gateway – Jupiter Broadcasting

Insecurity Appliance | TechSNAP 245 https://original.jupiterbroadcasting.net/91681/insecurity-appliance-techsnap-245/ Thu, 17 Dec 2015 19:45:41 +0000

The post Insecurity Appliance | TechSNAP 245 first appeared on Jupiter Broadcasting.



Meet BOOTRASH, the malware that executes before your OS does; the hard questions you need to ask when buying a security appliance; and Project Zero finds flaws in FireEye hardware.

Plus some great audience questions, a big round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems


— Show Notes: —

BOOTRASH malware executes before your OS does

  • “Researchers at FireEye spotted the financial threat group FIN1 targeting payment card data using sophisticated malware dubbed “BOOTRASH” that executes before the operating system boots.”
  • The malware only works against MBR-partitioned disks; if it detects a GPT disk it simply exits
  • It backs up the original VBR (Volume Boot Record, the boot code at the start of the partition, which is called by the boot code installed in the MBR) to a different location on the disk
  • It finds free space between partitions or at the end of the disk and uses it to create its own tiny virtual file system, where the actual malware components are stored
  • Additional files and resources are encoded into a registry hive, so nothing is left on the regular file system. All that exists is the invisible virtual file system (not listed in the partition table, hiding in unused space) and some opaque blobs of encoded binary in the registry
  • “As previously discussed, during a normal boot process the MBR loads the VBR, which loads the operating system code. However, during the hijacked boot process, the compromised system’s MBR will attempt to load the boot partition’s VBR, which has been overwritten with the malicious BOOTRASH bootstrap code. This code loads the Nemesis bootkit components from the custom virtual file system. The bootkit then passes control to the original boot sector, which was saved to a different location on disk during the installation process. From this point the boot process continues with the loading and executing of the operating system software.”
  • “The bootkit intercepts several system interrupts to assist with the injection of the primary Nemesis components during the boot process. The bootkit hijacks the BIOS interrupt responsible for miscellaneous system services and patches the associated Interrupt Vector Table entry so it can intercept memory queries once the operating system loader gains control. The bootkit then passes control to the original VBR to allow the boot process to continue. While the operating system is being loaded, the bootkit also intercepts the interrupt and scans the operating system loader memory for a specific instruction that transfers the CPU from real mode to protected mode. This allows the bootkit to patch the Interrupt Descriptor Table each time the CPU changes from real mode to protected mode. This patch involves a modified interrupt handler that redirects control to the bootkit every time a specific address is executed. This is what allows the bootkit to detect and intercept specific points of the operating system loader execution and inject Nemesis components as part of the normal kernel loading.”
  • So it dynamically replaces pieces of kernel code with its own, making it a very hard-to-detect rootkit, since it is injected before the kernel is even loaded (hence the name: bootkit)
  • Researcher Blog
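The disk layout changes described above (the VBR relocated to unallocated space, a hidden virtual file system in slack no partition claims) are exactly what an offline disk check can look for. The following is an added example, not FireEye's tooling and not the bootkit's code: it parses the MBR partition table, lists the sector ranges no partition owns, hashes the active partition's VBR against a known-good SHA-256 and flags unallocated ranges that contain non-zero data. The disk image, the baseline hash and the `simulate_bootrash` stand-in for the installer's disk changes are all constructed here.

```python
import hashlib
import struct

SECTOR = 512


def parse_mbr(image):
    """Parse the four primary entries of the partition table at MBR offset 446.
    Each entry is status(1) CHS(3) type(1) CHS(3) lba_start(4) sectors(4), little-endian."""
    mbr = image[:SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        if ptype != 0 and count != 0:
            entries.append((status, ptype, lba, count))
    return entries


def is_gpt(entries):
    """A protective MBR has a single 0xEE entry; BOOTRASH gives up on such disks."""
    return any(ptype == 0xEE for _, ptype, _, _ in entries)


def unallocated_ranges(entries, disk_sectors):
    """Sector ranges [start, end) claimed by no partition: the gap after the MBR,
    slack between partitions and the tail of the disk, where a hidden VFS could live."""
    gaps, cursor = [], 1
    for start, end in sorted((lba, lba + n) for _, _, lba, n in entries):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < disk_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def active_vbr(image, entries):
    """First sector of the bootable (status 0x80) partition, i.e. the VBR the MBR code jumps to."""
    for status, _, lba, _ in entries:
        if status == 0x80:
            return bytes(image[lba * SECTOR:(lba + 1) * SECTOR])
    return None


def scan(image, known_good_vbr_sha256):
    entries = parse_mbr(image)
    gaps = unallocated_ranges(entries, len(image) // SECTOR)
    vbr = active_vbr(image, entries)
    return {
        "gpt": is_gpt(entries),
        "gaps": gaps,
        "vbr_ok": vbr is not None and hashlib.sha256(vbr).hexdigest() == known_good_vbr_sha256,
        # any non-zero byte in space no partition owns deserves a look
        "suspicious_gaps": [(s, e) for s, e in gaps if any(image[s * SECTOR:e * SECTOR])],
    }


def build_test_image():
    """Constructed 512 KiB disk: an active partition at LBA 64 (256 sectors) and a
    second one at LBA 400 (500 sectors), leaving slack at 1-64, 320-400 and 900-1024."""
    img = bytearray(1024 * SECTOR)
    for i, entry in enumerate([(0x80, 0x07, 64, 256), (0x00, 0x07, 400, 500)]):
        struct.pack_into("<B3xB3xII", img, 446 + 16 * i, *entry)
    img[510:512] = b"\x55\xaa"
    good_vbr = b"\xeb\x52\x90NTFS    " + bytes(SECTOR - 13) + b"\x55\xaa"  # NTFS-style VBR stub
    img[64 * SECTOR:65 * SECTOR] = good_vbr
    return bytes(img), hashlib.sha256(good_vbr).hexdigest()


def simulate_bootrash(image):
    """Stand-in for the installer's disk changes (not the real malware): copy the original
    VBR into tail slack and overwrite the VBR with a stub that would chain-load from there."""
    img = bytearray(image)
    lba = next(l for s, _, l, _ in parse_mbr(img) if s == 0x80)
    img[950 * SECTOR:951 * SECTOR] = img[lba * SECTOR:(lba + 1) * SECTOR]
    img[lba * SECTOR:(lba + 1) * SECTOR] = b"\xeb\xfe" + bytes(SECTOR - 4) + b"\x55\xaa"
    return bytes(img)


if __name__ == "__main__":
    image, baseline = build_test_image()
    print("clean:   ", scan(image, baseline))
    print("hijacked:", scan(simulate_bootrash(image), baseline))
```

Two practical caveats: on Linux hosts the gap after the MBR normally holds GRUB's core.img, so baseline the gap contents from a known-clean image of the same build rather than expecting zeros; and because a running bootkit sits below the kernel, run this against an image acquired offline, not through the infected OS.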

“A decisionmaker’s guide to buying security appliances and gateways”

  • “With the prevalence of targeted “APT-style” attacks and the business risks of data breaches reaching the board level, the market for “security appliances” is as hot as it has ever been. Many organisations feel the need to beef up their security – and vendors of security appliances offer a plethora of content-inspection / email-security / anti-APT appliances, along with glossy marketing brochures full of impressive-sounding claims.”
  • This article provides a bit of a guide to help you shop for an appliance that might actually be worth the number of zeros on the price tag
  • “Most security appliances are Linux-based, and use a rather large number of open-source libraries to parse the untrusted data stream which they are inspecting. These libraries, along with the proprietary code by the vendor, form the “attack surface” of the appliance, e.g. the code that is exposed to an outside attacker looking to attack the appliance. All security appliances require a privileged position on the network – a position where all or most incoming and outgoing traffic can be seen. This means that vulnerabilities within security appliances give an attacker a particularly privileged position – and implies that the security of the appliance itself is rather important.”
  • Five questions to ask the vendor of a security appliance
    • What third-party libraries interact directly with the incoming data, and what are the processes to react to security issues published in these libraries?
    • Are all these third-party libraries sandboxed in a sandbox that is recognized as industry-standard? The sandbox Google uses in Chrome and Adobe uses in Acrobat Reader is open-source and has undergone a lot of scrutiny, so have the isolation features of KVM and qemu. Are any third-party libraries running outside of a sandbox or an internal virtualization environment? If so, why, and what is the timeline to address this?
    • How much of the proprietary code which directly interacts with the incoming data runs outside of a sandbox? To what extent has this code been security-reviewed?
    • Is the vendor willing to provide a hard disk image for a basic assessment by a third-party security consultancy? Misconfigured permissions that allow privilege escalation happen all-too often, so basic permissions lockdown should have happened on the appliance.
    • In the case of a breach in your company, what is the process through which your forensics team can acquire memory images and hard disk images from the appliance?
  • Not to mention, in the case of a breach at the vendor, what information could the attacker get about your appliance, your network, or your security? How are the trusted keys protected on the vendor’s network?
    • Bonus Question: Does the vendor publish hashes of the packages they install on the appliance so in case of a forensic investigation it is easy to verify that the attacker has not replaced some?
  • “A vendor that takes their product quality (and hence your data security) seriously will be able to answer these questions, and will be able to confidently state that all third-party parsers and a large fraction of their proprietary code runs sandboxed or virtualized, and that the configuration of the machine has been reasonably locked down – and will be willing to provide evidence for this (for example a disk image or virtual appliance along with permission to inspect).”
  • All of these are very good questions, and I happen to know one vendor who answered these questions in their recent BSDNow interview.
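One way to act on the bonus question, as an added example (not any vendor's tool): a verifier that compares every file under an appliance disk image, mounted read-only on a trusted host, against a vendor-published manifest, reporting files whose hash changed, listed files that are missing, and files the manifest never mentioned. The manifest format (one sha256sum-style line per file), the directory tree, the path names and the tampering are all constructed here.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Assumed manifest format: '<sha256>  <relative path>' per line, as sha256sum prints it."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path.strip()] = digest.lower()
    return manifest


def verify_tree(root, manifest, ignore_prefixes=("var/log/", "var/run/")):
    """Walk root and classify every file. A listed path that has turned into a
    symlink counts as modified; volatile directories can be ignored by prefix."""
    seen = set()
    result = {"modified": [], "missing": [], "unlisted": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            seen.add(rel)
            if rel.startswith(ignore_prefixes):
                continue
            if rel not in manifest:
                result["unlisted"].append(rel)
            elif os.path.islink(full) or sha256_file(full) != manifest[rel]:
                result["modified"].append(rel)
    result["missing"] = sorted(p for p in manifest if p not in seen)
    result["modified"].sort()
    result["unlisted"].sort()
    return result


def demo():
    """Constructed appliance tree in a temp dir: build a manifest, verify, then tamper and verify again."""
    files = {  # hypothetical paths, not any real appliance layout
        "usr/bin/helper": b"\x7fELF content-inspection helper",
        "etc/appliance.conf": b"mode=passive\n",
        "usr/lib/decompiler.jar": b"PK\x03\x04 jar bytes",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        manifest = parse_manifest(
            "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in files.items()))
        before = verify_tree(root, manifest)
        # tamper: trojan the helper, delete the config, drop an implant
        with open(os.path.join(root, "usr/bin/helper"), "wb") as f:
            f.write(b"\x7fELF backdoored helper")
        os.remove(os.path.join(root, "etc/appliance.conf"))
        with open(os.path.join(root, "usr/lib/.implant.so"), "wb") as f:
            f.write(b"evil")
        after = verify_tree(root, manifest)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

Run it from the forensic workstation against the mounted image, never from inside the appliance: a kernel-level implant can lie to any tool running on the compromised box, and the manifest only helps if the vendor signs it and you fetched it out of band.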

Project Zero finds flaws in FireEye security appliance

  • “FireEye sell security appliances to enterprise and government customers. FireEye’s flagship products are monitoring devices designed to be installed at egress points of large networks”
  • The device is connected to a SPAN, MONITOR or MIRROR port, a feature of higher-end switches that copies all traffic from a port or set of ports to another port
  • “The FireEye device then watches all network traffic passively, monitoring common protocols like HTTP, FTP, SMTP, etc, for any transferred files. If a file transfer is detected (for example, an email attachment or a HTTP download) the FireEye extracts the file and scans it for malware.”
  • If the device detects malware, it alerts the security team
  • The device can also be configured in an IPS (Intrusion Prevention System) mode, where it blocks such traffic
  • “For networks with deployed FireEye devices, a vulnerability that can be exploited via the passive monitoring interface would be a nightmare scenario. This would mean an attacker would only have to send an email to a user to gain access to a persistent network tap – the recipient wouldn’t even have to read the email, just receiving it would be enough”
  • If you compromise one of these devices, you are basically sitting on a wiretap of the entire network. These devices are sometimes even installed behind devices that decrypt encrypted traffic, giving you even more access
  • “A network tap is one of the most privileged machines on the network, with access to employee’s email, passwords, downloads, browsing history, confidential attachments, everything. In some deployment configurations an attacker could tamper with traffic, inserting backdoors or worse. Because FireEye devices typically have a secondary internet-connected interface for updates and management, the issue could even be wormable across the internet.”
  • “FireEye have issued a patch for this vulnerability, and customers who have not updated should do so immediately to protect their infrastructure.” Devices with security content release 427.334 and higher have this issue resolved
  • Q. How long did FireEye take to resolve this issue after it was reported?
  • A. FireEye responded very quickly, pushed out temporary mitigations to customers within hours of our report and resolved the issue completely within 2 days.
  • Q. Have FireEye supported your security research?
  • A. Yes, FireEye have been very cooperative. They worked with us closely, provided test equipment, support, and have responded very quickly to any issues we reported.
  • “Project Zero have been evaluating a FireEye NX 7500 appliance, and created a lab to generate sample traffic. The test environment consisted of a workstation with four network interfaces. Two interfaces were connected to a hub, which were used for simulating network traffic. The FireEye passive monitoring interface (called pether3) was connected to a third port on the hub (acting like a mirror port) so that it could observe traffic being exchanged between the two interfaces on the test machine. This simulates an intranet user receiving email or downloading files from the internet.”
  • “The main analyses performed by the FireEye appliance are monitoring for known malicious traffic (blacklisted netblocks, malware domains, snort rules, etc), static analysis of transferred files (antivirus, yara rules, and analysis scripts), and finally tracing the execution of transferred files in instrumented virtual machines. Once an execution trace has been generated, pattern matching against known-bad behaviour is performed.”
  • “The MIP (Malware Input Processor) subsystem is responsible for the static analysis of files, invoking helper programs and plugins to decode various file types. For example, the swf helper invokes flasm to disassemble flash files, the dmg helper invokes p7zip to extract the contents of Mac OS Disk Images and the png helper invokes pngcheck to check for malformed images. The jar helper is used to analyze captured Java Archives, which checks for signatures using jarsigner, then attempts to decompile the contents using an open source Java decompiler called JODE.”
  • The problem is that the JODE decompiler actually executes small pieces of the Java code it is decompiling, in an attempt to deobfuscate it
  • “With some trial and error, we were eventually able to construct a class that JODE would execute, and used it to invoke java.lang.Runtime.getRuntime().exec(), which allows us to execute arbitrary shell commands. This worked during our testing, and we were able to execute commands just by transferring JAR files across the passive monitoring interfaces.”
  • So, just by emailing a .jar file to someone behind this device, the attachment's code ends up running on the security appliance itself, with the ability to execute arbitrary shell commands
  • “As FireEye is shipped with ncat installed by default, creating a connect-back shell is as simple as specifying the command we want and the address of our control server.”
  • “We now have code execution as user mip, the Malware Input Processor. The mip user is already quite privileged, capable of accessing sensitive network data. However, there is a very simple privilege escalation to root”
  • “FireEye have requested additional time to prepare a fix for the privilege escalation component of this attack”
  • “This allows exfiltration of confidential data, tampering with traffic, lateral movement around networks and even self-propagating internet worms.”
  • “If you would like to read more from our series on attacks against security products, we have also published research into ESET, Kaspersky, Sophos, Avast and more, with further research scheduled for release soon.”
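The jar helper hands every captured archive to jarsigner and then to a decompiler that can run code from the archive. A static pre-screen that never executes anything is one layer a sane pipeline would put in front of that step. The following is an added example, not Project Zero's or FireEye's code: it opens a JAR, parses the constant pool of each class file (the JVM class-file header plus the table of Utf8, Class, NameAndType and Methodref entries) and flags any method reference to `java.lang.Runtime.exec` or `ProcessBuilder`. The sample JAR is constructed inline; its class files are truncated after the constant pool, which is all the scanner reads. Reflection and string obfuscation hide such references, so this is triage to prioritise or quarantine, not a substitute for sandboxing the helper.

```python
import io
import struct
import zipfile

# Constant-pool tags from the JVM specification, grouped by entry layout
CONSTANT_Utf8, CONSTANT_Class, CONSTANT_NameAndType = 1, 7, 12
CONSTANT_Methodref, CONSTANT_InterfaceMethodref = 10, 11
TWO_INDEX = {9, 10, 11, 12, 17, 18}   # Fieldref, Methodref, InterfaceMethodref, NameAndType, Dynamic, InvokeDynamic
ONE_INDEX = {7, 8, 16, 19, 20}        # Class, String, MethodType, Module, Package
RAW_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 15: 3}  # Integer, Float, Long, Double, MethodHandle

SUSPICIOUS = {
    ("java/lang/Runtime", "exec"),
    ("java/lang/ProcessBuilder", "<init>"),
    ("java/lang/ProcessBuilder", "start"),
}


def parse_constant_pool(data):
    """Return the constant pool as a 1-indexed list of tuples; nothing is executed."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool, off, i = [None] * count, 10, 1
    while i < count:
        tag = data[off]
        off += 1
        if tag == CONSTANT_Utf8:
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            pool[i] = (tag, data[off:off + n].decode("utf-8", "replace"))  # modified UTF-8; fine for identifiers
            off += n
        elif tag in TWO_INDEX:
            pool[i] = (tag,) + struct.unpack_from(">HH", data, off)
            off += 4
        elif tag in ONE_INDEX:
            pool[i] = (tag,) + struct.unpack_from(">H", data, off)
            off += 2
        elif tag in RAW_SIZE:
            pool[i] = (tag, data[off:off + RAW_SIZE[tag]])
            off += RAW_SIZE[tag]
            if tag in (5, 6):
                i += 1  # Long and Double occupy two pool slots
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {off - 1}")
        i += 1
    return pool


def method_refs(pool):
    """Resolve every Methodref/InterfaceMethodref to (class name, method name)."""
    refs = []
    for entry in pool:
        if entry and entry[0] in (CONSTANT_Methodref, CONSTANT_InterfaceMethodref):
            _, class_idx, nat_idx = entry
            class_name = pool[pool[class_idx][1]][1]   # Class -> Utf8
            method_name = pool[pool[nat_idx][1]][1]   # NameAndType -> name Utf8
            refs.append((class_name, method_name))
    return refs


def scan_jar(jar_bytes):
    """Map each class entry to the suspicious method references it contains."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".class"):
                continue
            try:
                refs = method_refs(parse_constant_pool(zf.read(name)))
            except (ValueError, IndexError, TypeError, struct.error) as e:
                findings[name] = [("<unparseable>", str(e))]  # malformed classes are suspicious too
                continue
            hits = sorted(set(r for r in refs if r in SUSPICIOUS))
            if hits:
                findings[name] = hits
    return findings


def build_class_prefix(cp_entries):
    """Serialize magic, version 52 and a constant pool; enough of a class file for the scanner."""
    out = bytearray(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
    out += struct.pack(">H", len(cp_entries) + 1)
    for e in cp_entries:
        if e[0] == CONSTANT_Utf8:
            b = e[1].encode()
            out += struct.pack(">BH", 1, len(b)) + b
        elif e[0] == CONSTANT_Class:
            out += struct.pack(">BH", 7, e[1])
        else:  # Methodref / NameAndType
            out += struct.pack(">BHH", e[0], e[1], e[2])
    return bytes(out)


def build_sample_jar():
    """Constructed JAR: one class referencing Runtime.exec, one harmless class."""
    dropper = build_class_prefix([(1, "java/lang/Runtime"), (7, 1), (1, "exec"),
                                  (1, "(Ljava/lang/String;)Ljava/lang/Process;"), (12, 3, 4), (10, 2, 5)])
    benign = build_class_prefix([(1, "java/lang/Object"), (7, 1), (1, "<init>"), (1, "()V"), (12, 3, 4), (10, 2, 5)])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Dropper.class", dropper)
        zf.writestr("Hello.class", benign)
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_jar(build_sample_jar()))
```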



May Contain ZFS | BSD Now 102 https://original.jupiterbroadcasting.net/86482/may-contain-zfs-bsd-now-102/ Thu, 13 Aug 2015 10:05:32 +0000

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.



This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
  • It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
  • The PermitRootLogin option gained a new value, “prohibit-password”, which replaces “without-password” (root can log in, but only with keys); it is now the default, so all interactive authentication methods for root are disabled out of the box
  • If you’re using an older configuration file, the “without-password” option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged-in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled
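To see what these deprecations look like against a real config, here is an added example (not from the OpenSSH project): a small sshd_config auditor that reproduces sshd's parsing rules (keywords are case-insensitive, the first value of a keyword wins, everything after the first Match line is conditional) and flags the settings 7.0 disabled or scheduled for removal. Both config samples, the `WEAK_CONFIG`/`HARDENED_CONFIG` names and the rule set are the author's own constructions.

```python
import re

WEAK_CONFIG = """\
# Constructed sample sshd_config, not taken from any real host
Protocol 2,1
PermitRootLogin yes
PermitRootLogin no            # never seen: sshd keeps the first value of a keyword
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Ciphers aes128-cbc,aes256-ctr
MACs hmac-md5,hmac-sha2-256
PubkeyAcceptedKeyTypes ssh-dss,ssh-ed25519
Match User backup
    PermitRootLogin yes
"""

HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin prohibit-password
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-256-etm@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa
"""


def parse_sshd_config(text):
    """Global-scope options as {keyword: first value}, mirroring sshd's first-match rule."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional block: out of scope for a global audit
        opts.setdefault(key, value)
    return opts


def audit_sshd_config(text):
    """Return (keyword, offending value, reason) for each legacy setting found."""
    opts = parse_sshd_config(text)

    def algos(key):
        return [a.strip().lower() for a in opts.get(key, "").split(",") if a.strip()]

    findings = []
    if "1" in opts.get("protocol", "2").split(","):
        findings.append(("protocol", opts["protocol"], "SSHv1 is disabled at compile time in 7.0; drop it"))
    if opts.get("permitrootlogin", "").lower() == "yes":
        findings.append(("permitrootlogin", "yes", "root can log in with a password; use prohibit-password (the 7.0 default) or no"))
    if "diffie-hellman-group1-sha1" in algos("kexalgorithms"):
        findings.append(("kexalgorithms", "diffie-hellman-group1-sha1", "1024-bit group1 KEX is disabled by default in 7.0"))
    for c in algos("ciphers"):
        if c.endswith("-cbc"):
            findings.append(("ciphers", c, "CBC ciphers are scheduled for removal"))
    for m in algos("macs"):
        if "md5" in m:
            findings.append(("macs", m, "MD5 HMACs are scheduled for removal"))
    for key in ("pubkeyacceptedkeytypes", "hostkeyalgorithms"):
        for a in algos(key):
            if a.startswith("ssh-dss"):
                findings.append((key, a, "DSA keys are fixed at 1024 bits; prefer ssh-ed25519"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The first-value-wins rule is the one that bites in practice: an admin who appends `PermitRootLogin no` at the bottom of a file that already says `yes` near the top has changed nothing, and `sshd -T` is the authoritative way to see the effective configuration.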

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage


News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn’t actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
  • SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
  • Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

I’ll Fix Everything | BSD Now 101 https://original.jupiterbroadcasting.net/86142/ill-fix-everything-bsd-now-101/ Thu, 06 Aug 2015 10:10:54 +0000

The post I'll Fix Everything | BSD Now 101 first appeared on Jupiter Broadcasting.



Coming up this week, we’ll be talking with Adrian Chadd about an infamous reddit thread he made. With a title like “what would you like to see in FreeBSD?” and hundreds of responses, well, we’ve got a lot to cover…

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

OpenBSD, from distribution to project

  • Ted Unangst has yet another interesting blog post up, this time covering a bit of BSD history and some different phases OpenBSD has been through
  • It’s the third part of his ongoing series of posts about OpenBSD removing large bits of code in favor of smaller replacements
  • In the earliest days, OpenBSD collected and maintained code from lots of other projects (Apache, lynx, perl..)
  • After importing new updates every release cycle, they eventually hit a transitional phase – things were updated, but nothing new was imported
  • When the need arose, instead of importing a known tool to do the job, homemade replacements (OpenNTPD, OpenBGPD, etc) were slowly developed
  • In more recent times, a lot of the imported code has been completely removed in favor of the homegrown daemons
  • More discussion on HN and reddit

Remote ZFS mirrors, the hard way

  • Backups to “the cloud” have become a hot topic in recent years, but most of them require trade-offs between convenience and security
  • You have to trust (some of) the providers not to snoop on your data, but even the ones who allow you to locally encrypt files aren’t without some compromise
  • As the author puts it: “We don’t need live synchronisation, cloud scaling, SLAs, NSAs, terms of service, lock-ins, buy-outs, up-sells, shut-downs, DoSs, fail whales, pay-us-or-we’ll-deletes, or any of the noise that comes with using someone else’s infrastructure.”
  • This guide walks you through setting up a FreeBSD server with ZFS to do secure offsite backups yourself
  • The end result is an automatic system for incremental backups that’s backed (pun intended) by ZFS
  • If you’re serious about keeping your important data safe and sound, you’ll want to give this one a read – lots of detailed instructions

Various DragonFlyBSD updates

  • The DragonFly guys have been quite busy this week, making an assortment of improvements throughout the tree
  • Intel ValleyView graphics support was finally committed to the main repository
  • While on the topic of graphics, they’ve also issued a call for testing for a DRM update (matching Linux 3.16’s and including some more Broadwell fixes)
  • Their base GCC compiler is also now upgraded to version 5.2
  • If your hardware supports it, DragonFly will now use an accelerated console by default

QuakeCon runs on OpenBSD

  • QuakeCon, everyone’s favorite event full of rocket launchers, recently gave a mini-tour of their network setup
  • For such a crazy network, unsurprisingly, they seem to be big fans of OpenBSD and PF
  • In this video interview, one of the sysadmins discusses why he chose OpenBSD, what he likes about it, different packet queueing systems, how their firewalls and servers are laid out and much more
  • He also talks about why they went with vanilla PF, writing their ruleset from the ground up rather than relying on a prebuilt solution
  • There’s also some general networking talk about nginx, reverse proxies, caching, fiber links and all that good stuff
  • Follow-up questions can be asked in this reddit thread
  • The host doesn’t seem to be that familiar with the topics at hand, mentioning “OpenPF” multiple times among other things, so our listeners should get a kick out of it

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

Rethinking ways to improve FreeBSD


News Roundup

CII contributes to OpenBSD

  • If you recall back to when we talked to the OpenBSD foundation, one of the things Ken mentioned was the Core Infrastructure Initiative
  • In a nutshell, it’s an organization of security experts that helps facilitate (with money, in most cases) the advancement of the more critical open source components of the internet
  • The group is organized by the Linux foundation, and gets its multi-million dollar backing from various big companies in the technology space (and donations from volunteers)
  • To ensure that OpenBSD and its related projects (OpenSSH, LibreSSL and PF likely being the main ones here) remain healthy, they’ve just made a large donation to the foundation – this makes them the first “platinum” level donor as well
  • While the exact amount wasn’t disclosed, it was somewhere between $50,000 and $100,000
  • The donation comes less than a month after Microsoft’s big donation, so it’s good to see these large organizations helping out important open source projects that we depend on every day

Another BSDCan report

  • The FreeBSD foundation is still getting trip reports from BSDCan, and this one comes from Mark Linimon
  • In his report, he mainly covers the devsummit and some discussion with the portmgr team
  • One notable change for the upcoming 10.2 release is that the default binary repository is now the quarterly branch – Mark talks a bit about this as well
  • He also gives his thoughts on using QEMU for cross-compiling packages and network performance testing

Lumina 0.8.6 released

  • The PC-BSD team has released another version of Lumina, their BSD-licensed desktop environment
  • This is mainly a bugfix and performance improvement release, rather than one with lots of new features
  • The on-screen display widget should be much faster now, and the configuration now allows for easier selection of default applications (which browser, which terminal, etc)
  • Lots of non-English translation updates and assorted fixes are included as well
  • If you haven’t given it a try yet, or maybe you’re looking for a new window manager, Lumina runs on all the BSDs

More c2k15 hackathon reports

  • Even more reports from OpenBSD’s latest hackathon are starting to pour in
  • The first one is from Alexandr Nedvedicky, one of their brand new developers (the guy from Oracle)
  • He talks about his experience going to a hackathon for the first time, and lays out some of the plans for integrating their (very large) SMP PF patch into OpenBSD
  • Second up is Andrew Fresh, who went without any specific plans, but still ended up getting some UTF8 work done
  • On the topic of ARMv7, “I did enjoy being there when things weren’t working so [Brandon Mercer] could futilely try to explain the problem to me (I wasn’t much help with kernel memory layouts). Fortunately others overheard and provided words of encouragement and some help which was one of my favorite parts of attending this hackathon.”
  • Florian Obser sent in a report that includes a little bit of everything: setting up the hackathon’s network, relayd and httpd work, bidirectional forwarding detection, airplane stories and even lots of food
  • Paul Irofti wrote in as well about his activities, which were mainly focused on the Octeon CPU architecture
  • He wrote a new driver for the onboard flash of a DSR-500 machine, which was built following the Common Flash Interface specification
  • This means that, going forward, OpenBSD will have out-of-the-box support for any flash device that follows the Common Flash Interface (often the case for MIPS and ARM-based embedded devices)

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Below the Clouds | BSD Now 88 https://original.jupiterbroadcasting.net/81662/below-the-clouds-bsd-now-88/ Thu, 07 May 2015 10:06:26 +0000

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.



This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted a report of the activities that went on between January and March of this year
  • As usual, it’s broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
  • The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
  • The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
  • FreeBSD’s future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
  • Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
  • Lots of activity is happening in bhyve, some of which we’ve covered recently, and a number of improvements were made this quarter
  • Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
  • Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
  • The project to replace Forth in the bootloader with Lua is in its final stages, and can be used on x86 already
  • ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
  • The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
  • Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)

OpenBSD 5.7 released

  • OpenBSD has formally released another new version, complete with the giant changelog we’ve come to expect
  • In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
  • If you’re using one of the Soekris boards, there’s even a new driver to manipulate the GPIO and LEDs on them – this has some fun possibilities
  • Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic “random” functions being replaced with strong randomness, and support for remote logging over TLS
  • The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD’s libc from being vulnerable to earlier attacks affecting other BSDs’ implementations
  • Being that it’s OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
  • Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore (very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily)
  • BIND and nginx have been taken out, so you’ll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
  • Speaking of httpd, it’s gotten a number of new features, and has had time to grow and mature since its initial debut – if you’ve been considering trying it out, now would be a great time to do so
  • This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
  • Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
  • Groundwork has also been laid for some major SMP scalability improvements – look forward to those in future releases
  • There’s a song and artwork to go along with the release as always, and CDs should be arriving within a few days – we’ll show some pictures next week
  • Consider picking one up to support the project (and it’s the only way to get puffy stickers)
  • For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now…

Tor-BSD diversity project

  • We’ve talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
  • A new initiative has started to do just that, called the Tor-BSD diversity project
  • “Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. […] A single kernel vulnerability in GNU/Linux that impacts Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity.”
  • In addition to encouraging people to put up more relays, they’re also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
  • There’s an additional progress report for that part specifically, and it looks like most of the work is done now
  • Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
  • If you’ve been considering running a node to help out, there’s always our handy tutorial on getting set up

PC-BSD 10.1.2-RC1 released

  • If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
  • This quarterly update includes a number of new features, improvements and even some additional utilities
  • PersonaCrypt is one of them – it’s a new tool for easily migrating encrypted home directories between systems
  • A new “stealth mode” option allows for a one-time login, using a blank home directory that gets wiped after use
  • Similarly, a new “Tor mode” allows for easy tunneling of all your traffic through the Tor network (hopefully through some BSD nodes, as we just mentioned..)
  • IPFW is now the default firewall, offering improved VIMAGE capabilities
  • The life preserver backup tool now allows for bare-metal restores via the install CD
  • ISC’s NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
  • It also includes the latest Lumina desktop, and there’s another post dedicated to that
  • Binary packages have also been updated to fresh versions from the ports tree
  • More details, including upgrade instructions, can be found in the linked blog post

Interview – Ed Schouten – ed@freebsd.org / @edschouten

CloudABI


News Roundup

Open Household Router Contraption

  • This article introduces OpenHRC, the “Open Household Router Contraption”
  • In short, it’s a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
  • It also makes use of Ansible playbooks for configuration, allowing for a more “mass deployment” type of setup
  • Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver – it even does DNSSEC validation
  • All the code is open source and on Github, so you can read through what’s actually being changed and put in place
  • There’s also a video guide to the entire process, if you’re more of a visual person

OPNsense 15.1.10 released

  • Speaking of BSD routers, if you’re looking for a more “prebuilt and ready to go” option, OPNsense has just released a new version
  • 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
  • Going along with this theme, they’ve redone how they do ports, and are now kept totally in sync with the regular ports tree
  • Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
  • NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
  • Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs

IBM Workpad Z50 and NetBSD

  • Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
  • Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640×480 display
  • You can probably tell where this is going… the article is about installing NetBSD on it
  • “What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running”
  • The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
  • He’s also got a couple videos of the bootup process and running Xorg (neither of which we’d call “speedy” by any stretch of the imagination)

FreeBSD from the trenches

  • The FreeBSD foundation has a new blog post up in their “from the trenches” series, detailing FreeBSD in some real-world use cases
  • In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
  • While the installer allows for an automatic ZFS layout, Glen notes that it’s not a one-size-fits-all thing, and goes through doing everything manually
  • Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool

Broadwell in DragonFly

  • DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
  • Their i915 driver has been brought up to speed with Linux 3.14’s, adding not only Broadwell support, but many other bugfixes for other cards too
  • It’s planned for commit to the main tree very soon, but you can test it out with a git branch for the time being

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you guys if you’re working on anything cool
  • The OpenBSD router tutorial has been reorganized and updated for 5.7; it has a new section on bandwidth statistics and has finally gotten so big that it now has a table of contents
  • This year’s vBSDCon has been formally announced, and will take place between September 11th-13th in Reston, Virginia (eastern USA)
  • There’s no official call for papers, but they do welcome people to submit talk ideas for consideration
  • If you’re in Michigan, there’s a new BSD users group just starting up – LivBUG
  • If there’s a local BUG in your area, let us know and we’ll be glad to mention it

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.

Puffy in a Box | BSD Now 81
https://original.jupiterbroadcasting.net/79142/puffy-in-a-box-bsd-now-81/ (https://original.jupiterbroadcasting.net/?p=79142)
Thu, 19 Mar 2015 09:37:38 +0000

We’re back from AsiaBSDCon! This week on the show, we’ll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They’re getting BSD in the hands of Windows admins who don’t even realize it. We also have all this week’s news and answer to your emails, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems and Tarsnap

– Show Notes: –

Headlines

Using OpenBGPD to distribute pf table updates

  • For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol – a way for routers on the internet to discover and exchange routes to different addresses
  • This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
  • It begins with “One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems.”
  • If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
  • OpenBGPD is part of the OpenBSD base system, but there’s also an unofficial port to FreeBSD and a “work in progress” pkgsrc version

Mounting removable media with autofs

  • The FreeBSD foundation has a new article in the “FreeBSD from the trenches” series, this time about the sponsored autofs tool
  • It’s written by one of the autofs developers, and he details his work on creating and using the utility
  • “The purpose of autofs(5) is to mount filesystems on access, in a way that’s transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes.”
  • He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
  • It ends with a real-world example of something we’re all probably familiar with: plugging in USB drives and watching the magic happen
  • There’s also some more advanced bonus material on GEOM classes and all the more technical details

The Tor Browser on BSD

  • The Tor Project has provided a “browser bundle” for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
  • Just tunneling your browser through a transparent Tor proxy is not safe enough – many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
  • It has, however, only been released for Windows, OS X and Linux – no BSD version
  • “[…] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves.”
  • Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
  • If you’ve got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)

OpenSSH 6.8 released

  • Continuing their “tick tock” pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 – it’s a major upgrade, focused on new features (we like those better of course)
  • Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
  • This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default – a big step up from the previous hex-encoded MD5 fingerprints
  • Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
  • You can now require multiple, different public keys to be verified for a user to authenticate (useful if you’re extra paranoid or don’t have 100% confidence in any single key type)
  • The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
  • Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers
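As an added example (not code from the episode or from OpenSSH), here are the two fingerprint forms the release notes describe, computed over a constructed throwaway ed25519 key, plus a check that accepts either form when comparing a presented key against a fingerprint recorded out of band:

```python
"""Host key fingerprints as OpenSSH 6.8 changed them: SHA256, base64 with
padding stripped and a "SHA256:" prefix, replacing hex-encoded MD5.

Added example, not from the episode or from OpenSSH. The key below is a
constructed, throwaway ed25519 public key, not any real host's key.
"""
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode a length-prefixed SSH 'string' (RFC 4251 wire format)."""
    return struct.pack(">I", len(data)) + data


# Constructed key blob: the key type string followed by a 32-byte "key"
# consisting of 0x42 bytes. The line has the '<type> <base64> [comment]'
# layout used by authorized_keys and ssh-keygen output.
_KEY_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([0x42]) * 32)
KEY_LINE = "ssh-ed25519 " + base64.b64encode(_KEY_BLOB).decode() + " constructed@example"


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 blob from a '<type> <base64> [comment]' line and
    check that the type stored inside the blob matches the declared type."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != fields[0].encode():
        raise ValueError("key type inside blob does not match declared type")
    return blob


def sha256_fingerprint(pubkey_line: str) -> str:
    """The 6.8 default: SHA256 over the raw blob, base64 with the trailing
    '=' padding removed, prefixed with the hash name."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(pubkey_line: str) -> str:
    """The legacy form: MD5 over the raw blob as colon-separated hex pairs."""
    hexdigest = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_matches(pubkey_line: str, expected: str) -> bool:
    """Compare a presented key against a fingerprint recorded out of band.
    Either form is accepted: the hex form case-insensitively, the base64
    form exactly (padding ignored), both via a constant-time comparison."""
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        actual = sha256_fingerprint(pubkey_line)
        expected = expected.rstrip("=")
    elif expected.lower().startswith("md5:"):
        actual = md5_fingerprint(pubkey_line).lower()
        expected = expected.lower()
    else:
        # Bare colon-separated hex (the pre-6.8 display) is treated as MD5.
        actual = md5_fingerprint(pubkey_line)[len("MD5:"):]
        expected = expected.lower()
    return hmac.compare_digest(actual.encode(), expected.encode())


if __name__ == "__main__":
    print(sha256_fingerprint(KEY_LINE))
    print(md5_fingerprint(KEY_LINE))
```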

NetBSD at AsiaBSDCon

  • The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you’d expect
  • It covers their BoF session, the six NetBSD-related presentations and finally their “work in progress” session
  • There was a grand total of 34 different NetBSD gadgets on display at the event

Interview – Lawrence Teo – lteo@openbsd.org / @lteo

OpenBSD at Calyptix


News Roundup

HardenedBSD introduces Integriforce

  • A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
  • By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
  • HardenedBSD has introduced a similar mechanism into their “secadm” utility
  • You can list binaries in the config file that you want to be protected from changes, then specify whether those can’t be run at all, or if they just print a warning
  • They’re looking for some more extensive testing of this new feature

More s2k15 hackathon reports

  • A couple more Australian hackathon reports have poured in since the last time
  • The first comes from Jonathan Gray, who’s done a lot of graphics-related work in OpenBSD recently
  • He worked on getting some newer “Southern Islands” and “Graphics Core Next” AMD GPUs working, as well as some OpenGL and DRM-related things
  • Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
  • Ted Unangst also sent in a report to detail what he hacked on at the event
  • With a strong focus on improving SMP scalability, he tackled the virtual memory layer
  • His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
  • All the trip reports are much more detailed than our short summaries, so give them a read if you’re interested in all the technicalities

DragonFly 4.0.4 and IPFW3

  • DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
  • It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed “new xorg” and “with kms” variables and a few LAGG fixes
  • There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
  • Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it’s technically the third revision)

NetBSD gets Raspberry Pi 2 support

  • NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
  • There are -current snapshots available for download, and multiprocessor support is also on the way
  • The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
  • The usual Hacker News discussion on the subject
  • If anyone has one of these little boards, let us know – maybe write up a blog post about your experience with BSD on it

OpenIKED as a VPN gateway

  • In our first discussion segment, we talked about a few different ways to tunnel your traffic
  • While we’ve done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven’t talked a whole lot about OpenBSD’s IPSEC suite
  • This article should help fill that gap – it walks you through the complete IKED setup
  • From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide’s got it all

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’re in or around the Troy, New York area, our listener Brian is giving a presentation about ports on OpenBSD at the Rensselaer Polytechnic Institute this Friday at 4:00PM
  • If anyone else in the audience is doing something similar or organizing any kind of BSD event, let us know and we’ll be glad to mention it
  • Look forward to seeing the AsiaBSDCon interviews in upcoming episodes

The post Puffy in a Box | BSD Now 81 first appeared on Jupiter Broadcasting.

Common *Sense Approach | BSD Now 72
https://original.jupiterbroadcasting.net/75627/common-sense-approach-bsd-now-72/ (https://original.jupiterbroadcasting.net/?p=75627)
Thu, 15 Jan 2015 12:55:22 +0000

This week on the show, we’ll be talking to Jos Schellevis about OPNsense, a new firewall project that was forked from pfSense. We’ll learn some of the backstory and see what they’ve got planned for the future. We’ve also got all this week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to: iXsystems and Tarsnap

– Show Notes: –

Headlines

Be your own VPN provider with OpenBSD

  • We’ve covered how to build a BSD-based gateway that tunnels all your traffic through a VPN in the past – but what if you don’t trust any VPN company?
  • It’s easy for anyone to say “of course we don’t run a modified version of OpenVPN that logs all your traffic… what are you talking about?”
  • The VPN provider might also be slow to apply security patches, putting you and the rest of the users at risk
  • With this guide, you’ll be able to cut out the middleman and create your own VPN, using OpenBSD
  • It covers topics such as protecting your server, securing DNS lookups, configuring the firewall properly, general security practices and of course actually setting up the VPN

FreeBSD vs Gentoo comparison

  • People coming over from Linux will sometimes compare FreeBSD to Gentoo, mostly because of the ports-like portage system for installing software
  • This article takes that notion and goes much more in-depth, with lots more comparisons between the two systems
  • The author mentions that the installers are very different, ports and portage have many subtle differences and a few other things
  • If you’re a curious Gentoo user considering FreeBSD, this might be a good article to check out to learn a bit more

Kernel W^X in OpenBSD

  • W^X, “Write XOR Execute,” is a security feature of OpenBSD with a rather strange-looking name
  • It’s meant to be an exploit mitigation technique, disallowing pages in the address space of a process to be both writable and executable at the same time
  • This helps blunt some types of buffer overflow attack: injected code won’t execute, but will crash the program instead (quite obviously the lesser of the two evils)
  • Through some recent work, OpenBSD’s kernel now has no part of the address space without this feature – whereas it was only enabled in the userland previously
  • Doing this incorrectly in the kernel could lead to far worse consequences, and is a lot harder to debug, so this is a pretty huge accomplishment that’s been in the works for a while
  • More technical details can be found in some recent CVS commits

Building an IPFW-based router

  • We’ve covered building routers with PF many times before, but what about IPFW?
  • A certain host of a certain podcast decided it was finally time to replace his disappointing consumer router with something FreeBSD-based
  • In this blog post, Kris details his experience building and configuring a new router for his home, using IPFW as the firewall
  • He covers in-kernel NAT and NATD, installing a DHCP server from packages and even touches on NAT reflection a bit
  • If you’re an IPFW fan and are thinking about putting together a new router, give this post a read

Interview – Jos Schellevis – project@opnsense.org / @opnsense

The birth of OPNsense


News Roundup

On profiling HTTP

  • Adrian Chadd, who we’ve had on the show before, has been doing some more ultra-high performance testing
  • Faced with the problem of how to generate a massive amount of HTTP traffic, he looked into the current state of benchmarking tools
  • According to him, it’s “not very pretty”
  • He decided to work on a new tool to benchmark huge amounts of web traffic, and the rest of this post describes the whole process
  • You can check out his new code on Github right now

Using divert(4) to reduce attacks

  • We talked about using divert(4) with PF last week, and this post is a good follow-up to that introduction (though unrelated to that series)
  • It talks about how you can use divert, combined with some blacklists, to reduce attacks on whatever public services you’re running
  • PF has good built-in rate limiting for abusive IPs that hit rapidly, but when they attack slowly over a longer period of time, that won’t work
  • The Composite Blocking List is a public DNS blocklist, operated alongside Spamhaus, that contains many IPs known to be malicious
  • Consider setting this up to reduce the attack spam in your logs if you run public services

ChaCha20 patchset for GELI

  • A user has posted a patch to the freebsd-hackers list that adds ChaCha support to GELI, the disk encryption system
  • There are also some benchmarks that look pretty good in terms of performance
  • Currently, GELI defaults to AES in XTS mode with a few tweakable options (but also supports Blowfish, Camellia and Triple DES)
  • There’s some discussion going on about whether a stream cipher is suitable or not for disk encryption though, so this might not be a match made in heaven just yet

PCBSD update system enhancements

  • The PCBSD update utility has gotten an update itself, now supporting automatic upgrades
  • You can choose what parts of your system you want to let it automatically handle (packages, security updates)
  • There’s also a new graphical frontend available for it
  • The update system uses ZFS + Boot Environments for safe updating and bypasses some dubious pkgng functionality

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Common *Sense Approach | BSD Now 72 first appeared on Jupiter Broadcasting.

Don’t Buy a Router | BSD Now 60
https://original.jupiterbroadcasting.net/69852/dont-buy-a-router-bsd-now-60/ (https://original.jupiterbroadcasting.net/?p=69852)
Thu, 23 Oct 2014 10:33:30 +0000

This week on the show we’re joined by Olivier Cochard-Labbé, the creator of both FreeNAS and the BSD Router Project! We’ll be discussing what the BSD Router Project is, what it’s for and where it’s going. All this week’s headlines and answers to viewer-submitted questions, on BSD Now – the place to B.. SD.

Thanks to: iXsystems and Tarsnap

– Show Notes: –

Headlines

BSD Devroom CFP

  • This year’s FOSDEM conference (Belgium, Jan 31st – Feb 1st) is having a dedicated BSD devroom
  • They’ve issued a call for papers on anything BSD-related, and we always love more presentations
  • If you’re in the Belgium area or plan on going, submit a talk about something cool you’re doing
  • There’s also a mailing list and some more information in the original post

Bhyve SVM code merge

  • The bhyve_svm code has been in the “projects” tree of FreeBSD, but is now ready for -CURRENT
  • This changeset will finally allow bhyve to run on AMD CPUs, where it was previously limited to Intel only
  • All the supported operating systems and utilities should work on both now
  • One thing to note: bhyve doesn’t support PCI passthrough on AMD just yet
  • There may still be some issues though

NetBSD at Open Source Conference Tokyo

  • The Japanese NetBSD users group held a booth at another recent open source conference
  • As always, they were running NetBSD on everything you can imagine
  • One of the users reports back to the mailing list on their experience, providing lots of pictures and links
  • Here’s an interesting screenshot of NetBSD running various other BSDs in Xen

More BSD switchers every day

  • A decade-long Linux user is considering making the switch, and asks Reddit about the BSD community
  • Tired of the pointless bickering he sees in his current community, he asks if the same problems exist over here and what he should expect
  • So far, he’s found that BSD people seem to act more level-headed about things, and are much more practical, whereas some FSF/GNU/GPL people make open source a religion
  • There’s also another semi-related thread about another Linux user wanting to switch to BSD because of systemd and GNU people
  • There are some extremely well written and thought-out comments in the replies (in both threads), be sure to give them all a read
  • Maybe the OPs should’ve just watched this show

Interview – Olivier Cochard-Labbé – olivier@cochard.me / @ocochardlabbe

The BSD Router Project


News Roundup

FreeBSD -CURRENT on a T420

  • Thinkpads are quite popular with BSD developers and users
  • Most of the hardware seems to be supported across the BSDs (especially wifi)
  • This article walks through installing FreeBSD -CURRENT on a Thinkpad T420 with UEFI
  • If you’ve got a Thinkpad, or especially this specific one, have a look at some of the steps involved
  • PR/194359 tracks the installer issue with GPT on some Lenovo machines
  • The post includes a URL to modified snapshots carrying a patch for the installer’s Auto (ZFS) mode that solves that GPT-on-some-Lenovos issue

FreeNAS on a Supermicro 5018A-MHN4

  • More and more people are migrating their NAS devices to BSD-based solutions
  • In this post, the author goes through setting up FreeNAS on some of his new hardware
  • His new rack-mounted FreeNAS machine has a low power Atom with eight cores and 64GB of RAM – quite a lot for its small form factor
  • The rest of the post details all of the hardware he chose and goes through the build process (with lots of cool pictures)

Hardening procfs and linprocfs

  • There was an exploit published recently for SFTP in OpenSSH, but it mostly just affected Linux
  • There exists a native procfs in FreeBSD, which was the target point of that exploit, but it’s not used very often
  • The Linux emulation layer also supports its own linprocfs, which was affected as well
  • The HardenedBSD guys weigh in on how best to solve the problem, and now ship an additional layer of protection against writing to process memory through procfs
  • If you want to learn more about ASLR and HardenedBSD, be sure to check out our interview with Shawn too

pfSense monitoring with bandwidthd

  • A lot of people run pfSense on their home network, and it’s really useful to monitor the bandwidth usage
  • This article will walk you through setting up bandwidthd to do exactly that
  • bandwidthd monitors based on the IP address, rather than per-interface
  • It can also build some cool HTML graphs, and we love those pfSense graphs
  • Have a look at our bandwidth monitoring and testing tutorial for some more ideas

Feedback/Questions


Mailing List Gold


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send your BSD-related questions, comments, show ideas or stories you want mentioned on the show to feedback@bsdnow.tv – don’t hesitate to ask us if you need help with something
  • OpenBSD is now 19 years old as of a few days ago, and also just passed the 300,000 commit mark – happy late birthday and congrats
  • PCBSD will be at the Ohio Linuxfest (Columbus, Ohio on October 24–26) this year, so stop by and say hi if you’re there
  • If you’re in or around New York’s Capital District, our friend bcallah is giving a talk about OpenBSD on October 24th at the Rensselaer Polytechnic Institute
  • The FreeBSD graphics team has a new blog with some interesting content if you’re interested in that
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Don't Buy a Router | BSD Now 60 first appeared on Jupiter Broadcasting.

The Friendly Sandbox | BSD Now 39 https://original.jupiterbroadcasting.net/58472/the-friendly-sandbox-bsd-now-39/ Thu, 29 May 2014 13:26:06 +0000 https://original.jupiterbroadcasting.net/?p=58472 This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the […]

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.


This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to:

iXsystems

Tarsnap

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2014 talks and reports


Defend your network and privacy with a VPN and OpenBSD

  • After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
  • This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
  • There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
  • You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems – this could also be used with Tor (but it would be very slow)
  • It also includes a few general privacy tips, recommended browser extensions, etc
  • The intro to the article is especially great, so give the whole thing a read
  • He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you’re watching!
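The piece of that setup a practitioner most wants to get right is making sure LAN traffic can never leave except through the tunnel. The pf.conf fragment below is an added example, not the article’s own configuration; the interface names, the VPN endpoint address and the port are assumptions.

```pf
# pf.conf fragment: force all LAN egress through the VPN (added example, not the article's config)
# Assumptions: em1 is the LAN, tun0 is the OpenVPN tunnel, the ISP-facing interface is in the
# "egress" group, and the VPN endpoint is 203.0.113.10 on UDP 1194.
int_if     = "em1"
vpn_if     = "tun0"
vpn_server = "203.0.113.10"
vpn_port   = "1194"
lan        = $int_if:network

# Bind states to the interface they were created on. With the default floating states a LAN
# connection admitted on $int_if would keep matching its state after the default route falls
# back to the ISP link, and the kill switch below would never be evaluated.
set state-policy if-bound
set block-policy drop
block all

# LAN clients are NATed onto the tunnel address, never onto the ISP address
match out on $vpn_if inet from $lan to any nat-to ($vpn_if)

# The only thing the router itself may send straight to the ISP is the tunnel transport
pass out on egress inet proto udp from (egress) to $vpn_server port $vpn_port

# Kill switch: if tun0 disappears and the default route reverts to the ISP,
# LAN traffic is dropped here instead of leaking in the clear
block out quick on egress inet from $lan to any

# Normal path: in from the LAN, out through the tunnel
pass in  on $int_if inet from $lan to any
pass out on $vpn_if inet from $lan to any
```

Check it with `pfctl -nf /etc/pf.conf` before loading, then pull the tunnel down (`ifconfig tun0 destroy` or stopping OpenVPN) and confirm from a LAN client that nothing gets out; `pfctl -ss` should show no states on egress for LAN addresses.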

You should try FreeBSD

  • In this blog post, the author talks a bit about how some Linux people aren’t familiar with the BSDs and how we can take steps to change that
  • He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
  • Possibly the most useful part is how to address the question “my server already works, why bother switching?”
  • “Stackoverflow’s answers assume I have apt-get installed” ← lol
  • It includes mention of the great documentation, stability, ports, improved security and much more
  • A takeaway quote for would-be Linux switchers: “I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before”

OpenBSD and the little Mauritian contributor

  • This is a story about a guy from Mauritius named Logan, one of OpenBSD’s newest developers
  • Back in 2010, he started sending in patches for OpenBSD’s “mg” editor, among other small things, and eventually added file transfer resume support for SFTP
  • The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
  • It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
  • Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd


Tutorial

Encrypting DNS lookups


News Roundup

FreeBSD Journal, May 2014 issue

  • The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
  • This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
  • Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

  • Since the last LibreSSL post we covered, a couple unofficial “portable” versions have died off
  • Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
  • This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
  • Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

  • The usual monthly release from BSDMag, covering a variety of subjects
  • This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
  • It’s a free PDF, go grab it

BSDTalk episode 241

  • A new episode of BSDTalk is out, this time with Bob Beck
  • He talks about the OpenBSD foundation’s recent activities, his own work in the project, some stories about the hardware in Theo’s basement and a lot more
  • The interview itself isn’t about LibreSSL at all, but they do touch on it a bit too
  • Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re looking for new tutorial ideas, so if there’s something specific you’d like to learn about, let us know
  • FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We’ll let you know how it goes in a future episode.
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

A Sixth pfSense | BSD 25 https://original.jupiterbroadcasting.net/52032/a-sixth-pfsense-bsd-25/ Thu, 20 Feb 2014 21:25:32 +0000 https://original.jupiterbroadcasting.net/?p=52032 We sit down for an interview with Chris Buechler, from the pfSense project, to learn just how easy it can be to deploy a BSD firewall. Plus our walkthrough.

The post A Sixth pfSense | BSD 25 first appeared on Jupiter Broadcasting.


We sit down for an interview with Chris Buechler, from the pfSense project, to learn just how easy it can be to deploy a BSD firewall. We’ll also be showing you a walkthrough of the pfSense interface so you can get an idea of just how convenient and powerful it is. Answers to your questions and the latest headlines, here on BSD Now – the place to B.. SD.

Thanks to:

iXsystems

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon and AsiaBSDCon

  • This year, EuroBSDCon will be in September in Sofia, Bulgaria
  • They’ve got a call for papers up now, so everyone can submit the talks they want to present
  • There will also be a tutorial section of the conference
  • AsiaBSDCon will be next month, in March!
  • All the info about the registration, tutorials, hotels, timetable and location have been posted
  • Check the link for all the details on the talks – if you plan on going to Tokyo next month, hang out with Allan and Kris and lots of BSD developers!

FreeBSD 10 on Ubiquiti EdgeRouter Lite

  • The Ubiquiti EdgeRouter Lite is a router that costs less than $100 and has a MIPS CPU
  • This article goes through the process of installing and configuring FreeBSD on it to use as a home router
  • Lots of good pictures of the hardware and specific details needed to get you set up
  • It also includes the scripts to create your own images if you don’t want to use the ones rolled by someone else
  • For such a cheap price, might be a really fun weekend project to replace your shitty consumer router
  • Of course if you’re more of an OpenBSD guy, you can always see our tutorial for that too

Signed pkgsrc package guide

  • We got a request on IRC for more pkgsrc stuff on the show, and a listener provided a nice write-up
  • It shows you how to set up signed packages with pkgsrc, which works on quite a few OSes (not just NetBSD)
  • He goes through the process of signing packages with a public key and how to verify the packages when you install them
  • The author also happens to be an EdgeBSD developer

Big batch of OpenBSD hackathon reports

  • Five trip reports from the OpenBSD hackathon in New Zealand! In the first one, jmatthew details his work on fiber channel controller drivers, some octeon USB work and ARM fixes for AHCI
  • In the second, ketennis gets into his work with running interrupt handlers without holding the kernel lock, some SPARC64 improvements and a few other things
  • In the third, jsg updated libdrm and mesa and did various work on xenocara
  • In the fourth, dlg came with the intention to improve SMP support, but got distracted and did SCSI stuff instead – but he talks a little bit about the struggle OpenBSD has with SMP and some of the work he’s done
  • In the fifth, claudio talks about some stuff he did for routing tables and misc. other things

This episode was brought to you by

iXsystems


Interview – Chris Buechler – cmb@pfsense.com / @cbuechler

pfSense


Tutorial

pfSense walkthrough


News Roundup

FreeBSD challenge continues

  • Our buddy from the Linux foundation continues his switching to BSD journey
  • In day 13, he covers some tips for new users, mentions trying things out in a VM first
  • In day 14, he starts setting up XFCE and X11, feels like he’s starting over as a new Linux user learning the ropes again – concludes that ports are the way to go
  • In day 15, he finishes up his XFCE configuration and details different versions of ports with different names, as well as learns how to apply his first patch
  • In day 16, he dives into the world of FreeBSD jails!

BSD books in 2014

  • BSD books are some of the highest quality technical writings available, and MWL has written a good number of them
  • In this post, he details some of his plans for 2014
  • It includes at least one OpenBSD book, at least one FreeBSD book and…
  • Very strong possibility of Absolute FreeBSD 3rd edition (watch our interview with him)
  • Check the link for all the details

How to build FreeBSD/EC2 images

  • Our friend Colin Percival details how to build EC2 images in a new blog post
  • Most people just use the images he makes on their instances, but some people will want to make their own from scratch
  • You build a regular disk image and then turn it into an AMI
  • It requires a couple ports be installed on your system, but the whole process is pretty straightforward

PCBSD weekly digest

  • This time around we discuss how you can become a developer
  • Kris also details the length of supported releases
  • Expect lots of new features in 10.1

Feedback/Questions

  • Sean writes in: https://slexy.org/view/s216xJoCVG
  • Jake writes in: https://slexy.org/view/s2gLrR3VVf
  • Niclas writes in: https://slexy.org/view/s21gfG3Iho
  • Steffan writes in: https://slexy.org/view/s2JNyw5BCn
  • Antonio writes in: https://slexy.org/view/s2kg3zoRfm
  • Chris writes in: https://slexy.org/view/s2ZwSIfRjm

  • Our email backlog is pretty much caught up. Now’s a great time to send us something – questions, stories, ideas, requests for something you want to see, anything
  • All the tutorials are posted in their entirety at bsdnow.tv
  • The OpenBSD router tutorial got a couple improvements and fixes
  • Just because our tutorial contest is over doesn’t mean you can’t submit any, we would love if more listeners wrote up a tutorial on interesting things they’re doing with BSD
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • The BSD Now shirt design has been finalized, we have the files and are working out the printing details… expect them to be available in early-to-mid March!

7 Year Malware | TechSNAP 150 https://original.jupiterbroadcasting.net/51967/7-year-malware-techsnap-150/ Thu, 20 Feb 2014 17:57:45 +0000 https://original.jupiterbroadcasting.net/?p=51967 The Mask, an advanced persistent threat is revealed, a slew of various home router models are actively being exploited, we’ll share the important details.

The post 7 Year Malware | TechSNAP 150 first appeared on Jupiter Broadcasting.


The Mask, an advanced persistent threat is revealed, a slew of various home router models are actively being exploited, we’ll share the important details.

Plus some routing basics explained, and much much more.

On this week’s TechSNAP

Thanks to:

GoDaddy

Ting

iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

Kaspersky discovered “The Mask” APT

  • We got some hints about Careto (also known as “The Mask” or “The Masked APT”) a few weeks ago, and speculation suggested that the unusual native language of the attackers was Korean
  • In an even bigger surprise, it turns out the attackers are Spanish speaking
  • The Spanish-speaking attackers targeted government institutions, energy, oil & gas companies and other high-profile victims via a cross-platform malware toolkit
  • Full Research PDF
  • The APT has been going on since 2007 or earlier
  • “More than 380 unique victims in 31 countries have been observed to date”
  • “What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32 and 64 bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS)”
  • “The Mask also uses a customized attack against older versions of Kaspersky Lab products to hide in the system, putting them above Duqu in terms of sophistication and making it one of the most advanced threats at the moment. This and several other factors make us believe this could be a nation state sponsored campaign”
  • “When active in a victim system, The Mask can intercept network traffic, keystrokes, Skype conversations, PGP keys, analyse WiFi traffic, fetch all information from Nokia devices, screen captures and monitor all file operations”
  • “The malware collects a large list of documents from the infected system, including encryption keys, VPN configurations, SSH keys and RDP files. There are also several extensions being monitored that we have not been able to identify and could be related to custom military/government level encryption tools”
  • “Overall, we have found exploits for Java, Flash SWF (CVE-2012-0773), as well as malicious plugins for Chrome and Firefox, on Windows, Linux and OS X. The names of the subdirectories give some information about the kind of attack they launch, for instance we can find /jupd where JavaUpdate.jar downloads and executes javaupdt.exe”
  • “CVE-2012-0773 has an interesting history. It was originally discovered by French company VUPEN and used to win the “pwn2own” contest in 2012. This was the first known exploit to escape the Chrome sandbox. VUPEN refused to share the exploit with the contest organizers, claiming that it plans to sell it to its customers”
  • “A Google engineer offered Bekrar (of VUPEN) $60,000 on top of the $60,000 he had already won for the Pwn2Own contest if he would hand over the sandbox exploit and the details so Google could fix the vulnerability. Bekrar declined and joked that he might consider the offer if Google bumped it up to $1 million, but he later told WIRED he wouldn’t hand it over for even $1 million.”
  • This suggests that the threat actor may be a government
  • However, Chaouki Bekrar denies the VUPEN exploit was used
  • “Several attacks against browsers supporting Java have been observed. Unfortunately, we weren’t able to retrieve all the components from these attacks, as they were no longer available on the server at the time of checking”
  • Also exploits CVE-2011-3544 against Java
  • Additional Coverage

Linksys Router Malware

  • Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.
  • Johannes B. Ullrich, CTO of the SANS Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher.
  • A blog post SANS published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.
  • Compromised routers remain infected until they are rebooted. Once the devices are restarted, they appear to return to their normal state. People who are wondering if their device is infected should check for heavy outbound scanning on port 80 and 8080, and inbound connection attempts to miscellaneous ports below 1024.
  • The attack begins with a remote call to the Home Network Administration Protocol (HNAP), an interface that allows ISPs and others to remotely manage home and office routers. The remote function is exposed by a built-in Web server that listens for commands sent over the Internet.
  • Typically, it requires the remote user to enter a valid administrative password before executing commands, although previous bugs in HNAP implementations have left routers vulnerable to attack.
  • After using HNAP to identify vulnerable routers, the worm exploits an authentication bypass vulnerability in a CGI script.
  • Infected devices are highly selective about the IP ranges they will scan when searching for other vulnerable routers. The sample Ullrich obtained listed just 627 blocks of /21 and /24 subnets.
  • The discovery comes a week after researchers in Poland reported an ongoing attack used to steal online banking credentials, in part by modifying home routers’ DNS settings.
  • The phony domain name resolvers listed in the router settings redirected victims’ computers, tablets, and smartphones to fraudulent websites masquerading as an authentic bank service; the sites would then steal the victims’ login credentials.
  • The objective behind this ongoing attack remains unclear. Given that the only observable behavior is to temporarily infect a highly select range of devices, one possible motivation is to test how viable a self-replicating worm can be in targeting routers.
  • Two days after this article was published, Linksys representatives issued the following statement:

Linksys is aware of the malware called “The Moon” that has affected select older Linksys E-Series routers and select older Wireless-N access points and routers. The exploit to bypass the admin authentication used by the worm only works when the Remote Management Access feature is enabled. Linksys ships these products with the Remote Management Access feature turned off by default. Customers who have not enabled the Remote Management Access feature are not susceptible to this specific malware.
  • Additional coverage from the SANS Internet Storm Center
  • These are not the only routers that have problems
  • Home routers pose the biggest threat to consumer security
  • An old backdoor from 2005 was found in brand new Cisco home “Gigabit Security Routers”
  • As we covered last year, 40–50 million routers have a UPnP flaw
  • Yesterday, researchers found a stack overflow bug in Linksys WRT120N routers
  • The new protocol that proposes to make “security” easier on the next generation of home routers may cause more harm than good
  • Asus routers are also vulnerable, including the RT-AC66R, RT-AC66U, RT-N66R, RT-N66U, RT-AC56U, RT-N56R, RT-N56U, RT-N14U, RT-N16, and RT-N16R
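The indicators given above for an infected router are behavioural, so they can be checked from firewall logs. The script below is an added example, not code from the show or from SANS: per source address it counts how many distinct hosts are hit outbound on TCP 80/8080 and how many distinct ports below 1024 are probed inbound, and flags sources over a threshold. The log lines are constructed in a simplified tcpdump/pflog style; the regex and the thresholds are assumptions to adapt to your own firewall’s output.

```python
"""Flag Moon-style scanning from firewall logs.

Added example, not code from the show or from SANS. Log format, thresholds and
the sample data are all constructed assumptions.
"""
import re
from collections import defaultdict

# Simplified pflog/tcpdump style: "<ts> <pass|block> <in|out> on <if>: <src>.<sport> > <dst>.<dport>: [S]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>pass|block) (?P<dir>in|out) on (?P<iface>\S+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): \[S\]$"
)

SCAN_PORTS = {80, 8080}   # what the worm probes on other routers
OUT_THRESHOLD = 20        # distinct targets from one source before calling it a scan
IN_THRESHOLD = 5          # distinct low ports probed by one outside host


def parse(lines):
    """Yield parsed SYN records; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            yield rec


def find_scanners(lines):
    """Return {"outbound": {src: n_targets}, "inbound": {src: n_ports}} for sources over threshold."""
    out_targets = defaultdict(set)   # src -> distinct hosts hit on 80/8080
    in_ports = defaultdict(set)      # src -> distinct ports < 1024 probed on us
    for rec in parse(lines):
        if rec["dir"] == "out" and rec["dport"] in SCAN_PORTS:
            out_targets[rec["src"]].add(rec["dst"])
        elif rec["dir"] == "in" and rec["dport"] < 1024:
            in_ports[rec["src"]].add(rec["dport"])
    return {
        "outbound": {s: len(t) for s, t in out_targets.items() if len(t) >= OUT_THRESHOLD},
        "inbound": {s: len(p) for s, p in in_ports.items() if len(p) >= IN_THRESHOLD},
    }


def sample_log():
    """Constructed data: the router (192.168.1.1) sprays 25 hosts on 80/8080, an outside
    host probes eight low ports, and a normal LAN client browses two sites."""
    lines = []
    for i in range(25):
        port = 80 if i % 2 == 0 else 8080
        lines.append(f"10:00:0{i % 10} pass out on em0: 192.168.1.1.4{i:04d} > 198.51.100.{i + 1}.{port}: [S]")
    for p in (21, 22, 23, 25, 53, 80, 110, 443):
        lines.append(f"10:00:05 block in on em0: 203.0.113.9.51234 > 192.0.2.10.{p}: [S]")
    lines.append("10:00:06 pass out on em0: 192.168.1.50.50001 > 93.184.216.34.80: [S]")
    lines.append("10:00:07 pass out on em0: 192.168.1.50.50002 > 198.51.100.200.443: [S]")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for kind, hits in find_scanners(sample_log()).items():
        for src, n in hits.items():
            print(f"{kind}: {src} ({n})")
```

Run against real data with something like `tcpdump -n -e -ttt -r /var/log/pflog 'tcp[tcpflags] & tcp-syn != 0'` piped in, after adjusting the regex to that exact output. A router that shows up under "outbound" with dozens of distinct 80/8080 targets in seconds is the worm looking for its next victim; the fix the show gives is a reboot followed by disabling Remote Management Access.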


Feedback:


Round Up:


The Gateway Drug | BSD Now 11 https://original.jupiterbroadcasting.net/46397/the-gateway-drug-bsd-now-11/ Fri, 15 Nov 2013 10:35:21 +0000 https://original.jupiterbroadcasting.net/?p=46397 We sit down to chat with Justin Sherrill of the DragonflyBSD project about their new 3.6 release. Later on, how to build an OpenBSD router.

The post The Gateway Drug | BSD Now 11 first appeared on Jupiter Broadcasting.


We sit down to chat with Justin Sherrill of the DragonflyBSD project about their new 3.6 release. Later on, we’ll be showing you a huge tutorial that’s been baking for over a month – how to build an OpenBSD router that’ll destroy any consumer router on the market! There’s lots of news to get caught up on as well, so sit back and enjoy some BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenSSH 6.4 released

  • Security fixes in OpenSSH don’t happen very often
  • 6.4 fixes a post-authentication memory corruption bug in the AES-GCM cipher code, no new features
  • If exploited, this vulnerability might permit code execution with the privileges of the authenticated user and may therefore allow bypassing restricted shell/command configurations.
  • Disabling AES-GCM in the server configuration is a workaround
  • Only affects 6.2 and 6.3 if compiled against a newer OpenSSL (so FreeBSD 9’s base OpenSSL is unaffected, for example)
  • Full details here
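What that workaround looks like in practice, as an added example rather than anything from the release notes: the first Ciphers line is the kind of list that leaves the bug reachable, the second is the pinned list to use until you are on 6.4.

```sshd_config
# sshd_config (added example): mitigating the OpenSSH 6.2/6.3 AES-GCM bug until you upgrade.
# Only relevant if sshd was built against an OpenSSL that provides AES-GCM;
# on 6.3 "ssh -Q cipher" lists what your build can offer.

# Vulnerable: any cipher list that lets a client negotiate the GCM modes
#Ciphers aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-ctr,aes256-ctr

# Workaround: pin the list so the *-gcm@openssh.com ciphers can never be selected
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
```

Reload sshd afterwards and confirm with `sshd -T | grep -i ciphers` that no `gcm` entry is in the effective configuration.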

Getting to know your portmgr-lurkers

  • Next entry in portmgr interview series
  • This time they chat with Mathieu Arnold, one of the portmgr-lurkers we mentioned previously
  • Lots of questions ranging from why he uses BSD to what he had for breakfast
  • Another one was since released, with Antoine Brodin aka antoine@

FUSE in OpenBSD

  • As we glossed over last week, FUSE was recently added to OpenBSD
  • Now the guys from the OpenBSD Journal have tracked down more information
  • This version is released under an ISC license
  • Should be in OpenBSD 5.5, released a little less than 6 months from now
  • Will finally enable things like SSHFS to work in OpenBSD

Automated submission of kernel panic reports

  • New tool from Colin Percival
  • Saves information about kernel panics and emails it to FreeBSD
  • Lets you review before sending so you can edit out any private info
  • Automatically encrypted before being sent
  • FreeBSD never kernel panics so this won’t get much use

Interview – Justin Sherrill – justin@shiningsilence.com / @dragonflybsd

DragonflyBSD 3.6 and the Dragonfly Digest


Tutorial

Building an OpenBSD Router

  • Replace your crappy consumer router with a custom-built one
  • Uses the pf firewall and other built-in OpenBSD utilities
  • Very secure, built entirely on top of open source software
  • Puts YOU in control of your network
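As a starting point for what such a router’s firewall looks like, here is an added example pf.conf, not the tutorial’s own file: default deny, NAT for the LAN, anti-spoofing, and nothing open from the outside except an optional SSH rule. The interface names are assumptions.

```pf
# /etc/pf.conf for a two-interface OpenBSD gateway (added example, not the tutorial's own file).
# Assumptions: em0 faces the ISP and is in the "egress" interface group, em1 is the LAN.
# Enable routing first: sysctl net.inet.ip.forwarding=1 (and put it in /etc/sysctl.conf).
int_if = "em1"
lan    = $int_if:network

set skip on lo
set block-policy drop          # drop silently; no RST/ICMP unreachable back to scanners

# Normalise traffic and NAT the LAN behind the ISP-assigned address
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from $lan to any nat-to (egress:0)

# Default deny in both directions, then open only what is needed
block all
antispoof quick for { lo $int_if }                               # LAN addresses arriving on the wrong interface
block in quick on egress from { no-route urpf-failed } to any    # bogus and spoofed sources

pass out quick inet                       # the router and NATed LAN clients may go out
pass in on $int_if inet                   # LAN side: any source, so DHCP from 0.0.0.0 is admitted too

# Optional: SSH to the router from outside; delete this line if you do not need it
pass in on egress inet proto tcp from any to (egress) port 22
```

`pfctl -nf /etc/pf.conf` checks the syntax without loading it, `pfctl -f /etc/pf.conf` loads it, and `pfctl -sr` shows the rules as pf expanded them, which is the quickest way to see that `egress` and `$int_if:network` resolved to what you expected.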

News Roundup

BSD router project 1.5 released

  • Nice timing for our router tutorial; BSDRP is a FreeBSD distribution for installing on a router
  • It’s an alternative to pfSense, but not nearly as well known or popular
  • New version is based on 9.2-RELEASE, includes lots of general updates and bugfixes
  • Fits on a 256MB Compact Flash/USB drive

Curve25519 now default key exchange

  • We mentioned in an earlier episode about a patch for curve25519
  • Now it’s become the default for key exchange
  • Will probably make its way into OpenSSH 6.5, would’ve been in 6.4 if we didn’t have that security vulnerability
  • It\’s interesting to see all these big changes in cryptography in OpenBSD lately

FreeBSD kernel selection in boot menu

  • Adds a kernel selection menu to the beastie menu
  • List of kernels is taken from 'kernels' in loader.conf as a space or comma separated list of names to display (up to 9)
  • From our good buddy Devin Teske

PCBSD weekly digest

  • PCDM has officially replaced GDM as the default login manager
  • New ISO build scripts (we got a sneak preview last week)
  • Lots of bug fixes
  • Second set of 10-STABLE ISOs available with new artwork and much more

Theo de Raadt speaking at MUUG

  • Theo will be speaking at Manitoba UNIX User Group in Winnipeg
  • On Friday, Nov 15, 2013 at 5:30PM (see show notes for the address)
  • If you’re watching the show live you have time to make plans, if you’re watching the downloaded version it might be happening right now!
  • No agenda, but expect some OpenBSD discussion
  • We\’ll let you know if there is a recorded version.

Feedback/Questions

  • Dave writes in: https://slexy.org/view/s21YXhiLRB
  • James writes in: https://slexy.org/view/s215EjcgdM
  • Allen writes in (lol): https://slexy.org/view/s21mCP2ecL
  • Chess writes in: https://slexy.org/view/s207ePFrna
  • Frank writes in: https://slexy.org/view/s20iVFXJve

  • The very extensive written version of today’s tutorial, with lots of extras we didn’t mention, is posted on bsdnow.tv, as always – give it a read! There are sections about setting up the router to tunnel all (or specific parts of) your traffic through a VPN or Tor, how to make the router automatically check for updates and email them to you, and much more.
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
