LDAP – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Wed, 16 Jun 2021 02:10:42 +0000

Ye Olde Linux Distro | LINUX Unplugged 410 https://original.jupiterbroadcasting.net/145317/ye-olde-linux-distro-linux-unplugged-410/ Tue, 15 Jun 2021 18:00:00 +0000 https://original.jupiterbroadcasting.net/?p=145317 Show Notes: linuxunplugged.com/410

The post Ye Olde Linux Distro | LINUX Unplugged 410 first appeared on Jupiter Broadcasting.

We run Arch BTW | Self-Hosted 39 https://original.jupiterbroadcasting.net/144352/we-run-arch-btw-self-hosted-39/ Fri, 26 Feb 2021 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=144352 Show Notes: selfhosted.show/39

The post We run Arch BTW | Self-Hosted 39 first appeared on Jupiter Broadcasting.

Harder Butter Faster Stronger | LINUX Unplugged 389 https://original.jupiterbroadcasting.net/143992/harder-butter-faster-stronger-linux-unplugged-389/ Tue, 19 Jan 2021 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=143992 Show Notes: linuxunplugged.com/389

The post Harder Butter Faster Stronger | LINUX Unplugged 389 first appeared on Jupiter Broadcasting.

Favorite Linux Tweaks | LINUX Unplugged 379 https://original.jupiterbroadcasting.net/143352/favorite-linux-tweaks-linux-unplugged-379/ Tue, 10 Nov 2020 12:00:00 +0000 https://original.jupiterbroadcasting.net/?p=143352 Show Notes: linuxunplugged.com/379

The post Favorite Linux Tweaks | LINUX Unplugged 379 first appeared on Jupiter Broadcasting.

Crypto HAMMER | BSD Now 251 https://original.jupiterbroadcasting.net/125651/crypto-hammer-bsd-now-251/ Thu, 21 Jun 2018 10:02:18 +0000 https://original.jupiterbroadcasting.net/?p=125651

The post Crypto HAMMER | BSD Now 251 first appeared on Jupiter Broadcasting.

##Headlines
###DragonflyBSD: Towards a HAMMER1 master/slave encrypted setup with LUKS

I just wanted to share my experience with setting up DragonFly master/slave HAMMER1 PFS’s on top of LUKS
So after a long time using a Synology for my NFS needs, I decided it was time to rethink my setup a little since I had several issues with it:

  • You cannot run NFS on top of encrypted partitions easily
  • I suspect I am having some data corruption (bitrot) on the ext4 filesystem
  • the NIC was stuck to 100 Mbps instead of 1 Gbps even after swapping cables, switches, you name it
  • It’s proprietary

I have been playing with DragonFly in the past and knew about HAMMER, now I just had the perfect excuse to actually use it in production 🙂 After setting up the OS, creating the LUKS partition and HAMMER FS was easy :

kldload dm
cryptsetup luksFormat /dev/serno/<id1>
cryptsetup luksOpen /dev/serno/<id1> fort_knox
newfs_hammer -L hammer1_secure_master /dev/mapper/fort_knox
cryptsetup luksFormat /dev/serno/<id2>
cryptsetup luksOpen /dev/serno/<id2> fort_knox_slave
newfs_hammer -L hammer1_secure_slave /dev/mapper/fort_knox_slave

  • Mount the 2 drives :

mount /dev/mapper/fort_knox /fort_knox
mount /dev/mapper/fort_knox_slave /fort_knox_slave

You can now put your data under /fort_knox
Now, off to setting up the replication, first get the shared-uuid of /fort_knox

hammer pfs-status /fort_knox

Create a PFS slave “linked” to the master

hammer pfs-slave /fort_knox_slave/pfs/slave shared-uuid=f9e7cc0d-eb59-10e3-a5b5-01e6e7cefc12

And then stream your data to the slave PFS !

hammer mirror-stream /fort_knox /fort_knox_slave/pfs/slave

After that, setting up NFS is fairly trivial even though I had problems with the /etc/exports syntax, which is different from Linux

There’s a few things I wish would be better though but nothing too problematic or without workarounds :

  • Cannot unlock LUKS partitions at boot time afaik (Acceptable tradeoff for the added security LUKS gives me vs my old Synology setup) but this forces me to run a script to unlock LUKS, mount hammer and start mirror-stream at each boot
  • No S1/S3 sleep so I made a script to shutdown the system when there are no network neighbors to serve the NFS
  • As my system isn’t online 24/7 for energy reasons, I guess I will have to run hammer cleanup myself from time to time
  • Some uncertainty because hey, it’s kind of exotic but exciting too 🙂

Overall, I am happy, HAMMER1 and PFS are looking really good, DragonFly is a neat Unix and the community is super friendly (Matthew Dillon actually provided me with a kernel patch to fix the broken ACPI on the PC holding this setup, many thanks!), the system is still a “work in progress” but it is already serving my files as I write this post.

Let’s see in 6 months how it goes in the longer run !


###BSDCan 2018 Recap

  • As promised, here is the second part of our BSDCan report, covering the conference proper. The last tutorials/devsummit of that day led directly into the conference, as people could pick up their registration packs at the Red Lion and have a drink with fellow BSD folks.
  • Allan and I were there only briefly, as we wanted to get back to the “Newcomers orientation and mentorship” session led by Michael W. Lucas. This session is intended for people that are new to BSDCan (maybe their first BSD conference ever?) and may have questions. Michael explained everything from the 6-2-1 rule (hours of sleep, meals per day, and number of showers that attendees should have at a minimum), to the partner and widowers program (led by his wife Liz), to the sessions that people should not miss (opening, closing, and hallway track). Old-time BSDCan folks were asked to stand up so that people can recognize them and ask them any questions they might have during the conferences. The session was well attended. Afterwards, people went for dinner in groups, a big one led by Michael Lucas to his favorite Shawarma place, followed by gelato (of course). This allowed newbies to mingle over dinner and ice cream, creating a welcoming atmosphere.
  • The next day, after Dan Langille opened the conference, Benno Rice gave the keynote presentation about “The Tragedy of Systemd”.
  • Benedict went to the following talks:

    “Automating Network Infrastructures with Ansible on FreeBSD” in the DevSummit track. A good talk that connected well with his Ansible tutorial and even allowed some discussions among participants.
    “All along the dwatch tower”: Devin delivered a well prepared talk. I first thought that the number of slides would not fit into the time slot, but she even managed to give a demo of her work, which was well received. The dwatch tool she wrote should make it easy for people to get started with DTrace without learning too much about the syntax at first. The visualizations were certainly nice to see, combining different tools together in a new way.
    ZFS BoF, led by Allan and Matthew Ahrens
    SSH Key Management by Michael W. Lucas. Yet another great talk where I learned a lot. I did not get to the SSH CA chapter in the new SSH Mastery book, so this was a good way to whet my appetite for it and motivated me to look into creating one for the cluster that I’m managing.
    The rest of the day was spent at the FreeBSD Foundation table, talking to various folks. Then, Allan and I had an interview with Kirk McKusick for National FreeBSD Day, then we had a core meeting, followed by a core dinner.

  • Day 2:

    “Flexible Disk Use in OpenZFS”: Matthew Ahrens talking about the feature he is implementing to expand a RAID-Z with a single disk, as well as device removal.
    Allan’s talk about his efforts to implement ZSTD in OpenZFS as another compression algorithm. I liked his overview slides with the numbers comparing the algorithms for their effectiveness and his personal story about the sometimes rocky road to get the feature implemented.
    “zrepl – ZFS replication” by Christian Schwarz, was well prepared and even had a demo to show what his snapshot replication tool can do. We covered it on the show before and people can find it under sysutils/zrepl. Feedback and help is welcome.
    “The Evolution of FreeBSD Governance” by Kirk McKusick was yet another great talk by him covering the early days of FreeBSD until today, detailing some of the progress and challenges the project faced over the years in terms of leadership and governance. This is an ongoing process that everyone in the community should participate in to keep the project healthy and infused with fresh blood.
    Closing session and auction were funny and great as always.
    All in all, yet another amazing BSDCan. Thank you Dan Langille and your organizing team for making it happen! Well done.


###NomadBSD 1.1-RC1 Released

The first – and hopefully final – release candidate of NomadBSD 1.1 is available!

Changes:

  • The base system has been upgraded to FreeBSD 11.2-RC3
  • EFI booting has been fixed.
  • Support for modern Intel GPUs has been added.
  • Support for installing packages has been added.
  • Improved setup menu.
  • More software packages:
    • benchmarks/bonnie++
    • DSBDisplaySettings
    • DSBExec
    • DSBSu
    • mail/thunderbird
    • net/mosh
    • ports-mgmt/octopkg
    • print/qpdfview
    • security/nmap
    • sysutils/ddrescue
    • sysutils/fusefs-hfsfuse
    • sysutils/fusefs-sshfs
    • sysutils/sleuthkit
    • www/lynx
    • x11-wm/compton
    • x11/xev
    • x11/xterm
  • Many improvements and bugfixes

The image and instructions can be found here.

##News Roundup
###LDAP client added to -current

CVSROOT:    /cvs
Module name:    src
Changes by: reyk@cvs.openbsd.org    2018/06/13 09:45:58

Log message:
    Import ldap(1), a simple ldap search client.
    We have an ldapd(8) server and ypldap in base, so it makes sense to
    have a simple LDAP client without depending on the OpenLDAP package.
    This tool can be used in an ssh(1) AuthorizedKeysCommand script.
    
    With feedback from many including millert@ schwarze@ gilles@ dlg@ jsing@
    
    OK deraadt@
    
    Status:
    
    Vendor Tag: reyk
    Release Tags:   ldap_20180613
    
    N src/usr.bin/ldap/Makefile
    N src/usr.bin/ldap/aldap.c
    N src/usr.bin/ldap/aldap.h
    N src/usr.bin/ldap/ber.c
    N src/usr.bin/ldap/ber.h
    N src/usr.bin/ldap/ldap.1
    N src/usr.bin/ldap/ldapclient.c
    N src/usr.bin/ldap/log.c
    N src/usr.bin/ldap/log.h
    
    No conflicts created by this import

###Intel® FPU Speculation Vulnerability Confirmed

  • Earlier this month, Philip Guenther (guenther@) committed (to amd64 -current) a change from lazy to semi-eager FPU switching to mitigate against rumored FPU state leakage in Intel® CPUs.
  • Theo de Raadt (deraadt@) discussed this in his BSDCan 2018 session.
  • Using information disclosed in Theo’s talk, Colin Percival developed a proof-of-concept exploit in around 5 hours. This seems to have prompted an early end to an embargo (in which OpenBSD was not involved), and the official announcement of the vulnerability.
  • FPU change in FreeBSD
Summary:

System software may utilize the Lazy FP state restore technique to delay the restoring of state until an instruction operating on that state is actually executed by the new process. Systems using Intel® Core-based microprocessors may potentially allow a local process to infer data utilizing Lazy FP state restore from another process through a speculative execution side channel.

Description:

System software may opt to utilize Lazy FP state restore instead of eager save and restore of the state upon a context switch. Lazy restored states are potentially vulnerable to exploits where one process may infer register values of other processes through a speculative execution side channel that infers their value.

  • CVSS - 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Affected Products:

Intel® Core-based microprocessors.

Recommendations:

If an XSAVE-enabled feature is disabled, then we recommend either its state component bitmap in the extended control register (XCR0) is set to 0 (e.g. XCR0[bit 2]=0 for AVX, XCR0[bits 7:5]=0 for AVX512) or the corresponding register states of the feature should be cleared prior to being disabled. Also for relevant states (e.g. x87, SSE, AVX, etc.), Intel recommends system software developers utilize Eager FP state restore in lieu of Lazy FP state restore.

Acknowledgements:

Intel would like to thank Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology GmbH (https://www.cyberus-technology.de/), Zdenek Sojka from SYSGO AG (https://sysgo.com), and Colin Percival for reporting this issue and working with us on coordinated disclosure.

###iX Systems – BSDCan 2018 Recap

###FreeBSD gets pNFS support

Merge the pNFS server code from projects/pnfs-planb-server into head.

This code merge adds a pNFS service to the NFSv4.1 server. Although it is
a large commit it should not affect behaviour for a non-pNFS NFS server.
Some documentation on how this works can be found at:
https://people.freebsd.org/~rmacklem/pnfs-planb-setup.txt
and will hopefully be turned into a proper document soon.
This is a merge of the kernel code. Userland and man page changes will
come soon, once the dust settles on this merge.
It has passed a "make universe", so I hope it will not cause build problems.
It also adds NFSv4.1 server support for the "current stateid".

Here is a brief overview of the pNFS service:
A pNFS service separates the Read/Write operations from all the other NFSv4.1
Metadata operations. It is hoped that this separation allows a pNFS service
to be configured that exceeds the limits of a single NFS server for either
storage capacity and/or I/O bandwidth.
It is possible to configure mirroring within the data servers (DSs) so that
the data storage file for an MDS file will be mirrored on two or more of
the DSs.
When this is used, failure of a DS will not stop the pNFS service and a
failed DS can be recovered once repaired while the pNFS service continues
to operate.  Although two way mirroring would be the norm, it is possible
to set a mirroring level of up to four or the number of DSs, whichever is
less.
The Metadata server will always be a single point of failure,
just as a single NFS server is.

A Plan B pNFS service consists of a single MetaData Server (MDS) and K
Data Servers (DS), all of which are recent FreeBSD systems.
Clients will mount the MDS as they would a single NFS server.
When files are created, the MDS creates a file tree identical to what a
single NFS server creates, except that all the regular (VREG) files will
be empty. As such, if you look at the exported tree on the MDS directly
on the MDS server (not via an NFS mount), the files will all be of size 0.
Each of these files will also have two extended attributes in the system
attribute name space:
pnfsd.dsfile - This extended attribute stores the information that
    the MDS needs to find the data storage file(s) on DS(s) for this file.
pnfsd.dsattr - This extended attribute stores the Size, AccessTime, ModifyTime
    and Change attributes for the file, so that the MDS doesn't need to
    acquire the attributes from the DS for every Getattr operation.
For each regular (VREG) file, the MDS creates a data storage file on one
(or more if mirroring is enabled) of the DSs in one of the "dsNN"
subdirectories.  The name of this file is the file handle
of the file on the MDS in hexadecimal so that the name is unique.
The DSs use subdirectories named "ds0" to "dsN" so that no one directory
gets too large. The value of "N" is set via the sysctl vfs.nfsd.dsdirsize
on the MDS, with the default being 20.
For production servers that will store a lot of files, this value should
probably be much larger.
It can be increased when the "nfsd" daemon is not running on the MDS,
once the "dsK" directories are created.

For pNFS aware NFSv4.1 clients, the FreeBSD server will return two pieces
of information to the client that allows it to do I/O directly to the DS.
DeviceInfo - This is relatively static information that defines what a DS
             is. The critical bits of information returned by the FreeBSD
             server is the IP address of the DS and, for the Flexible
             File layout, that NFSv4.1 is to be used and that it is
             "tightly coupled".
             There is a "deviceid" which identifies the DeviceInfo.
Layout     - This is per file and can be recalled by the server when it
             is no longer valid. For the FreeBSD server, there is support
             for two types of layout, called File and Flexible File layout.
             Both allow the client to do I/O on the DS via NFSv4.1 I/O
             operations. The Flexible File layout is a more recent variant
             that allows specification of mirrors, where the client is
             expected to do writes to all mirrors to maintain them in a
             consistent state. The Flexible File layout also allows the
             client to report I/O errors for a DS back to the MDS.
             The Flexible File layout supports two variants referred to as
             "tightly coupled" vs "loosely coupled". The FreeBSD server always
             uses the "tightly coupled" variant where the client uses the
             same credentials to do I/O on the DS as it would on the MDS.
             For the "loosely coupled" variant, the layout specifies a
             synthetic user/group that the client uses to do I/O on the DS.
             The FreeBSD server does not do striping and always returns
             layouts for the entire file. The critical information in a layout
             is Read vs Read/Write and DeviceID(s) that identify which
             DS(s) the data is stored on.

At this time, the MDS generates File Layout layouts to NFSv4.1 clients
that know how to do pNFS for the non-mirrored DS case unless the sysctl
vfs.nfsd.default_flexfile is set non-zero, in which case Flexible File
layouts are generated.
The mirrored DS configuration always generates Flexible File layouts.
For NFS clients that do not support NFSv4.1 pNFS, all I/O operations
are done against the MDS which acts as a proxy for the appropriate DS(s).
When the MDS receives an I/O RPC, it will do the RPC on the DS as a proxy.
If the DS is on the same machine, the MDS/DS will do the RPC on the DS as
a proxy and so on, until the machine runs out of some resource, such as
session slots or mbufs.
As such, DSs must be separate systems from the MDS.

***

###[What does {some strange unix command name} stand for?](https://www.unixguide.net/unix/faq/1.3.shtml)

+ awk = "Aho Weinberger and Kernighan" 
+ grep = "Global Regular Expression Print" 
+ fgrep = "Fixed GREP". 
+ egrep = "Extended GREP" 
+ cat = "CATenate" 
+ gecos = "General Electric Comprehensive Operating Supervisor" 
+ nroff = "New ROFF" 
+ troff = "Typesetter new ROFF" 
+ tee = T 
+ bss = "Block Started by Symbol"
+ biff = "BIFF" 
+ rc (as in ".cshrc" or "/etc/rc") = "RunCom" 
+ Don Libes' book "Life with Unix" contains lots more of these tidbits.
***

##Beastie Bits
+ [RetroBSD: Unix for microcontrollers](https://retrobsd.org/wiki/doku.php)
+ [On the matter of OpenBSD breaking embargos (KRACK)](https://marc.info/?l=openbsd-tech&m=152910536208954&w=2)
+ [Theo's Basement Computer Paradise (1998)](https://zeus.theos.com/deraadt/hosts.html)
+ [Airport Extreme runs NetBSD](https://jcs.org/2018/06/12/airport_ssh)
+ [What UNIX shell could have been](https://rain-1.github.io/shell-2.html)

***

##Feedback/Questions
+ We need more feedback and questions. Please email feedback@bsdnow.tv 
+ Also, many of you owe us BSDCan trip reports! We have shared what our experience at BSDCan was like, but we want to hear about yours. What can we do better next year? What was it like being there for the first time?
+ [Jason writes in](https://slexy.org/view/s205jU58X2)
    + https://www.wheelsystems.com/en/products/wheel-fudo-psm/
+ [June 19th was National FreeBSD Day](https://twitter.com/search?src=typd&q=%23FreeBSDDay)
***

- Send questions, comments, show ideas/topics, or stories you want mentioned on the show to [feedback@bsdnow.tv](mailto:feedback@bsdnow.tv)
***

Game of File Systems | TechSNAP 272 https://original.jupiterbroadcasting.net/100661/game-of-file-systems-techsnap-272/ Thu, 23 Jun 2016 18:56:21 +0000 https://original.jupiterbroadcasting.net/?p=100661

The post Game of File Systems | TechSNAP 272 first appeared on Jupiter Broadcasting.

What’s got Windows admins in a Panic? Total chaos my friends, we’ll tell you why. Extensive coverage of Apple’s new filesystem, Ransomware that might just impress you…

Your great questions, our answers, a packed round up & much, much more!

Show Notes:

Windows Admins in panic after Microsoft fix breaks Group Policies

  • Group Policies are a powerful set of Windows registry settings that are downloaded and applied when a computer and/or user logs in to a domain controller.
  • Group Policy Objects (GPOs) allow Administrators to control settings and access to Windows computers centrally. They allow things like disabling the run menu, hiding specific drives, controlling access to applications, and even application whitelisting
  • On June 14th, Microsoft released MS16-072: Security update for Group Policy rated “Important for all supported releases of Microsoft Windows”
  • “An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine.
    To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user. The security update addresses the vulnerability by enforcing Kerberos authentication for certain calls over LDAP.”
  • Later, Microsoft released a knowledge base article about this issue: KB 3163622
  • “MS16-072 changes the security context with which user group policies are retrieved. This by-design behavior change protects customers’ computers from a security vulnerability. Before MS16-072 is installed, user group policies were retrieved by using the user’s security context. After MS16-072 is installed, user group policies are retrieved by using the computer’s security context.”
  • “Symptoms: All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.”
  • “Cause: This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.”
  • Resolution: To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:
    • Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
    • If you are using security filtering, add the Domain Computers group with read permission.
  • This issue struck a large number of Windows administrators, some of them extremely hard
  • GPOs are the main tool administrators have to enforce policies throughout the network
  • One admin reported: “desktop images were configured such that the A, B, C and D drives that were hidden from users, but they are now showing up”
  • This was likely done to keep users from accidentally saving files to the local computer, rather than the network where they can be accessed from other computers, and centrally backed up.
  • “Other users report having printers and drive maps become inaccessible and security group settings no longer applying”

More coverage of APFS, in detail this time

  • Building on the post from last week, Adam Leventhal breaks down his early analysis of APFS
  • “APFS, the Apple File System, was itself started in 2014 with Dominic as its lead engineer. It’s a stand-alone, from-scratch implementation. I asked him about looking for inspiration in other modern file systems such as BSD’s HAMMER, Linux’s btrfs, or OpenZFS, all of which have features similar to what APFS intends to deliver. Dominic explained that while, as a self-described file system guy (he built the file system in BeOS), he was aware of them, but didn’t delve too deeply for fear, he said, of tainting himself.”
  • “APFS first and foremost pays down the unsustainable technical debt that Apple has been carrying in HFS+. HFS was introduced in 1985 when the Mac 512K (of memory!) was Apple’s flagship. HFS+, a significant iteration, shipped in 1998 on the G3 PowerMacs with 4GB hard drives. Since then storage capacities have increased by factors of 1,000,000 and 1,000 respectively.”
  • Compression: “in typical Apple fashion—neither confirmed nor denied while strongly implying that it’s definitely a feature we can expect in APFS”
  • Encryption: “Encryption is clearly a core feature of APFS. This comes from diverse requirements from the various devices, for example multiple keys within file systems on the iPhone or per-user keys on laptops”
  • Filesystems (and possibly individual files) will support 3 different flavours:
    • Unencrypted
    • Single-key for metadata and user data
    • Multi-key with different choices for metadata, files, and even sections of a file (“extents”)
  • “Multi-key encryption is particularly relevant for portables where all data might be encrypted, but unlocking your phone provides access to an additional key and therefore additional data. Unfortunately this doesn’t seem to be working in the first beta of macOS Sierra (specifying fileEncryption when creating a new volume with diskutil results in a file system that reports “Is Encrypted” as “No”).”
  • “APFS (apparently) supports constant time cryptographic file system erase, called “effaceable” in the diskutil output. This presumably builds a secret key that cannot be extracted from APFS and encrypts the file system with it. A secure erase then need only delete the key rather than needing to scramble and re-scramble the full disk to ensure total eradication. Various iOS docs refer to this capability requiring some specialized hardware; it will be interesting to see what the option means on macOS. Either way, let’s not mention this to the FBI or NSA, agreed?”
  • Snapshots: APFS will support snapshots, but likely not the same type of serialization that “zfs send” provides. “ZFS sends all changed data while Time Machine can have exclusion lists and the like.”
  • “APFS right now is incompatible with Time Machine due to the lack of directory hard links, a fairly disgusting implementation that likely contributes to Time Machine’s questionable reliability. Hopefully APFS will create some efficient serialization for Time Machine backup.”
  • “While Eric Tamura, APFS dev manager, demonstrated snapshots at WWDC, the required utilities aren’t included in the macOS Sierra beta.”
  • Management: “APFS brings another new feature known as space sharing. A single APFS “container” that spans a device can have multiple “volumes” (file systems) within it. Apple contrasts this with the static allocation of disk space to support multiple HFS+ instances, which seems both specious and an uncommon use case. Both ZFS and btrfs have a similar concept of a shared pool of storage with nested file systems for administration and management.”
  • Clones: “Apple’s sort-of-unique contribution to space efficiency is constant time cloning of files and directories.” “With APFS, if you copy a file within the same file system, no data is actually duplicated. Instead a constant amount of metadata is updated and the on-disk data is shared. Changes to either copy cause new space to be allocated (so-called “copy on write” or COW).”
  • “As a quick aside, “files” in macOS are often really directories; it’s a convenient lie they tell to allow logically related collections of files to be treated as an indivisible unit. Right click an application and select “Show Package Contents” to see what I mean.”
  • “Side note: Finder copy creates space-efficient clones, but cp from the command line does not.”
  • Performance: “APFS claims to be optimized for flash” “SSDs mimic the block interface of conventional hard drives, but the underlying technology is completely different. In particular while magnetic media can read or write sectors arbitrarily, flash erases large chunks (blocks) and reads and writes smaller chunks (pages). The management is done by what’s called the flash translation layer (FTL), software that makes blocks and pages appear more like a hard drive. An FTL is very similar to a file system, creating a virtual mapping (a translation) between block addresses and locations within the media. Apple controls the full stack including the SSD, FTL, and file system; they could have built something differentiated, optimizing these components to work together. What APFS does, however, is simply write in patterns known to be more easily handled by NAND. It’s a file system with flash-aware characteristics rather than one written explicitly for the native flash interfaces, more or less what you’d expect in 2016.”
  • “APFS includes TRIM support. TRIM is a command in the ATA protocol that allows a file system to indicate to an SSD (specifically, its FTL) that some space has been freed.”
  • “APFS also focuses on latency; Apple’s number one goal is to avoid the beachball of doom. APFS addresses this with I/O QoS (quality of service) to prioritize accesses that are immediately visible to the user over background activity that doesn’t have the same time-constraints. This is inarguably a benefit to users and a sophisticated file system capability.”
  • Redundancy: “APFS makes no claims with regard to data redundancy. As Apple’s Eric Tamura noted at WWDC, most Apple devices have a single storage device (i.e. one logical SSD) making RAID, for example, moot. Instead redundancy comes from lower layers such as Apple RAID (apparently a thing), hardware RAID controllers, SANs, or even the “single” storage devices themselves.”
  • “Also, APFS removes the most common way of a user achieving local data redundancy: copying files. A copied file in APFS actually creates a lightweight clone with no duplicated data. Corruption of the underlying device would mean that both “copies” were damaged whereas with full copies localized data corruption would affect just one.”
  • Crash Consistency: In order to maintain consistency of the file system after a crash, you need to be able to revert any incomplete operations. The problem is that a typical file system overwrites data in place, making this impossible.
  • “APFS claims to implement a “novel copy-on-write metadata scheme”; APFS lead developer Dominic Giampaolo emphasized the novelty of this approach without delving into the details. In conversation later, he made it clear that APFS does not employ the ZFS mechanism of copying all metadata above changed user data which allows for a single, atomic update of the file system structure.”
  • So APFS does COW for metadata, but not for data. Meaning the filesystem will be consistent, but your data might not be
  • “It’s surprising to see that APFS includes fsck_apfs—even after asking Dominic I’m not sure why it would be necessary.”
  • Checksums: “Notably absent from the APFS intro talk was any mention of checksums. A checksum is a digest or summary of data used to detect (and correct) data errors. The story here is surprisingly nuanced. APFS checksums its own metadata but not user data. The justification for checksumming metadata is strong: there’s relatively not much of it (so the checksums don’t consume much storage) and losing metadata can cast a potentially huge shadow of data loss. If, for example, metadata for a top level directory is corrupted then potentially all data on the disk could be rendered inaccessible. ZFS duplicates metadata (and triple duplicates top-level metadata) for exactly this reason.”
  • So ZFS can recover from corrupt metadata even in a single device configuration, because metadata is always stored as 2 complete copies, or 3 for important pool-wide metadata
  • “Explicitly not checksumming user data is a little more interesting. The APFS engineers I talked to cited strong ECC protection within Apple storage devices. Both flash SSDs and magnetic media HDDs use redundant data to detect and correct errors. The engineers contend that Apple devices basically don’t return bogus data.”
  • So Apple relies on the hardware to do the right thing; this is likely to backfire eventually
  • “The Apple folks were quite interested in my experience with regard to bit rot (aging data silently losing integrity) and other device errors. I’ve seen many instances where devices raised no error but ZFS (correctly) detected corrupted data. Apple has some of the most stringent device qualification tests for its vendors; I trust that they really do procure the best components. Apple engineers I spoke with claimed that bit rot was not a problem for users of their devices, but if your software can’t detect errors then you have no idea how your devices really perform in the field. ZFS has found data corruption on multi-million dollar storage arrays; I would be surprised if it didn’t find errors coming from TLC (i.e. the cheapest) NAND chips in some of Apple’s devices. Recall the (fairly) recent brouhaha regarding storage problems in the high capacity iPhone 6. At least some of Apple’s devices have been imperfect.”
  • Scrub: “As data ages you might occasionally want to check for bit rot. Likely fsck_apfs can accomplish this; as noted though there’s no data redundancy and no checksums for user data, so scrub would only help to find problems and likely wouldn’t help to correct them. And if it makes it any easier for Apple to reverse course, let’s say it’s for the el cheap-o drive I bought from Fry’s not for the gold-plated device I got from Apple.”
  • Conclusions: “Any file system started in 2014 should of course consider huge devices, and SSDs–check and check. Copy-on-write (COW) snapshots are the norm; making the Duplicate command in the Finder faster wasn’t much of a detour. The use case is unclear, it’s a classic garbage can theory solution, a solution in search of a problem, but it doesn’t hurt and it makes for a fun demo. The beach ball of doom earned its nickname; APFS was naturally built to avoid it.”
  • “There are some seemingly absent or ancillary design goals: performance, openness, and data integrity. Squeezing the most IOPS or throughput out of a device probably isn’t critical on watchOS, and it’s relevant only to a small percentage of macOS users. It will be interesting to see how APFS performs once it ships (measuring any earlier would only misinform the public and insult the APFS team).”
  • “APFS development docs have a bullet on open source: “An open source implementation is not available at this time.” I don’t expect APFS to be open source at this time or any other, but prove me wrong, Apple. If APFS becomes world-class I’d love to see it in Linux and FreeBSD–maybe Microsoft would even jettison their ReFS experiment. My experience with OpenZFS has shown that open source accelerates that path to excellence. It’s a shame that APFS lacks checksums for user data and doesn’t provide for data redundancy. Data integrity should be job one for a file system, and I believe that that’s true for a watch or phone as much as it is for a server.”
  • “At stability, APFS will be an improvement, for Apple users of all kinds, on every device. There are some clear wins and some missed opportunities. Now that APFS has been shared with the world the development team is probably listening. While Apple is clearly years past the decision to build from scratch rather than adopting existing modern technology, there’s time to raise the priority of data integrity and openness. I’m impressed by Apple’s goal of using APFS by default within 18 months. Regardless of how it goes, it will be an exciting transition.”
  • I am not sure anyone has ever wanted an “Exciting” filesystem.

New Ransomware written entirely in javascript, RAA

  • A new crypto ransomware has made an appearance on the Internet, and it is slightly unusual.
  • The malware arrives as an attachment pretending to be a .doc file, but is actually .js
  • For whatever reason, the default file association for .js on Windows is the Windows Scripting Host, so when opened, the javascript actually executes
  • The javascript standard library does not include any encryption mechanisms, however the designers of the malware bundled CryptoJS, a framework that provides standard crypto primitives like AES256 in pure javascript
  • The ransomware demands around $250 worth of bitcoin for the key to decrypt your files
  • The ransomware also comes bundled with an embedded password stealing malware
  • So even if you pay, the attackers have already stolen all of your saved passwords
  • Once the ransomware is run, it generates a random .doc file and opens it. The object is to make the user think the file was corrupt, and avoid the user being suspicious
  • “While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption”
  • It also seems to purposely disable the Windows Volume Shadow Copy service. It may also destroy actual shadow copies; the code is too obfuscated to tell right now.
  • “Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [ID] being the unique ID assigned to the victim. The text of this ransom note is in Russian”
  • “When a JavaScript file, such as RAA, executes outside of the browser it requires an interpreter that can read the file and execute the JavaScript commands within it. As most people do not need to execute Javascript outside of a web browser, it is suggested that everyone disables the Windows Script Host so that these types of files are not allowed to execute. If you wish to disable the windows script host, which is enabled by default in Windows, you can add the following DWORD Registry entry to your computer and set the value to 0.”
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
  • You probably don’t need to execute javascript on your machine anyway. Push this out as a group policy… and hope it works 😉

The post Game of File Systems | TechSNAP 272 first appeared on Jupiter Broadcasting.

Grand Theft BGP | TechSNAP 121 https://original.jupiterbroadcasting.net/41087/grand-theft-bgp-techsnap-121/ Thu, 01 Aug 2013 17:49:09 +0000 https://original.jupiterbroadcasting.net/?p=41087 A BGP hack reroutes the traffic of banks, Amazon and many others. We’ll explain how this can happen, and why we don't see it more often.

Plus an Interview with Brendan Gregg author of a new book that focuses on Systems Performance in the Enterprise and the Cloud, plus a big batch of your questions, our answers, and much much more!

BGP hijack used to redirect traffic destined for online banking

  • On 24 July 2013 a number of specific IP addresses were maliciously mis-routed to an ISP in the Netherlands
  • This is especially unusual because most all BGP routes are /24 or larger (because routers only have so much RAM in which to hold the routing table for the entire Internet), and most of these were specific /32s (a single IP address).
  • This might be considered a mistake, however the owners of the specific IP addresses suggest otherwise:
    • AMAZON-AES – Amazon.com, Inc.
    • AS-7743 – JPMorgan Chase & Co.
    • ASN-BBT-ASN – Branch Banking and Trust Company
    • BANK-OF-AMERICA Bank of America
    • CEGETEL-AS Societe Francaise du Radiotelephone S.A
    • FIRSTBANK – FIRSTBANK
    • HSBC-HK-AS HSBC HongKong
    • PFG-ASN-1 – The Principal Financial Group
    • PNCBANK – PNC Bank
    • REGIONS-ASN-1 – REGIONS FINANCIAL CORPORATION
  • The ISP, NedZone.nl normally announced about 30 prefixes of various sizes between /18 and /24, but on the date in question, they were announcing 369, most all of which were smaller than /24 (usually the smallest that would be announced)
  • It is most likely this was caused by a malicious customer, rather than NedZone or one of its employees
  • The attack appears to have been an attempt to run a MITM attack against online banking
  • RIPE AS Dashboard for AS25459, showing list of prefixes announced in the last 30 days
  • HE BGP Looking Glass AS25459 Prefixes
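
A defender-side check for the pattern described above, as an added example that is not part of the original show notes: compare what an AS announces now against its baseline and flag new prefixes that are more specific than /24, fall outside its usual address space, or cover space you watch. The function names, the documentation-range prefixes and the "ExampleBank" owner are constructed for illustration.

```python
import ipaddress

# Per the show notes, /24 is usually the most specific prefix announced.
MAX_NORMAL_PREFIXLEN = 24

def audit_announcements(baseline, current, watched):
    """Flag prefixes an AS announces now that it did not announce before.

    baseline, current: iterables of IPv4 prefix strings originated by the AS
    watched: dict of prefix string -> owner, address space you want to protect
    Returns findings sorted most-specific first.
    """
    base_nets = {ipaddress.ip_network(p) for p in baseline}
    cur_nets = {ipaddress.ip_network(p) for p in current}
    watched_nets = [(ipaddress.ip_network(p), owner) for p, owner in watched.items()]

    findings = []
    for net in cur_nets - base_nets:
        reasons = []
        if net.prefixlen > MAX_NORMAL_PREFIXLEN:
            reasons.append("more specific than /%d" % MAX_NORMAL_PREFIXLEN)
        # A new prefix carved out of the AS's own space is less alarming than
        # one that lies entirely outside anything it announced before.
        if not any(net.subnet_of(b) for b in base_nets):
            reasons.append("outside baseline address space")
        victim = next((o for w, o in watched_nets if net.subnet_of(w)), None)
        if victim:
            reasons.append("covers space belonging to " + victim)
        if reasons:
            findings.append({"prefix": str(net), "victim": victim, "reasons": reasons})

    findings.sort(key=lambda f: (-ipaddress.ip_network(f["prefix"]).prefixlen,
                                 int(ipaddress.ip_network(f["prefix"]).network_address)))
    return findings

def growth_factor(baseline, current):
    """How many times more prefixes are announced now than in the baseline."""
    return len(set(current)) / len(set(baseline))

# Constructed sample data using documentation address ranges.
BASELINE = ["198.51.100.0/24", "203.0.113.0/24"]
CURRENT = BASELINE + ["192.0.2.10/32", "192.0.2.77/32", "198.51.100.128/25"]
WATCHED = {"192.0.2.0/24": "ExampleBank (constructed)"}

if __name__ == "__main__":
    print("announcement growth: x%.1f" % growth_factor(BASELINE, CURRENT))
    for f in audit_announcements(BASELINE, CURRENT, WATCHED):
        print(f["prefix"], "->", "; ".join(f["reasons"]))
```
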

Digital Ocean Cloud ‘Droplets’ found to be reusing same SSH private keys

  • While using Digital Ocean’s cloud server to write a comparison of Ansible and Salt, two different administration/orchestration tools, Joshua Lund discovered that many of his ‘Droplets’ had the same SSH fingerprint
  • While rapidly creating and destroying Droplets, he ended up with the same IP address, and noticed that he did not receive the SSH fingerprint mismatch warning that would normally tell him this server is not the same as the one that previously resided at this IP address
  • Upon further investigation he found that the SSH keys appeared to be part of the base image, rather than being generated on first boot
  • While this was likely a simple oversight while creating the images, or an attempt to make the droplets boot faster by foregoing the SSH key generation, it is a significant security issue
  • This means someone could replace your droplet with their own and have the same SSH private key (and therefore fingerprint). If you or one of your old users connected to your old IP, which now belonged to someone else, they could capture your password or otherwise perform a MITM attack
  • The issue was reported to Digital Ocean and they responded the same day
  • The immediate fix did not resolve all instances of the issue, but within 7 days the issue had been resolved
  • Digital Ocean then started working with their customers to have them replace their SSH host keys with unique ones
  • 6 weeks later a public security advisory was issued
  • If you do not install the OS yourself, it may be a good idea to regenerate the SSH keys as part of the initial setup process
  • Official Advisory
  • On a future Episode of TechSNAP we’ll talk about SSHFP DNS records and maintaining a system wide ssh_known_hosts file
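
One way to check a fleet for the problem described above, as an added example that is not part of the original show notes: fingerprint each server's public host key and report any key presented by more than one host. It assumes input in the `host keytype base64` layout that ssh-keyscan prints; the host names and keys are constructed demo data and the function names are hypothetical.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_scan_line(line):
    """Parse one 'host keytype base64' line; return (host, keytype, blob) or None."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    host, keytype, b64 = parts[:3]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return None
    # The blob begins with a length-prefixed copy of the key type;
    # reject lines where it disagrees with the declared type.
    if len(blob) < 4:
        return None
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != keytype.encode():
        return None
    return host, keytype, blob

def find_shared_host_keys(lines):
    """Map fingerprint -> sorted hosts, for host keys presented by more than one host.

    Aliases of one machine (name and IP) will also show up here, so resolve
    those before treating a hit as a cloned image.
    """
    hosts_by_key = defaultdict(set)
    for line in lines:
        parsed = parse_scan_line(line)
        if parsed:
            host, _keytype, blob = parsed
            hosts_by_key[fingerprint(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_key.items() if len(hosts) > 1}

def constructed_key(seed):
    """ed25519-shaped base64 blob built from a seed byte (demo data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Constructed scan results: two servers built from the same image share a key.
IMAGE_KEY = constructed_key(1)
SAMPLE_SCAN = [
    "# constructed scan results",
    "droplet-a.example ssh-ed25519 " + IMAGE_KEY,
    "droplet-b.example ssh-ed25519 " + IMAGE_KEY,
    "droplet-c.example ssh-ed25519 " + constructed_key(2),
    "droplet-d.example ssh-rsa " + constructed_key(3),  # type mismatch, skipped
]

if __name__ == "__main__":
    for fp, hosts in find_shared_host_keys(SAMPLE_SCAN).items():
        print(fp, "shared by", ", ".join(hosts))
```
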

Interview with Brendan Gregg

SSH FUD Busting | TechSNAP 90 https://original.jupiterbroadcasting.net/29371/ssh-fud-busting-techsnap-90/ Thu, 27 Dec 2012 17:11:42 +0000 https://original.jupiterbroadcasting.net/?p=29371 We’ll bust the FUD around the media’s overreaction to SSH Key mismanagement, plus the details on millions of WordPress databases exposed by a popular plugin.

Plus a rockin round-up and a batch of your questions, and our answers!

All that and more on this week’s TechSNAP!

    W3 Total Cache (a popular wordpress plugin) may expose sensitive data

    • W3 Total Cache is a very popular and powerful caching plugin
    • The recently discovered problems are technically a configuration error, not a vulnerability, but because it is the default configuration, most sites are vulnerable
    • It can provide significant speed gains over stock wordpress
    • Page Cache – By creating flat .html versions of the page after it is dynamically generated, subsequent anonymous visitors can be shown the cached version of the page, significantly reducing server load and response times
    • Database Cache – By caching the results of database queries, if the same read query needs to be executed again, the cached result can be used, significantly reducing the number of database queries required to render a page
    • Object Cache – A higher level cache than the database cache, Objects may be constructed from the results of many queries and plugins, caching the complete object may result in significant page load time improvements
    • Minify Cache – By removing comments and whitespace from .css and .js files and gzipping them, less bandwidth is required to download the file
    • JS and CSS Combining – By combining many files into only 1 or 2 files, the total number of requests to the server is reduced, which can markedly improve performance
    • CDN Offloading – W3TC can automatically change the URLs of content such as .css and .js files in addition to media such as images and thumbnails. By loading this content from a CDN instead of the main site, users get faster responses and the site gets reduced load. W3TC can also use multiple subdomains for the loading, allowing it to take advantage of browsers’ parallel downloading features
    • All of these caches offer a number of options, allowing you to choose between caching to disk, advanced caching to disk, Opcode caches such as APC or dedicated caches such as memcache
    • All of these features make W3TC very popular and well respected
    • However, W3TC defaults to disk based caching because it does not require any additional configuration or server side features (such as APC or the IP address of a memcache server)
    • The problem stems from the fact that W3TC keeps its database and object caches in a web accessible directory (alongside the page and minification caches, which need to be web accessible)
    • This means that if your web server is configured to allow directory listing, any visitor can browse to /wp-content/w3tc/dbcache and see a list of all of the items in your database cache, and by downloading and analyzing these files, they may be able to recover sensitive information, such as the hashed passwords of users or administrators
    • If an attacker were to get the password hash for an administrative account and brute-force that hash, they could then take over that WordPress installation
    • Disabling directory indexing does not entirely solve the problem, as the filenames of the cache objects are the md5 hash of the string: w3tc${host}${site_id}_sql_${query}
    • You should configure your web server to deny access to the /wp-content/w3tc/dbcache , /wp-content/w3tc/objectcache and /wp-content/w3tc/log directories (using .htaccess will work for apache)
    • If you use an Opcode cache, or Memcache, your site is not affected by this configuration error
    • Make sure your memcache instances are secured, as if they are publicly addressable, any information cached in them may be accessible
    • The creators of W3TC are working on an update to address the issue
    • Allan’s slides on improving your Blog with ScaleEngine

    Inventor of SSH warns that improper key management makes SSH less secure than it should be

    • This news story has created a significant amount of FUD due to the general media’s lack of understanding of what SSH is and what it does
    • SSH is not vulnerable or compromised
    • The story started with an interview of Tatu Ylonen, the inventor of SSH
    • “In the worst-case scenario, most of the data on the servers of every company in the developed world gets wiped out.”
    • The problem is actually caused by users, and bad management practises
    • Users often generate many SSH keys, and store them unencrypted in predictable locations (~/.ssh/id_rsa) where they may be stolen if someone compromises their account or the server they are stored on
    • Many logins, especially those that are shared, will contain large authorized_keys files, allowing many keys to access that account, often these lists are not pruned because keys are hard to identify
    • While auditing a large financial institution, auditors found more than 1 million unaccounted-for keys — 10 percent of which granted root access, or control of the server at the most basic level
    • Federal rules for classified computer networks cover the “issuance and assignment and storage of keys” but do not dictate what should be done with used keys. Auditing guidelines require that administrators be able to enumerate exactly who has access to specific systems, but often times SSH access is not properly accounted for, as each line in the authorized_keys file is not easily linked to a specific person, and the control of those keys is not guaranteed
    • A stolen SSH key is what led to the compromise of the FreeBSD Packaging Building Cluster last month
    • It is recommended that companies refresh keys on a regular basis and remove old keys to prevent them being used to access sensitive servers, although most companies do not have such a policy
    • Tools such as puppet can help with the management of authorized_keys files across a large number of servers, but it is up to the user to ensure the security of their private key
    • One solution to this problem may be a new feature of OpenSSH that allows it to be configured to check the results of a command, before optionally checking the authorized_keys file
    • This feature can be used to check for keys in directory services such as LDAP or Active Directory, simplifying the administration of multiple servers and SSO by storing canonical keys in a central location
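
The accounting problem described above (authorized_keys lines that cannot be tied to a person, and keys that grant root) can be audited mechanically. The following is an added example, not part of the original show notes: it parses authorized_keys content, fingerprints every key, and compares the result against a registry of approved keys. The registry, account names and keys are constructed demo data and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# Common key types; extend as needed for your environment.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def fingerprint(b64):
    """OpenSSH-style SHA256 fingerprint of a base64 key; ValueError if not base64."""
    digest = hashlib.sha256(base64.b64decode(b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_first_field(text):
    """Split off the first field; whitespace inside a quoted option value does not end it."""
    in_quote, i = False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and in_quote:   # escaped character inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return text[:i], text[i:].strip()
        i += 1
    return text, ""

def parse_entry(line):
    """Parse one authorized_keys line; None for blanks, comments and junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    first, rest = split_first_field(line)
    if first not in KEY_TYPES:        # line begins with an options field
        options = first
        first, rest = split_first_field(rest)
    fields = rest.split(None, 1)
    if first not in KEY_TYPES or not fields:
        return None
    try:
        fp = fingerprint(fields[0])
    except ValueError:
        return None
    return {"fp": fp, "options": options,
            "comment": fields[1] if len(fields) > 1 else ""}

def audit(accounts, registry):
    """accounts: account -> authorized_keys text; registry: fingerprint -> owner.
    Returns one finding per (account, key) that has at least one issue."""
    entries, accounts_by_fp = [], {}
    for account, text in accounts.items():
        for line in text.splitlines():
            entry = parse_entry(line)
            if entry:
                entry["account"] = account
                entries.append(entry)
                accounts_by_fp.setdefault(entry["fp"], set()).add(account)
    findings = []
    for e in entries:
        issues = []
        owner = registry.get(e["fp"])
        if owner is None:
            issues.append("unaccounted-for key")
        if not e["comment"]:
            issues.append("no comment")
        if e["account"] == "root" and not e["options"]:
            issues.append("unrestricted root access")
        if len(accounts_by_fp[e["fp"]]) > 1:
            shared = ", ".join(sorted(accounts_by_fp[e["fp"]]))
            issues.append("shared across accounts: " + shared)
        if issues:
            findings.append({"account": e["account"], "fp": e["fp"],
                             "owner": owner, "issues": issues})
    return findings

def constructed_key(seed):
    """ed25519-shaped base64 blob built from a seed byte (demo data, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(blob).decode()

# Constructed sample data: two accounts and a registry of approved keys.
K_ALICE, K_UNKNOWN, K_BOB = constructed_key(1), constructed_key(2), constructed_key(3)
SAMPLE_ACCOUNTS = {
    "root": "ssh-ed25519 " + K_ALICE + " alice@laptop\nssh-ed25519 " + K_UNKNOWN + "\n",
    "deploy": 'command="/usr/local/bin/deploy --prod",no-pty ssh-ed25519 ' + K_UNKNOWN
              + " ci\n# older keys\nssh-ed25519 " + K_BOB + " bob@desktop\n",
}
REGISTRY = {fingerprint(K_ALICE): "alice", fingerprint(K_BOB): "bob"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNTS, REGISTRY):
        print(finding["account"], finding["fp"], "; ".join(finding["issues"]))
```
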

    Battery Malware | TechSNAP 16 https://original.jupiterbroadcasting.net/10763/battery-malware-techsnap-16/ Thu, 28 Jul 2011 22:52:47 +0000 https://original.jupiterbroadcasting.net/?p=10763 Attackers take aim at Apple with an exploit that could brick your Macbook, or perhaps worse. Plus you need to patch against a 9 year old SSL flaw.

    Plus find out about a Google bug that could wipe a site from their Index, and an excellent batch of your feedback!

    All that and more, on this week’s TechSNAP!

    iPhones vulnerable to 9 year old SSL sniffing attack

    • A nine year old bug discovered and disclosed by Moxie Marlinspike in 2002 allows attackers to decrypt intercepted SSL sessions. Moxie Marlinspike released a newer, easier to use version of the tool on Monday, to coincide with Apple finally patching the flaw on iPhone and other iOS devices.
    • Any unpatched iOS device can have all of its SSL traffic trivially intercepted and decrypted
    • This means anyone with this new easy to use tool sitting near a wifi hotspot can intercept encrypted login information (Gmail, Facebook), banking credentials, e-commerce transactions, or anything else people do from their phone.
    • The bug was in the way iOS interpreted the certificate chain. Apple failed to respect the ‘basicConstraints’ parameter, allowing an attacker to sign a certificate for any domain with an existing valid certificate, a condition normally prevented by the constraint.
    • There are no known flaws in SSL itself. In this case, the attacker could perform a man-in-the-middle attack by feeding the improperly signed certificate to the iPhone, which would have accepted it and used the attacker’s key to encrypt the data.
    • Patch is out with a support doc and direct download links

    Apple Notebook batteries vulnerable to firmware hack

    • After analyzing a battery firmware update that Apple pushed in 2009, researchers found that all patched batteries, and all batteries manufactured since, use the same password
    • With this password, it is possible to control the firmware on the battery
    • This means that an attacker can remotely brick your Macbook, or cause the battery to overheat and possibly even explode
    • The attacker can also falsify the data returned to the OS from the battery, causing odd system behaviour
    • The attacker could also completely replace the Apple firmware, with one designed to silently infect the machine with malware. Even if the malware is removed, the battery would be able to reinfect the machine, even after a complete OS wipe and reinstall.
    • Further research will be presented at this year’s Black Hat Security Conference
    • In the meantime, researchers have notified Apple of the vulnerability, and have created a utility that generates a completely random password for your Mac’s battery.
      Additional Link

    Facebook fixes glitch that let you see private video information

    • A glitch in Facebook allowed you to see the thumbnail preview and description of private videos posted by other users, even when they were not shared with you.
    • It was not possible to view the actual videos

    Google was quick to shutdown Webmaster Tools after vulnerability found

    • Using the Google Webmaster Tools, users were able to remove websites that did not belong to them from the Google Index
    • By simply modifying the query string of a valid request to remove your own site from the Google index, and changing one of the two references to the target URL, you were able to remove an arbitrary site from the Google index
    • The issue was resolved within 7 hours of being reported to Google
    • Google restored sites that were improperly removed from its index.

    Researchers find vulnerability in Skype

    • Improper input validation and output sanitation allowed attackers to inject code into their Skype profile
    • By entering HTML and JavaScript into the ‘mobile phone’ section of your profile, anyone who had you on their friends list would execute the injected code.
    • This vulnerability could have allowed attackers to hijack your session, steal your account, capture your payment data, and change your password

    Feedback


    Q: (Sargoreth) I downloaded eclipse, and I didn’t bother to verify the md5 hash they publish on the download page, how big a security risk is this?
    A: Downloadable software often has an MD5 hash published along with the downloadable file, as a measure to allow you to ensure that the file you downloaded is valid. Checking the downloaded file against this hash can ensure that the file was not corrupted during transfer. However it is not a strong enough indicator that the file has not been tampered with. If the file was modified, the MD5 hash could just as easily have been updated along with it. In order to be sure that the file has not been tampered with, you need a hash that is provided out of band, from a trusted source (The FreeBSD Ports tree comes with the SHA256 hashes of all files, which are then verified once they are downloaded). SHA256 is much more secure, as MD5 has been defeated a number of times, with attackers able to craft two files with matching hashes. SHA-1 is no longer considered secure enough for cryptographic purposes. It should also be noted that SHA-512 is actually faster to calculate than SHA256 on 64bit hardware, however it is not as widely supported yet. The ultimate solution for ensuring the integrity of downloadable files is a GPG signature, verified against a trusted public key. Many package managers (such as yum) take this approach, and some websites offer a .asc file for verification. A number of projects have stopped publishing the GPG signatures because the proportion of users who checked the signature was too low to justify the additional effort. Some open source projects have had backdoors injected into their downloadable archives on official mirrors, such as the UnrealIRCd project.


    Q: (Christoper) I have a Windows 7 laptop, and an Ubuntu desktop, what would be a cheap and easy way to share files between them?
    A: The easiest and most secure way is to enable SSH on the Ubuntu machine, and then use an SFTP client like FileZilla (for Windows, Mac and Linux), and then just log in to your Ubuntu machine using your Ubuntu username/password. Alternatively, if you have shared a folder on your Windows machine, you should be able to browse to it from the Nautilus file browser in Ubuntu. Optionally, you can also install Samba, to allow your Ubuntu machine to share files with Windows; it will appear as if it were another Windows machine in your Windows ‘network neighbourhood’.


    Q: (Chad) I have a network of CentOS servers, and a central NFS/NIS server, however we are considering adding a FreeNAS box to provide ZFS. I need to be able to provide consistent centralized permissions control on this new file system. I don’t want to have to manually recreate the users on the FreeNAS box. Should I switch to LDAP?
    A: FreeNAS is based on FreeBSD, so it has a native NIS client you can use (ypbind) to connect to your existing NIS system. This would allow the same users/groups to exist across your heterogeneous network. You may need to modify the /etc/nsswitch.conf file to configure the order local files and NIS are checked in, and set your NIS domain in /etc/rc.conf. Optionally, you could use LDAP, again, adding some additional parameters to nsswitch.conf and configuring LDAP. If you decide to use LDAP, I would recommend switching your CentOS machines to using LDAP as well, allowing you to again maintain a single system for both Linux and BSD, instead of maintaining separate account databases. If you are worried about performance, you might consider setting the BSD machine up as an NIS slave, so that it maintains a local copy of the NIS database. The FreeBSD NIS server is called ypserv. You can find out more about configuring NIS on FreeBSD here

