iSCSI – Jupiter Broadcasting (https://www.jupiterbroadcasting.com) – Open Source Entertainment, on Demand. Feed last updated Thu, 07 Nov 2019 17:06:58 +0000.

ZFS Isn't the Only Option | Self-Hosted 5 (https://original.jupiterbroadcasting.net/136757/zfs-isnt-the-only-option-self-hosted-5/), Thu, 07 Nov 2019 08:30:00 +0000

Show Notes: selfhosted.show/5

The post ZFS Isn't the Only Option | Self-Hosted 5 first appeared on Jupiter Broadcasting.

A Rip in NTP | TechSNAP 237 (https://original.jupiterbroadcasting.net/89591/a-rip-in-ntp-techsnap-237/), Thu, 22 Oct 2015 18:21:21 +0000

The post A Rip in NTP | TechSNAP 237 first appeared on Jupiter Broadcasting.


The OpenZFS summit just wrapped up and Allan shares the exciting new features coming to the file system, researchers warn about flaws in NTP & of course we’ve got some critical patches.

Plus a great batch of questions, a rockin’ round up & much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed


— Show Notes: —

OpenZFS Dev Summit


Researchers warn about flaws in NTP

  • NTP is one of the oldest protocols still in use on the Internet. The Network Time Protocol is used to keep a computer’s clock in sync. It is very important for many applications, including cryptography (if your clock is wrong, certificates cannot be verified, expired certificates may be accepted, one-time-passwords may not be valid yet or already expired, etc)
  • “The importance of NTP was highlighted in a 2012 incident in which two servers run by the U.S. Navy rolled back their clocks 12 years, deciding it was the year 2000. Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phones systems, routers and authentication systems”
  • Researchers from Boston University announced yesterday that it’s possible for an attacker to cause an organization’s servers to stop checking the time altogether
  • “This research was first disclosed on August 20, 2015 and made public on October 21, 2015.”
  • “NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years, according to a summary of the research”
  • Post by researchers
  • PDF: Full research paper
  • The researchers outline 4 different attacks against NTP:
    • Attack 1 (Denial of Service by Spoofed Kiss-o’-Death)
    • Attack 2 (Denial of Service by Priming the Pump)
    • Attack 3 (Timeshifting by Reboot)
    • Attack 4 (Timeshifting by Fragmentation)
  • It is recommended you upgrade your version of NTP to ntp-4.2.8p4
  • “With the virtual currency bitcoin, an inaccurate clock could cause the bitcoin client software to reject what is a legitimate transaction”
  • The paper goes on to describe the amount of error that needs to be induced to cause a problem:
    • TLS Certificate: years. Make a valid certificate invalid by setting the time past its expiration date, or make an expired certificate valid by turning the clock back
    • HSTS: a year. This is a header sent by websites that says “This site will always use a secure connection”; for sanity’s sake, this header has an expiration date set some time in the future, usually a year. If you move the clock forward past that date, you can trick a browser into accepting an insecure connection.
    • DNSSEC: months.
    • DNS Caches: days.
    • Routing (if security is even enabled): days
    • Bitcoin: hours
    • API Authenticate: minutes
    • Kerberos: minutes
  • Alternatives:
    • Ntimed
    • OpenNTPd
      • Interesting feature: It can validate the ‘sanity’ of the time returned by the NTP server by comparing it against the time in an HTTPS header from a set of websites you select, like Google.com etc. It doesn’t set the time based on that (too inaccurate), but if the value from the time server is more than a few seconds off from that, ignore that time server as it might be malicious
    • tlsdate
    • NTPSec (a fork of regular NTP being improved)
  • Additional Coverage: ArsTechnica
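As an added illustration (not from the show or the researchers’ paper), this Python sketch decodes an NTP reply, applies the origin-timestamp check and a capped back-off to Kiss-o’-Death packets, and runs an OpenNTPd-style sanity check of a server’s time against HTTPS Date headers. The packets and Date headers are constructed, and the one-hour back-off cap is an assumption.

```python
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median

NTP_UNIX_DELTA = 2208988800            # seconds from the NTP epoch (1900) to the Unix epoch (1970)
KISS_CODES = {"DENY", "RSTR", "RATE"}  # RFC 5905 kiss codes that ask a client to slow down or stop
MAX_KOD_BACKOFF_S = 3600               # assumption: never let one KoD silence us for more than an hour


def ntp_to_datetime(secs: int, frac: int) -> datetime:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to aware UTC."""
    return datetime.fromtimestamp(secs - NTP_UNIX_DELTA + frac / 2**32, tz=timezone.utc)


def parse_ntp_response(pkt: bytes) -> dict:
    """Decode the 48-byte NTP header (RFC 5905) and flag Kiss-o'-Death replies."""
    if len(pkt) < 48:
        raise ValueError("truncated NTP packet")
    li_vn_mode, stratum, poll = struct.unpack("!BBb", pkt[:3])
    refid = pkt[12:16]
    origin = struct.unpack("!II", pkt[24:32])    # echo of the client's transmit timestamp
    transmit = struct.unpack("!II", pkt[40:48])  # time the server says it sent the reply
    # A KoD is a stratum-0 reply whose reference ID holds a four-letter ASCII kiss code.
    kiss = refid.decode("ascii") if stratum == 0 and refid.isalpha() else None
    return {
        "version": (li_vn_mode >> 3) & 0x7,
        "mode": li_vn_mode & 0x7,
        "stratum": stratum,
        "poll": poll,
        "kiss_code": kiss,
        "origin": origin,
        "transmit": ntp_to_datetime(*transmit),
    }


def kod_backoff(resp: dict, our_transmit: tuple) -> int:
    """Seconds to back off after a KoD, or 0 if the KoD is ignored.

    Mirrors the defensive behaviour ntp-4.2.8p4 adopted against spoofed KoDs:
    honour a KoD only if its origin field echoes the transmit timestamp of a
    query we really sent (a blind off-path spoofer cannot know it), and cap the
    back-off so one packet cannot stop time queries for days or years.
    """
    if resp["kiss_code"] not in KISS_CODES:
        return 0
    if resp["origin"] != our_transmit:
        return 0  # origin mismatch: treat as spoofed
    return min(2 ** max(resp["poll"], 0), MAX_KOD_BACKOFF_S)  # poll field is a log2 interval


def time_is_sane(candidate: datetime, date_headers: list, tolerance_s: float = 10.0) -> bool:
    """OpenNTPd-style plausibility check: compare an NTP-supplied time with the
    Date headers of several HTTPS sites. Far too coarse to set the clock with,
    but a time server that disagrees with the web by more than tolerance_s is
    ignored as possibly malicious. The median resists a single wrong site."""
    if not date_headers:
        raise ValueError("need at least one Date header to compare against")
    web = median(parsedate_to_datetime(h).timestamp() for h in date_headers)
    return abs(candidate.timestamp() - web) <= tolerance_s


def build_packet(stratum: int, poll: int, refid: bytes, origin: tuple, transmit: tuple) -> bytes:
    """Build a 48-byte server reply (LI=0, VN=4, mode=4) for the constructed samples."""
    head = struct.pack("!BBbbII", 0x24, stratum, poll, -20, 0, 0)  # precision, root delay, root dispersion
    return head + refid + struct.pack("!8I", 0, 0, *origin, 0, 0, *transmit)


# Constructed sample traffic (not captured from any real server).
OUR_TX = (3654000000, 0)  # 2015-10-16 16:00:00 UTC in NTP seconds
GENUINE_KOD = build_packet(0, 17, b"RATE", OUR_TX, OUR_TX)  # origin echoes our query
SPOOFED_KOD = build_packet(0, 17, b"RATE", (0, 0), OUR_TX)  # blind spoof: origin unknown
NORMAL_REPLY = build_packet(2, 6, b"\x0a\x00\x00\x01", OUR_TX, (3654000000, 1 << 31))
WEB_DATES = [  # constructed HTTPS Date headers from three sites
    "Fri, 16 Oct 2015 16:00:03 GMT",
    "Fri, 16 Oct 2015 15:59:58 GMT",
    "Fri, 16 Oct 2015 16:00:01 GMT",
]

if __name__ == "__main__":
    for name, pkt in [("genuine KoD", GENUINE_KOD), ("spoofed KoD", SPOOFED_KOD), ("normal", NORMAL_REPLY)]:
        r = parse_ntp_response(pkt)
        print(name, r["kiss_code"], "backoff", kod_backoff(r, OUR_TX),
              "sane", time_is_sane(r["transmit"], WEB_DATES))
```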

Adobe and Oracle release critical patches

  • Adobe has issued a patch to fix a zero-day vulnerability in its Flash Player software
  • All users should upgrade to Flash 19.0.0.226
  • If you are worried, consider switching Flash to Click-to-Play mode
  • Oracle has also released its quarterly patch update for Java, addressing at least 25 security vulnerabilities
  • “According to Oracle, all but one of those flaws may be remotely exploitable without authentication”
  • All users are strongly encouraged to upgrade to Java 8 Update 65
  • Again, consider using click-to-play mode, to avoid allowing unexpected execution of Java
  • “The latest versions of Java let users disable Java content in web browsers through the Java Control Panel.”
  • “Alternatively, consider a dual-browser approach, unplugging Java from the browser you use for everyday surfing, and leaving it plugged in to a second browser that you only use for sites that require Java”

Ripping me a new Protocol | TechSNAP 221 (https://original.jupiterbroadcasting.net/84667/ripping-me-a-new-protocol-techsnap-221/), Thu, 02 Jul 2015 19:05:26 +0000

The post Ripping me a new Protocol | TechSNAP 221 first appeared on Jupiter Broadcasting.


Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems


— Show Notes: —

Amazon releases s2n, a new TLS implementation

  • s2n (signal2noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
  • It has been fully audited, and will be re-audited once per year, paid for by Amazon
  • It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
  • The API appears to be very easy to use, and prevents many common errors
  • The client side of the library is not ready for use yet
  • Features:
    • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
    • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
    • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
    • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
    • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
  • One of the main features is that, instead of having to specify which set of crypto algorithms you want to prefer, and in what order, as we have discussed doing before for OpenSSL (in apache/nginx, etc), you can either use ‘default’, which will change with the times, or a specific snapshot date, which corresponds to what was best practice at that time
  • Github Page
  • Additional Coverage – ThreatPost
  • It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.

How the NSA’s XKEYSCORE works

  • “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
  • “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
  • “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
  • “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
  • You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
  • “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
  • The security of the system is also not as good as you might imagine:
  • “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
  • “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
  • “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
  • The system is not well designed, and could likely have been done better with existing open source tools, or commercial software designed to classify web traffic
  • “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
  • Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days), your actual traffic is deleted to make room for newer traffic, but the metadata (those tags) are kept for 30-45 days
  • “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
  • “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
  • “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
  • “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
  • All of this information is based on the Snowden leaks, and is from many years ago
  • “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
  • Part 2 of Article

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

  • RIPv1 is a routing protocol released in 1988 that was deprecated in 1996
  • It uses UDP and so an attacker can send a message to a home router with RIP enabled from a spoofed IP address, and that router will send the response to the victim, flooding their internet connection
  • ““Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sourc­es, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.”
  • “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
  • Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol on devices. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.

Home Routers used to host Malware

  • Home routers were found to be hosting the Dyre malware
  • Symantec Research Paper of Dyre
  • Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher end routers geared towards “power users” and small businesses
  • “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
  • “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”

An Encryptioner’s Conscience | TechSNAP 217 (https://original.jupiterbroadcasting.net/83272/an-encryptioners-conscience-techsnap-217/), Thu, 04 Jun 2015 17:35:50 +0000

The post An Encryptioner's Conscience | TechSNAP 217 first appeared on Jupiter Broadcasting.


The sad state of SMTP encryption, a new huge round of flaws has been found in consumer routers & the reviews of Intel’s new Broadwell desktop processors are in!

Plus some great questions, a huge round-up & much, much more!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems


— Show Notes: —

The sad state of SMTP (email) encryption

  • This article talks about the problems with the way email transport encryption is done
  • When clients submit mail to a mail server, and when mail servers talk to each other to exchange those emails, they have the option of encrypting that communication to prevent snooping
  • This “opportunistic” encryption happens if the server you are connecting to (as a client, or as another server), advertises the STARTTLS option during the opening exchange
  • If that keyword is there, then your client can optionally send the STARTTLS command, and switch further communications to be encrypted
  • The first problem with this is that it happens over plain text, which has no protection against modification
  • Some Cisco firewalls, and most bad guys, will simply modify the message from the server before it gets to you, removing the STARTTLS keyword, so your client will assume the server just doesn’t speak TLS.
  • Do we maybe need something like HSTS for SMTP?
  • When submitting email from my client machine, I always use a special port that is ALWAYS SSL.
  • But this is only the beginning of the problem
  • SSL/TLS are designed to provide 3 guarantees:
    • Authenticity: You are talking to who you think you are talking to (not someone pretending to be them). This is provided by verifying that the presented SSL Certificate is issued by a trusted CA
    • Integrity: The message was not modified or tampered with by someone during transit. This is provided by the MAC (Message Authentication Code), a hash that is used to ensure the message has not been modified
    • Privacy: The contents of the message are encrypted so no one else can read them. This is provided by symmetric encryption using a session key negotiated with the other side using asymmetric cryptography based on the SSL Certificate.
  • Mail servers rarely actually check authenticity, because many mail servers use self-signed certificates.
  • Many domains are hosted on one server, so the certificate is not likely to match the name of the email domain
  • The certificate check is done against the hostname in the MX record, but most people prefer to use a ‘vanity’ name here, mail.mydomain.com, which won’t match in2-smtp.messagingengine.com or whatever the mail server ends up being called
  • But, even if we did enforce this, and reject mail sent by servers with self-signed certificates, without DNSSEC someone could just spoof the MX records: instead of my email being sent over an encrypted channel to your server, which I have verified, I would be given an incorrect MX record, telling me to deliver mail to mx1.evilguy.com, which has a perfectly valid SSL certificate for that domain
  • In the end, the better solution looks like it will be DNSSEC + DANE (publish the fingerprint of the correct SSL certificate as a DNS entry, alongside your MX record)
  • With this setup, you still get all 3 protections of SSL, without needing to trust the Certificate Authorities, who do not have the best record at this point
  • Don’t think MitM is a big deal? The ongoing problem of BGP hijacking suggests otherwise. A lot of internet traffic is getting misdirected. If it eventually makes it to its destination, people are much less likely to notice.
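As an added sketch (not from the show or the article it discusses), this Python code shows how an opportunistic-TLS sender ends up in plaintext when the STARTTLS keyword is stripped from the EHLO reply, why a shared mail host’s certificate fails a check against a vanity MX name, and how a per-domain “require verified TLS” policy turns both downgrades into a refusal. The EHLO replies, certificate names and the policy list are constructed.

```python
import re

# Constructed per-domain policy standing in for the "HSTS for SMTP" idea raised
# above: domains listed here are never delivered in the clear or to an
# unverified server. (Assumption for this example, not a real standard.)
REQUIRE_VERIFIED_TLS = {"bank.example"}


def parse_ehlo(reply: str) -> set:
    """Extract the extension keywords from a multi-line EHLO reply.

    Continuation lines look like "250-KEYWORD", the final line "250 KEYWORD";
    the first line carries the server's greeting rather than a keyword.
    """
    lines = [l for l in reply.splitlines() if l.strip()]
    caps = set()
    for line in lines[1:]:
        m = re.match(r"^250[ -](\S+)", line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def hostname_matches(mx_host: str, cert_names: list) -> bool:
    """Match the MX hostname against certificate names (RFC 6125 style):
    exact match, or a single '*' allowed in the left-most label only."""
    host = mx_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == host[1:]:
            return True
    return False


def delivery_decision(domain: str, mx_host: str, ehlo_reply: str,
                      cert_names: list, chain_trusted: bool) -> str:
    """How an opportunistic-TLS sender would deliver to `domain` via `mx_host`.

    Returns one of "tls-verified", "tls-unverified", "plaintext", "refuse".
    Without a policy, a stripped STARTTLS keyword silently downgrades to
    plaintext and a self-signed or mismatched certificate is still accepted;
    with a policy, both become a refusal instead of a downgrade.
    """
    strict = domain in REQUIRE_VERIFIED_TLS
    if "STARTTLS" not in parse_ehlo(ehlo_reply):
        return "refuse" if strict else "plaintext"
    if not chain_trusted or not hostname_matches(mx_host, cert_names):
        return "refuse" if strict else "tls-unverified"
    return "tls-verified"


# Constructed EHLO replies (not captured from a real server).
EHLO_FULL = ("250-mx.example.net Hello\r\n250-PIPELINING\r\n250-SIZE 52428800\r\n"
             "250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_STRIPPED = ("250-mx.example.net Hello\r\n250-PIPELINING\r\n250-SIZE 52428800\r\n"
                 "250 8BITMIME\r\n")
# Names on a shared hosting provider's certificate, as in the vanity-MX example
# above: they identify the real machine, not the customer's mail.mydomain.com.
HOSTED_CERT_NAMES = ["in2-smtp.messagingengine.com", "*.messagingengine.com"]

if __name__ == "__main__":
    for dom in ("example.com", "bank.example"):
        for label, reply in (("full", EHLO_FULL), ("stripped", EHLO_STRIPPED)):
            print(dom, label, delivery_decision(dom, "mail.mydomain.com", reply, HOSTED_CERT_NAMES, True))
```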

Researchers find 60 flaws in 22 common consumer network devices

  • A group of security researchers doing their IT Security Master’s Thesis at Universidad Europea de Madrid in Spain have published their research
  • They found serious flaws in 22 different SOHO network devices, including those from D-Link, Belkin, Linksys, Huawei, Netgear, and Zyxel
  • Most of the devices they surveyed were ones distributed by ISPs in Spain, so these vulnerabilities have a very large impact, since almost every Internet user in Spain has one of these 22 devices
  • They found 11 unique types of vulnerability, for a total of 60 flaws across the 22 devices
    • Persistent Cross Site Scripting (XSS)
    • Unauthenticated Cross Site Scripting
    • Cross Site Request Forgery (CSRF)
    • Denial of Service (DoS)
    • Privilege Escalation
    • Information Disclosure
    • Backdoor
    • Bypass Authentication using SMB Symlinks
    • USB Device Bypass Authentication
    • Bypass Authentication
    • Universal Plug and Play related vulnerabilities
  • All of this makes me glad my router runs FreeBSD.
  • Luckily, there are finally some consumer network devices like these that can run a real OS, like the TP-LINK WDR3600, which has a 560 MHz MIPS CPU and can run FreeBSD 11 or Linux distros such as DD-WRT
  • Additional Coverage – ITWorld

CareFirst Blue Cross hit by security breach affecting 1.1 million customers

  • “CareFirst BlueCross BlueShield last week said it had been hit with a data breach that compromised the personal information on approximately 1.1 million customers. There are indications that the same attack methods may have been used in this intrusion as with breaches at Anthem and Premera, incidents that collectively involved data on more than 90 million Americans.”
  • It would be interesting to know if there are common bits of infrastructure or software in use at these providers that made these compromises possible, or if security was just generally lax enough that the attackers were able to compromise the three insurance providers separately
  • “According to a statement CareFirst issued Wednesday, attackers gained access to names, birth dates, email addresses and insurance identification numbers. The company said the database did not include Social Security or credit card numbers, passwords or medical information. Nevertheless, CareFirst is offering credit monitoring and identity theft protection for two years.”
  • “There are clues implicating the same state-sponsored actors from China thought to be involved in the Anthem and Premera attacks.”
  • “As Krebs noted in this Feb. 9, 2015 story, Anthem was breached not long after a malware campaign was erected that mimicked Anthem’s domain names at the time of the breach. Prior to its official name change at the end of 2014, Anthem was known as Wellpoint. Security researchers at cybersecurity firm ThreatConnect Inc. had uncovered a series of subdomains for we11point[dot]com (note the “L’s” in the domain were replaced by the numeral “1”) — including myhr.we11point[dot]com and hrsolutions.we11point[dot]com. ThreatConnect also found that the domains were registered in April 2014 (approximately the time that the Anthem breach began), and that the domains were used in conjunction with malware designed to mimic a software tool that many organizations commonly use to allow employees remote access to internal networks.”
  • “On Feb. 27, 2015, ThreatConnect published more information tying the same threat actors and modus operandi to a domain called “prennera[dot]com” (notice the use of the double “n” there to mimic the letter “m”)”
  • So it seems that the compromises may have just been a combination of spear phishing and malware, to trick employees into divulging their credentials to sites they thought were legitimate
  • Such targeted attacks on teleworkers are a disturbing new trend
  • The same Chinese bulk registrant also bought careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).
  • “Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.”
  • Anthem has broken the trend, and is offering “AllClear ID” credit and identity theft monitoring, rather than Experian

First review of Intel’s new Broadwell desktop processors

  • The long awaited new line of desktop processors has landed
  • Problems with the new 14nm fabrication process resulted in the entire Broadwell line being delayed, significantly in the case of the desktop chips
  • The two new models are the Core i7 5775c, and Core i5 5765c with a 65W TDP
  • These Broadwell chips have a lower TDP than their top-end Haswell cousins, actually being closer to the lower clocked i7-4790S than the top end i7-4770K
  • Overall, speeds are not quite as fast as the current generation Haswell flagship processors
  • These new processors use Intel’s Iris Pro 6200 Integrated GPU, with performance numbers that now outpace rival AMD’s offerings, although at a higher price point
  • Broadwell will soon be replaced by Skylake, later this year, so you might want to wait to make your next big purchase
  • Broadwell also features: “128MB of eDRAM that acts almost like an L4 cache. This helps alleviate memory bandwidth pressure by providing a large(ish) pool near the CPU but with lower latency and much greater bandwidth than main memory. The eDRAM has the greatest effect in graphics, but we also saw some moderate increases in our non-3D regular benchmark suite”
  • In the end, it is a bit unexpected for the desktop range to include only 2 processors, and in the middle TDP, with no offerings at the lower end (35W) or higher end (88W)
  • Some of the benchmarks suggest the eDRAM may help with video encoding

An Uber Mess | TechSNAP 205 (https://original.jupiterbroadcasting.net/78707/an-uber-mess-techsnap-205/), Thu, 12 Mar 2015 08:59:29 +0000

The post An Uber Mess | TechSNAP 205 first appeared on Jupiter Broadcasting.


Using encryption is a good thing, but it’s just the start, we’ll explain. Plus how one developer totally owned the Uber app.

Then it’s a great batch of your questions & our answers!

Thanks to:

  • DigitalOcean
  • Ting
  • iXsystems


— Show Notes: —

OPSEC (Operational Security) for Activists and Journalists

  • Using encryption is a good thing, but if you need to hide from advanced adversaries, such as the foreign governments you are protecting sources from or reporting on, you need more than encryption to make sure you don’t get “disappeared”
  • The FBI has identified people even when they were using Tor
  • “The only protection against communication systems is to avoid their use.” —Cryptome, Communications Privacy Folly, June 13, 2012
  • Anti-forensics is all about reducing both the quantity and quality of information that adversaries acquire. In other words, if spies succeed in breaching your computer, give them as little useful information as possible. One way to achieve this is through compartmentalization, a technique honed to a fine edge by intelligence outfits like the KGB.
  • Especially sensitive government messages are still passed by courier; even the government doesn’t trust crypto 100%
  • “Avoid patterns (geographic, chronological, etc.). Arbitrarily relocate to new spots during the course of a phone call. Stay in motion. Phone calls should be as short as possible so that the amount of data collected by surveillance equipment during the call’s duration is minimized. This will make it more difficult for spies to make accurate predictions.”
  • “Carrying additional mobile devices (e.g. surface tablet, second cell phone) creates the risk that the peripheral hardware may undermine anonymity through correlation. Finally, pay for items using cash when operational. Credit card transactions are like a big red flag”
  • “If spies somehow capture a secure cell phone and are able to siphon data off of it, one potential countermeasure is to flood the device with false information. Skillful application of this technique can lead spies on a goose chase. When Edward Snowden was fleeing Hong Kong he intentionally bought a plane ticket to India with his own credit card in an effort to throw pursuers off his track.”
  • “In summary, expect security tools to fail, compartmentalize to contain damage and apply the Grugq’s core tenets of anti-forensics. Don’t put blind faith in technology. Focus your resources on maintaining rigorous procedures. When things get dicey it’ll be your training and preparation that keep you secure.”

How I accessed employee settings on the Uber app

  • While debugging an upcoming app, Nathan Mock, an iOS engineer, “accidentally” got a closer glimpse into the internals of Uber’s iOS app.
  • He was using Charles, an HTTP debugging proxy that sits between a client and the internet. With Charles’s own root CA installed in the device’s trust store, it terminates and re-signs HTTPS connections, so requests and responses can be viewed in plain text. With the requests flowing in, he noticed one made every 5 seconds.
  • That request is used by Uber to exchange rider location, driver availability, application configuration settings and more with devices.
  • Inspecting the response, he discovered the key isAdmin, which was set to false for his account. Charles allows you to define rewrite rules, so he rewrote the response to change isAdmin to true, curious what effect it would have on the app. He browsed the app with the new value applied and, lo and behold, stumbled upon the Employee Settings screen, reachable from the About screen
  • Uber’s app is extremely dynamic. The client architecture allows them to customize the app’s UI for certain geographical areas, riders, and even individual devices, allowing them to do things such as deliver kittens, deliver food, offer rides on helicopters, and of course, change prices, all without re-submitting the binary to the App Store for approval. This is common practice for many client-server applications: a neat way to target certain features to a limited subset of users without the burden and time constraints of submitting an app for review.
  • If a malicious developer wanted to get a forbidden feature past the review team, it is possible to hide the feature behind a server-side “switch”, turning it off during the review process and enabling it once approved. If Apple’s purpose is to control the feature set of apps that get into the store, that control can be bypassed through this kind of client-server configuration architecture. Apple certainly has the power to take an app down once it discovers the feature, but until then, it is out in the wild.
  • The lesson is not that HTTPS failed. HTTPS protects traffic from third parties on the network, but it cannot protect an app from the owner of the device it runs on, who can install a trusted CA and inspect or rewrite every request and response. Any feature gate or permission that lives only in the client can be flipped the same way, so the server must enforce authorization for privileged functionality itself and treat client-supplied flags like isAdmin as untrusted input (defensive programming). A malicious third party could use the same trick to exploit the app in ways its developers did not foresee.
  • Uber also recently suffered a data breach that leaked information about 50,000 drivers
  • The breach apparently occurred on May 13, 2014, was not discovered until September 17, 2014, and was not announced until February 27, 2015.
  • “Uber says it will offer a free one-year membership of Experian’s ProtectMyID Alert”
  • It turns out Uber may have accidentally stored a sensitive database key on a public GitHub page, and is suing GitHub to get the IP addresses of those who accessed the information
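The isAdmin story is a textbook case of client-side enforcement. The following is an added example, not Uber’s code or Nathan Mock’s: it simulates a Charles-style rewrite of the intercepted JSON, shows that a client which gates the Employee Settings screen on that flag is fooled, and contrasts a server that trusts the client’s claim with one that decides authorization from its own records. The JSON shape, the session tokens, the user table and the HTTP status codes are all constructed for illustration.

```python
"""Added example (not Uber's code): why a client-side feature flag such as
``isAdmin`` must never be the only gate on privileged functionality.

Everything here is constructed: the JSON shape, the session tokens and the
user records are assumptions, not Uber's real API.
"""
import json


def rewrite_response(body: bytes, rules: dict) -> bytes:
    """Simulate a Charles rewrite rule applied to an intercepted JSON body.

    Charles runs on the user's own machine with its root CA trusted by the
    device, so it sees the decrypted HTTPS body and can change it before the
    app parses it.  TLS does nothing against this: the "attacker" is the
    endpoint itself.
    """
    data = json.loads(body)
    for key, value in rules.items():
        if key in data:
            data[key] = value
    return json.dumps(data).encode()


def client_shows_employee_screen(config_body: bytes) -> bool:
    """Weak pattern: the app reveals the Employee Settings screen purely
    because the (attacker-controllable) config response says so."""
    return bool(json.loads(config_body).get("isAdmin", False))


# Server side: the only authoritative record of who is an employee.
# Constructed sample data.
USERS = {
    "session-rider-1": {"user_id": 1001, "role": "rider"},
    "session-emp-7":   {"user_id": 7,    "role": "employee"},
}


def server_employee_settings(session_token: str, claimed_is_admin: bool) -> int:
    """Hardened pattern: authorization comes from server-side state.

    ``claimed_is_admin`` is whatever the client sent and is deliberately
    ignored.  Returns an HTTP-style status code.
    """
    user = USERS.get(session_token)
    if user is None:
        return 401
    if user["role"] != "employee":      # never consult claimed_is_admin here
        return 403
    return 200


def naive_server_employee_settings(session_token: str, claimed_is_admin: bool) -> int:
    """The mirror-image mistake on the server: believing the client's claim."""
    if session_token not in USERS:
        return 401
    return 200 if claimed_is_admin else 403


def demo() -> dict:
    """Run the tampering scenario end to end and report what each side does."""
    original = json.dumps({"isAdmin": False, "pollIntervalSec": 5}).encode()
    tampered = rewrite_response(original, {"isAdmin": True})
    return {
        "ui_unlocked_after_rewrite": client_shows_employee_screen(tampered),
        "hardened_server": server_employee_settings("session-rider-1", True),
        "naive_server": naive_server_employee_settings("session-rider-1", True),
        "real_employee": server_employee_settings("session-emp-7", False),
    }


if __name__ == "__main__":
    print(demo())
```

Hiding a screen in the client is fine as a user-experience measure; the data behind the screen must still be refused by the server when the session does not belong to an employee. That is the check `server_employee_settings` makes and `naive_server_employee_settings` omits.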

SuperFishy Mistake | TechSNAP 202 https://original.jupiterbroadcasting.net/77712/superfishy-mistake-techsnap-202/ Thu, 19 Feb 2015 17:29:59 +0000 https://original.jupiterbroadcasting.net/?p=77712 Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, we’ll break down how this is possible, the danger that still exists & more. Plus the story of a billion dollar cyber heist anyone could pull off, the Equation group, your questions, our answers & much much more! Thanks to: Get Paid to Write for […]

The post SuperFishy Mistake | TechSNAP 202 first appeared on Jupiter Broadcasting.

Lenovo PCs ship with man-in-the-middle adware that breaks HTTPS connections, we’ll break down how this is possible, the danger that still exists & more.

Plus the story of a billion dollar cyber heist anyone could pull off, the Equation group, your questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

APT Attack robs banks

  • A staggering APT attack has been conducted against over 100 banks in 30 countries, and has reportedly managed to steal as much as 1 billion USD.
  • “In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.”
  • While investigating, Kaspersky Lab found no malware on the ATM, just a strange VPN connection
  • Later, they were called into the bank’s headquarters, after the bank’s security officer got an alert about a connection from their domain controller to China
  • Kaspersky Video
  • “In order to infiltrate the bank’s intranet, the attackers used spear phishing emails, luring users to open them, infecting machines with malware. A backdoor was installed onto the victim’s PC based on the Carberp malicious code, which, in turn gave the name to the campaign — Carbanak.”
  • “After obtaining control over the compromised machine, cybercriminals used it as an entry point; they probed the bank’s intranet and infected other PCs to find out which of them could be used to access critical financial systems.”
  • “That done, the criminals studied the financial tools used by the banks, using keyloggers and stealth screenshot capabilities.”
  • “Then, to wrap up the scheme, the hackers withdrew funds, defining the most convenient methods on a case-by-case basis, whether using a SWIFT transfer or creating faux bank accounts with cash withdrawn by ‘mules’ or via a remote command to an ATM.”
  • On average, it took two to four months to drain each victim bank, from day 1 of infection to cash withdrawal.
  • The oldest code that could be found related to these attacks was from August 2013
  • Additional Coverage – NY Times
  • Additional Coverage – ThreatPost
  • Additional Coverage – SecureList
  • Report PDF
  • This attack is related to the malware installed directly on ATMs that we have reported on before

Lenovo spyware installs own Root CA

  • It has been discovered that Lenovo has been shipping devices preinstalled with an advertising application called SuperFish
  • This “Visual Discovery” advertising system injects picture ads for items related to your search terms into Google search results and other websites
  • While this is bad enough, and upsets many people, the bigger problem is how they do it
  • In order to snoop on the search terms you are using, SuperFish must intercept your encrypted communications with Google and others
  • To do this, the SuperFish software installs its own root Certificate Authority into the system’s trusted certificate store
  • This makes your machine trust every certificate signed by SuperFish
  • The proxy SuperFish installs intercepts all of your web traffic. When it sees you making a secure connection, which it would otherwise be unable to snoop on, it creates on the fly a new certificate for the site you are visiting (google.com, bankofamerica.com, whatever) and signs it with its private key
  • Your browser trusts this fake certificate, so it issues no warning, and you are completely unaware that SuperFish is intercepting all of your communications
  • There are a number of security problems with this, including: does SuperFish issue a “valid” certificate even when the upstream certificate is invalid, such as a self-signed one? If so, an attacker could trick you into visiting a website and seeing it as authentic when it is not, because SuperFish has signed a fresh certificate for it
  • Worse, rather than relying on SuperFish backend infrastructure to generate these bogus certificates, SuperFish ships the private key for its fake root CA with the software, on every machine
  • A researcher at Errata Security was able to crack the password protecting that private key in only 3 hours
  • The password was: komodia
  • He found it fairly easily: first he used procdump to defeat the packing used by SuperFish (procdump wrote out the binary as it sat in memory after it had unpacked itself)
  • Next, he ran the standard Unix tool ‘strings’ on the resulting dump and found the encrypted SSL private key
  • After failed attempts to brute-force it or run a standard dictionary attack against it, he went back to his ‘strings’ output
  • After filtering it down to only short, all-lowercase words, he used that list as a dictionary and found the password
  • Now anyone can download the SuperFish software, extract the certificate and private key, and start signing bogus certificates for any website they wish, and every Lenovo or other machine with the SuperFish root installed will happily accept them as genuine
  • SuperFish CEO Adi Pinhas tells Ars that “Superfish has not been active on Lenovo laptops since December. We stand by this Lenovo statement.”
  • While Lenovo and SuperFish disabled the server-side component of SuperFish, which stops it from showing ads, even uninstalling the SuperFish software does not remove the trusted root certificate, leaving users vulnerable to man-in-the-middle attacks
  • Chrome’s certificate pinning did not stop this because Chrome deliberately does not enforce pins for certificate chains that end in a locally installed root; to the browser, a root added by SuperFish is indistinguishable from one added by a corporate IT department
  • That exemption exists because the same interception technique is popular in corporate security products, and open source application proxies can do it too (OpenBSD’s relayd, for one); enforcing pins against user-installed roots would break all of them, so Google relaxed the requirement to stay compatible with corporate networks
  • Lenovo Forums
  • Additional Coverage – ThreatPost
  • Additional Coverage – TheNextWeb
  • Additional Coverage – TechSpot
  • Additional Coverage – ZDNet
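Because uninstalling SuperFish leaves its root in the trust store, the practical check is to audit the trust anchors a machine actually uses. The following is an added example, not code from the show, Lenovo or SuperFish: it lists the root CAs that Python’s ssl module loaded from the platform (on Windows that includes roots installed by vendors and users) and flags any whose subject organisation is on a blocklist. The blocklist is constructed; its one real entry is the organisation name SuperFish used for its root.

```python
"""Added example (not from the show or any vendor): audit the trust store
Python sees for root CAs whose subject organisation is blocklisted.

``ssl.create_default_context()`` loads the platform's default roots; on
Windows that is the system ROOT/CA stores, where SuperFish put its CA.
"""
import ssl

# Constructed blocklist.  Subject organisation names that must never be a
# trust anchor on a managed machine; extend it from vendor advisories.
BLOCKLISTED_ORGS = {"Superfish, Inc."}


def subject_dict(cert: dict) -> dict:
    """Flatten ssl's nested subject tuple ((('commonName','x'),), ...) into
    a plain {attribute: value} mapping."""
    return {attr: value for rdn in cert.get("subject", ()) for (attr, value) in rdn}


def suspicious_roots(certs: list, blocklisted_orgs: set = BLOCKLISTED_ORGS) -> list:
    """Return (organizationName, commonName) for every root whose O matches.

    ``certs`` is the list of dicts that ``SSLContext.get_ca_certs()`` returns,
    so the same function can be run over a live store or over a saved export.
    """
    hits = []
    for cert in certs:
        subj = subject_dict(cert)
        org = subj.get("organizationName", "")
        if org in blocklisted_orgs:
            hits.append((org, subj.get("commonName", "")))
    return hits


def audit_system_store() -> list:
    """Load the platform's default roots and report blocklisted ones."""
    ctx = ssl.create_default_context()
    return suspicious_roots(ctx.get_ca_certs())


if __name__ == "__main__":
    hits = audit_system_store()
    if hits:
        print("Blocklisted trust anchors present:", hits)
    else:
        print("No blocklisted roots in the trust store Python uses.")
```

Two caveats. On Linux builds that point OpenSSL at a capath directory rather than a bundle file, `get_ca_certs()` only lists roots that have already been used in a handshake, so an empty result there is not a clean bill of health; run it on the affected Windows machine itself. And matching on the subject name is a first pass: a vendor advisory will give the root’s fingerprint, which is the value to pin an alert on.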

The Equation Group — Part of the NSA?

  • Researchers at Kaspersky Lab have uncovered a cyberespionage group that has been operating for at least 15 years and has worked with and supported the attackers behind Stuxnet, Flame and other highly sophisticated operations.
  • Known as the Equation Group, it used two of the zero-days contained in Stuxnet before that worm employed them, and has used a number of other infection methods
  • Beginning in 2001, and possibly as early as 1996, the Equation Group began conducting highly targeted and complex exploitation and espionage operations against victims in countries around the world. The group’s toolkit includes components for infection, a self-propagating worm that gathers data from air-gapped targets, a full-featured bootkit that maintains control of a compromised machine and a “validator” module that determines whether infected PCs are interesting enough to install the full attack platform on.
  • An unusual if not truly novel way of bypassing code-signing restrictions in modern versions of Windows, which require that all third-party software interfacing with the operating system kernel be digitally signed by a recognized certificate authority. To circumvent this restriction, Equation Group malware exploited a known vulnerability in an already signed driver for CloneCD to achieve kernel-level code execution.
  • The trump card for the Equation Group attackers is their ability to reprogram an infected machine’s hard drive firmware. This module, known only by a cryptic name, “nls_933w.dll”, essentially allows the attackers to rewrite the HDD or SSD firmware with a custom payload of their own creation.
  • One of the Equation Group’s malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.
  • Additional Coverage – Ars Technica
  • Additional Coverage – ZDNet
  • Additional Coverage – Digital Munition

Weaponized PowerPoint | TechSNAP 185 https://original.jupiterbroadcasting.net/69937/weaponized-powerpoint-techsnap-185/ Thu, 23 Oct 2014 16:56:21 +0000 https://original.jupiterbroadcasting.net/?p=69937 A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized PowerPoint presentation. No, I’m not kidding. The details are fascinating. Old ATMs become more and more of a target & it’s not because of Windows XP, and great big batch of your questions, our answers & much much […]

The post Weaponized PowerPoint | TechSNAP 185 first appeared on Jupiter Broadcasting.

A 0-day exploit is attacking Microsoft Windows boxes all over the web, thanks to a weaponized PowerPoint presentation. No, I’m not kidding. The details are fascinating.

Old ATMs become more and more of a target & it’s not because of Windows XP, and a great big batch of your questions, our answers & much much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

Older ATMs being targeted more and more often by Malware attacks

  • Krebs describes the growing trend in ATM “Jackpotting”
  • Formerly, the most common attack against ATMs was skimming: installing small physical devices to read card data and capture the PINs of victims who use the ATM, then creating fake cards to empty the victims’ accounts
  • The new trend, installing malware on the computer that operates the ATM, allows the attackers to drain all of the cash out of the ATM without needing compromised accounts with large balances
  • The fraud is harder to detect because money does not go missing from bank accounts in real time; the theft may not be discovered until the ATM is emptied and stops dispensing cash
  • Some of the malware is even smart enough to interfere with the ATM’s reports back to the bank about the level of cash available, which might otherwise tip the bank off to the fact that the ATM is infected
  • “Last month, media outlets in Malaysia reported that organized crime gangs had stolen the equivalent of about USD $1 million with the help of malware they’d installed on at least 18 ATMs across the country. Several stories about the Malaysian attack mention that the ATMs involved were all made by ATM giant NCR.”
  • In an Interview with Owen Wild, NCR’s “global marketing director, security compliance solutions”, Krebs learned:
  • More than half of the ATM install base is using a model that was discontinued 7 years ago (Windows XP Based?)
  • Most of the attacks involve physically assaulting the ATM, removing the top of front casing to access the standard PC inside, and then infecting the machine via CD or USB stick
  • “What we’re finding is these types of attacks are occurring on standalone, unattended types of units where there is much easier access to the top of the box than you would normally find in the wall-mounted or attended models.”
  • When asked about Windows XP: “Right now, that’s not a major factor. It is certainly something that has to be considered by ATM operators in making their migration move to newer systems. Microsoft discontinued updates and security patching on Windows XP, with very expensive exceptions. Where it becomes an issue for ATM operators is that maintaining Payment Card Industry (credit and debit card security standards) compliance requires that the ATM operator be running an operating system that receives ongoing security updates. So, while many ATM operators certainly have compliance issues, to this point we have not seen the operating system come into play.”
  • It would seem that installing malware on the machine would affect newer versions of Windows almost as easily, so Windows XP might not actually be that big of a factor in these cases
  • “Most of these attacks come down to two different ways of jackpotting the ATM. The first is what we call “black box” attacks, where some form of electronic device is hooked up to the ATM — basically bypassing the infrastructure in the processing of the ATM and sending an unauthorized cash dispense code to the ATM. That was the first wave of attacks we saw that started very slowly in 2012, went quiet for a while and then became active again in 2013.”

Sandworm Team – not a worm, but still a big deal

  • “Microsoft has announced the discovery of a zero-day vulnerability affecting all supported versions of Microsoft Windows and Windows Server 2008 and 2012. Reports are also coming in that this specific vulnerability has been exploited and used in attacks against the North Atlantic Treaty Organization (NATO) and several European industries and sectors.”
  • This particular vulnerability has allegedly been in use since August 2013, “mainly through weaponized PowerPoint documents.”
  • The vulnerability exploits a flaw in the Microsoft OLE functionality
  • It allows a PowerPoint or other Office document to carry an embedded file, or to embed an external, untrusted resource
  • This can cause remote code execution, allowing the attacker to run any code they wish as the user who opens the document
  • In the case of at least one attack, the embedded file was a .inf that then installed malware on the system
  • Many users still run with administrative rights, giving the malware full control of the target system
  • iSIGHT Partners says: “We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities. We are tracking active campaigns by at least five distinct intrusions teams”, “As part of our normal cyber threat intelligence operations, iSIGHT Partners is tracking a growing drum beat of cyber espionage activity out of Russia”
  • “For example, we recently disclosed the activities of one of those teams (dubbed Tsar team) surrounding the use of mobile malware. This team has previously launched campaigns targeting the United States and European intelligence communities, militaries, defense contractors, news organizations, NGOs and multilateral organizations. It has also targeted jihadists and rebels in Chechnya”
  • Trend Micro also found this same flaw being used against SCADA systems: “These attacks target Microsoft Windows PCs running the GE Intelligent Platform’s CIMPLICITY HMI solution suite with a spear phishing email.”, which downloads the Black Energy malware
  • Researcher Post
  • Technical Analysis by HP Security Research
  • Additional Coverage – ZDNet
  • Microsoft Security Bulletin

Delivering malicious Android apps hidden in image files

  • Researchers have discovered a way to deliver Android malware by embedding the encrypted form in an image file
  • The attack was demonstrated at Black Hat Europe last week in Amsterdam
  • The tool encrypts a malicious .APK in such a way that it appears to be a .JPG or .PNG image file
  • Then, they developed a simple wrapper .APK that includes that image file, and the ability to decrypt it
  • Thus, the malicious app remains hidden from reverse engineering, anti-virus and Google Bouncer, so it can be listed in the Google Play Store
  • “In their testing, Android did show a permission request when the legitimate wrapper file tried to install the malicious APK, but the researchers say that this can be prevented by using DexClassLoader”
  • The work was inspired by a previous piece of malware, Android/Gamex.A!tr, which hid its payload in a .zip file named logos.png, with the added twist that the .zip was valid and innocuous, but when XORed with a single-byte key (18) it was also a valid .zip file containing the malware payload
  • It turns out that ZIP readers do not require the archive to start at the beginning of the file: they locate the end-of-central-directory record at the end of the file and work backwards from it, so simply concatenating a .png and a .zip yields a file that is a valid .png but can also be extracted as a valid .zip
  • PDF: Slides
  • Example Code, Create a .PNG, .JPG, .FLV, or .PDF
  • PDF: Paper
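To make the concatenation trick concrete, here is an added example, not the researchers’ tool or the slides’ code: it builds a genuine 1x1 PNG, appends a ZIP archive holding a constructed stand-in for the hidden APK, shows that `zipfile` extracts the payload from the combined file, and then implements the detector a scanner would want, which recovers how many bytes precede the archive by comparing the end-of-central-directory record’s recorded offsets with its actual position. The payload bytes and the entry name are constructed.

```python
"""Added example (not the researchers' tool): build a .png + .zip polyglot
as described in the Black Hat talk, extract from it, and detect it.

The payload and entry name are constructed; a real sample would carry an
encrypted APK.
"""
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PAYLOAD = b"constructed stand-in for the hidden, encrypted APK"   # constructed


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1, 8-bit greyscale PNG (signature, IHDR, IDAT, IEND)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    scanline = b"\x00\x00"                      # filter byte + one grey pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def build_polyglot(image: bytes, payload: bytes, name: str = "payload.apk") -> bytes:
    """Image first, archive second.  ZIP readers find the archive through the
    End Of Central Directory (EOCD) record at the *end* of the file, so the
    leading image bytes do not disturb them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return image + buf.getvalue()


def is_png(data: bytes) -> bool:
    return data.startswith(PNG_SIG)


def extract_hidden(data: bytes, name: str = "payload.apk") -> bytes:
    """What the wrapper app does: open the 'image' as a zip and pull the payload."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def zip_prefix_length(data: bytes):
    """Detector core.  Locate the EOCD record in the tail of the file and
    return how many bytes precede the archive, or None if there is no zip.

    EOCD layout: sig(4) disk(2) cd_disk(2) n_this(2) n_total(2)
                 cd_size(4) cd_offset(4) comment_len(2) comment(...)
    In a clean archive cd_offset + cd_size == position of the EOCD; any
    prepended data makes the recorded offset fall short by exactly its length.
    """
    tail = data[-(22 + 65535):]                 # EOCD + maximal comment
    idx = tail.rfind(b"PK\x05\x06")
    if idx < 0 or len(tail) - idx < 22:
        return None
    cd_size, cd_offset = struct.unpack("<II", tail[idx + 12:idx + 20])
    eocd_pos = len(data) - len(tail) + idx
    prefix = eocd_pos - (cd_offset + cd_size)
    return prefix if prefix >= 0 else None


def is_image_zip_polyglot(data: bytes) -> bool:
    """An image-typed file that also carries a trailing zip is a polyglot."""
    return is_png(data) and zip_prefix_length(data) is not None


if __name__ == "__main__":
    poly = build_polyglot(minimal_png(), PAYLOAD)
    print("valid PNG header:", is_png(poly))
    print("hidden payload:", extract_hidden(poly))
    print("bytes before archive:", zip_prefix_length(poly))
    print("flagged:", is_image_zip_polyglot(poly))
```

The same offset arithmetic is what `zipfile` itself performs to tolerate self-extracting stubs, which is exactly why the payload survives: a scanner that only checks the first bytes of a file sees an image, while anything that trusts the EOCD sees an archive. Checking both views, as `is_image_zip_polyglot` does, is the cheap defensive test.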

ZFS War Stories | BSD Now 45 https://original.jupiterbroadcasting.net/62142/zfs-war-stories-bsd-now-45/ Thu, 10 Jul 2014 12:39:46 +0000 https://original.jupiterbroadcasting.net/?p=62142 This week Allan is at BSDCam in the UK, so we’ll be back with a regular episode next week. For now though, here’s an interview with Josh Paetzel about some crazy experiences he’s had with ZFS. Thanks to: Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube RSS […]

The post ZFS War Stories | BSD Now 45 first appeared on Jupiter Broadcasting.

This week Allan is at BSDCam in the UK, so we’ll be back with a regular episode next week. For now though, here’s an interview with Josh Paetzel about some crazy experiences he’s had with ZFS.

Thanks to:


iXsystems


Tarsnap

– Show Notes: –


Interview – Josh Paetzel – josh@ixsystems.com / @bsdunix4ever

Crazy ZFS stories, network protocols, server hardware


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

MX with TTX | BSD Now 3 https://original.jupiterbroadcasting.net/43392/mx-with-ttx-bsd-now-3/ Fri, 20 Sep 2013 08:26:39 +0000 https://original.jupiterbroadcasting.net/?p=43392 A tutorial on pkgng, we talk with the developers of OpenSMTPD about running a mail server OpenBSD-style, answer YOUR questions and more.

The post MX with TTX | BSD Now 3 first appeared on Jupiter Broadcasting.

A tutorial on pkgng, we talk with the developers of OpenSMTPD about running a mail server OpenBSD-style, answer YOUR questions and, of course, discuss all the latest news.

All that and more on BSD Now! The place to B… SD.

– Show Notes: –

Headlines

pfSense 2.1-RELEASE is out

  • Now based on FreeBSD 8.3
  • Lots of IPv6 features added
  • Security updates, bug fixes, driver updates
  • PBI package support
  • Way too many updates to list, see the full list

New kernel based iSCSI stack comes to FreeBSD

  • Brief explanation of iSCSI
  • This work replaces the older userland iSCSI target daemon and improves the in-kernel iSCSI initiator
  • Target layer consists of:
  • ctld(8), a userspace daemon responsible for handling configuration, listening for incoming connections, etc, then handing off connections to the kernel after the iSCSI Login phase
  • iSCSI frontend to CAM Target Layer, which handles Full Feature phase.
  • The work is being sponsored by FreeBSD Foundation
  • Commit here

MTier creates openup utility for OpenBSD

  • MTier provides a number of things for the OpenBSD community
  • For example, regularly updated (for security) stable packages from their custom repo
  • openup is a utility to easily check for security updates in both base and packages
  • It uses the regular pkg tools, nothing custom-made
  • Can be run from cron, but only emails the admin instead of automatically updating

OpenSSH in FreeBSD -CURRENT supports DNSSEC

  • OpenSSH in base is now compiled with DNSSEC support
  • In this case the default setting for ‘VerifyHostKeyDNS’ is yes
  • OpenSSH will silently trust DNSSEC-signed SSHFP records
  • It is the secteam’s opinion that this is better than teaching users to blindly hit “yes” each time they encounter a new key
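For the DNSSEC route to replace the “blindly hit yes” habit, the SSHFP records in DNS have to match the host keys the servers actually present. The following is an added example, not OpenSSH code: it computes the SSHFP records that `ssh-keygen -r` would print for a host key (the fingerprint is a hash over the base64-decoded key blob), and performs the client-side comparison ssh makes when VerifyHostKeyDNS is enabled. The ed25519 key is constructed from 32 fixed bytes and is not a real host key.

```python
"""Added example (not OpenSSH code): generate SSHFP records for a host key
and check a presented key against a fingerprint from DNS.

The ed25519 public key built below is constructed, not a real host key.
"""
import base64
import hashlib
import struct

# SSHFP algorithm and fingerprint-type numbers (RFC 4255, 6594, 7479).
KEY_ALGOS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
             "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
FP_TYPES = {"sha1": 1, "sha256": 2}


def ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def key_blob(pubkey_line: str) -> bytes:
    """Decode the base64 blob from an OpenSSH public-key line (the format of
    /etc/ssh/ssh_host_*_key.pub) and check that the algorithm name inside
    the blob matches the one declared at the front of the line."""
    algo, b64, *_ = pubkey_line.split()
    blob = base64.b64decode(b64)
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != algo.encode():
        raise ValueError("key blob does not match declared algorithm")
    return blob


def fingerprint_hex(pubkey_line: str, fp_name: str) -> str:
    """Hash over the raw key blob: this is what ssh-keygen -r publishes."""
    return hashlib.new(fp_name, key_blob(pubkey_line)).hexdigest()


def sshfp_records(pubkey_line: str, hostname: str) -> list:
    """One SSHFP record per fingerprint type, in zone-file form."""
    algo = pubkey_line.split()[0]
    return [
        f"{hostname} IN SSHFP {KEY_ALGOS[algo]} {fp_num} {fingerprint_hex(pubkey_line, fp_name).upper()}"
        for fp_name, fp_num in FP_TYPES.items()
    ]


def matches_dns(pubkey_line: str, dns_fp_hex: str, fp_type: int) -> bool:
    """Client-side check: does the key the server presented hash to the
    fingerprint found in DNS?  With VerifyHostKeyDNS yes, ssh trusts a match
    only when the DNS answer was DNSSEC-authenticated; an unauthenticated
    answer is treated like 'ask'."""
    fp_name = {num: name for name, num in FP_TYPES.items()}[fp_type]
    return fingerprint_hex(pubkey_line, fp_name) == dns_fp_hex.lower()


def constructed_ed25519_pubkey() -> str:
    """Build an OpenSSH public-key line from a constructed 32-byte key."""
    raw = bytes(range(32))                      # constructed, NOT a real key
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " example-host"


if __name__ == "__main__":
    for rec in sshfp_records(constructed_ed25519_pubkey(), "host.example.net."):
        print(rec)
```

The security of this scheme rests on the resolver: if the client’s resolver does not validate DNSSEC (or the AD bit is stripped on the way), OpenSSH falls back to prompting rather than trusting, so a deployment that wants the silent behaviour the secteam intends needs a validating resolver on the client side as well as signed zones.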

Interview – Gilles Chehade & Eric Faurot – gilles@openbsd.org / @poolpOrg & eric@openbsd.org

OpenSMTPD

  • Q: Could you tell us a little bit about yourselves and how you got involved with OpenBSD?
  • Q: What exactly is OpenSMTPD and why was it created?
  • Q: How big is your team of developers? Who’s doing what?
  • Q: How compatible is it with things like dovecot, spamassassin, etc?
  • Q: Are there any advantages over the other mail servers like Postfix or Exim?
  • Q: If someone wanted to switch from them, is it an easy replacement?
  • Q: The config syntax is very nice and easy to grasp. Was it inspired by PF’s at all?
  • Q: What made you decide to develop a portable version, a la OpenSSH?
  • Q: Tell us some cool, upcoming features in a future release
  • Q: Anything else you’d like to mention about the project?
  • Q: Where can people find more info and help with development if they want?

Tutorial

Using pkgng for binary package management

  • Live demo
  • pkgng is the replacement for the old pkg_add tools
  • Much more modern, supports an array of features that the old system didn’t
  • Works on DragonflyBSD as well

News Roundup

New progress with Newcons

  • Newcons is a replacement console driver for FreeBSD
  • Supports unicode, better graphics modes and bigger fonts
  • Progress is being made, but it’s not finished yet

relayd gets PFS support

  • relayd is a load balancer for OpenBSD which does protocol layers 3, 4, and 7
  • Currently being ported to FreeBSD. There is a WIP port
  • Works by negotiating ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) on the TLS connection that relayd terminates, so clients get Perfect Forward Secrecy even when the server behind relayd does not support it

OpenZFS Launches

  • Slides from LinuxCon
  • Will feature ‘Office Hours’ (Ask an Expert)
  • Goal is to reduce the differences between various open source implementations of ZFS, both user facing and pure lines of code

FreeBSD 10-CURRENT becomes 10.0-ALPHA

  • Glen Barber tagged the -CURRENT branch as 10.0-ALPHA
  • In preparation for 10.0-RELEASE, ALPHA2 as of 9/18
  • Everyone was rushing to get their big commits in before 10-STABLE, which will be branched soon
  • 10 is gonna be HUGE

September issue of BSD Mag

  • BSD Mag is a monthly online magazine about the BSDs
  • This month’s issue has some content written by Kris
  • Topics include MidnightBSD live cds, server maintenance, turning a Mac Mini into a wireless access point with OpenBSD, server monitoring, FreeBSD programming, PEFS encryption and a brief introduction to ZFS

The FreeBSD IRC channel is official

  • For many years, the FreeBSD freenode channel has been “unofficial” with a double-hash prefix
  • Finally it has freenode’s blessing and looks like a normal channel!
  • The old one will forward to the new one, so your IRC clients don’t need updating

OpenSSH 6.3 released

  • After a big delay, Damien Miller announced the release of 6.3
  • Mostly a bugfix release, with a few new features
  • Of note, SFTP now supports resuming failed downloads via -a

Feedback/Questions

  • A couple of people wrote in to tell us that OpenBSD is not the only one with 64-bit time. We misspoke.
  • James writes in: https://slexy.org/view/s2wBbbSWGz
  • Elias writes in: https://slexy.org/view/s2LMDF3PYx
  • Gabor writes in: https://slexy.org/view/s2aCodo65X
  • Possibly the coolest feedback we’ve gotten thus far: Baptiste Daroussin, leader of the FreeBSD ports management team and author of poudriere and pkgng, has put up the BSD Now poudriere tutorial on the official documentation!
  • We always want more feedback, especially tutorial ideas and show topics you want to see

  • Big thanks to TJ for writing most of the show notes and the tutorials, as well as handling most of your feedback
  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

BGP & BSD | BSD Now 1 https://original.jupiterbroadcasting.net/42662/bgp-bsd-bsd-now-1/ Fri, 06 Sep 2013 13:34:00 +0000 https://original.jupiterbroadcasting.net/?p=42662 We kick off the first episode with the latest BSD news, show you how to avoid intrusion detection systems and talk to Peter Hessler about BGP spam blacklists!

The post BGP & BSD | BSD Now 1 first appeared on Jupiter Broadcasting.

– Show Notes: –

Headlines

Radeon KMS committed

  • Committed by Jean-Sebastien Pedron
  • Brings kernel mode setting to -CURRENT, will be in 10.0-RELEASE (ETA 12/2013)
  • 10-STABLE is expected to be branched in October, to begin the process of stabilizing development
  • Initial testing shows it works well
  • May be merged to 9.X, but due to changes to the VM subsystem this will require a lot of work, and is currently not a priority for the Radeon KMS developer
  • Still suffers from the syscons / KMS switcher issues, same as Intel video
  • More info: https://wiki.freebsd.org/AMD_GPU

VeriSign Embraces FreeBSD

  • “BSD is quite literally at the very core foundation of what makes the Internet work”
  • Using BSD and Linux together provides reliability and diversity
  • Verisign gives back to the community, runs vBSDCon
  • “You get comfortable with something because it works well for your particular purposes and can find a good community that you can interact with. That all rang true for us with FreeBSD.”

fetch/libfetch get a makeover

  • Adds support for SSL certificate verification
  • Requires root ca bundle (security/root_ca_nss)
  • Still missing TLS SNI support (Server Name Indication, allows name based virtual hosts over SSL)

FreeBSD Foundation Semi-Annual Newsletter

  • The FreeBSD Foundation took the 20th anniversary of FreeBSD as an opportunity to look at where the project is, and where it might want to go
  • The foundation sets out some basic goals that the project should strive towards:
    • Unify User Experience
      • “ensure that knowledge gained mastering one task translates to the next”
      • “if we do pay attention to consistency, not only will FreeBSD be easier to use, it will be easier to learn”
    • Design for Human and Programmatic Use
      • 200 machines used to be considered a large deployment; with high-density servers, blades, virtualization and the cloud, that is no longer the case
      • “the tools we provide for status reporting, configuration, and control of FreeBSD just do not scale or fail to provide the desired user experience”
      • “The FreeBSD of tomorrow needs to give programmability and human interaction equal weighting as requirements”
    • Embrace New Ways to Document FreeBSD
      • More ‘Getting Started’ sections in documentation
      • Link to external How-Tos and other documentation
      • “upgrade the cross-referencing and search tools built into FreeBSD, so FreeBSD, not an Internet search engine, is the best place to learn about FreeBSD”
  • Spring Fundraising Campaign, April 17 – May 31, raised a total of $219,806 from 12 organizations and 365 individual donors. In the same period last year we raised a total of $23,422 from 2 organizations and 53 individuals
  • Funds donated to the FreeBSD Foundation have been used on these projects recently:
    • Capsicum security-component framework
    • Transparent superpages support of the FreeBSD/ARM architecture
    • Expanded and faster IPv6
    • Native in-kernel iSCSI stack
    • Five New TCP Congestion Control Algorithms
    • Direct mapped I/O to avoid extra memory copies
    • Unified Extensible Firmware Interface (UEFI) boot environment
    • Porting FreeBSD to the Genesi Efika MX SmartBook laptop (ARM-based)
    • NAND Flash filesystem and storage stack
  • Funds were also used to sponsor a number of BSD focused conferences: BSDCan, EuroBSDCon, AsiaBSDCon, BSDDay, NYCBSDCon, vBSDCon, plus Vendor summits and Developer summits
  • It is important that the foundation receive donations from individuals, to maintain its tax-exempt status in the USA. Even a donation of $5 helps make it clear that the FreeBSD Foundation is backed by a large community, not only a few vendors
  • Donate Today

The place to B…SD

Ohio Linuxfest, Sept. 13-15, 2013

  • Very BSD friendly
  • Kirk McKusick giving the keynote
  • BSD Certification on the 15th, all other stuff on the 14th
  • Multiple BSD talks

LinuxCon, Sept. 16-18, 2013

  • Dru Lavigne and Kris Moore will be manning a FreeBSD booth
  • Number of talks of interest to BSD users, including ZFS coop

EuroBSDCon, Sept. 26-29, 2013

  • Tutorials on the 26th & 27th (plus private FreeBSD DevSummit)
  • 43 talks spread over 3 tracks on the 28th & 29th
  • Keynote by Theo de Raadt
  • Hosted in the picturesque St. Julian's area, Malta (Hilton Conference Centre)

Interview – Peter Hessler – phessler@openbsd.org / @phessler

Using BGP to distribute spam blacklists and whitelists

  • Q: Tell us about yourself and your previous contributions to OpenBSD
  • Q: What is BGP spamd?
  • Q: What made you start the project?
  • Q: Why use BGP? What are the pros/cons versus the standard DNS distribution model?
  • Q: (How) can others make use of the project?
  • Q: How can others contribute to the project?
  • Q: What else are you working on?

Tutorial

Using stunnel to hide your traffic from Deep Packet Inspection

  • Live demo between two hosts
  • Tunnel any insecure traffic over SSL/TLS
  • Allows you to bypass Intrusion Detection Systems

News Roundup

NetBSD 6.1.1 released

  • First security/bug fix update of the NetBSD 6.1 release branch
  • Fixes 4 security vulnerabilities
  • Adds 4 new sysctls to avoid IPv6 DoS attacks
  • Misc. other updates

Sudo Mastery

  • MWL is a well-known author of many BSD books
  • Also does SSH, networking, DNSSEC, etc.
  • Next book is about sudo, which comes from OpenBSD (did you know that?)
  • Available for preorder now at a discounted price

Documentation Infrastructure Enhancements

  • Gábor Kövesdán has completed a funded project to improve the infrastructure behind the documentation project
  • Will upgrade documentation from DocBook 4.2 to DocBook 4.5 and at the same time migrate to proper XML tools.
  • DSSSL is an old and dead standard, which will not evolve any more.
  • DocBook 5.0 tree added

FreeBSD FIBs get new features

  • FIBs (as discussed earlier in the interview) are Forwarding Information Bases (the technical term for a routing table)
  • The FreeBSD kernel can be compiled to allow you to maintain multiple FIBs, creating separate routing tables for different processes or jails
  • In r254943 ps(1) is extended to support a new column ‘fib’, to display which routing table a process is using

FreeNAS 9.1.0 and 9.1.1 released

  • Many improvements in nearly all areas, big upgrade
  • Based on FreeBSD 9-STABLE, lots of new ZFS features
  • Cherry picked some features from 10-CURRENT
  • New volume manager and easy to use plugin management system
  • 9.1.1 released shortly thereafter to fix a few UI and plugin bugs

BSD licensed “patch” becomes default

  • bsdpatch has become mature, does what GNU patch can do, but has a much better license
  • Approved by portmgr@ for use in ports
  • Added WITH_GNU_PATCH build option for people who still need it

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Preparing for Orwell’s Internet | TechSNAP 114 https://original.jupiterbroadcasting.net/38757/preparing-for-orwells-internet-techsnap-114/ Thu, 13 Jun 2013 18:56:13 +0000 https://original.jupiterbroadcasting.net/?p=38757 We’ve got a bunch of options to protect your privacy online, things to consider before you self host.

The post Preparing for Orwell’s Internet | TechSNAP 114 first appeared on Jupiter Broadcasting.

We’ve got a bunch of options to protect your privacy online, things to consider before you self host.

Plus: With a little planning ahead, you can protect yourself from compelled disclosure; we’ll share the details. Then your questions, our answers, and much, much more!

Thanks to:

Use our code tech249 to score .COM for $2.49!

35% off your ENTIRE first order just use our code 35off3 until the end of the month!

Catch episode 143 where Angela takes the Android challenge!

Show Notes:

Get TechSNAP on your Android:

Browser Affiliate Extension: