, is one of the most critical bits of Internet infrastructure the world has – relied on by major companies to encrypt the private information of their customers as it travels across the Internet. OpenSSL was used on millions of servers and devices to protect the kind of important stuff you want encrypted, and hidden away from prying eyes, like passwords, bank accounts, and credit card information.”
  • “This should be some of the most well-reviewed code in the world. What happened to our eyeballs, man?”
  • “In reality, it’s generally very, very difficult to fix real bugs in anything but the most trivial Open Source software. I know that I have rarely done it, and I am an experienced developer. Most of the time, what really happens is that you tell the actual programmer about the problem and wait and see if he/she fixes it”
  • “Even if a brave hacker communities to read the code, they’re not terribly likely to spot one of the hard-to-spot problems. Why? Few open source hackers are security experts”
  • “There’s a big difference between usage eyeballs and development eyeballs.”
  • “Most eyeballs are looking at the outside of the code, not the inside. And while you can discover bugs, even important security bugs, through usage, the hairiest security bugs require inside knowledge of how the code works.”
  • Peer reviewing code is a lot harder than writing code.
  • “The amount of code being churned out today – even if you assume only a small fraction of it is “important” enough to require serious review – far outstrips the number of eyeballs available to look at the code”
  • “There are not enough qualified eyeballs to look at the code. Sure, the overall number of programmers is slowly growing, but what percent of those programmers are skilled enough, and have the right security background, to be able to audit someone else’s code effectively? A tiny fraction”
  • “But what’s the long term answer to the general problem of not enough eyeballs on open source code? It’s something that will sound very familiar to you, though I suspect Eric Raymond won’t be too happy about it.”
  • “Money. Lots and lots of money.”
  • “Increasingly, companies are turning to commercial bug bounty programs. Either ones they create themselves, or run through third party services like Bugcrowd, Synack, HackerOne, and Crowdcurity. This means you pay per bug, with a larger payout the bigger and badder the bug is.”
  • However, adding more money to the equation might actually make things worse
  • “There’s now a price associated with exploits, and the deeper the exploit and the lesser known it is, the more incentive there is to not tell anyone about it until you can collect a major payout. So you might wait up to a year to report anything, and meanwhile this security bug is out there in the wild – who knows who else might have discovered it by then?”
  • “If your focus is the payout, who is paying more? The good guys, or the bad guys? Should you hold out longer for a bigger payday, or build the exploit up into something even larger? I hope for our sake the good guys have the deeper pockets, otherwise we are all screwed.”
  • I like that Google addressed a few of these concerns by making Pwnium, their Chrome specific variant of Pwn2Own, a) no longer a yearly event but all day, every day and b) increasing the prize money to “infinite”. I don’t know if that’s enough, but it’s certainly going in the right direction.
  • “Money turns security into a “me” goal instead of an “us” goal”
  • “Am I now obligated, on top of providing a completely free open source project to the world, to pay people for contributing information about security bugs that make this open source project better? Believe me, I was very appreciative of the security bug reporting, and I sent them whatever I could, stickers, t-shirts, effusive thank you emails, callouts in the code and checkins. But open source isn’t supposed to be about the money… is it?”
  • “Easy money attracts all skill levels — The submitter doesn’t understand what is and isn’t an exploit, but knows there is value in anything resembling an exploit, so submits everything they can find.”
  • “But I have some advice for bug bounty programs, too”:
  • “You should have someone vetting these bug reports, and making sure they are credible, have clear reproduction steps, and are repeatable, before we ever see them.”
  • “You should build additional incentives in your community for some kind of collaborative work towards bigger, better exploits. These researchers need to be working together in public, not in secret against each other”.
  • “You should have a reputation system that builds up so that only the better, proven contributors are making it through and submitting reports”.
  • “Encourage larger orgs to fund bug bounties for common open source projects, not just their own closed source apps and websites. At Stack Exchange, we donated to open source projects we used every year. Donating a bug bounty could be a big bump in eyeballs on that code.”

FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen

  • The Federal Aviation Administration (FAA) faces cybersecurity challenges in at least three areas:
  • (1) protecting air-traffic control (ATC) information systems,
  • (2) protecting aircraft avionics used to operate and guide aircraft
  • (3) clarifying cybersecurity roles and responsibilities among multiple FAA offices
  • “FAA has taken steps to protect its ATC systems from cyber-based threats; however, significant security-control weaknesses remain that threaten the agency’s ability to ensure the safe and uninterrupted operation of the national airspace systems”
  • “Modern aircraft are increasingly connected to the Internet. This interconnectedness can potentially provide unauthorized remote access to aircraft avionics systems. As part of the aircraft certification process, FAA’s Office of Safety (AVS) currently certifies new interconnected systems through rules for specific aircraft and has started reviewing rules for certifying the cybersecurity of all new aircraft systems.”
  • “FAA officials and experts we interviewed said that modern aircraft are also increasingly connected to the Internet, which also uses IP-networking technology and can potentially provide an attacker with remote access to aircraft information systems. According to cybersecurity experts we interviewed, Internet connectivity in the cabin should be considered a direct link between the aircraft and the outside world, which includes potential malicious actors. FAA officials and cybersecurity and aviation experts we spoke to said that increasingly passengers in the cabin can access the Internet via onboard wireless broadband systems.”
  • “Four cybersecurity experts with whom we spoke discussed firewall vulnerabilities, and all four said that because firewalls are software components, they could be hacked like any other software and circumvented. The experts said that if the cabin systems connect to the cockpit avionics systems (e.g., share the same physical wiring harness or router) and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin. The presence of personal smartphones and tablets in the cockpit increases the risk of a system’s being compromised by trusted insiders, both malicious and non-malicious, if these devices have the capability to transmit information to aircraft avionics systems”
  • One would hope that the cockpit avionics are separated from the onboard entertainment and wifi systems by more than just a firewall. Even if they are not, a properly configured firewall is very difficult to compromise.
  • Additional Coverage – BatBlue
  • It seems that the authors of this report were not experts on the subject, and when interviewing experts on the topic, they asked questions like “is there any way to get around a firewall”

Feedback:


Round Up:



]]>
The Deepin Review | Linux Action Show 348 https://original.jupiterbroadcasting.net/75737/the-deepin-review-linux-action-show-348/ Sun, 18 Jan 2015 16:07:02 +0000 https://original.jupiterbroadcasting.net/?p=75737 Deepin Linux might just be one of the freshest takes on the desktop this year. We review this compelling Ubuntu based alternative. Plus: The Steam bug that leaves you fresh and clean, some great new open source releases, goodbye Photoshop… AND SO MUCH MORE! All this week on, The Linux Action Show! Thanks to: Get […]

The post The Deepin Review | Linux Action Show 348 first appeared on Jupiter Broadcasting.

]]>


Deepin Linux might just be one of the freshest takes on the desktop this year. We review this compelling Ubuntu based alternative.

Plus: The Steam bug that leaves you fresh and clean, some great new open source releases, goodbye Photoshop…

AND SO MUCH MORE!

All this week on, The Linux Action Show!

Thanks to:


DigitalOcean


Ting

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:


— Show Notes: —

Deepin

Fast, Elegant and easy to use. Deepin currently runs on millions of desktop and laptop computers around the world.


System76

Brought to you by: System76


deepin @linux_deepin

Official Twitter Account for Deepin. Deepin, Worth the Diggin’!

Deepin Software Center


Deepin Software Center, aka DSC, is one of the most talked about applications of Linux Deepin. Installing new applications is just a one-click operation. DSC supports parallel downloading, resuming downloads, update notification and cache cleaning. DSC also comes with colorful skins that can be swapped as your mood changes.

Deepin Desktop Environment


Similar to other projects Deepin went ahead and developed their own Shell which was simply called Deepin Desktop Environment. DDE is based on HTML5 and WebKit and uses a mix of QML and Go Language for different components. Core components of DDE include the desktop itself, the brand new launcher, bottom Dock, and the control center.

Release Cycle

The release cycle of deepin new versions has been changed from twice a year (in June and in December) to four times a year, including two new versions and two amended versions, for example, Deepin 2014.1 is the amended version of Deepin 2014.


— PICKS —

Runs Linux

Mars One, Runs Linux.

Time was covering the Mars One project and apparently most if not all of their PCs could be running Ubuntu. I can’t tell if it is 12.04 or 14.04 as Ubuntu looks the same; you have to pause the video as it moves by fast. Here are the Time URLs for the video. I hope Ubuntu becomes the first distro on Mars, especially before Arch, XD

Video snaps:

Desktop App Pick

StarFaux

StarFaux

Remake of Star Fox for SNES using OpenGL/GLUT

Weekly Spotlight

Douane: Linux personal firewall with per application rule controls


Douane is a personal firewall that protects a user’s privacy by allowing a user to control which applications can connect to the internet from their GNU/Linux computer.

Our Past Picks

These are the weekly picks provided by the Jupiter Broadcasting podcast, the Linux Action Show.

This site includes separate picks lists for the “Runs Linux”, Desktop Apps, Spotlight Picks, Android Picks, and Distro Picks.


— NEWS —

Moving the Steam folder on Linux is causing users’ entire file systems to be deleted


Users of Steam on GNU/Linux are reporting that attempting to move the Steam folder – something that the GNU/Linux Steam installer doesn’t allow you to set at the time of installation – is leading to everything able to be deleted being deleted recursively from root. First entered as a bug report by the Github user keyvin, he explained how he tried to move the directory somewhere else and symlink it to the original location. In almost every use case under the Sun, this usually works without too many problems. Unfortunately for keyvin, however, a bug in Steam proceeded to delete everything it was able to on his computer – even the content on his 3TB external storage.

‘Goodbye Photoshop’ and ‘Hello Krita’ at University Paris 8

The ATI (Art and Technology of Image) department at University Paris 8 is switching to Krita this year. This department has the double aim to train students both to use graphic software (2D, 3D, VFX and Compositing) and to code their own (Python, C#, C++). Until recently the classes used only Adobe Photoshop, but because of inadequate support from the company the department decided to replace that.

Xonotic 0.8 Release

Three new maps

Today we are very excited to give you the next iteration of Xonotic, the free and fast arena shooter. Yep, you guessed it: Xonotic 0.8.0 is out! This version is the culmination of months of effort from many individuals from across the globe. It contains improvements in just about all visible aspects of the game and onto the web. There are new menu screens, gameplay features, and a much-anticipated new weapon: the Arc! We’re excited for what the future holds, and we hope to see you out on the servers soon. Happy fragging!


— FEEDBACK —

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— MATT’S STASH —

Find us on Google+

Find us on Twitter

Follow the network on Facebook

Catch the show LIVE Sunday 10am Pacific / 1pm Eastern / 6pm UTC:


]]>
Common *Sense Approach | BSD Now 72 https://original.jupiterbroadcasting.net/75627/common-sense-approach-bsd-now-72/ Thu, 15 Jan 2015 12:55:22 +0000 https://original.jupiterbroadcasting.net/?p=75627 This week on the show, we’ll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We’ll learn some of the backstory and see what they’ve got planned for the future. We’ve also got all this week’s news and answers to all your emails, on BSD Now – the […]

The post Common *Sense Approach | BSD Now 72 first appeared on Jupiter Broadcasting.

]]>


This week on the show, we’ll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We’ll learn some of the backstory and see what they’ve got planned for the future. We’ve also got all this week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

Be your own VPN provider with OpenBSD

  • We’ve covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past – but what if you don’t trust any VPN company?
  • It’s easy for anyone to say “of course we don’t run a modified version of OpenVPN that logs all your traffic… what are you talking about?”
  • The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
  • With this guide, you’ll be able to cut out the middleman and create your own VPN, using OpenBSD
  • It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN

FreeBSD vs Gentoo comparison

  • People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
  • This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
  • The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
  • If you’re a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more

Kernel W^X in OpenBSD

  • W^X, “Write XOR Execute,” is a security feature of OpenBSD with a rather strange-looking name
  • It’s meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
  • This helps blunt some types of buffer overflow exploits: code injected into a writable page won’t execute, but will crash the program instead (quite obviously the lesser of the two evils)
  • Through some recent work, OpenBSD’s kernel now has no part of the address space without this feature – whereas it was only enabled in the userland previously
  • Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that’s been in the works for a while
  • More technical details can be found in some recent CVS commits

Building an IPFW-based router

  • We’ve covered building routers with PF many times before, but what about IPFW?
  • A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something FreeBSD-based
  • In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
  • He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
  • If you’re an IPFW fan and are thinking about putting together a new router, give this post a read

Interview – Jos Schellevis – project@opnsense.org / @opnsense

The birth of OPNsense


News Roundup

On profiling HTTP

  • Adrian Chadd, who we’ve had on the show before, has been doing some more ultra-high performance testing
  • Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
  • According to him, it’s “not very pretty”
  • He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
  • You can check out his new code on GitHub right now

Using divert(4) to reduce attacks

  • We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
  • It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you’re running
  • PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won’t work
  • The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
  • Consider setting this up to reduce the attack spam in your logs if you run public services
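A minimal pf.conf sketch of the two mechanisms the item above mentions, PF’s own rate limiting for rapid hits and a pre-built blocklist table for the slow ones, as an added example that is not from the linked post; the interface name, table file path and 5-connections-per-30-seconds threshold are assumptions.

```pf
# Constructed example: PF rules combining a static blocklist table with
# PF's built-in rate limiting. Interface, file path and thresholds are
# assumptions, not values from the article.
ext_if = "em0"

# Addresses already known to be abusive, loaded from a file (for example
# exported from a DNS blocklist) so the table survives a ruleset reload.
table <blocklist> persist file "/etc/pf/blocklist.txt"

# Filled automatically by the overload rule below.
table <bruteforce> persist

# Drop traffic from both tables early, logging it so hits stay visible.
block in quick log on $ext_if from { <blocklist>, <bruteforce> }

# Allow SSH, but any source opening more than 5 new connections in
# 30 seconds is added to <bruteforce> and its existing states are flushed.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Old entries can be expired from cron with `pfctl -t bruteforce -T expire 86400`; a source that probes slowly, staying under the rate, never trips this rule, which is exactly the gap the blocklist table fills.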

ChaCha20 patchset for GELI

  • A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
  • There are also some benchmarks that look pretty good in terms of performance
  • Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
  • There’s some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet

PCBSD update system enhancements

  • The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
  • You can choose what parts of your system you want to let it automatically handle (packages, security updates)
  • There’s also a new graphical frontend available for it
  • The update system uses ZFS + Boot Environments for safe updating and bypasses some dubious pkgng functionality

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Common *Sense Approach | BSD Now 72 first appeared on Jupiter Broadcasting.
