jails – Jupiter Broadcasting

To enter, go find the 4 episodes we did in December of 2017. In the opening, find the 4 letters in the bookshelf behind me. They spell different words in each of the 4 episodes. Send us these words in order to feedback@bsdnow.tv with the subject “bsdnow256” until August 8th, 2018 18:00 UTC and we’ll randomly draw the winner on the live show. We’ll then contact you to ship the item.
Only one item to win. All decisions are final. Better luck next time.

##Headlines
###Battle of the Schedulers: FreeBSD ULE vs. Linux CFS

Introduction
This paper analyzes the impact on application performance of the design and implementation choices made in two widely used open-source schedulers: ULE, the default FreeBSD scheduler, and CFS, the default Linux scheduler. We compare ULE and CFS in otherwise identical circumstances. We have ported ULE to Linux, and use it to schedule all threads that are normally scheduled by CFS. We compare the performance of a large suite of applications on the modified kernel running ULE and on the standard Linux kernel running CFS. The observed performance differences are solely the result of scheduling decisions, and do not reflect differences in other subsystems between FreeBSD and Linux. There is no overall winner. On many workloads the two schedulers perform similarly, but for some workloads there are significant and even surprising differences. ULE may cause starvation, even when executing a single application with identical threads, but this starvation may actually lead to better application performance for some workloads. The more complex load balancing mechanism of CFS reacts more quickly to workload changes, but ULE achieves better load balance in the long run.
Operating system kernel schedulers are responsible for maintaining high utilization of hardware resources (CPU cores, memory, I/O devices) while providing fast response time to latency-sensitive applications. They have to react to workload changes, and handle large numbers of cores and threads with minimal overhead [12]. This paper provides a comparison between the default schedulers of two of the most widely deployed open-source operating systems: the Completely Fair Scheduler (CFS) used in Linux, and the ULE scheduler used in FreeBSD. Our goal is not to declare an overall winner.
In fact, we find that for some workloads ULE is better and for others CFS is better. Instead, our goal is to illustrate how differences in the design and the implementation of the two schedulers are reflected in application performance under different workloads. ULE and CFS are both designed to schedule large numbers of threads on large multicore machines. Scalability considerations have led both schedulers to adopt per-core run-queues. On a context switch, a core accesses only its local run-queue to find the next thread to run. Periodically and at select times, e.g., when a thread wakes up, both ULE and CFS perform load balancing, i.e., they try to balance the amount of work waiting in the run-queues of different cores.
ULE and CFS, however, differ greatly in their design and implementation choices. FreeBSD ULE is a simple scheduler (2,950 lines of code in FreeBSD 11.1), while Linux CFS is much more complex (17,900 lines of code in the latest LTS Linux kernel, Linux 4.9). FreeBSD run-queues are FIFO. For load balancing, FreeBSD strives to even out the number of threads per core. In Linux, a core decides which thread to run next based on prior execution time, priority, and perceived cache behavior of the threads in its runqueue. Instead of evening out the number of threads between cores, Linux strives to even out the average amount of pending work.

Performance analysis
We now analyze the impact of the per-core scheduling on the performance of 37 applications. We define “performance” as follows: for database workloads and NAS applications, we compare the number of operations per second, and for the other applications we compare “execution time”. The higher the “performance”, the better a scheduler performs. Figure 5 presents the performance difference between CFS and ULE on a single core, with percentages above 0 meaning that the application executes faster with ULE than CFS.
Overall, the scheduler has little influence on most workloads. Indeed, most applications use threads that all perform the same work, thus both CFS and ULE endup scheduling all of the threads in a round-robin fashion. The average performance difference is 1.5%, in favor of ULE. Still, scimark is 36% slower on ULE than CFS, and apache is 40% faster on ULE than CFS. Scimark is a single-threaded Java application. It launches one compute thread, and the Java runtime executes other Java system threads in the background (for the garbage collector, I/O, etc.).
When the application is executed with ULE, the compute thread can be delayed, because Java system threads are considered interactive and get priority over the computation thread. The apache workload consists of two applications: the main server (httpd) running 100 threads, and ab, a single-threaded load injector.
The performance difference between ULE and CFS is explained by different choices regarding thread preemption. In ULE, full preemption is disabled, while CFS preempts the running thread when the thread that has just been woken up has a vruntime that is much smaller than the vruntime of the currently executing thread (1ms difference in practice). In CFS, ab is preempted 2 million times during the benchmark, while it never preempted with ULE.
This behavior is explained as follows: ab starts by sending 100 requests to the httpd server, and then waits for the server to answer. When ab is woken up, it checks which requests have been processed and sends new requests to the server. Since ab is single-threaded, all requests sent to the server are sent sequentially. In ULE, ab is able to send as many new requests as it has received responses. In CFS, every request sent by ab wakes up a httpd thread, which preempts ab.

Conclusion
Scheduling threads on a multicore machine is hard. In this paper, we perform a fair comparison of the design choices of two widely used schedulers: the ULE scheduler from FreeBSD and CFS from Linux. We show that they behave differently even on simple workloads, and that no scheduler performs better than the other on all workloads.

###OpenBSD 6.3 on Tuxedo InfinityBook

Disclaimer:
I came across the Tuxedo Computers InfinityBook last year at the Open! Conference where Tuxedo had a small booth. Previously they came to my attention since they’re a member of the OSB Alliance on whose board I’m a member. Furthermore Tuxedo Computers are a sponsor of the OSBAR which I’m part of the organizational team.

OpenBSD on the Tuxedo InfinityBook
I’ve asked the guys over at Tuxedo Computers whether they would be interested to have some tests with *BSD done and that I could test drive one of their machines and give feedback on what works and what does not – and possibly look into it.+

Within a few weeks they shipped me a machine and last week the InfinityBook Pro 14” arrived. Awesome. Thanks already to the folks at Tuxedo Computers. The machine arrived accompanied by lot’s of swag

The InfinityBook is a very nice machine and allows a wide range of configuration. The configuration that was shipped to me:

Intel Core i7-8550U
1x 16GB RAM 2400Mhz Crucial Ballistix Sport LT
250 GB Samsung 860 EVO (M.2 SATAIII)

I used a USB-stick to boot install63.fs and re-installed the machine with OpenBSD. Full dmesg.

The installation went flawlessly, the needed intel firmware is being installed after installation automatically via fw_update(1).

Out of the box the graphics works and once installed the machine presents the login.

Video
When X starts the display is turned off for some reason. You will need to hit fn+f12 (the key with the moon on it) then the display will go on. Aside from that little nit, X works just fine and presents one the expected resolution.

External video is working just fine as well. Either via hdmi output or via the mini displayport connector.

The buttons for adjusting brightness (fn+f8 and fn+f9) are not working. Instead one has to use wsconsctl(8) to adjust the brightness.

Networking
The infinityBook has built-in ethernet, driven by re(4) And for the wireless interface the iwm(4) driver is being used. Both work as expected.

ACPI
Neither suspend nor hibernate work. Reporting of battery status is bogus as well. Some of the keyboard function keys work:

LCD on/off works (fn+f2)
Keyboard backlight dimming works (fn+f4)
Volume (fn+f5 / fn+f6) works

Sound
The azalia chipset is being used for audio processing. Works as expected, volume can be controlled via buttons (fn+f5, fn+f6) or via mixerctl.

Touchpad
Can be controlled via wsconsctl(8).
So far I must say, that the InfinityBook makes a nice machine – and I’m enjoying working with it.

iXsystems
iXsystems – Its all NAS

###How ZFS makes things like ‘zfs diff’ report filenames efficiently

As a copy on write (file)system, ZFS can use the transaction group (txg) numbers that are embedded in ZFS block pointers to efficiently find the differences between two txgs; this is used in, for example, ZFS bookmarks. However, as I noted at the end of my entry on block pointers, this doesn’t give us a filesystem level difference; instead, it essentially gives us a list of inodes (okay, dnodes) that changed.
In theory, turning an inode or dnode number into the path to a file is an expensive operation; you basically have to search the entire filesystem until you find it. In practice, if you’ve ever run ‘zfs diff’, you’ve likely noticed that it runs pretty fast. Nor is this the only place that ZFS quickly turns dnode numbers into full paths, as it comes up in ‘zpool status’ reports about permanent errors. At one level, zfs diff and zpool status do this so rapidly because they ask the ZFS code in the kernel to do it for them. At another level, the question is how the kernel’s ZFS code can be so fast.
The interesting and surprising answer is that ZFS cheats, in a way that makes things very fast when it works and almost always works in normal filesystems and with normal usage patterns. The cheat is that ZFS dnodes record their parent’s object number.
If you’re familiar with the twists and turns of Unix filesystems, you’re now wondering how ZFS deals with hardlinks, which can cause a file to be in several directories at once and so have several parents (and then it can be removed from some of the directories). The answer is that ZFS doesn’t; a dnode only ever tracks a single parent, and ZFS accepts that this parent information can be inaccurate. I’ll quote the comment in zfs_obj_to_pobj:
When a link is removed [the file’s] parent pointer is not changed and will be invalid. There are two cases where a link is removed but the file stays around, when it goes to the delete queue and when there are additional links.
Before I get into the details, I want to say that I appreciate the brute force elegance of this cheat. The practical reality is that most Unix files today don’t have extra hardlinks, and when they do most hardlinks are done in ways that won’t break ZFS’s parent stuff. The result is that ZFS has picked an efficient implementation that works almost all of the time; in my opinion, the great benefit we get from having it around are more than worth the infrequent cases where it fails or malfunctions. Both zfs diff and having filenames show up in zpool status permanent error reports are very useful (and there may be other cases where this gets used).
The current details are that any time you hardlink a file to somewhere or rename it, ZFS updates the file’s parent to point to the new directory. Often this will wind up with a correct parent even after all of the dust settles; for example, a common pattern is to write a file to an initial location, hardlink it to its final destination, and then remove the initial location version. In this case, the parent will be correct and you’ll get the right name.

##News Roundup
###What is FreeBSD? Why Should You Choose It Over Linux?

Not too long ago I wondered if and in what situations FreeBSD could be faster than Linux and we received a good amount of informative feedback. So far, Linux rules the desktop space and FreeBSD rules the server space.

In the meantime, though, what exactly is FreeBSD? And at what times should you choose it over a GNU/Linux installation? Let’s tackle these questions.

FreeBSD is a free and open source derivative of BSD (Berkeley Software Distribution) with a focus on speed, stability, security, and consistency, among other features. It has been developed and maintained by a large community ever since its initial release many years ago on November 1, 1993.

BSD is the version of UNIX® that was developed at the University of California in Berkeley. And being a free and open source version, “Free” being a prefix to BSD is a no-brainer.

What’s FreeBSD Good For?

FreeBSD offers a plethora of advanced features and even boasts some not available in some commercial Operating Systems. It makes an excellent Internet and Intranet server thanks to its robust network services that allow it to maximize memory and work with heavy loads to deliver and maintain good response times for thousands of simultaneous user processes.

FreeBSD runs a huge number of applications with ease. At the moment, it has over 32,000 ported applications and libraries with support for desktop, server, and embedded environments. with that being said, let me also add that FreeBSD is excellent for working with advanced embedded platforms. Mail and web appliances, timer servers, routers, MIPS hardware platforms, etc. You name it!

FreeBSD is available to install in several ways and there are directions to follow for any method you want to use; be it via CD-ROM, over a network using NFS or FTP, or DVD.

FreeBSD is easy to contribute to and all you have to do is to locate the section of the FreeBSD code base to modify and carefully do a neat job. Potential contributors are also free to improve on its artwork and documentation, among other project aspects.

FreeBSD is backed by the FreeBSD Foundation, a non-profit organization that you can contribute to financially and all direct contributions are tax deductible.

FreeBSD’s license allows users to incorporate the use of proprietary software which is ideal for companies interested in generating revenues. Netflix, for example, could cite this as one of the reasons for using FreeBSD servers.

Why Should You Choose It over Linux?

From what I’ve gathered about both FreeBSD and Linux, FreeBSD has a better performance on servers than Linux does. Yes, its packaged applications are configured to offer better a performance than Linux and it is usually running fewer services by default, there really isn’t a way to certify which is faster because the answer is dependent on the running hardware and applications and how the system is tuned.

FreeBSD is reportedly more secure than Linux because of the way the whole project is developed and maintained.

Unlike with Linux, the FreeBSD project is controlled by a large community of developers around the world who fall into any of these categories; core team, contributors, and committers.

FreeBSD is much easier to learn and use because there aren’t a thousand and one distros to choose from with different package managers, DEs, etc.

FreeBSD is more convenient to contribute to because it is the entire OS that is preserved and not just the kernel and a repo as is the case with Linux. You can easily access all of its versions since they are sorted by release numbers.

Apart from the many documentations and guides that you can find online, FreeBSD has a single official documentation wherein you can find the solution to virtually any issue you will come across. So, you’re sure to find it resourceful.

FreeBSD has close to no software issues compared to Linux because it has Java, is capable of running Windows programs using Wine, and can run .NET programs using Mono.

FreeBSD’s ports/packages system allows you to compile software with specific configurations, thereby avoiding conflicting dependency and version issues.

Both the FreeBSD and GNU/Linux project are always receiving updates. The platform you decide to go with is largely dependent on what you want to use it for, your technical know-how, willingness to learn new stuff, and ultimately your preference.
What is your take on the topic? For what reasons would you choose FreeBSD over Linux if you would? Let us know what you think about both platforms in the comments section below.

###PS4 5.05 BPF Double Free Kernel Exploit Writeup

Introduction
Welcome to the 5.0x kernel exploit write-up. A few months ago, a kernel vulnerability was discovered by qwertyoruiopz and an exploit was released for BPF which involved crafting an out-of-bounds (OOB) write via use-after-free (UAF) due to the lack of proper locking. It was a fun bug, and a very trivial exploit. Sony then removed the write functionality from BPF, so that exploit was patched. However, the core issue still remained (being the lack of locking). A very similar race condition still exists in BPF past 4.55, which we will go into detail below on. The full source of the exploit can be found here.
This bug is no longer accessible however past 5.05 firmware, because the BPF driver has finally been blocked from unprivileged processes – WebKit can no longer open it. Sony also introduced a new security mitigation in 5.0x firmwares to prevent the stack pointer from pointing into user space, however we’ll go more in detail on this a bit further down.

Assumptions
Some assumptions are made of the reader’s knowledge for the writeup. The avid reader should have a basic understanding of how memory allocators work – more specifically, how malloc() and free() allocate and deallocate memory respectively. They should also be aware that devices can be issued commands concurrently, as in, one command could be received while another one is being processed via threading. An understanding of C, x86, and exploitation basics is also very helpful, though not necessarily required.

Background
This section contains some helpful information to those newer to exploitation, or are unfamiliar with device drivers, or various exploit techniques such as heap spraying and race conditions. Feel free to skip to the “A Tale of Two Free()’s” section if you’re already familiar with this material.

What Are Drivers?
There are a few ways that applications can directly communicate with the operating system. One of which is system calls, which there are over 600 of in the PS4 kernel, ~500 of which are FreeBSD – the rest are Sony-implemented. Another method is through something called “Device Drivers”. Drivers are typically used to bridge the gap between software and hardware devices (usb drives, keyboard/mouse, webcams, etc) – though they can also be used just for software purposes.
There are a few operations that a userland application can perform on a driver (if it has sufficient permissions) to interface with it after opening it. In some instances, one can read from it, write to it, or in some cases, issue more complex commands to it via the ioctl() system call. The handlers for these commands are implemented in kernel space – this is important, because any bugs that could be exploited in an ioctl handler can be used as a privilege escalation straight to ring0 – typically the most privileged state.
Drivers are often the more weaker points of an operating system for attackers, because sometimes these drivers are written by developers who don’t understand how the kernel works, or the drivers are older and thus not wise to newer attack methods.

The BPF Device Driver
If we take a look around inside of WebKit’s sandbox, we’ll find a /dev directory. While this may seem like the root device driver path, it’s a lie. Many of the drivers that the PS4 has are not exposed to this directory, but rather only ones that are needed for WebKit’s operation (for the most part). For some reason though, BPF (aka. the “Berkely Packet Filter”) device is not only exposed to WebKit’s sandbox – it also has the privileges to open the device as R/W. This is very odd, because on most systems this driver is root-only (and for good reason). If you want to read more into this, refer to my previous write-up with 4.55FW.

What Are Packet Filters?
Below is an excerpt from the 4.55 bpfwrite writeup.
Since the bug is directly in the filter system, it is important to know the basics of what packet filters are. Filters are essentially sets of pseudo-instructions that are parsed by bpf_filter() (which are ran when packets are received). While the pseudo-instruction set is fairly minimal, it allows you to do things like perform basic arithmetic operations and copy values around inside it’s buffer. Breaking down the BPF VM in it’s entirety is far beyond the scope of this write-up, just know that the code produced by it is ran in kernel mode – this is why read/write access to /dev/bpf should be privileged.

Race Conditions
Race conditions occur when two processes/threads try to access a shared resource at the same time without mutual exclusion. The problem was ultimately solved by introducing concepts such as the “mutex” or “lock”. The idea is when one thread/process tries to access a resource, it will first acquire a lock, access it, then unlock it once it’s finished. If another thread/process tries to access it while the other has the lock, it will wait until the other thread is finished. This works fairly well – when it’s used properly.
Locking is hard to get right, especially when you try to implement fine-grained locking for performance. One single instruction or line of code outside the locking window could introduce a race condition. Not all race conditions are exploitable, but some are (such as this one) – and they can give an attacker very powerful bugs to work with.

Heap Spraying
The process of heap spraying is fairly simple – allocate a bunch of memory and fill it with controlled data in a loop and pray your allocation doesn’t get stolen from underneath you. It’s a very useful technique when exploiting something such as a use-after-free(), as you can use it to get controlled data into your target object’s backing memory.
By extension, it’s useful to do this for a double free() as well, because once we have a stale reference, we can use a heap spray to control the data. Since the object will be marked “free” – the allocator will eventually provide us with control over this memory, even though something else is still using it. That is, unless, something else has already stolen the pointer from you and corrupts it – then you’ll likely get a system crash, and that’s no fun. This is one factor that adds to the variance of exploits, and typically, the smaller the object, the more likely this is to happen.

Follow the link to read more of the article
DigitalOcean
https://do.co/bsdnow

###OpenBSD gains Wi-Fi “auto-join”

In a change which is bound to be welcomed widely, -current has gained “auto-join” for Wi-Fi networks. Peter Hessler (phessler@) has been working on this for quite some time and he wrote about it in his p2k18 hackathon report. He has committed the work from the g2k18 hackathon in Ljubljana:

CVSROOT: /cvs
Module name: src
Changes by: phessler@cvs.openbsd.org 2018/07/11 14:18:09

Modified files:
sbin/ifconfig : ifconfig.8 ifconfig.c
sys/net80211 : ieee80211_ioctl.c ieee80211_ioctl.h
ieee80211_node.c ieee80211_node.h
ieee80211_var.h

Log message:
Introduce ‘auto-join’ to the wifi 802.11 stack.

This allows a system to remember which ESSIDs it wants to connect to, any
relevant security configuration, and switch to it when the network we are
currently connected to is no longer available.
Works when connecting and switching between WPA2/WPA1/WEP/clear encryptions.

example hostname.if:
join home wpakey password
join work wpakey mekmitasdigoat
join open-lounge
join cafe wpakey cafe2018
join “wepnetwork” nwkey “12345”
dhcp
inet6 autoconf
up

OK stsp@ reyk@
and enthusiasm from every hackroom I’ve been in for the last 3 years
The usage should be clear from the commit message, but basically you ‘join’ all the networks you want to auto-join as you would previously use ‘nwid’ to connect to one specific network. Then the kernel will join the network that’s actually in range and do the rest automagically for you. When you move out of range of that network you lose connectivity until you come in range of the original (where things will continue to work as you’ve been used to) or one of the other networks (where you will associate and then get a new lease).

Thanks to Peter for working on this feature – something many a Wi-Fi using OpenBSD user will be able to benefit from.

###FreeBSD Jails the hard way
There are many great options for managing FreeBSD Jails. iocage, warden and ez-jail aim to streamline the process and make it quick an easy to get going. But sometimes the tools built right into the OS are overlooked.

This post goes over what is involved in creating and managing jails using only the tools built into FreeBSD.

For this guide, I’m going to be putting my jails in /usr/local/jails.

I’ll start with a very simple, isolated jail. Then I’ll go over how to use ZFS snapshots, and lastly nullfs mounts to share the FreeBSD base files with multiple jails.

I’ll also show some examples of how to use the templating power of jail.conf to apply similar settings to all your jails.

Full Jail
Make a directory for the jail, or a zfs dataset if you prefer.
Download the FreeBSD base files, and any other parts of FreeBSD you want. In this example I’ll include the 32 bit libraries as well.
Update your FreeBSD base install.
Verify your download. We’re downloading these archives over FTP after all, we should confirm that this download is valid and not tampered with. The freebsd-update IDS command verifies the installation using a PGP key which is in your base system, which was presumably installed with an ISO that you verified using the FreeBSD signed checksums. Admittedly this step is a bit of paranoia, but I think it’s prudent.
Make sure you jail has the right timezone and dns servers and a hostname in rc.conf.
Edit jail.conf with the details about your jail.
Start and login to your jail.
11 commands and a config file, but this is the most tedious way to make a jail. With a little bit of templating it can be even easier. So I’ll start by making a template. Making a template is basically the same as steps 1, 2 and 3 above, but with a different destination folder, I’ll condense them here.

Creating a template
Create a template or a ZFS dataset. If you’d like to use the zfs clone method of deploying templates, you’ll need to create a zfs dataset instead of a folder.
Update your template with freebsd-update.
Verify your install
And that’s it, now you have a fully up to date jail template. If you’ve made this template with zfs, you can easily deploy it using zfs snapshots.

Deploying a template with ZFS snapshots
Create a snapshot. My last freebsd-update to my template brought it to patch level 17, so I’ll call my snapshot p10.
Clone the snapshot to a new jail.
Configure the jail hostname.
Add the jail definition to jail.conf, make sure you have the global jail settings from jail.conf listed in the fulljail example.
Start the jail.
The downside with the zfs approach is that each jail is now a fully independent, and if you need to update your jails, you have to update them all individually. By sharing a template using nullfs mounts you can have only one copy of the base system that only needs to be updated once.

Follow the link to see the rest of the article about
Thin jails using NullFS mounts
Simplifying jail.conf
Hopefully this has helped you understand the process of how to create and manage FreeBSD jails without tools that abstract away all the details. Those tools are often quite useful, but there is always benefit in learning to do things the hard way. And in this case, the hard way doesn’t seem to be that hard after all.

##Beastie Bits

Meetup in Zurich #4, July edition (July 19) – Which you likely missed, but now you know to look for the August edition!
The next two BSD-PL User group meetings in Warsaw have been scheduled for July 30th and Aug 9th @ 1830 CEST – Submit your topic proposals now
Linux Geek Books – Humble Bundle
Extend loader(8) geli support to all architectures and all disk-like devices
Upgrading from a bootpool to a single encrypted pool – skip the gptzfsboot part, and manually update your EFI partition with loader.efi
The pkgsrc 2018Q2 for Illumos is available with 18500+ binary packages
NetBSD ARM64 Images Available with SMP for RPi3 / NanoPi / Pine64 Boards
Recently released CDE 2.3.0 running on Tribblix (Illumos)
An Interview With Tech & Science Fiction Author Michael W Lucas
A reminder : MeetBSD CFP
EuroBSDCon talk acceptances have gone out, and once the tutorials are confirmed, registration will open. That will likely have happened by time you see this episode, so go register! See you in Romania
Tarsnap

##Feedback/Questions

Wilyarti – Adblocked on FreeBSD Continued…
Andrew – A Question and a Story
Matthew – Thanks
Brian – PCI-E Controller
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Because Computers | BSD Now 2^8 first appeared on Jupiter Broadcasting.

SSL Strippers | TechSNAP 344

chris — Tue, 07 Nov 2017 23:55:54 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

How not to avoid browser security warning

Verbal passwords

Obscurity is a Valid Security Layer

Feedback

Round Up:

The post SSL Strippers | TechSNAP 344 first appeared on Jupiter Broadcasting.

Cloudy with a chance of ABI | TechSNAP 342

chris — Tue, 24 Oct 2017 21:10:20 +0000

RSS Feeds:

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Exclusive: Microsoft responded quietly after detecting secret database hack in 2013

Microsoft Corp’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.
The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews. Microsoft declined to discuss the incident.

How I Socially Engineer Myself Into High Security Facilities

A few months ago, a client had hired me to test two of their facilities. A manufacturing plant, plus data center and office building nearby.
I scour profiles of employees who work at these facilities, and cross-reference them to other social media sites.
This is not an advanced investigation. I’m not a private investigator and I don’t have the resources of the NSA. But I can do a lot of damage with simple methods.
X could have saved the company a lot of heartache by simply verifying that I was who I claimed to be.
I’ve been doing this job for a couple years now, and almost every job is a variant of this story. Very rarely do I go through an entire assessment without some sort of social engineering.

Crippling crypto weakness opens millions of smartcards to cloning

Yubico not aware of any security breaches due to this issue

Millions of smartcards in use by banks and large corporations for more than a decade have been found to be vulnerable to a crippling cryptographic attack. That vulnerability allows hackers to bypass a wide range of protections, including data encryption and two-factor authentication.

At this time, we are not aware of any security breaches due to this issue. We are committed to always improving how we protect our customers and continuously invest in making our products even more secure.

Feedback

Workaround for the WPA2 exploit – from Jonathan
SNAPs for… Windows?
Server Layout for Linux System with LXC – There is an interesting project kind of related to this idea called CloudABI – CloudABI for FreeBSD
IT Land before time COMPUTERS THAT NEVER WERE Software Emulator for the Cardboard Illustrative Aid to Computationn

Round Up:

The post Cloudy with a chance of ABI | TechSNAP 342 first appeared on Jupiter Broadcasting.

Tales of FileSystems | TechSNAP 315

chris — Tue, 18 Apr 2017 20:55:39 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Apple’s New File System: Who Cares?

ZFS, jails, FreeBSD

FreeBSD Jails
Origins of FreeBSD Jail and why imperfect virtualization is good
Jails are like little virtual machines (jails) running on a bigger machine (the jail host)
From the jail host (often just referred to as the host), you can see into the jails, see everything that’s running, monitor, etc.
Stuff in the jail cannot see outside the jail and have no interactions with the host
You can configure the host so that the jail can access stuff on the host (e.g. a tape drive) but that requires explicit action by the sysadmin.
Simplified concept of a FreeBSD Jail: create a directory, install FreeBSD in there, chroot, done.

Feedback

Round Up:

Privacy is Dead | TechSNAP 312

chris — Wed, 29 Mar 2017 00:27:34 +0000

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Internet privacy

Alleged vDOS Owners Poised to Stand Trial

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.
On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.
According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.
Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

ZFS is what you want, even though you may not know – Dan talks about why he likes ZFS

The following is an ugly generalization and must not be read in isolation
Listen to the podcast for the following to make sense
Makes sysadmin life easier
treats the disks as a bucket source for filesystem
different file system attributes for different purposes, all on the same set of disks
Interesting things you didn’t know you could do with ZFS

Feedback

The following were referenced during the above Feedback segments:

Round Up:

The post Privacy is Dead | TechSNAP 312 first appeared on Jupiter Broadcasting.

May Contain ZFS | BSD Now 102

chris — Thu, 13 Aug 2015 10:05:32 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
In part two of the series, he talks about the GPIO and how you can configure it
Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
“It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
This guide also covers PPP and IPv6, in case you have those requirements
In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
SSHv1 support is disabled, 1024 bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
The syntax for permitting root logins has been changed, and is now called “prohibit-password” instead of “without-password” (this makes it so root can login, but only with keys) – all interactive authentication methods for root are also disabled by default now
If you’re using an older configuration file, the “without-password” option still works, so no change is required
You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
Various bug fixes and documentation improvements are also included
Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage

News Roundup

More c2k15 reports

A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
Renato Westphal sent in a report of his very first hackathon
He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
Unlike with iocage, ZFS isn’t actually a requirement for this method
If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.

Stacked in Our Favor | BSD Now 93

chris — Thu, 11 Jun 2015 10:09:04 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We’re at BSDCan this week, but fear not! We’ve got a great interview with Sepherosa Ziehau, a DragonFly developer, about their network stack. After that, we’ll be discussing different methods of containment and privilege separation. Assuming no polar bears eat us, we’ll be back next week with more BSD Now – the place to B.. SD.

Thanks to:

Get Paid to Write for DigitalOcean

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Sepherosa Ziehau – sephe@dragonflybsd.org

Features of DragonFlyBSD’s network stack

Discussion

Comparing containment methods and privilege separation

chroot, jails, systrace, capsicum, filesystem permissions, separating users

Feedback/Questions

Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
We’ll be back from BSDCan next week, hopefully with some interesting interviews

The post Stacked in Our Favor | BSD Now 93 first appeared on Jupiter Broadcasting.

Gift from the Sun | BSD Now 62

chris — Thu, 06 Nov 2014 10:57:28 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We’re away at MeetBSD this week, but we’ve still got a great show for you. We’ll be joined by Pawel Dawidek, who’s done quite a lot of things in FreeBSD over the years, including the initial ZFS port. We’ll get to hear how that came about, what he’s up to now and a whole lot more. We’ll be back next week with a normal episode of BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Pawel Jakub Dawidek – pjd@freebsd.org

Porting ZFS, GEOM, GELI, Capsicum, various topics

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – if you write any blog posts about BSD, send ’em our way
Usually, you can watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
We’ll be back with a regular episode next week, and maybe even some new interviews

The post Gift from the Sun | BSD Now 62 first appeared on Jupiter Broadcasting.

Beastly Infrastructure | BSD Now 56

chris — Thu, 25 Sep 2014 10:52:48 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week we’re on the other side of the Atlantic, attending EuroBSDCon. For now, we’ve got an awesome interview with Peter Wemm about the FreeBSD web cluster and infrastructure. It’s an inside look that you probably won’t hear about anywhere else! We’ll also get to a couple of your emails today, and be back next week with all the usual goodies, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Peter Wemm – peter@freebsd.org / @karinjiri

The FreeBSD web cluster and infrastructure

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
We’ll be back next week from EuroBSDCon, hopefully with some great interviews, come and say hi to us!

The post Beastly Infrastructure | BSD Now 56 first appeared on Jupiter Broadcasting.

The Promised WLAN | BSD Now 55

chris — Thu, 18 Sep 2014 10:26:43 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

Coming up this week, we’ll be talking with Adrian Chadd about all things wireless, his experience with FreeBSD on various laptop hardware and a whole lot more. As usual, we’ve got the latest news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD 10.1-BETA1 is out

The first maintenance update in the 10.x series of FreeBSD is on its way
Since we can’t see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
Initial UEFI support, multithreaded softupdates for UFS and many more things were added
You can check the release schedule for the planned release dates
Details for the various forms of release media can be found in the announcement

Remote headless OpenBSD installation

A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
Sometimes you’ll get lucky and they’ll offer FreeBSD, but it’s much harder to find ones that natively support other BSDs
This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
It required a few specific steps you’ll want to take note of, but is extremely useful for those pesky hosting providers

Building a firewall appliance with pfSense

In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
After the author’s modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
There’s a lot of great pictures of the hardware and detailed screenshots, definitely worth a look

Receive Side Scaling – UDP testing

Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
He’s using some quad core boxes with 10 gigabit ethernet for the tests
The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
And speaking of Adrian Chadd…

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics

News Roundup

Sendmail removed from OpenBSD

Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
If you’ve ever compared a “sendmail.cf” file to an “smtpd.conf” file… the different is as clear as night and day
5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
If you still need it for some reason, sendmail will live in ports from now on
Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly’s mail transfer agent in base (instead of an entire mail server)

pfSense backups with pfmb

We’ve mentioned the need for a tool to back up pfSense configs a number of times on the show
This script, hosted on github, does pretty much exactly that
It can connect to one (or more!) pfSense installations and back up the configuration
You can roll back or replace failed hardware very easily with its restore function
Everything is done over SSH, so it should be pretty secure

The Design and Implementation of the FreeBSD Operating System

We mentioned when the pre orders were up, but now “The Design and Implementation of the FreeBSD Operating System, 2nd edition” seems to be shipping out
If you’re interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
We’ve even had all three authors on the show before!

OpenBSD’s systemd replacement updates

We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
One of the developers writes in to Undeadly, detailing what’s going on and what the overall status is
He also clears up any confusion about “porting systemd to BSD” (that’s not what’s going on) or his code ever ending up in base (it won’t)
The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux… poor guy

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you!
Last week we mentioned that Ken was looking for help to port Lumina to other BSDs, and now it’s been done for OpenBSD and DragonFly – so now you can try it out there too
Antoine Jacoutot sent a screenshot of Lumina on OpenBSD
We’ll be at EuroBSDCon soon, so there will be a prerecorded episode next week
When we’re not in Europe, you can usually watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post The Promised WLAN | BSD Now 55 first appeared on Jupiter Broadcasting.

AirPorts & Packages | BSD Now 40

chris — Thu, 05 Jun 2014 13:12:25 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

On this week\’s episode, we\’ll be giving you an introductory guide on OpenBSD\’s ports and package system.

There\’s also a pretty fly interview with Karl Lehenbauer, about how they use FreeBSD at FlightAware.

Lots of interesting news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

BSDCan 2014 talks and reports, part 2

More presentations and trip reports are still being uploaded
Ingo Schwarze, New Trends in mandoc
Vsevolod Stakhov, The Architecture of the New Solver in pkg
Julio Merino, The FreeBSD Test Suite
Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
There\’s also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks!

Beyond security, getting to know OpenBSD\’s real purpose

Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a \”webcast\” last week, and the audio and slides are finally up
It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a \”pressure cooker for ideas,\” briefly touches on GPL vs BSDL, their \”do it right or don\’t do it at all\” attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
Here\’s a direct link to the slides
Great presentation if you\’d like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too

FreeBSD vs Linux, a comprehensive comparison

Another blog post covering something people seem to be obsessed with – FreeBSD vs Linux
This one was worth mentioning because it\’s very thorough in regards to how things are done behind the scenes, not just the usual technical differences
It highlights the concept of a \”core team\” and their role vs \”contributors\” and \”committers\” (similar to a presentation Kirk McKusick did not long ago)
While a lot of things will be the same on both platforms, you might still be asking \”which one is right for me?\” – this article weighs in with some points for both sides and different use cases
Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don\’t hate us for linking it

Expand FreeNAS with plugins

One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
With these plugins, you can greatly expand the feature set of your NAS via third party programs
This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
It then goes into more detail about each of them, how to actually install plugins and then how to set them up

Interview – Karl Lehenbauer – karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
This article describes Phabricator, an open source code review system that we briefly mentioned last week
Instructions for using it are on the wiki
While not approved by the core team yet for anything official, it\’s in a testing phase and developers are encouraged to try it out and get their patches reviewed
Just look at that fancy interface!!

Michael Lucas\’ next tech books

Sneaky MWL somehow finds his way into both our headlines and the news roundup
He gives us an update on the next BSD books that he\’s planning to release
The plan is to release three (or so) books based on different aspects of FreeBSD\’s storage system(s) – GEOM, UFS, ZFS, etc.
This has the advantage of only requiring you to buy the one(s) you\’re specifically interested in
\”When will they be released? When I\’m done writing them. How much will they cost? Dunno.\”
It\’s not Absolute FreeBSD 3rd edition…

CARP failover and high availability on FreeBSD

If you\’re running a cluster or a group of servers, you should have some sort of failover in place
But the question comes up, \”how do you load balance the load balancers!?\”
This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
Also mentions DNS-based load balancing as another option

PCBSD weekly digest

This time in PCBSD land, we\’re getting ready for the 10.0.2 release (ISOs here)
AppCafe got a good number of fixes, and now shows 10 random highlighted applications
EasyPBI added a \”bulk\” mode to create PBIs of an entire FreeBSD port category
Lumina, the new desktop environment, is still being worked on and got some bug fixes too

Feedback/Questions

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
If you want to come on for an interview or have a tutorial you\’d like to see, let us know
Just a reminder, if you\’re using vnd (vnconfig) on OpenBSD for encryption, it\’s being retired for 5.7 – start planning to migrate your data to softraid
There were also some security advisories for FreeBSD recently, make sure you\’re all patched up
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post AirPorts & Packages | BSD Now 40 first appeared on Jupiter Broadcasting.

The Friendly Sandbox | BSD Now 39

chris — Thu, 29 May 2014 13:26:06 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This time on the show we\’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

BSDCan 2014 talks and reports

The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
Karl Lehenbauer\’s keynote (he\’s on next week\’s episode)
Mariusz Zaborski and Pawel Jakub Dawidek,
Capsicum and Casper (relevant to today\’s interview)
Luigi Rizzo,
In-kernel OpenvSwitch on FreeBSD
Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
Warner Losh, NAND Flash and FreeBSD
Simon Gerraty, FreeBSD bmake and Meta Mode
Bob Beck, LibreSSL – The First 30 Days
Henning Brauer, OpenBGPD Turns 10 Years Old
Arun Thomas, BSD ARM Kernel Internals
Peter Hessler, Using BGP for Realtime Spam Lists
Pedro Giffuni, Features and Status of FreeBSD\’s Ext2 Implementation
Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
Daichi Goto, Shellscripts and Commands
Benno Rice, Keeping Current
Sean Bruno, MIPS Router Hacking
John-Mark Gurney, Optimizing GELI Performance
Patrick Kelsey, Userspace Networking with libuinet
Massimiliano Stucchi, IPv6 Transitioning Mechanisms
Roger Pau Monné, Taking the Red Pill
Shawn Webb, Introducing ASLR in FreeBSD
There\’s also a trip report from Peter Hessler and one from Julio Merino
The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that\’s a recurring trend)

Defend your network and privacy with a VPN and OpenBSD

After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems – this could also be used with Tor (but it would be very slow)
It also includes a few general privacy tips, recommended browser extensions, etc
The intro to the article is especially great, so give the whole thing a read
He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you\’re watching!

You should try FreeBSD

In this blog post, the author talks a bit about how some Linux people aren\’t familiar with the BSDs and how we can take steps to change that
He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
Possibly the most useful part is how to address the question \”my server already works, why bother switching?\”
\”Stackoverflow’s answers assume I have apt-get installed\” ← lol
It includes mention of the great documentation, stability, ports, improved security and much more
A takeaway quote for would-be Linux switchers: \”I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before\”

OpenBSD and the little Mauritian contributor

This is a story about a guy from Mauritius named Logan, one of OpenBSD\’s newest developers
Back in 2010, he started sending in patched for OpenBSD\’s \”mg\” editor, among other small things, and eventually added file transfer resume support for SFTP
The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

Since the last LibreSSL post we covered, a couple unofficial \”portable\” versions have died off
Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

The usual monthly release from BSDMag, covering a variety of subjects
This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
It\’s a free PDF, go grab it

BSDTalk episode 241

A new episode of BSDTalk is out, this time with Bob Beck
He talks about the OpenBSD foundation\’s recent activities, his own work in the project, some stories about the hardware in Theo\’s basement and a lot more
The interview itself isn\’t about LibreSSL at all, but they do touch on it a bit too
Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions

We got a number of replies about last week\’s VPN question, so thanks to everyone who sent in an email about it – the vpnc package seems to be what we were looking for
Tim writes in
AJ writes in
Peter writes in
Thomas writes in
Martin writes in

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
We\’re looking for new tutorial ideas, so if there\’s something specific you\’d like to learn about, let us know
FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We\’ll let you know how it goes in a future episode.
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.

It’s Gonna Get NASty | BSD Now 34

chris — Wed, 23 Apr 2014 09:58:48 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week, Allan\’s at a conference so we\’ve got a short episode for you. We sat down with John Hixson to discuss FreeNAS development and all their future plans. The show will be back next week with a normal episode.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – John Hixson – john@ixsystems.com / @bsdwhore

FreeNAS development

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post It's Gonna Get NASty | BSD Now 34 first appeared on Jupiter Broadcasting.

BSD Now vs. BSDTalk | BSD Now 27

chris — Thu, 06 Mar 2014 23:41:07 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

The long-awaited meetup is finally happening on today\’s show. We\’re going to be interviewing the original BSD podcaster, Will Backman, to discuss what he\’s been up to and what the future of BSD advocacy looks like. After that, we\’ll be showing you how to track (and even cross-compile!) the -CURRENT branch of NetBSD. We\’ve got answers to user-submitted questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD and OpenBSD in GSOC2014

The Google Summer of Code is a way to encourage students to write code for open source projects and make some money
Both FreeBSD and OpenBSD were accepted, and we\’d love for anyone listening to check out their GSOC pages
The FreeBSD wiki has a list of things that they\’d be interested in someone helping out with
OpenBSD\’s want list was also posted
DragonflyBSD and NetBSD were sadly not accepted this year

Yes, you too can be an evil network overlord

A new blog post about monitoring your network using only free tools
OpenBSD is a great fit, and has all the stuff you need in the base system or via packages
It talks about the pflow pseudo-interface, its capabilities and relation to NetFlow (also goes well with pf)
There\’s also details about flowd and nfsen, more great tools to make network monitoring easy
If you\’re listening, Peter… stop ignoring our emails and come on the show! We know you\’re watching!

BSDMag\’s February issue is out

The theme is \”configuring basic services on OpenBSD 5.4\”
There\’s also an interview with Peter Hansteen
Topics also include locking down SSH, a GIMP lesson, user/group management, and…
Linux and Solaris articles? Why??

Changes in bcrypt

Not specific to any OS, but the OpenBSD team is updating their bcrypt implementation
There is a bug in bcrypt when hashing long passwords – other OSes need to update theirs too! (FreeBSD already has)
\”The length is stored in an unsigned char type, which will overflow and wrap at 256. Although we consider the existence of affected hashes very rare, in order to differentiate hashes generated before and after the fix, we are introducing a new minor \’b\’.\”
As long as you upgrade your OpenBSD system in order (without skipping versions) you should be ok going forward
Lots of specifics in the email, check the full post

This episode was brought to you by

Interview – Will Backman – bitgeist@yahoo.com / @bsdtalk

The BSDTalk podcast, BSD advocacy, various topics

Tutorial

Tracking and cross-compiling -CURRENT (NetBSD)

News Roundup

X11 no longer needs root

Xorg has long since required root privileges to run the main server
With recent work from the OpenBSD team, now everything (even KMS) can run as a regular user
Now you can set the \”machdep.allowaperture\” sysctl to 0 and still use a GUI

OpenSSH 6.6 CFT

Shortly after the huge 6.5 release, we get a routine bugfix update
Test it out on as many systems as you can
Check the mailing list for the full bug list

Creating an OpenBSD USB drive

Since OpenBSD doesn\’t distribute any official USB images, here are some instructions on how to do it
Step by step guide on how you can make your very own
However, there\’s some recent emails that suggest official USB images may be coming soon… oh wait

PCBSD weekly digest

New PBI updates that allow separate ports from /usr/local
You need to rebuild pbi-manager if you want to try it out
Updates and changes to Life Preserver, App Cafe, PCDM

Feedback/Questions

espressowar writes in: https://slexy.org/view/s2JpJ5EaZp
Antonio writes in: https://slexy.org/view/s2QpPevJ3J
Christian writes in: https://slexy.org/view/s2EZLxDfWh
Adam writes in: https://slexy.org/view/s21gEBZbmG
Alex writes in: https://slexy.org/view/s2RnCO1p9c

All the tutorials are posted in their entirety at bsdnow.tv
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
We especially want to hear some tutorial ideas that you guys would like to see, so let us know
Also, if you\’re a NetBSD or DragonflyBSD guy listening, we want to talk to you! We\’d love more interviews related to those, whether you\’re a developer or not
Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post BSD Now vs. BSDTalk | BSD Now 27 first appeared on Jupiter Broadcasting.

The Cluster & The Cloud | BSD Now 24

chris — Tue, 11 Feb 2014 21:47:41 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

This week on BSD Now… a wrap-up from NYCBSDCon! We\’ll also be talking to Luke Marsden, CEO of HybridCluster, about how they use BSD at large. Following that, our tutorial will show you how to securely share files with SFTP in a chroot. The latest news and answers to your questions, of course it\’s BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD 10 as a firewall

Back in 2012, the author of this site wrote an article stating you should avoid FreeBSD 9 for a firewall and use OpenBSD instead
Now, with the release of 10.0, he\’s apparently changed his mind and switched back over
It mentions the SMP version of pf, general performance advantages and more modern features
The author is a regular listener of BSD Now, hi Joe!

Network Noise Reduction Using Free Tools

Really long blog post, based on a BSDCan presentation, about fighting spam with OpenBSD
Peter Hansteen, author of the book of PF, goes through how he uses OpenBSD\’s spamd and other security features to combat spam and malware
He goes through his experiences with content filtering and disappointment with a certain proprietary vendor
Not totally BSD-specific, lots of people can enjoy the article – lots of virus history as well

FreeBSD ASLR patches submitted

So far, FreeBSD hasn\’t had Address Space Layout Randomization
ASLR is a nice security feature, see wikipedia for more information
With a giant patch from Shawn Webb, it might be integrated into a future version (after a vicious review from the security team of course)
We might have Shawn on the show to talk about it, but he\’s also giving a presentation at BSDCan about his work with ASLR

Old-style pkg_ tools retired

At last the old pkg_add tools are being retired in FreeBSD
pkgng is a huge improvement, and now portmgr@ thinks it\’s time to cut the cord on the legacy toolset
Ports aren\’t going away, and probably never will, but for binary package fans and new users that are used to things like apt, pkgng is the way to go
All pkg_ tools will be considered unsupported on September 1, 2014 – even on older branches

This episode was brought to you by

Interview – Luke Marsden – luke@hybridcluster.com / @lmarsden

BSD at HybridCluster

Tutorial

Filesharing with chrooted SFTP

News Roundup

FreeBSD on OpenStack

OpenStack is a cloud computing project
It consists of \”a series of interrelated projects that control pools of processing, storage, and networking resources throughout a datacenter, able to be managed or provisioned through a web-based dashboard, command-line tools, or a RESTful API.\”
Until now, there wasn\’t a good way to run a full BSD instance on OpenStack
With a project in the vein of Colin Percival\’s AWS startup scripts, now that\’s no longer the case!

FOSDEM BSD videos

This year\’s FOSDEM had seven BSD presentations
The videos are slowly being uploaded for your viewing pleasure
Not all of the BSD ones are up yet, but by the time you\’re watching this they might be!
Check this directory for most of \’em
The BSD dev room was full, lots of interest in what\’s going on from the other communities

The FreeBSD challenge finally returns!

Due to prodding from a certain guy of a certain podcast, the \”FreeBSD Challenge\” series has finally resumed
Our friend from the Linux foundation picks up with day 11 and day 12 on his switching from Linux journey
This time he outlines the upgrade process of going from 9 to 10, using freebsd-update
There\’s also some notes about different options for upgrading ports and some extra tips

PCBSD weekly digest

After the big 10.0 release, the PCBSD crew is focusing on bug fixes for a while
During their \”fine tuning phase\” users are encouraged to submit any and all bugs via the trac system
Warden got some fixes and the package manager got some updates as well
Huge size reduction in PBI format

Feedback/Questions

After today\’s questions, our email backlog will be just about caught up. Now\’s a great time to send us something – questions, stories, ideas, requests, anything you want
Derrick writes in: https://slexy.org/view/s21nbJKYmb
Sean writes in: https://slexy.org/view/s2yhziVsBP
Patrick writes in: https://slexy.org/view/s20PuccWbo
Peter writes in: https://slexy.org/view/s22PL0SbUO
Sean writes in: https://slexy.org/view/s20dkbjuOK

All the tutorials are posted in their entirety at bsdnow.tv
Last week\’s NTP tutorial got a small update if you\’re running a LAN-only server, as well as a couple links on how to turn it into a stratum 1 server with a GPS device
The SSH tutorial also got some updates
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
Lastly, the BSD Now t-shirt is close to being ready… stay tuned!

The post The Cluster & The Cloud | BSD Now 24 first appeared on Jupiter Broadcasting.

The Installfest | BSD 19

chris — Fri, 10 Jan 2014 08:37:03 +0000

To view this video please enable JavaScript, and consider upgrading to a web browser that supports HTML5 video

We\’ve got some special treats for you this week on the show. It\’s the long-awaited \”installfest\” segment, where we go through the installer of each of the different BSDs. Of course we also have your feedback and the latest news as well… and… we even have our very first viewer contest! There\’s a lot to get to today on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

FreeBSD\’s new testing infrastructure

A new test suite was added to FreeBSD, with 3 powerful machines available
Both -CURRENT and stable/10 have got the test suite build infrastructure in place
Designed to help developers test and improve major scalability across huge amounts of CPUs and RAM
More details available here
Could the iXsystems monster server be involved…?

OpenBSD gets signify

At long last, OpenBSD gets support for signed releases!
For \”the world\’s most secure OS\” it was very easy to MITM kernel patches, updates, installer isos, everything
A commit to the -current tree reveals a new \”signify\” tool is currently being kicked around
More details in a blog post from the guy who committed it
Quote: \”yeah, briefly, the plan is to sign sets and packages. that\’s still work in progress.\”

Faces of FreeBSD

This time they interview Isabell Long, a 19 year old female that\’s involved with FreeBSD
She\’s a volunteer staff member on the freenode IRC network
In 2011, she participated in the Google Code-In contest and became involved with documentation
\”The new committer mentoring process proved very useful and that, plus the accepting community of FreeBSD, are reasons why I stay involved.\”

pkgsrc-2013Q4 branched

The quarterly pkgsrc branch from NetBSD is out
13472 total packages for NetBSD-current/amd64 + 13049 binary packages built with clang!
Lots of numbers and stats in the announcement
pkgsrc works on quite a few different OSes, not just NetBSD
See our interview with Amitai Schlair for a bit about pkgsrc

OpenBSD on Google\’s Compute Engine

Google Compute Engine is a \”cloud computing\” platform similar to EC2
Unfortunately, they only offer poor choices for the OS (Debian and CentOS)
Recently it\’s been announced that there is a custom OS option
It\’s using a WIP virtio-scsi driver, lots of things still need more work
Lots of technical and networking details about the struggles to get OpenBSD working on it

This episode was brought to you by

The Installfest

We\’ll be showing you the installer of each of the main BSDs. As of the date this episode airs, we\’re using:
+ FreeBSD 10.0
+ OpenBSD 5.4
+ NetBSD 6.1.2
+ DragonflyBSD 3.6
+ PCBSD 10.0

News Roundup

Building an OpenBSD wireless access point

A neat write up we found around the internet about making an OpenBSD wifi router
Goes through the process of PXE booting, installing base, using a serial console, setting up networking and wireless
Even includes a puffy sticker on the Soekris box at the end, how cute

FreeBSD 4.X jails on 10.0

Blog entry from our buddy Michael Lucas
For whatever reason (an \”in-house application\”), he needed to run a FreeBSD 4 jail in FreeBSD 10
Talks about the options he had: porting software, virtualizing, dealing with slow old hardware
He goes through the whole process of making an ancient jail
It\’s \”an acceptable trade-off, if it means I don’t have to touch actual PHP code.\”

Unscrewed: a story about OpenBSD

Pretty long blog post about how a network admin used OpenBSD to save the day
To set the tone, \”It was 5am, and the network was down\”
Great war story about replacing expensive routers and networking equipment with cheaper hardware and BSD
Mentions a lot of the built in tools and how OpenBSD is great for routers and high security applications

PCBSD weekly digest

10.0-RC3 is out and ready to be tested
New detection of ATI Hybrid Graphics, they\’re working on nVidia next
Fixed an issue with detecting disk drives that take a LONG time to probe
Re-classifying Linux jails as unsupported / experimental (and all 4 people that use them wept)

Feedback/Questions

Daniel writes in: https://slexy.org/view/s2uns1hMml
Erik writes in: https://slexy.org/view/s2MeJNCCiu
SW writes in: https://slexy.org/view/s21fBXkP2K
Bostjan writes in: https://slexy.org/view/s20N9bfkum
Samuel writes in: https://slexy.org/view/s20FU9wUO5

Contest

We\’re going to be having our first viewer contest!
We\’ll be giving away a handmade FreeBSD pillow – yes you heard right
All you need to do is write a tutorial for the show
Submit your BSD tutorial write-ups to feedback@bsdnow.tv
If you want to email us your idea first, I can tell you if I already have a tutorial for that topic prewritten for the show in the backlog
Check bsdnow.tv/contest for all the rules, details, instructions and a picture of the pillow.

All the tutorials are posted in their entirety at bsdnow.tv
The OpenBSD router tutorial has gotten some improvements. It now includes an option to encrypt all your DNS lookups, as well as some cool utilities you can use for bandwidth monitoring, performance improvements and other fun router stuff
Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
BSD Now got some unintended publicity at the 30th Chaos Communication Congress (1:28:16 – 1:31:00 in the video)

The post The Installfest | BSD 19 first appeared on Jupiter Broadcasting.

jails – Jupiter Broadcasting

Linux Action News 229

Core File Tales | BSD Now 346

Bots Building Jails | BSD Now 317

Booking Jails | BSD Now 293

Because Computers | BSD Now 2^8

SSL Strippers | TechSNAP 344

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Feedback

Round Up:

Cloudy with a chance of ABI | TechSNAP 342

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

Feedback

Round Up:

Tales of FileSystems | TechSNAP 315

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

ZFS, jails, FreeBSD

Feedback

Round Up:

Other links:

Privacy is Dead | TechSNAP 312

RSS Feeds:

Become a supporter on Patreon:

Show Notes:

ZFS is what you want, even though you may not know – Dan talks about why he likes ZFS

Feedback

Round Up:

May Contain ZFS | BSD Now 102

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

News Roundup

Feedback/Questions

Stacked in Our Favor | BSD Now 93

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Sepherosa Ziehau – sephe@dragonflybsd.org

Discussion

Comparing containment methods and privilege separation

Feedback/Questions

Gift from the Sun | BSD Now 62

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Pawel Jakub Dawidek – pjd@freebsd.org

Beastly Infrastructure | BSD Now 56

Direct Download:

RSS Feeds:

– Show Notes: –

Interview – Peter Wemm – peter@freebsd.org / @karinjiri

Feedback/Questions

The Promised WLAN | BSD Now 55

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

News Roundup

Feedback/Questions

AirPorts & Packages | BSD Now 40

Direct Download:

RSS Feeds:

– Show Notes: –

Headlines

Interview – Karl Lehenbauer – karl@flightaware.com / @flightaware

Tutorial

News Roundup

Feedback/Questions

The Friendly Sandbox | BSD Now 39

Direct Download:

RSS Feeds: