LibreSSL – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand.

It’s Alive: OpenBSD 6.5 | BSD Now 296
https://original.jupiterbroadcasting.net/131036/its-alive-openbsd-6-5-bsd-now-296/
Fri, 03 May 2019 17:04:39 +0000

Show Notes/Links: https://www.bsdnow.tv/296

The post It’s Alive: OpenBSD 6.5 | BSD Now 296 first appeared on Jupiter Broadcasting.

Nmap Level Up | BSD Now 277
https://original.jupiterbroadcasting.net/128526/nmap-level-up-bsd-now-277/
Thu, 20 Dec 2018 07:28:07 +0000

## Headlines
### Open Source Confronts its midlife crisis

Midlife is tough: the idealism of youth has faded, as has inevitably some of its fitness and vigor. At the same time, the responsibilities of adulthood have grown. Making things more challenging, while you are navigating the turbulence of teenagers, your own parents are likely entering life’s twilight, needing help in new ways from their adult children. By midlife, in addition to the singular joys of life, you have also likely experienced its terrible sorrows: death, heartbreak, betrayal. Taken together, the fading of youth, the growth in responsibility and the endurance of misfortune can lead to cynicism or (worse) drastic and poorly thought-out choices. Add in a little fear of mortality and some existential dread, and you have the stuff of which midlife crises are made…
I raise this not because of my own adventures at midlife, but because it is clear to me that open source — now several decades old and fully adult — is going through its own midlife crisis. This has long been in the making: for years, I (and others) have been critical of service providers’ parasitic relationship with open source, as cloud service providers turn open source software into a service offering without giving back to the communities upon which they implicitly depend. At the same time, open source has been (rightfully) entirely unsympathetic to the proprietary software models that have been burned to the ground — but also seemingly oblivious as to the larger economic waves that have buoyed them.
So it seemed like only a matter of time before the companies built around open source software would have to confront their own crisis of confidence: open source business models are really tough, selling software-as-a-service is one of the most natural of them, the cloud service providers are really good at it — and their commercial appetites seem boundless. And, like a new cherry red two-seater sports car next to a minivan in a suburban driveway, some open source companies are dealing with this crisis exceptionally poorly: they are trying to restrict the way that their open source software can be used. These companies want it both ways: they want the advantages of open source — the community, the positivity, the energy, the adoption, the downloads — but they also want to enjoy the fruits of proprietary software companies in software lock-in and its monopolistic rents. If this were entirely transparent (that is, if some bits were merely being made explicitly proprietary), it would be fine: we could accept these companies as essentially proprietary software companies, albeit with an open source loss-leader. But instead, these companies are trying to license their way into this self-contradictory world: continuing to claim to be entirely open source, but perverting the license under which portions of that source are available. Most gallingly, they are doing this by hijacking open source nomenclature. Of these, the laughably named commons clause is the worst offender (it is plainly designed to be confused with the purely virtuous creative commons), but others (including CockroachDB’s Community License, MongoDB’s Server Side Public License, and Confluent’s Community License) are little better. And in particular, as it apparently needs to be said: no, “community” is not the opposite of “open source” — please stop sullying its good name by attaching it to licenses that are deliberately not open source! But even if they were more aptly named (e.g. “the restricted clause” or “the controlled use license” or — perhaps most honest of all — “the please-don’t-put-me-out-of-business-during-the-next-reInvent-keynote clause”), these licenses suffer from a serious problem: they are almost certainly asserting rights that the copyright holder doesn’t in fact have.
If I sell you a book that I wrote, I can restrict your right to read it aloud for an audience, or sell a translation, or write a sequel; these restrictions are rights afforded the copyright holder. I cannot, however, tell you that you can’t put the book on the same bookshelf as that of my rival, or that you can’t read the book while flying a particular airline I dislike, or that you aren’t allowed to read the book and also work for a company that competes with mine. (Lest you think that last example absurd, that’s almost verbatim the language in the new Confluent Community (sic) License.) I personally think that none of these licenses would withstand a court challenge, but I also don’t think it will come to that: because the vendors behind these licenses will surely fear that they wouldn’t survive litigation, they will deliberately avoid inviting such challenges. In some ways, this netherworld is even worse, as the license becomes a vessel for unverifiable fear of arbitrary liability.
Let me put this to you as directly as possible: cloud services providers are emphatically not going to license your proprietary software. I mean, you knew that, right? The whole premise with your proprietary license is that you are finding that there is no way to compete with the operational dominance of the cloud services providers; did you really believe that those same dominant cloud services providers can’t simply reimplement your LDAP integration or whatever? The cloud services providers are currently reproprietarizing all of computing — they are making their own CPUs for crying out loud! — reimplementing the bits of your software that they need in the name of the service that their customers want (and will pay for!) won’t even move the needle in terms of their effort.
Worse than all of this (and the reason why this madness needs to stop): licenses that are vague with respect to permitted use are corporate toxin. Any company that has been through an acquisition can speak of the peril of the due diligence license audit: the acquiring entity is almost always deep pocketed and (not unrelatedly) risk averse; the last thing that any company wants is for a deal to go sideways because of concern over unbounded liability to some third-party knuckle-head. So companies that engage in license tomfoolery are doing worse than merely not solving their own problem: they are potentially poisoning the wellspring of their own community.
In the end, open source will survive its midlife questioning just as people in midlife get through theirs: by returning to its core values and by finding rejuvenation in its communities. Indeed, we can all find solace in the fact that while life is finite, our values and our communities survive us — and that our engagement with them is our most important legacy.

  • See the article for the rest

### Donald Knuth – The Yoda of Silicon Valley

For half a century, the Stanford computer scientist Donald Knuth, who bears a slight resemblance to Yoda — albeit standing 6-foot-4 and wearing glasses — has reigned as the spirit-guide of the algorithmic realm.
He is the author of “The Art of Computer Programming,” a continuing four-volume opus that is his life’s work. The first volume debuted in 1968, and the collected volumes (sold as a boxed set for about $250) were included by American Scientist in 2013 on its list of books that shaped the last century of science — alongside a special edition of “The Autobiography of Charles Darwin,” Tom Wolfe’s “The Right Stuff,” Rachel Carson’s “Silent Spring” and monographs by Albert Einstein, John von Neumann and Richard Feynman.
With more than one million copies in print, “The Art of Computer Programming” is the Bible of its field. “Like an actual bible, it is long and comprehensive; no other book is as comprehensive,” said Peter Norvig, a director of research at Google. After 652 pages, volume one closes with a blurb on the back cover from Bill Gates: “You should definitely send me a résumé if you can read the whole thing.”
The volume opens with an excerpt from “McCall’s Cookbook”:

Here is your book, the one your thousands of letters have asked us to publish. It has taken us years to do, checking and rechecking countless recipes to bring you only the best, only the interesting, only the perfect.

Inside are algorithms, the recipes that feed the digital age — although, as Dr. Knuth likes to point out, algorithms can also be found on Babylonian tablets from 3,800 years ago. He is an esteemed algorithmist; his name is attached to some of the field’s most important specimens, such as the Knuth-Morris-Pratt string-searching algorithm. Devised in 1970, it finds all occurrences of a given word or pattern of letters in a text — for instance, when you hit Command+F to search for a keyword in a document.
Now 80, Dr. Knuth usually dresses like the youthful geek he was when he embarked on this odyssey: long-sleeved T-shirt under a short-sleeved T-shirt, with jeans, at least at this time of year. In those early days, he worked close to the machine, writing “in the raw,” tinkering with the zeros and ones.

  • See the article for the rest

## News Roundup
### Let’s Encrypt: Certbot For OpenBSD’s httpd

  • Intro

Let’s Encrypt is “a free, automated, and open Certificate Authority”.
Certbot is “an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server”, well known as “the official Let’s Encrypt client”.
I remember well how excited I felt when I read Let’s Encrypt’s “Our First Certificate Is Now Live” in 2015.
How wonderful their goal is: to “give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free” and “to create a more secure and privacy-respecting Web”!
This year they have even begun to support ACME v2 and wildcard certificates!
Well, on OpenBSD as on other operating systems, it’s easy and comfortable to have their big help 😊

  • Environment
    • OS: OpenBSD 6.4 amd64
    • Web Server: OpenBSD’s httpd
    • Certification: Let’s Encrypt with Certbot 0.27
    • Reference: OpenBSD’s httpd

### FreeBSD 12 released: Here is how to upgrade FreeBSD 11 to 12

The FreeBSD project announces the availability of FreeBSD 12.0-RELEASE. It is the first release of the stable/12 branch. The new version comes with updated software and features for a wide variety of architectures. The latest release provides performance improvements, better support for FreeBSD jails and more. One can benefit greatly by using an upgraded version of FreeBSD.

FreeBSD 12.0 supports the amd64, i386, powerpc, powerpc64, powerpcspe, sparc64, armv6, armv7, and aarch64 architectures. One can run it on a standalone server or desktop system. Another option is to run it on a Raspberry Pi computer. FreeBSD 12 also runs on popular cloud service providers such as AWS EC2/Lightsail or Google Compute VM.

  • New features and highlights:
    • OpenSSL version 1.1.1a (LTS)
    • OpenSSH server 7.8p1
    • Unbound server 1.8.1
    • Clang and co 6.0.1
    • The FreeBSD installer supports EFI+GELI as an installation option
    • The VIMAGE FreeBSD kernel configuration option has been enabled by default. VIMAGE was the main reason I custom compiled FreeBSD for the last few years. No more custom compile for me.
    • Graphics drivers for modern ATI/AMD and Intel graphics cards are now available in the FreeBSD ports collection
    • ZFS has been updated to include new sysctl(s), vfs.zfs.arc_min_prefetch_ms and vfs.zfs.arc_min_prescient_prefetch_ms, which improve performance of the zpool scrub subcommand
    • The pf packet filter is now usable within a jail using vnet
    • KDE updated to version 5.12.5
    • NFS version 4.1 now includes pNFS server support
    • Perl 5.26.2
    • The default PAGER now defaults to less for most commands
    • The dd utility has been updated to add the status=progress option, matching the GNU/Linux dd command, to show a progress bar while dd is running
    • FreeBSD now supports ext4 for read/write operation
    • Python 2.7
    • and much more

### Six Ways to Level Up Your nmap Game

nmap is a network exploration tool and security/port scanner.
If you’ve heard of it, and you’re like me, you’ve most likely used it like this:
i.e., you’ve pointed it at an IP address and observed the output, which tells you the open ports on a host.
I used nmap like this for years, but only recently grokked the manual to see what else it could do. Here’s a quick look at some of the more useful things I found out.

    1. Scan a Network
    2. Scan All Ports
    3. Get service versions
    4. Use -A for more data
    5. Find out what nmap is up to
    6. Script your own scans with NSE

### NetBSD Desktop


## Beastie Bits


## Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Nmap Level Up | BSD Now 277 first appeared on Jupiter Broadcasting.


Virginia BSD Assembly | BSD Now 105
https://original.jupiterbroadcasting.net/87226/virginia-bsd-assembly-bsd-now-105/
Thu, 03 Sep 2015 05:42:04 +0000

It’s already our two-year anniversary! This time on the show, we’ll be chatting with Scott Courtney, vice president of infrastructure engineering at Verisign, about this year’s vBSDCon. What does it have to offer that’s different in the BSD conference space? We’ll find out!

Thanks to: DigitalOcean, iXsystems, Tarsnap

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD hypervisor coming soon

  • Our buddy Mike Larkin never rests, and he posted some very tight-lipped console output on Twitter recently
  • From what little he revealed at the time, it appeared to be a new hypervisor (that is, x86 hardware virtualization) running on OpenBSD -current, tentatively titled “vmm”
  • Later on, he provided a much longer explanation on the mailing list, detailing a bit about what the overall plan for the code is
  • Originally started around the time of the Australia hackathon, the work has since picked up more steam, and has gotten a funding boost from the OpenBSD foundation
  • One thing to note: this isn’t just a port of something like Xen or Bhyve; it’s all-new code, and Mike explains why he chose to go that route
  • He also answered some basic questions about the requirements, when it’ll be available, what OSes it can run, what’s left to do, how to get involved and so on

Why FreeBSD should not adopt launchd

  • Last week we mentioned a talk Jordan Hubbard gave about integrating various parts of Mac OS X into FreeBSD
  • One of the changes, perhaps the most controversial item on the list, was the adoption of launchd to replace the init system (replacing init systems seems to cause backlash, we’ve learned)
  • In this article, the author talks about why he thinks this is a bad idea
  • He doesn’t oppose the integration into FreeBSD-derived projects, like FreeNAS and PC-BSD, only vanilla FreeBSD itself – this is also explained in more detail
  • The post includes both high-level descriptions and low-level technical details, and provides an interesting outlook on the situation and possibilities
  • Reddit had quite a bit to say about this one, some in agreement and some not

DragonFly graphics improvements

  • The DragonFlyBSD guys are at it again, merging newer support and fixes into their i915 (Intel) graphics stack
  • This latest update brings them in sync with Linux 3.17, and includes Haswell fixes, DisplayPort fixes, improvements for Broadwell and even Cherryview GPUs
  • You should also see some power management improvements, longer battery life and various other bug fixes
  • If you’re running DragonFly, especially on a laptop, you’ll want to get this stuff on your machine quick – big improvements all around

OpenBSD tames the userland

  • Last week we mentioned OpenBSD’s tame framework getting support for file whitelists, and said that the userland integration was next – well, now here we are
  • Theo posted a mega diff of nearly 100 smaller diffs, adding tame support to many areas of the userland tools
  • It’s still a work-in-progress version; there’s still more to be added (including the file path whitelist stuff)
  • Some classic utilities are even being reworked to make taming them easier – the “w” command, for example
  • The diff provides some good insight on exactly how to restrict different types of utilities, as well as how easy it is to actually do so (and en masse)
  • More discussion can be found on HN, as one might expect
  • If you’re a software developer, and especially if your software is in ports already, consider adding some more fine-grained tame support in your next release

Interview – Scott Courtney – vbsdcon@verisign.com / @verisign

vBSDCon 2015


News Roundup

OPNsense, beyond the fork

  • We first heard about OPNsense back in January, and they’ve since released nearly 40 versions, spanning over 5,000 commits
  • This is their first big status update, covering some of the things that’ve happened since the project was born
  • There’s been a lot of community growth and participation, mass bug fixing, new features added, experimental builds with ASLR and much more – the report touches on a little of everything

LibreSSL nukes SSLv3

  • With their latest release, LibreSSL began to turn off SSLv3 support, starting with the “openssl” command
  • At the time, SSLv3 wasn’t disabled entirely because of some things in the OpenBSD ports tree requiring it (apache being one odd example)
  • They’ve now flipped the switch, and the process of complete removal has started
  • From the Undeadly summary, “This is an important step for the security of the LibreSSL library and, by extension, the ports tree. It does, however, require lots of testing of the resulting packages, as some of the fallout may be at runtime (so not detected during the build). That is part of why this is committed at this point during the release cycle: it gives the community more time to test packages and report issues so that these can be fixed. When these fixes are then pushed upstream, the entire software ecosystem will benefit. In short: you know what to do!”
  • With this change and a few more to follow shortly, LibreSSL won’t actually support SSL anymore – time to rename it “LibreTLS”

FreeBSD MPTCP updated

  • For anyone unaware, Multipath TCP is “an ongoing effort of the Internet Engineering Task Force’s (IETF) Multipath TCP working group, that aims at allowing a Transmission Control Protocol (TCP) connection to use multiple paths to maximize resource usage and increase redundancy.”
  • There’s been work out of an Australian university to add support for it to the FreeBSD kernel, and the patchset was recently updated
  • Included in this latest version is an overview of the protocol, how to get it compiled in, current features and limitations, and some info about the routing requirements
  • Some big performance gains can be had with MPTCP, but only if both the client and server systems support it – getting it into the FreeBSD kernel would be a good start

UEFI and GPT in OpenBSD

  • There hasn’t been much fanfare about it yet, but some initial UEFI and GPT-related commits have been creeping into OpenBSD recently
  • Some support for UEFI booting has landed in the kernel, and more bits are being slowly enabled after review
  • This comes along with a number of other commits related to GPT, much of which is being refactored and slowly reintroduced
  • Currently, you have to do some disklabel wizardry to bypass the MBR limit and access more than 2TB of space on a single drive, but it should “just work” with GPT (once everything’s in)
  • The UEFI bootloader support has been committed, so stay tuned for more updates as further progress is made

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now anniversary shirts are no longer available, and should be shipping out very soon (if they haven’t already) – big thanks to everyone who bought one (183 sold!)
  • This week is the last episode written/organized by TJ

The post Virginia BSD Assembly | BSD Now 105 first appeared on Jupiter Broadcasting.


May Contain ZFS | BSD Now 102
https://original.jupiterbroadcasting.net/86482/may-contain-zfs-bsd-now-102/
Thu, 13 Aug 2015 10:05:32 +0000

This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

Thanks to: DigitalOcean, iXsystems, Tarsnap

Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds: MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
  • It’s a small board with a MIPS CPU, two Ethernet ports, wireless support and… 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPsec VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, the 1024-bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
  • The syntax for permitting root logins has been changed, and is now called “prohibit-password” instead of “without-password” (this makes it so root can log in, but only with keys) – all interactive authentication methods for root are also disabled by default now
  • If you’re using an older configuration file, the “without-password” option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage


News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn’t actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
  • SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now tshirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
  • Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.


Ripping me a new Protocol | TechSNAP 221
https://original.jupiterbroadcasting.net/84667/ripping-me-a-new-protocol-techsnap-221/
Thu, 02 Jul 2015 19:05:26 +0000

Amazon has a new TLS implementation & the details look great, we’ll share them with you. The technology that powers the NSA’s XKEYSCORE you could have deployed yourself.

Some fantastic questions, a big round up & much, much more!

Thanks to: DigitalOcean, Ting, iXsystems

Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds: HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

— Show Notes: —

Amazon releases s2n, a new TLS implementation

  • s2n (signal2noise) is a brand new implementation of the TLS protocol in only ~6000 lines of code
  • It has been fully audited, and will be re-audited once per year, paid for by Amazon
  • It does not replace OpenSSL, as it only implements the TLS protocol (libssl) not the crypto primitives and algorithms (libcrypto). s2n can be built against any of the various libcrypto implementations, including: OpenSSL, LibreSSL, BoringSSL, and the Apple Common Crypto framework
  • The API appears to be very easy to use, and prevents many common errors
  • The client side of the library is not ready for use yet
  • Features:
    • “s2n encrypts or erases plaintext data as quickly as possible. For example, decrypted data buffers are erased as they are read by the application.”
    • “s2n uses operating system features to protect data from being swapped to disk or appearing in core dumps.”
    • “s2n avoids implementing rarely used options and extensions, as well as features with a history of triggering protocol-level vulnerabilities. For example there is no support for session renegotiation or DTLS.”
    • “s2n is written in C, but makes light use of standard C library functions and wraps all memory handling, string handling, and serialization in systematic boundary-enforcing checks.”
    • “The security of TLS and its associated encryption algorithms depends upon secure random number generation. s2n provides every thread with two separate random number generators. One for “public” randomly generated data that may appear in the clear, and one for “private” data that should remain secret. This approach lessens the risk of potential predictability weaknesses in random number generation algorithms from leaking information across contexts. “
  • One of the main features is that, instead of having to specify which set of crypto algorithms you want to prefer and in what order (as we have discussed doing before for OpenSSL in Apache, nginx, etc.), you can either use ‘default’, which will change with the times, or a specific snapshot date that corresponds to what was best practice at that time
  • Github Page
  • Additional Coverage – ThreatPost
  • It will be interesting to see how this compares with the new TLS API offered by LibreSSL, and which direction various applications choose to go.
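As an added illustration of the erase-on-read and no-swap/no-core-dump behaviour described in the feature list above (this is example code written for these notes, not s2n's own implementation), the following C program keeps decrypted bytes in a page-locked mapping, marks that mapping as excluded from core dumps where the platform supports it, and wipes each byte at the moment it is handed to the application. The struct and function names, and the 26-byte sample plaintext, are constructed for the example.

```c
/* Erase-on-read plaintext buffer: an added example modelled on the s2n
 * behaviour quoted above, not s2n's code. Builds on Linux and the BSDs. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

struct secret_buf {
    unsigned char *data;   /* page-aligned mapping holding the plaintext */
    size_t cap;            /* mapped size (a multiple of the page size) */
    size_t len;            /* bytes of plaintext currently held */
    size_t pos;            /* bytes already handed out and erased */
    int locked;            /* 1 if mlock() succeeded (pages cannot be swapped) */
    int nodump;            /* 1 if the mapping is excluded from core dumps */
};

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as dead writes (the reason explicit_bzero exists). */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

struct secret_buf *secret_buf_new(size_t len)
{
    struct secret_buf *b = calloc(1, sizeof *b);
    long pg = sysconf(_SC_PAGESIZE);
    if (b == NULL || pg <= 0 || len == 0) {
        free(b);
        return NULL;
    }
    size_t cap = ((len + (size_t)pg - 1) / (size_t)pg) * (size_t)pg;
    void *p = mmap(NULL, cap, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) {
        free(b);
        return NULL;
    }
    /* Keep the pages out of swap. This can fail under RLIMIT_MEMLOCK, so the
     * outcome is recorded rather than treated as fatal in this example. */
    b->locked = (mlock(p, cap) == 0);
#if defined(MADV_DONTDUMP)
    b->nodump = (madvise(p, cap, MADV_DONTDUMP) == 0);   /* Linux */
#elif defined(MADV_NOCORE)
    b->nodump = (madvise(p, cap, MADV_NOCORE) == 0);     /* FreeBSD */
#endif
    b->data = p;
    b->cap = cap;
    return b;
}

/* Load freshly decrypted bytes (in a real stack: the record-layer output). */
size_t secret_buf_load(struct secret_buf *b, const unsigned char *src, size_t n)
{
    if (n > b->cap)
        n = b->cap;
    memcpy(b->data, src, n);
    b->len = n;
    b->pos = 0;
    return n;
}

/* Hand up to n bytes to the application and erase them at the source right
 * away, so plaintext lives inside the library only until it is read. */
size_t secret_buf_read(struct secret_buf *b, unsigned char *out, size_t n)
{
    size_t avail = b->len - b->pos;
    if (n > avail)
        n = avail;
    memcpy(out, b->data + b->pos, n);
    secure_wipe(b->data + b->pos, n);
    b->pos += n;
    return n;
}

/* Bytes of the held plaintext that are still non-zero; used to verify erasure. */
size_t secret_buf_nonzero(const struct secret_buf *b)
{
    size_t k = 0;
    for (size_t i = 0; i < b->len; i++)
        k += (b->data[i] != 0);
    return k;
}

void secret_buf_free(struct secret_buf *b)
{
    if (b == NULL)
        return;
    secure_wipe(b->data, b->cap);   /* erase before returning the pages */
    munlock(b->data, b->cap);
    munmap(b->data, b->cap);
    free(b);
}

/* Constructed walk-through: hold 26 bytes of "plaintext", read 10, and count
 * how many bytes survive in the buffer (only the unread 16 should). */
size_t demo_erase_on_read(void)
{
    const char *plain = "abcdefghijklmnopqrstuvwxyz";   /* constructed sample */
    unsigned char out[10];
    struct secret_buf *b = secret_buf_new(26);
    if (b == NULL)
        return (size_t)-1;
    secret_buf_load(b, (const unsigned char *)plain, 26);
    secret_buf_read(b, out, sizeof out);
    size_t left = secret_buf_nonzero(b);
    secret_buf_free(b);
    return left;
}

int main(void)
{
    struct secret_buf *b = secret_buf_new(64);
    if (b == NULL)
        return 1;
    printf("mlock: %s, excluded from core dumps: %s\n",
           b->locked ? "yes" : "no", b->nodump ? "yes" : "no");
    secret_buf_free(b);
    printf("non-zero bytes left after reading 10 of 26: %zu\n",
           demo_erase_on_read());
    return 0;
}
```

Under a tight RLIMIT_MEMLOCK the mlock() call can fail; the example records that outcome instead of aborting so the erase-on-read logic can still be exercised, whereas a real TLS library has to decide deliberately whether running without the lock is acceptable.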

How the NSA’s XKEYSCORE works

  • “The NSA’s XKEYSCORE program, first revealed by The Guardian, sweeps up countless people’s Internet searches, emails, documents, usernames and passwords, and other private communications. XKEYSCORE is fed a constant flow of Internet traffic from fiber optic cables that make up the backbone of the world’s communication network, among other sources, for processing. As of 2008, the surveillance system boasted approximately 150 field sites in the United States, Mexico, Brazil, United Kingdom, Spain, Russia, Nigeria, Somalia, Pakistan, Japan, Australia, as well as many other countries, consisting of over 700 servers.”
  • “XKEYSCORE allows for incredibly broad surveillance of people based on perceived patterns of suspicious behavior. It is possible, for instance, to query the system to show the activities of people based on their location, nationality and websites visited. For instance, one slide displays the search “germansinpakistn,” showing an analyst querying XKEYSCORE for all individuals in Pakistan visiting specific German language message boards.”
  • “The sheer quantity of communications that XKEYSCORE processes, filters and queries is stunning. Around the world, when a person gets online to do anything — write an email, post to a social network, browse the web or play a video game — there’s a decent chance that the Internet traffic her device sends and receives is getting collected and processed by one of XKEYSCORE’s hundreds of servers scattered across the globe.”
  • “In order to make sense of such a massive and steady flow of information, analysts working for the National Security Agency, as well as partner spy agencies, have written thousands of snippets of code to detect different types of traffic and extract useful information from each type, according to documents dating up to 2013. For example, the system automatically detects if a given piece of traffic is an email. If it is, the system tags if it’s from Yahoo or Gmail, if it contains an airline itinerary, if it’s encrypted with PGP, or if the sender’s language is set to Arabic, along with myriad other details.”
  • You might expect some kind of highly specialized system to be required to do all of this, but that is not the case:
  • “XKEYSCORE is a piece of Linux software that is typically deployed on Red Hat servers. It uses the Apache web server and stores collected data in MySQL databases. File systems in a cluster are handled by the NFS distributed file system and the autofs service, and scheduled tasks are handled by the cron scheduling service. Systems administrators who maintain XKEYSCORE servers use SSH to connect to them, and they use tools such as rsync and vim, as well as a comprehensive command-line tool, to manage the software.”
  • The security of the system is also not as good as you might imagine:
  • “Analysts connect to XKEYSCORE over HTTPS using standard web browsers such as Firefox. Internet Explorer is not supported. Analysts can log into the system with either a user ID and password or by using public key authentication.”
  • “When systems administrators log into XKEYSCORE servers to configure them, they appear to use a shared account, under the name “oper.” Adams notes, “That means that changes made by an administrator cannot be logged.” If one administrator does something malicious on an XKEYSCORE server using the “oper” user, it’s possible that the digital trail of what was done wouldn’t lead back to the administrator, since multiple operators use the account.”
  • “There appears to be another way an ill-intentioned systems administrator may be able to cover their tracks. Analysts wishing to query XKEYSCORE sign in via a web browser, and their searches are logged. This creates an audit trail, on which the system relies to assure that users aren’t doing overly broad searches that would pull up U.S. citizens’ web traffic. Systems administrators, however, are able to run MySQL queries. The documents indicate that administrators have the ability to directly query the MySQL databases, where the collected data is stored, apparently bypassing the audit trail.”
  • The system is not well designed, and could likely have been done better with existing open source tools, or commercial software designed to classify web traffic
  • “When data is collected at an XKEYSCORE field site, it is processed locally and ultimately stored in MySQL databases at that site. XKEYSCORE supports a federated query system, which means that an analyst can conduct a single query from the central XKEYSCORE website, and it will communicate over the Internet to all of the field sites, running the query everywhere at once.”
  • Your traffic is analyzed and will probably match a number of classifiers. The most specific classifier is added as a tag to your traffic. Eventually (3-5 days), your actual traffic is deleted to make room for newer traffic, but the metadata (those tags) are kept for 30-45 days
  • “This is done by using dictionaries of rules called appIDs, fingerprints and microplugins that are written in a custom programming language called GENESIS. Each of these can be identified by a unique name that resembles a directory tree, such as “mail/webmail/gmail,” “chat/yahoo,” or “botnet/blackenergybot/command/flood.””
  • “One document detailing XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.”
  • “To tie it all together, when an Arabic speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/arabic” fingerprint (denoting language settings), as well as the “mail/yahoo/ymbm” fingerprint (which detects Yahoo browser cookies).”
  • “Sometimes the GENESIS programming language, which largely relies on Boolean logic, regular expressions and a set of simple functions, isn’t powerful enough to do the complex pattern-matching required to detect certain types of traffic. In these cases, as one slide puts it, “Power users can drop in to C++ to express themselves.” AppIDs or fingerprints that are written in C++ are called microplugins.”
  • All of this information is based on the Snowden leaks, and is from many years ago
  • “If XKEYSCORE development has continued at a similar pace over the last six years, it’s likely considerably more powerful today.”
  • Part 2 of Article

[SoHo Routers full of fail]

Home Routers that still support RIPv1 used in DDoS reflection attacks

  • RIPv1 is a routing protocol released in 1988 that was deprecated in 1996
  • It uses UDP and so an attacker can send a message to a home router with RIP enabled from a spoofed IP address, and that router will send the response to the victim, flooding their internet connection
  • ““Since a majority of these sources sent packets predominantly of the 504-byte size, it’s pretty clear as to why they were leveraged for attack purposes. As attackers discover more sourc­es, it is possible that this vector has the potential to create much larger attacks than what we’ve observed thus far,” the advisory cautions, pointing out that the unused devices could be put to work in larger and more distributed attacks.”
  • “Researchers at Akamai’s Prolexic Security Engineering and Research Team (PLXsert) today put out an advisory about an attack spotted May 16 that peaked at 12.9 Gbps. Akamai said that of the 53,693 devices that responded to RIPv1 queries in a scan it conducted, only 500 unique sources were identified in the DDoS attack. None of them use authentication, making them easy pickings.”
  • Akamai identified Netopia 2000 and 3000 series routers as the biggest culprits still running the vulnerable and ancient RIPv1 protocol. Close to 19,000 Netopia routers responded in scans conducted by Akamai, which also noted that more than 5,000 ZTE ZXV10 and TP-Link TD-8000 series routers collectively responded as well. Most of the Netopia routers, Akamai said, are issued by AT&T to customers in the U.S. BellSouth and MegaPath also distribute the routers, but to a much lesser extent.

Home Routers used to host Malware

  • Home routers were found to be hosting the Dyre malware
  • Symantec Research Paper of Dyre
  • Affected routers include MikroTik and Ubiquiti’s AirOS, which are higher-end routers geared towards power users and small businesses
  • “We have seen literally hundreds of wireless access points, and routers connected in relation to this botnet, usually AirOS,” said Bryan Campbell, lead threat intelligence analyst at Fujitsu. “The consistency in which the botnet is communicating with compromised routers in relation to both distribution and communication leads us to believe known vulnerabilities are being exploited in the firmware which allows this to occur.”
  • “Campbell said it’s not clear why so many routers appear to be implicated in the botnet. Perhaps the attackers are merely exploiting routers with default credentials (e.g., “ubnt” for both username and password on most Ubiquiti AirOS routers). Fujitsu also found a disturbing number of the systems in the botnet had the port for telnet connections wide open.”


Below the Clouds | BSD Now 88 https://original.jupiterbroadcasting.net/81662/below-the-clouds-bsd-now-88/ Thu, 07 May 2015 10:06:26 +0000 https://original.jupiterbroadcasting.net/?p=81662 This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD. Thanks to: Get Paid to Write […]

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted a report of the activities that went on between January and March of this year
  • As usual, it’s broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
  • The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
  • The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
  • FreeBSD’s future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
  • Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
  • Lots of activity is happening in bhyve, some of which we’ve covered recently, and a number of improvements were made this quarter
  • Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
  • Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
  • The project to replace Forth in the bootloader with Lua is in its final stages, and can be used on x86 already
  • ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
  • The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
  • Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)

OpenBSD 5.7 released

  • OpenBSD has formally released another new version, complete with the giant changelog we’ve come to expect
  • In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
  • If you’re using one of the Soekris boards, there’s even a new driver to manipulate the GPIO and LEDs on them – this has some fun possibilities
  • Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic “random” functions being replaced with strong randomness, and support for remote logging over TLS
  • The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD’s libc from being vulnerable to earlier attacks affecting other BSDs’ implementations
  • Being that it’s OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
  • Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore (very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily)
  • BIND and nginx have been taken out, so you’ll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
  • Speaking of httpd, it’s gotten a number of new features, and has had time to grow and mature since its initial debut – if you’ve been considering trying it out, now would be a great time to do so
  • This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
  • Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
  • Groundwork has also been laid for some major SMP scalability improvements – look forward to those in future releases
  • There’s a song and artwork to go along with the release as always, and CDs should be arriving within a few days – we’ll show some pictures next week
  • Consider picking one up to support the project (and it’s the only way to get puffy stickers)
  • For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now…
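To show why the reallocarray audit mentioned above matters (an added example for these notes, not OpenBSD's libc code), the C program below contrasts the classic malloc(nmemb * size) pattern, whose product silently wraps, with an overflow-checked wrapper in the style of reallocarray(3), and uses it in a small record table whose capacity comes from untrusted input. The function and type names are assumptions made for the example.

```c
/* Overflow-checked array allocation: an added reimplementation of the
 * reallocarray() idea for illustration, not OpenBSD's libc code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when nmemb * size cannot be represented in a size_t. */
int mul_overflows(size_t nmemb, size_t size)
{
    return size != 0 && nmemb > SIZE_MAX / size;
}

/* The pattern the audit replaced: the product silently wraps, so a huge
 * element count can turn into a tiny allocation that is later overrun. */
size_t naive_request(size_t nmemb, size_t size)
{
    return nmemb * size;   /* wraps modulo SIZE_MAX + 1 */
}

/* reallocarray-style wrapper: refuse the request instead of wrapping. */
void *safe_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* A realistic consumer: a record table whose capacity is taken from input
 * (a header field, a user-supplied count) and therefore cannot be trusted. */
struct record {
    uint32_t id;
    char name[28];
};                                   /* 32 bytes per record */

struct table {
    struct record *items;
    size_t cap;
    size_t count;
};

/* Grow the table to hold at least `want` records. Returns 0 on success and
 * -1 on overflow or allocation failure, leaving the old table intact. */
int table_reserve(struct table *t, size_t want)
{
    if (want <= t->cap)
        return 0;
    struct record *p = safe_reallocarray(t->items, want, sizeof *p);
    if (p == NULL)
        return -1;
    t->items = p;
    t->cap = want;
    return 0;
}

int table_add(struct table *t, uint32_t id, const char *name)
{
    if (t->count == t->cap && table_reserve(t, t->cap ? t->cap * 2 : 4) != 0)
        return -1;
    struct record *r = &t->items[t->count++];
    r->id = id;
    snprintf(r->name, sizeof r->name, "%s", name);
    return 0;
}

void table_free(struct table *t)
{
    free(t->items);
    t->items = NULL;
    t->cap = t->count = 0;
}

int main(void)
{
    size_t bad = SIZE_MAX / 4 + 2;   /* constructed: an attacker-sized count */
    printf("naive malloc(%zu * 8) would ask for only %zu bytes\n",
           bad, naive_request(bad, 8));
    struct table t = {0};
    int rc = table_reserve(&t, bad);
    printf("table_reserve(bad) -> %d (%s)\n", rc, strerror(errno));
    table_add(&t, 1, "first");
    table_add(&t, 2, "second");
    printf("table holds %zu of %zu records\n", t.count, t.cap);
    table_free(&t);
    return 0;
}
```

The check is the whole point: with the wrapper a hostile count produces a clean ENOMEM, whereas the naive multiplication hands back a few bytes that a later loop over `nmemb` elements will write straight past.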

Tor-BSD diversity project

  • We’ve talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
  • A new initiative has started to do just that, called the Tor-BSD diversity project
  • “Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. […] A single kernel vulnerability in GNU/Linux that impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity.”
  • In addition to encouraging people to put up more relays, they’re also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
  • There’s an additional progress report for that part specifically, and it looks like most of the work is done now
  • Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
  • If you’ve been considering running a node to help out, there’s always our handy tutorial on getting set up

PC-BSD 10.1.2-RC1 released

  • If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
  • This quarterly update includes a number of new features, improvements and even some additional utilities
  • PersonaCrypt is one of them – it’s a new tool for easily migrating encrypted home directories between systems
  • A new “stealth mode” option allows for a one-time login, using a blank home directory that gets wiped after use
  • Similarly, a new “Tor mode” allows for easy tunneling of all your traffic through the Tor network (hopefully through some BSD nodes, as we just mentioned..)
  • IPFW is now the default firewall, offering improved VIMAGE capabilities
  • The life preserver backup tool now allows for bare-metal restores via the install CD
  • ISC’s NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
  • It also includes the latest Lumina desktop, and there’s another post dedicated to that
  • Binary packages have also been updated to fresh versions from the ports tree
  • More details, including upgrade instructions, can be found in the linked blog post

Interview – Ed Schouten – ed@freebsd.org / @edschouten

CloudABI


News Roundup

Open Household Router Contraption

  • This article introduces OpenHRC, the “Open Household Router Contraption”
  • In short, it’s a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
  • It also makes use of Ansible playbooks for configuration, allowing for a more “mass deployment” type of setup
  • Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver – it even does DNSSEC validation
  • All the code is open source and on Github, so you can read through what’s actually being changed and put in place
  • There’s also a video guide to the entire process, if you’re more of a visual person

OPNsense 15.1.10 released

  • Speaking of BSD routers, if you’re looking for a more “prebuilt and ready to go” option, OPNsense has just released a new version
  • 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
  • Going along with this theme, they’ve redone how they do ports, and are now kept totally in sync with the regular ports tree
  • Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
  • NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
  • Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs

IBM Workpad Z50 and NetBSD

  • Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
  • Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640×480 display
  • You can probably tell where this is going… the article is about installing NetBSD on it
  • “What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running”
  • The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
  • He’s also got a couple videos of the bootup process and running Xorg (neither of which we’d call “speedy” by any stretch of the imagination)

FreeBSD from the trenches

  • The FreeBSD foundation has a new blog post up in their “from the trenches” series, detailing FreeBSD in some real-world use cases
  • In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
  • While the installer allows for an automatic ZFS layout, Glen notes that it’s not a one-size-fits-all thing, and goes through doing everything manually
  • Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool

Broadwell in DragonFly

  • DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
  • Their i915 driver has been brought up to speed with Linux 3.14’s, adding not only Broadwell support, but many other bugfixes for other cards too
  • It’s planned for commit to the main tree very soon, but you can test it out with a git branch for the time being

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you guys if you’re working on anything cool
  • The OpenBSD router tutorial has been reorganized and updated for 5.7, it has a new section on bandwidth statistics and has finally gotten so big that it now has a table of contents
  • This year’s vBSDCon has been formally announced, and will take place between September 11th-13th in Reston, Virginia (eastern USA)
  • There’s no official call for papers, but they do welcome people to submit talk ideas for consideration
  • If you’re in Michigan, there’s a new BSD users group just starting up – LivBUG
  • If there’s a local BUG in your area, let us know and we’ll be glad to mention it

SSL in the Wild | BSD Now 82 https://original.jupiterbroadcasting.net/79512/ssl-in-the-wild-bsd-now-82/ Thu, 26 Mar 2015 10:08:34 +0000 https://original.jupiterbroadcasting.net/?p=79512 We’ll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He’s been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this weeks news and answers to your questions, on BSD Now – the place to B.. SD. Thanks to: Get Paid […]

The post SSL in the Wild | BSD Now 82 first appeared on Jupiter Broadcasting.


We’ll be chatting with Bernard Spil about wider adoption of LibreSSL in other communities. He’s been doing a lot of work with FreeBSD ports specifically, but also working with upstream projects. As usual, all this week’s news and answers to your questions, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

EuroBSDCon 2015 call for papers

  • The call for papers has been announced for the next EuroBSDCon, which is set to be held in Sweden this year
  • According to their site, the call for presentation proposals period will start on Monday the 23rd of March until Friday the 17th of April
  • If giving a full talk isn’t your thing, there’s also a call for tutorials – if you’re comfortable teaching other people about something BSD-related, this could be a great thing too
  • You’re not limited to one proposal – several speakers gave multiple in 2014 – so don’t hesitate if you’ve got more than one thing you’d like to talk about
  • We’d like to see a more balanced conference schedule than BSDCan’s having this year, but that requires effort on both sides – if you’re doing anything cool with any BSD, we’d encourage you to submit a proposal (or two)
  • Check the announcement for all the specific details and requirements
  • If your talk gets accepted, the conference even pays for your travel expenses

Making security sausage

  • Ted Unangst has a new blog post up, detailing his experiences with some recent security patches both in and out of OpenBSD
  • “Unfortunately, I wrote the tool used for signing patches which somehow turned into a responsibility for also creating the inputs to be signed. That was not the plan!”
  • The post first takes us through a few OpenBSD errata patches, explaining how some can get fixed very quickly, but others are more complicated and need a bit more review
  • It also covers security in upstream codebases, and how upstream projects sometimes treat security issues as any other bug
  • Following that, it leads to the topic of FreeType – and a much more complicated problem with backporting patches between versions
  • The recent OpenSSL vulnerabilities were also mentioned, with an interesting story to go along with them
  • Just 45 minutes before the agreed-upon announcement, OpenBSD devs found a problem with the patch OpenSSL planned to release – it had to be redone at the last minute
  • It was because of this that FreeBSD actually had to release a security update to their security update
  • He concludes with “My number one wish would be that every project provide small patches for security issues. Dropping enormous feature releases along with a note ‘oh, and some security too’ creates downstream mayhem.”

Running FreeBSD on the server, a sysadmin speaks

  • More BSD content is appearing on mainstream technology sites, and, more importantly, BSD Now is being mentioned
  • ITWire recently did an interview with Allan about running FreeBSD on servers (possibly to go with their earlier interview with Kris about desktop usage)
  • They discuss some of the advantages BSD brings to the table for sysadmins that might be used to Linux or some other UNIX flavor
  • It also covers specific features like jails, ZFS, long-term support, automating tasks and even… what to name your computers
  • If you’ve been considering switching your servers over from Linux to FreeBSD, but maybe wanted to hear some first-hand experience, this is the article for you

NetBSD ported to Hardkernel ODROID-C1

  • In their never-ending quest to run on every new board that comes out, NetBSD has been ported to the Hardkernel ODROID-C1
  • This one features a quad-core ARMv7 CPU at 1.5GHz, 1GB of RAM and gigabit ethernet… all for just $35
  • There’s a special kernel config file for this board’s hardware, available in both -current and the upcoming 7.0
  • More info can be found on their wiki page
  • After this was written, basic framebuffer console support was also committed, allowing a developer to run XFCE on the device

Interview – Bernard Spil – spil.oss@gmail.com / @sp1l

LibreSSL adoption in FreeBSD ports and the wider software ecosystem


News Roundup

Monitoring pf logs with Gource

  • If you’re using pf on any of the BSDs, maybe you’ve gotten bored of grepping logs and want to do something more fancy
  • This article will show you how to get set up with Gource for a cinematic-like experience
  • If you’ve never heard of Gource, it’s “an OpenGL-based 3D visualization tool intended for visualizing activity on source control repositories”
  • When you put all the tools together, you can end up with some pretty eye-catching animations of your firewall traffic
  • One of our listeners wrote in to say that he set this up and, almost immediately, noticed his girlfriend’s phone had been compromised – graphical representations of traffic could be useful for detecting suspicious network activity

pkgng 1.5.0 alpha1 released

  • The development version of pkgng was updated to 1.4.99.14, or 1.5.0 alpha1
  • This update introduces support for provides/requires, something that we’ve been wanting for a long time
  • It will also now print which package is the reason for a direct dependency change
  • Another interesting addition is the “pkg -r” switch, allowing cross installation of packages
  • Remember this isn’t the stable version, so maybe don’t upgrade to it just yet on any production systems
  • DragonFly will also likely pick up this update once it’s marked stable

Welcome to OpenBSD

  • We mentioned last week that our listener Brian was giving a talk in the Troy, New York area
  • The slides from that talk are now online, and they’ve been generating quite a bit of discussion online
  • It’s simply titled “Welcome to OpenBSD” and gives the reader an introduction to the OS (and how easy it is to get involved with contributing)
  • Topics include a quick history of the project, who the developers are and what they do, some proactive security techniques and finally how to get involved
  • As you may know, NetBSD has almost 60 supported platforms and their slogan is “of course it runs NetBSD” – Brian says, with 17 platforms over 13 CPU architectures, “it probably runs OpenBSD”
  • No matter which BSD you might be interested in, these slides are a great read, especially for any beginners looking to get their feet wet
  • Try to guess which font he used…

BSDTalk episode 252

  • And somehow Brian has snuck himself into another news item this week
  • He makes an appearance in the latest episode of BSD Talk, where he chats with Will about running a BSD-based shell provider
  • If that sounds familiar, it’s probably because we did the same thing, albeit with a different member of their team
  • In this interview, they discuss what a shell provider does, hardware requirements and how to weed out the spammers in favor of real people
  • They also talk a bit about the community aspect of a shared server, as opposed to just running a virtual machine by yourself

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – don’t be afraid to write about your experiences and send them to us, we’d love to read about what you guys are doing with BSD
  • If you’re interested in OpenZFS discussion, they’re looking to start up the office hours series again on April 2nd (with Justin Gibbs)
  • There’s a new BSD users group starting up in the Vancouver, British Columbia area – VanBUG will be holding an event on April 8th

Noah’s L2ARC | BSD Now 77 https://original.jupiterbroadcasting.net/77667/noahs-l2arc-bsd-now-77/ Thu, 19 Feb 2015 12:12:30 +0000 https://original.jupiterbroadcasting.net/?p=77667

This week on the show, we’ll be chatting with Alex Reece and Matt Ahrens about what’s new in the world of OpenZFS. After that, we’re starting a new tutorial series on submitting your first patch. All the latest BSD news and answers to your emails, coming up on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

Revisiting FreeBSD after 20 years

  • With comments like “has Linux lost its way?” floating around, a Debian developer was prompted to revisit FreeBSD after nearly two decades
  • This blog post goes through his experiences trying out a modern BSD variant, and includes the good, the bad and the ugly – not just praise this time
  • He loves ZFS and the beadm tool, and finds the FreeBSD implementation to be much more stable than ZoL
  • On the topic of jails, he summarizes: “Linux has tried so hard to get this right, and fallen on its face so many times, a person just wants to take pity sometimes. We’ve had linux-vserver, openvz, lxc, and still none of them match what FreeBSD jails have done for a long time.”
  • The post also goes through the “just plain different” aspects of a complete OS vs. a distribution of various things pieced together
  • Finally, he includes some things he wasn’t so happy about: subpar laptop support, virtualization being a bit behind, a myriad of complaints about pkgng and a few other things
  • There was some decent discussion on Hacker News about this article too, with counterpoints from both sides

s2k15 hackathon report: network stack SMP

  • The first trip report from the recent OpenBSD hackathon in Australia has finally been submitted
  • One of the themes of this hackathon was SMP (symmetric multiprocessing) improvement, and Martin Pieuchot did some hacking on the network stack
  • If you’re not familiar with him, he gave a presentation at EuroBSDCon last year, titled Taming OpenBSD Network Stack Dragons
  • Teaming up with David Gwynne, they worked on getting some bits of the networking code out of the big lock
  • Hopefully more trip reports will be sent in during the coming weeks
  • Most of the big code changes should probably appear after the 5.7-release testing period

From BIND to NSD and Unbound

  • If you’ve been running a DNS server on any of the BSDs, you’ve probably noticed a semi-recent trend: BIND being replaced with Unbound
  • BIND was ripped out in FreeBSD 10.0 and will be gone in OpenBSD 5.7, but both systems include Unbound now as an alternative
  • OpenBSD goes a step further, also including NSD in the base system
  • Instead of one daemon doing everything like BIND tried to do, this new setup splits the authoritative nameserver and the caching resolver into two separate daemons
  • This post takes you through the transitional phase of going from a single BIND setup to a combination of NSD and Unbound
  • All in all, everyone wins here, as there will be a lot fewer security advisories in both BSDs because of it…

m0n0wall calls it quits

  • The original, classic BSD firewall distribution m0n0wall has finally decided to close up shop
  • For those unfamiliar, m0n0wall was a FreeBSD-based firewall project that put a lot of focus on embedded devices: running from a CF card, CD, USB drive or even a floppy disk
  • It started over twelve years ago, which is pretty amazing when you consider that’s around half the lifespan of FreeBSD itself
  • The project was probably a lot of people’s first encounter with BSD in any form
  • If you were a m0n0wall user, fear not, you’ve got plenty of choices for a potential replacement: doing it yourself with something like FreeBSD or OpenBSD, or going the premade route with something like pfSense, OPNsense or the BSD Router Project
  • The founder’s announcement includes these closing words: “m0n0wall has served as the seed for several other well known open source projects, like pfSense, FreeNAS and AskoziaPBX. The newest offspring, OPNsense, aims to continue the open source spirit of m0n0wall while updating the technology to be ready for the future. In my view, it is the perfect way to bring the m0n0wall idea into 2015, and I encourage all current m0n0wall users to check out OPNsense and contribute if they can.”
  • While m0n0wall didn’t get a lot of on-air mention, surely a lot of our listeners will remember it fondly

Interview – Alex Reece & Matt Ahrens – alex@delphix.com & matt@delphix.com / @openzfs

What’s new in OpenZFS


Tutorial

Making your first patch (OpenBSD)


News Roundup

Overlaying remote LANs with OpenBSD’s VXLAN

  • Have you ever wanted to “merge” multiple remote LANs? OpenBSD’s vxlan(4) is exactly what you need
  • This article talks about using it to connect two virtualized infrastructures on different ESXi servers
  • It gives a bit of networking background first, in case you’re not quite up to speed on all this stuff
  • This tool opens up a lot of very cool possibilities, even possibly doing a “remote” LAN party
  • Be sure to check the AsiaBSDCon talk about VXLANs if you haven’t already

2020, year of the PCBSD desktop

  • Here we have a blog post about BSD on the desktop, straight from a KDE developer
  • He predicts that PCBSD is going to take off before the year 2020, possibly even overtaking Linux’s desktop market share (small as it may be)
  • With PCBSD making a preconfigured FreeBSD desktop a reality, and the new KMS work, the author is impressed with how far BSD has come as a viable desktop option
  • ZFS and easy-to-use boot environments top the list of things he says differentiate the BSD desktop experience from the Linux one
  • There was also some discussion on Slashdot that might be worth reading

OpenSSH host key rotation, redux

  • We mentioned the new OpenSSH host key rotation and other goodies in a previous episode, but things have changed a little bit since then
  • djm says “almost immediately after smugly declaring ‘mission accomplished’, the bug reports started rolling in.”
  • There were some initial complaints from developers about the new options, and a serious bug shortly thereafter
  • After going back to the drawing board, he refactored some of the new code (and API) and added some more regression tests
  • Most importantly, the bigger bug fix was described as: “a malicious server (say, “host-a”) could advertise the public key of another server (say, “host-b”). Then, when the client subsequently connects back to host-a, instead of answering the connection as usual itself, host-a could proxy the connection to host-b. This would cause the user to connect to host-b when they think they are connecting to host-a, which is a violation of the authentication the host key is supposed to provide.”
  • None of this code has been in a formal OpenSSH release just yet, but hopefully it will soon

PCBSD tries out LibreSSL

  • PCBSD users may soon be seeing a lot fewer security problems because of two recent changes
  • After switching over to OpenNTPD last week, PCBSD has decided to give the portable LibreSSL a try too
  • Note that this is only for the packages built from ports, not the base system unfortunately
  • They’re not the first ones to do this – OPNsense has been experimenting with replacing OpenSSL in their ports tree for a little while now, and of course all of OpenBSD’s ports are built against it
  • A good number of patches are still not committed in vanilla FreeBSD ports, so they had to borrow some from Bugzilla
  • Look forward to Kris wearing a “keep calm and abandon OpenSSL” shirt in the near future

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you write an article or blog post about BSD, or even just come across one you like, be sure to send it our way
  • If you’re in or around the southern California area, there’s going to be at least two BSD-related talks at this year’s SCALE 13x conference, as well as an OpenBSD booth, FreeBSD booth and some BSD certification exams as well
  • That’s going on between February 19th-22nd at the Hilton Los Angeles Airport
  • A special thanks to our anonymous listener for writing most of this week’s tutorial – we’ll be doing ones for PCBSD (using git) and FreeBSD (using svn) sometime soon

From the Foundation (Part 1) | BSD Now 75 https://original.jupiterbroadcasting.net/76857/from-the-foundation-part-1-bsd-now-75/ Thu, 05 Feb 2015 11:40:16 +0000 https://original.jupiterbroadcasting.net/?p=76857

This week on the show, we’ll be starting a two-part series detailing the activities of various BSD foundations. Ed Maste from the FreeBSD foundation will be joining us this time, and we’ll talk about what all they’ve been up to lately. All this week’s news and answers to viewer-submitted questions, coming up on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

Key rotation in OpenSSH 6.8

  • Damien Miller posted a new blog entry about one of the features in the upcoming OpenSSH 6.8
  • Times change, key types change, problems are found with old algorithms and we switch to new ones
  • In OpenSSH (and the SSH protocol) however, there hasn’t been an easy way to rotate host keys… until now
  • With this change, when you connect to a server, it will log all the server’s public keys in your known_hosts file, instead of just the first one used during the key exchange
  • Keys that are in your known_hosts file but not on the server will get automatically removed
  • This fixes the problem of old servers still authenticating with ancient DSA or small RSA keys, as well as providing a way for the server to rotate keys every so often
  • There are some instructions in the blog post for how you’ll be able to rotate host keys and eventually phase out the older ones – it’s really simple
  • There are a lot of big changes coming in OpenSSH 6.8, so we’ll be sure to cover them all when it’s released

NetBSD Banana Pi images

  • We’ve talked about the Banana Pi a bit before – it’s a small ARM board that’s comparable to the popular Raspberry Pi
  • Some NetBSD -current images were posted on the mailing list, so now you can get some BSD action on one of these little devices
  • There are even a set of prebuilt pkgsrc packages, so you won’t have to compile everything initially
  • The email includes some steps to get everything working and an overview of what comes with the image
  • Also check the wiki page for some related boards and further instructions on getting set up
  • On a related note, NetBSD also recently got GPU acceleration working for the Raspberry Pi (which is a first for their ARM port)

LibreSSL shirts and other BSD goodies

  • If you’ve been keeping up with the LibreSSL saga and want a shirt to show your support, they’re finally available to buy online
  • There are two versions, either “keep calm and use LibreSSL” or the slightly more snarky “keep calm and abandon OpenSSL”
  • While on the topic, we thought it would be good to make people aware of shirts for other BSD projects too
  • You can get some FreeBSD, PCBSD and FreeNAS stuff from the FreeBSD mall site
  • OpenBSD recently launched their new store, but the selection is still a bit limited right now
  • NetBSD has a couple places where you can buy shirts and other apparel with the flag logo on it
  • We couldn’t find any DragonFlyBSD shirts unfortunately, which is a shame since their logo is pretty cool
  • Profits from the sale of the gear go back to the projects, so pick up some swag and support your BSD of choice (and of course wear them at any Linux events you happen to go to)

OPNsense 15.1.4 released

  • The OPNsense guys have been hard at work since we spoke to them, fixing lots of bugs and keeping everything up to date
  • A number of versions have come out since then, with 15.1.4 being the latest (assuming they haven’t updated it again by the time this airs)
  • This version includes the latest round of FreeBSD kernel security patches, as well as minor SSL and GUI fixes
  • They’re doing a great job of getting upstream fixes pushed out to users quickly, a very welcome change
  • A developer has also posted an interesting write-up titled “Development Workflow in OPNsense”
  • If any of our listeners are trying OPNsense as their gateway firewall, let us know how you like it

Interview – Ed Maste – board@freebsdfoundation.org

The FreeBSD Foundation’s activities


News Roundup

Rolling with OpenBSD snapshots

  • One of the cool things about the -current branch of OpenBSD is that it doesn’t require any compiling
  • There are signed binary snapshots being continuously re-rolled and posted on the FTP sites for every architecture
  • This provides an easy method to get onboard with the latest features, and you can also easily upgrade between them without reformatting or rebuilding
  • This blog post will walk you through the process of using snapshots to stay on the bleeding edge of OpenBSD goodness
  • After using -current for seven weeks, the author comes to the conclusion that it’s not as unstable as people might think
  • He’s now helping test out patches and new ports since he’s running the same code as the developers

Signing pkgsrc packages

  • As of the time this show airs, the official pkgsrc packages aren’t cryptographically signed
  • Someone from Joyent has been working on that, since they’d like to sign their pkgsrc packages for SmartOS
  • Using GnuPG pulled in a lot of dependencies, and they’re trying to keep the bootstrapping process minimal
  • Instead, they’re using netpgpverify, a fork of NetBSD’s netpgp utility
  • Maybe someday this will become the official way to sign packages in NetBSD?

FreeBSD support model changes

  • Starting with 11.0-RELEASE, which won’t be for a few months probably, FreeBSD releases are going to have a different support model
  • The plan is to move “from a point release-based support model to a set of releases from a branch with a guaranteed support lifetime”
  • There will now be a five-year lifespan for each major release, regardless of how many minor point releases it gets
  • This new model should reduce the turnaround time for errata and security patches, since there will be a lot less work involved to build and verify them
  • Lots more detail can be found in the mailing list post, including some important changes to the -STABLE branch, so give it a read

OpenSMTPD, Dovecot and SpamAssassin

  • We’ve been talking about setting up your own BSD-based mail server on the last couple episodes
  • Here we have another post from a user setting up OpenSMTPD, including Dovecot for IMAP and SpamAssassin for spam filtering
  • A lot of people regularly ask the developers how to combine OpenSMTPD with spam filtering, and this post should finally reveal the dark secrets
  • In addition, it also covers SSL certificates, PKI and setting up MX records – some things that previous posts have lacked
  • Just be sure to replace those “apt-get” commands and “eth0” interface names with something a bit more sane…
  • In related news, OpenSMTPD has got some interesting new features coming soon
  • They’re also planning to switch to LibreSSL by default for the portable version

FreeBSD 10 on the Thinkpad T400

  • BSD laptop articles are becoming popular it seems – this one is about FreeBSD on a T400
  • Like most of the ones we’ve mentioned before, it shows you how to get a BSD desktop set up with all the little tweaks you might not think to do
  • This one differs in that it takes a more minimal approach to graphics: instead of a full-featured environment like XFCE or KDE, it uses the i3 tiling window manager
  • If you’re a commandline junkie that basically just uses X11 to run more than one terminal at once, this might be an ideal setup for you
  • The post also includes some bits about the DRM and KMS in the 10.x branch, as well as vt

PC-BSD 10.1.1 Released

  • Automatic background updater now in
  • Shiny new Qt5 utils
  • OVA files for VMs
  • Full disk encryption with Geli v7

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – if you’re doing anything cool with BSD, either at work or just as a hobby, let us know about it
  • If you have someone specific you’d like to see interviewed, or a tutorial you’d like to see, we’re just an email away
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

Pipe Dreams | BSD Now 73 https://original.jupiterbroadcasting.net/75982/pipe-dreams-bsd-now-73/ Thu, 22 Jan 2015 13:48:41 +0000 https://original.jupiterbroadcasting.net/?p=75982

This week on the show we’ll be chatting with David Maxwell, a former NetBSD security officer. He’s got an interesting project called Pipecut that takes a whole new approach to the commandline. We’ve also got answers to viewer-submitted questions and all this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted an update on some of their activities between October and December of 2014
  • They put a big focus on compatibility with other systems: the Linux emulation layer, bhyve, WINE and Xen all got some nice improvements
  • As always, the report has lots of updates from the various teams working on different parts of the OS and ports infrastructure
  • The release engineering team got 10.1 out the door, the ports team shuffled a few members in and out and continued working on closing more PRs
  • FreeBSD’s forums underwent a huge change, and discussion about the new support model for release cycles continues (hopefully taking effect after 11.0 is released)
  • Git was promoted from beta to an officially-supported version control system (Kris is happy)
  • The core team is also assembling a new QA team to ensure better code quality in critical areas, such as security and release engineering, after getting a number of complaints
  • Other notable entries include: lots of bhyve fixes, Clang/LLVM being updated to 3.5.0, ongoing work to the external toolchain, adding FreeBSD support to more “cloud” services, pkgng updates, work on SecureBoot, more ARM support and graphics stack improvements
  • Check out the full report for all the details that we didn’t cover

OpenBSD package signature audit

  • “Linux Audit” is a website focused on auditing and hardening systems, as well as educating people about securing their boxes
  • They recently did an article about OpenBSD, specifically their ports and package system and signing infrastructure
  • The author gives a little background on the difference between ports and binary packages, then goes through the technical details of how releases and packages are cryptographically signed
  • Package signature formats and public key distribution methods are also touched on
  • After some heckling, the author of the post said he plans to write more BSD security articles, so look forward to them in the future
  • If you haven’t seen our episode about signify with Ted Unangst, that would be a great one to check out after reading this

Replacing a Linux router with BSD

  • There was recently a Slashdot discussion about migrating a Linux-based router to a BSD-based one
  • The poster begins with “I’m in the camp that doesn’t trust systemd. You can discuss the technical merits of all init solutions all you want, but if I wanted to run Windows NT I’d run Windows NT, not Linux. So I’ve decided to migrate my homebrew router/firewall/samba server to one of the BSDs.”
  • A lot of people were quick to recommend OPNsense and pfSense, since they’re very easy to administer (requiring basically no BSD knowledge at all)
  • Other commenters suggested a more hands-on approach, setting one up yourself with FreeBSD or OpenBSD
  • If you’ve been thinking about moving some routers over from Linux or another commercial solution, this might be a good discussion to read through
  • Unfortunately, a lot of the comments are just Linux users bickering about systemd, so you’ll have to wade through some of that to get to the good information

LibreSSL in FreeBSD and OPNsense

  • A FreeBSD sysadmin has started documenting his experience replacing the OpenSSL in the base system with the one from ports (and also experimenting with LibreSSL)
  • The reasoning is that updates in base tend to lag behind, whereas the port can be updated for security fixes very quickly
  • OPNsense developers are looking into switching away from OpenSSL to LibreSSL’s portable version, for both their ports and base system, which would be a pretty huge differentiator for their project
  • Some ports still need fixing to be compatible though, particularly a few python-related ones
  • If you’re a FreeBSD ports person, get involved and help squash some of the last remaining bugs
  • A lot of the work has already been done in OpenBSD’s ports tree – some patches just need to be adopted
  • More and more upstream projects are incorporating LibreSSL patches in their code – let your favorite software vendor know that you’re using it

Interview – David Maxwell – david@netbsd.org / @david_w_maxwell

Pipecut, text processing, commandline wizardry


News Roundup

Jetpack, a new jail container system

  • A new project was launched to adapt FreeBSD jails to the “app container specification”
  • While still pretty experimental in terms of the development phase, this might be something to show your Linux friends who are in love with Docker
  • It’s a similar project to iocage or bsdploy, which we haven’t talked a whole lot about
  • There was also some discussion about it on Hacker News

Separating base and package binaries

  • All of the main BSDs make a strong separation between the base system and third party software
  • This is in contrast to Linux, where there’s no real concept of a “base system” – more recently, some distros have even merged all the binaries into a single directory
  • A user asks the community about the BSD way of doing it, trying to find out the advantages and disadvantages of both hierarchies
  • Read the comments for the full explanation, but having things separated really helps keep things organized

Updated i915kms driver for FreeBSD

  • This update brings the FreeBSD code closer in line with the Linux code, to make it easier to update going forward
  • This update does not introduce Haswell support just yet, but was required before the Haswell bits can be added

Year of the OpenBSD desktop

  • Here we have an article about using OpenBSD as a daily driver for regular desktop usage
  • The author says he “ran fifty thousand different distributions, never being satisfied”
  • After dealing with the problems of Linux and fragmentation, he eventually gave up and bought a Macbook
  • He also used FreeBSD between versions 7 and 9, finding “a mostly harmonious environment,” but regressions led him to give up on desktop *nix once again
  • Starting with 2015, he’s back and is using OpenBSD on a Thinkpad x201
  • The rest of the article covers some of his configuration tweaks and gives an overall conclusion on his current setup
  • He apparently used our desktop tutorial – thanks for watching!

Unattended FreeBSD installation

  • A new BSD user was looking to get some more experience, so he documented how to install FreeBSD over PXE
  • His goal was to have a setup similar to Red Hat’s “kickstart” or OpenBSD’s autoinstall
  • The article shows you how to set up DHCP and TFTP, with no NFS share setup required
  • He also gives a mention to mfsbsd, showing how you can customize its startup script to do most of the work for you

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re thinking about adding a new segment to the show where we discuss a topic that the listeners suggest. It’s meant to be informative like a tutorial, but more of a “free discussion” format. If you have any subjects you want us to explore, or even just a good name for it, send in an email. We may incorporate guests too, so if you’d like to join us for something like that, let us know.
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

A Man’s man(1) | BSD Now 63 https://original.jupiterbroadcasting.net/71412/a-mans-man-bsd-now-63/ Thu, 13 Nov 2014 13:16:48 +0000 https://original.jupiterbroadcasting.net/?p=71412

This time on the show, we’ve got an interview with Kristaps Džonsons, the creator of mandoc. He tells us how the project got started and what its current status is across the various BSDs. We also have a mini-tutorial on using PF to throttle bandwidth. This week’s news, answers to your emails and even some cheesy mailing list gold, coming up on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

Updates to FreeBSD’s random(4)

  • FreeBSD’s random device, which presents itself as “/dev/random” to users, has gotten a fairly major overhaul in -CURRENT
  • The CSPRNG (cryptographically secure pseudo-random number generator) algorithm, Yarrow, now has a new alternative called Fortuna
  • Yarrow is still the default for now, but Fortuna can be used with a kernel option (and will likely be the new default in 11.0-RELEASE)
  • Pluggable modules can now be written to add more sources of entropy
  • These changes are expected to make it in 11.0-RELEASE, but there hasn’t been any mention of MFCing them to 10 or 9

OpenBSD Tor relays and network diversity

  • We’ve talked about getting more BSD-based Tor nodes a few times in previous episodes
  • The “tor-relays” mailing list has had some recent discussion about increasing diversity in the Tor network, specifically by adding more OpenBSD nodes
  • With its security features and attention to detail, OpenBSD makes for an excellent dedicated Tor box
  • More and more adversaries are attacking Tor nodes, so having something that can withstand that will help the greater network at large
  • A few users are even saying they’ll convert their Linux nodes to OpenBSD to help out
  • Check the archive for the full conversation, and maybe run a node yourself on any of the BSDs
  • The Tor wiki page on OpenBSD is pretty out of date (nine years old!?) and uses the old pf syntax, maybe one of our listeners can modernize it

SSP now default for FreeBSD ports

  • SSP, or Stack Smashing Protection, is an additional layer of protection against buffer overflows that the compiler can give to the binaries it produces
  • It’s now enabled by default in FreeBSD’s ports tree, and the pkgng packages will have it as well – but only for amd64 (all supported releases) and i386 (10.0-RELEASE or newer)
  • This will only apply to regular ports and binary packages, not the quarterly branch that only receives security updates
  • If you were using the temporary “new Xorg” or SSP package repositories instead of the default ones, you need to switch back over
  • NetBSD made this the default on i386 and amd64 two years ago and OpenBSD made this the default on all architectures twelve years ago
  • Next time you rebuild your ports, things should be automatically hardened without any extra steps or configuration needed

Building an OpenBSD firewall and router

  • While we’ve discussed the software and configuration of an OpenBSD router, this Reddit thread focuses more on the hardware side
  • The OP lists some of his potential choices, but was originally looking for something a bit cheaper than a Soekris
  • Most agree that, if it’s for a business especially, it’s worth the extra money to go with something that’s well known in the BSD community
  • They also list a few other popular alternatives: ALIX or the APU series from PC Engines, some Supermicro boards, etc.
  • Through the comments, we also find out that QuakeCon runs OpenBSD on their network
  • Hopefully most of our listeners are running some kind of BSD as their gateway – try it out if you haven’t already

Interview – Kristaps Džonsons – kristaps@openbsd.org

Mandoc, historical man pages, various topics


Tutorial

Throttling bandwidth with PF


News Roundup

NetBSD at Kansai Open Forum 2014

  • Japanese NetBSD users invade yet another conference, demonstrating that they can and will install NetBSD on everything
  • From a Raspberry Pi to SHARP Netwalkers to various luna68k devices, they had it all
  • As always, you can find lots of pictures in the trip report

Getting to know your portmgr lurkers

  • The lovable “getting to know your portmgr” series makes its triumphant return
  • This time around, they interview Alex, one of the portmgr lurkers that joined just this month
  • “How would you describe yourself?” “Too lazy.”
  • Another post includes a short interview with Emanuel, another new lurker
  • We discussed the portmgr lurkers initiative with Steve Wills a while back

NetBSD’s ARM port gets SMP

  • The ARM port of NetBSD now has SMP support, allowing more than one CPU to be used
  • This blog post on the website has a list of supported boards: Banana Pi, Cubieboard 2, Cubietruck, Merrii Hummingbird A31, CUBOX-I and NITROGEN6X
  • NetBSD’s release team is working on getting these changes into the 7 branch before 7.0 is released
  • There are also a few nice pictures in the article

A high performance mid-range NAS

  • This blog post is about FreeNAS and optimizing iSCSI performance
  • It talks about using mid-range hardware with FreeNAS and different tunables you can change to affect performance
  • There are some nice graphs and lots of detail if you’re interested in tweaking some of your own settings
  • They conclude “there is no optimal configuration; rather, FreeNAS can be configured to suit a particular workload”

Feedback/Questions


Mailing List Gold


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The OpenBSD router tutorial now has a new section on bandwidth throttling
  • We’ll also have links on the site to a MeetBSD recap post, definitely worth reading, as well as a review of the new Book of PF
  • Speaking of that, Peter Hansteen’s Book of PF auction raised a total of $3,050 for the OpenBSD foundation
  • As usual, send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we do the show for you guys, so let us know if there’s something specific you’d like to see covered (especially new tutorial ideas)
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post A Man's man(1) | BSD Now 63 first appeared on Jupiter Broadcasting.

IPSECond Wind | BSD Now 61 https://original.jupiterbroadcasting.net/70272/ipsecond-wind-bsd-now-61/ Thu, 30 Oct 2014 10:03:16 +0000 https://original.jupiterbroadcasting.net/?p=70272 This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD’s IPSEC stack. We’ll learn what he’s adding, what needed to be fixed and how we’ll benefit from the changes. As always, answers to your emails and all of this week’s news, on BSD Now – the place to B.. […]


This week on the show, we sat down with John-Mark Gurney to talk about modernizing FreeBSD’s IPSEC stack. We’ll learn what he’s adding, what needed to be fixed and how we’ll benefit from the changes. As always, answers to your emails and all of this week’s news, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

BSD panel at Phoenix LUG

  • The Phoenix, Arizona Linux users group had a special panel so they could learn a bit more about BSD
  • It had one FreeBSD user and one OpenBSD user, and they answered questions from the organizer and the people in the audience
  • They covered a variety of topics, including filesystems, firewalls, different development models, licenses and philosophy
  • It was a good “real world” example of things potential switchers are curious to know about
  • They closed by concluding that more diversity is always better, and even if you’ve got a lot of Linux boxes, putting a few BSD ones in the mix is a good idea

Book of PF signed copy auction

  • Peter Hansteen (who we’ve had on the show) is auctioning off the first signed copy of the new Book of PF
  • All the profits from the sale will go to the OpenBSD Foundation
  • The updated edition of the book includes all the latest pf syntax changes, but also provides examples for FreeBSD and NetBSD’s versions (which still use ALTQ, among other differences)
  • If you’re interested in firewalls, security or even just advanced networking, this book is a great one to have on your shelf – and the money will also go to a good cause
  • Michael Lucas has challenged Peter to raise more for the foundation than his last book selling – let’s see who wins
  • Pause the episode, go bid on it and then come back!

FreeBSD Foundation goes to EuroBSDCon

  • Some people from the FreeBSD Foundation went to EuroBSDCon this year, and came back with a nice trip report
  • They also sponsored four other developers to go
  • The foundation was there “to find out what people are working on, what kind of help they could use from the Foundation, feedback on what we can be doing to support the FreeBSD Project and community, and what features/functions people want supported in FreeBSD”
  • They also have a second report from Kamil Czekirda
  • A total of $2000 was raised at the conference

OpenBSD 5.6 released

  • Note: we’re doing this story a couple days early – it’s actually being released on November 1st (this Saturday), but we have next week off and didn’t want to let this one slip through the cracks – it may be out by the time you’re watching this
  • Continuing their always-on-time six month release cycle, the OpenBSD team has released version 5.6
  • It includes support for new hardware, lots of driver updates, network stack improvements (SMP, in particular) and new security features
  • 5.6 is the first formal release with LibreSSL, their fork of OpenSSL, and lots of ports have been fixed to work with it
  • You can now hibernate your laptop when using a fully-encrypted filesystem (see our tutorial for that)
  • ALTQ, Kerberos, Lynx, Bluetooth, TCP Wrappers and Apache were all removed
  • This will serve as a “transitional” release for a lot of services: moving from Sendmail to OpenSMTPD, from nginx to httpd and from BIND to Unbound
  • Sendmail, nginx and BIND will be gone in the next release, so either migrate to the new stuff between now and then or switch to the ports versions
  • As always, 5.6 comes with its own song and artwork – the theme this time was obviously LibreSSL
  • Be sure to check the full changelog (it’s huge) and pick up a CD or tshirt to support their efforts
  • If you don’t already have the public key the releases are signed with, getting a physical CD is a good “out-of-band” way to obtain it safely
  • Here are some cool images of the set
  • After you do your installation or upgrade, don’t forget to head over to the errata page and apply any patches listed there

Interview – John-Mark Gurney – jmg@freebsd.org / @encthenet

Updating FreeBSD’s IPSEC stack


News Roundup

Clang in DragonFly BSD

  • As we all know, FreeBSD got rid of GCC in 10.0, and now uses Clang on i386/amd64 almost exclusively
  • Some DragonFly developers are considering migrating over as well, and one of them is doing some work to make the OS more Clang-friendly
  • We’d love to see more BSDs switch to Clang/LLVM eventually; it’s a lot more modern than the old GCC most of them are using

reallocarray(): integer overflow detection for free

  • One of the less obvious features in OpenBSD 5.6 is a new libc function: “reallocarray()”
  • It’s a replacement function for realloc(3) that provides integer overflow detection at basically no extra cost
  • Theo and a few other developers have already started a mass audit of the entire source tree, replacing many instances with this new feature
  • OpenBSD’s explicit_bzero was recently imported into FreeBSD; maybe someone could port this over too
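An added example (not OpenBSD’s libc code) of the trick the bullets describe: check that nmemb * size cannot wrap before calling realloc(3), using a cheap threshold test so the division is skipped whenever both operands are small. The function names and the constructed sizes are this example’s own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * If both factors are below 2^(bits/2), their product cannot exceed
 * SIZE_MAX, so the common case needs no division at all.  Only when one
 * factor is large do we pay for SIZE_MAX / nmemb.
 */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Return 1 if nmemb * size would wrap around size_t, 0 otherwise. */
int mul_would_overflow(size_t nmemb, size_t size)
{
    if (nmemb < MUL_NO_OVERFLOW && size < MUL_NO_OVERFLOW)
        return 0;                       /* fast path: small operands */
    if (nmemb == 0)
        return 0;                       /* 0 * anything is 0 */
    return SIZE_MAX / nmemb < size;     /* exact check for big operands */
}

/*
 * reallocarray-style wrapper (this example's own, following the
 * reallocarray(3) interface): refuses the request instead of letting a
 * wrapped product hand back a buffer far smaller than the caller expects.
 */
void *safe_reallocarray(void *p, size_t nmemb, size_t size)
{
    if (mul_would_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    return realloc(p, nmemb * size);
}

/*
 * The pattern reallocarray replaces: the caller multiplies itself, and
 * on overflow the product silently wraps to a small number.
 */
size_t naive_byte_count(size_t nmemb, size_t size)
{
    return nmemb * size;
}

int main(void)
{
    size_t huge = SIZE_MAX / 2 + 1;     /* constructed: 2^(bits-1) elements */

    /* huge * 2 wraps to exactly 0 bytes with the naive multiplication */
    printf("naive byte count for %zu * 2 = %zu\n", huge,
           naive_byte_count(huge, 2));

    int *a = safe_reallocarray(NULL, 16, sizeof(int));
    printf("16 ints: %s\n", a ? "allocated" : "failed");
    free(a);

    void *b = safe_reallocarray(NULL, huge, 2);
    printf("%zu * 2 bytes: %s\n", huge,
           b ? "allocated" : "refused (ENOMEM)");
    free(b);
    return 0;
}
```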

Switching from Linux blog

  • A listener of the show has started a new blog series, detailing his experiences in switching over to BSD from Linux
  • After over ten years of using Linux, he decided to give BSD a try after listening to our show (which is awesome)
  • So far, he’s put up a few posts about his initial thoughts, some documentation he’s going through and his experiments so far
  • It’ll be an ongoing series, so we may check back in with him again later on

Owncloud in a FreeNAS jail

  • One of the most common emails we get is about running Owncloud in FreeNAS
  • Now, finally, someone made a video on how to do just that, and it’s even jailed
  • A member of the FreeNAS community has uploaded a video on how to set it up, with lighttpd as the webserver backend
  • If you’re looking for an easy way to back up and sync your files, this might be worth a watch

Feedback/Questions


Mailing List Gold


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The OpenBSD router, dpb, PXE autoinstall and patched ISO building tutorials have all been updated for 5.6
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – tell us how we’re doing or what you’d like to see in future episodes
  • You can usually watch live Wednesdays at 2:00PM Eastern (18:00 UTC), but…
  • We’ll be in California at MeetBSD next week, so there will be a prerecorded episode
  • Speaking of conferences, the operatingsystems.io event has gotten a few more BSD speakers – check it out if you’re in London on November 25th

Xen Gets bashed | TechSNAP 182 https://original.jupiterbroadcasting.net/68177/xen-gets-bashed-techsnap-182/ Thu, 02 Oct 2014 21:05:42 +0000 https://original.jupiterbroadcasting.net/?p=68177 Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box. Plus how secure are VLANs, a big batch of your questions, our answers, and much much more! Thanks to: Direct Download: […]


Recent major flaws found in critical open source software have sent the Internet into a panic. From Shellshock to Xen we’ll discuss how these vulnerabilities can be chained together to own a box.

Plus how secure are VLANs, a big batch of your questions, our answers, and much much more!


— Show Notes: —

Bash plus Xen bug send the entire internet scrambling

  • A critical flaw was discovered in the bash shell, used as the default system shell in most versions of linux, as well as OS X.
  • The flaw was in the parsing of environment variables: if a variable was set to contain a function definition, and that definition was followed by a semicolon (normally a separator used to chain multiple commands together), the code after the semicolon would be executed when the shell started
  • Many people are not aware that CGI scripts receive the original request data, as well as all HTTP headers, via environment variables
  • After those using bash CGI scripts ran around like chickens with their heads cut off, others came to realize that even if the CGI scripts are written in Perl or something else, if they happen to fork a shell via the system() call or similar, that shell inherits those environment variables and is vulnerable
  • As more people spent brain cycles thinking of creative ways to exploit this bug, it was realized that even qmail was vulnerable in some cases: if a user has a .qmail file or similar that forwards their email via a pipe, that command is executed via the system shell, with environment variables containing the email headers (From, To, Subject, etc.)
  • While FreeBSD does not ship with bash by default, it is a common dependency of most of the desktop environments, including GNOME and KDE. PC-BSD also makes bash available to users, to make life easier for Linux switchers. FreeNAS uses bash for its interactive web shell for the same reason. While not vulnerable in most cases, all have been updated to ensure that some new creative way to exploit the bug does not crop up
  • Apparently the DHCP client in Mac OS X also uses bash, and a malicious DHCP server could exploit the flaw
  • The flaw also affects a number of VMWare products
  • OpenVPN and many other software packages have also been found to be vulnerable
  • The version of bash on your system can be tested easily with this one-liner:
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • Which will print “this is a test”, and if bash has not yet been patched, will first print ‘vulnerable’
  • ArsTechnica: Bug in bash shell creates big security hole on anything with linux in it
  • Concern over bash bug grows as it is actively exploited in the wild
  • First bash patch doesn’t solve problem, second patch rushed out to resolve issue
  • Now that people are looking, even more bugs in bash found and fixed
  • Shellshock fixes result in another round of patches as attacks get more clever
  • Apple releases patch for shellshock bug
  • There was also a critical update to NSS (the Mozilla cryptographic library, which was not properly validating SSL certificates)
  • The other big patch this week was for Xen
  • It was announced by a number of public cloud providers, including Amazon and Rackspace, that some virtual server host machines would need to be rebooted to install security fixes, resulting in downtime for 10% of Amazon instances
  • It is not clear why this could not be resolved by live migrations
  • All versions of Xen since 4.1 until this patch are vulnerable. The flaw is only exploitable when running fully virtualized guests (HVM mode, uses the processor virtualization features), and can not be exploited by virtual machines running in the older paravirtualization mode. Xen on ARM is not affected
  • Xen Security Advisory
  • Amazon Blog Post #1
  • Amazon Blog Post #2
  • Rackspace Blog Post
  • Additional Coverage: eweek

Cox Communications takes the privacy of its customers seriously, kind of

  • A female employee of Cox Communications (a large US ISP) was socially engineered into giving up her username and password
  • These credentials were then used to access the private data of Cox Customers
  • The attacker apparently only stole data about 52 customers, one of which was Brian Krebs
  • This makes it sound like a targeted attack, or at least an attack by someone who is (or is not) a fan of Brian Krebs
  • It appears that the Cox internal customer database can be accessed directly from the internet, with only a username and password
  • Cox says they use two factor authentication “in some cases”, and plan to expand the use of 2FA in the wake of this breach
  • Cox being able to quickly determine exactly how many customers’ data was compromised suggests they at least have some form of auditing in place, leaving a trail describing what data was accessed
  • Brian points out: “This sad state of affairs is likely the same across multiple companies that claim to be protecting your personal and financial data. In my opinion, any company — particularly one in the ISP business — that isn’t using more than a username and a password to protect their customers’ personal information should be publicly shamed.” “Unfortunately, most companies will not proactively take steps to safeguard this information until they are forced to do so — usually in response to a data breach. Barring any pressure from Congress to find proactive ways to avoid breaches like this one, companies will continue to guarantee the security and privacy of their customers’ records, one breach at a time.”

Other researchers recreate the BadUSB exploit and release the code on Github

  • The “BadUSB” research was originally done by Karsten Nohl and Jakob Lell, at SR Labs in Germany.
  • Presented at BlackHat, it described being able to reprogram the firmware of USB devices to perform other functions, such as a USB memory stick that presented itself to the computer as a keyboard, and typed out commands once plugged in, allowing it to compromise the computer and exfiltrate data
  • Brandon Wilson and Adam Caudill were doing their own work in this space, and when they heard about the talk at BlackHat, decided to accelerate their own work
  • They have now posted their code on Github
  • “The problem is that Nohl and Lell—and Caudill and Wilson—have not exploited vulnerabilities in USB. They’re just taking advantage of weaknesses in the manner in which USBs are supposed to behave”
  • “At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC”
  • “It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”
  • The way around this issue would be for device manufacturers to implement code signing
  • The existing firmware would only allow itself to be updated if the new firmware was signed by the manufacturer, preventing malicious users from overwriting the good firmware with ‘bad’ firmware
  • Users could obviously still build their own devices specifically for the purpose of running evil firmware, but signing would prevent the case where an attacker modifies your device to work against you
  • At the same time, many users might argue against losing control over their device, and no longer being able to update the firmware if they wish
  • The real solution may be for Operating Systems and users to evolve to no longer trust random USB devices, and instead allow the user to decide if they trust the device, possibly something similar to mobile apps, where the OS tells the user what functionality the device is trying to present
  • You might choose to not trust that USB memstick that is also attempting to present a network adapter, in order to override your DHCP settings and make your system use a set of rogue DNS servers

Feedback:


Round Up:


The Promised WLAN | BSD Now 55 https://original.jupiterbroadcasting.net/67012/the-promised-wlan-bsd-now-55/ Thu, 18 Sep 2014 10:26:43 +0000 https://original.jupiterbroadcasting.net/?p=67012 Coming up this week, we’ll be talking with Adrian Chadd about all things wireless, his experience with FreeBSD on various laptop hardware and a whole lot more. As usual, we’ve got the latest news and answers to all your emails, on BSD Now – the place to B.. SD. Thanks to: Direct Download: Video | […]


Coming up this week, we’ll be talking with Adrian Chadd about all things wireless, his experience with FreeBSD on various laptop hardware and a whole lot more. As usual, we’ve got the latest news and answers to all your emails, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

FreeBSD 10.1-BETA1 is out

  • The first maintenance update in the 10.x series of FreeBSD is on its way
  • Since we can’t see a changelog yet, the 10-STABLE release notes offer a glimpse at some of the new features and fixes that will be included in 10.1
  • The vt driver was merged from -CURRENT, lots of drivers were updated, lots of bugs were fixed and bhyve also got many improvements from 11
  • Initial UEFI support, multithreaded softupdates for UFS and many more things were added
  • You can check the release schedule for the planned release dates
  • Details for the various forms of release media can be found in the announcement

Remote headless OpenBSD installation

  • A lot of server providers only offer a limited number of operating systems to be easily installed on their boxes
  • Sometimes you’ll get lucky and they’ll offer FreeBSD, but it’s much harder to find ones that natively support other BSDs
  • This article shows how you can use a Linux-based rescue system, a RAM disk and QEMU to install OpenBSD on the bare metal of a server, headlessly and remotely
  • It requires a few specific steps you’ll want to take note of, but is extremely useful for those pesky hosting providers

Building a firewall appliance with pfSense

  • In this article, we learn how to easily set up a gateway and wireless access point with pfSense on a Netgate ALIX2C3 APU
  • After the author’s modem died, he decided to look into a more do-it-yourself option with pf and a tiny router board
  • The hardware he used has gigabit ports and a BSD-compatible wireless card, as well as enough CPU power for a modest workload and a few services (OpenVPN, etc.)
  • There’s a lot of great pictures of the hardware and detailed screenshots, definitely worth a look

Receive Side Scaling – UDP testing

  • Adrian Chadd has been working on RSS (Receive Side Scaling) in FreeBSD, and gives an update on the progress
  • He’s using some quad core boxes with 10 gigabit ethernet for the tests
  • The post gives lots of stats and results from his network benchmark, as well as some interesting workarounds he had to do
  • He also provides some system configuration options, sysctl knobs, etc. (if you want to try it out)
  • And speaking of Adrian Chadd…

Interview – Adrian Chadd – adrian@freebsd.org / @erikarn

BSD on laptops, wifi, drivers, various topics


News Roundup

Sendmail removed from OpenBSD

  • Mail server admins around the world are rejoicing, because sendmail is finally gone from OpenBSD
  • With OpenSMTPD being a part of the base system, sendmail became largely redundant and unneeded
  • If you’ve ever compared a “sendmail.cf” file to an “smtpd.conf” file… the difference is as clear as night and day
  • 5.6 will serve as a transitional release, including both sendmail and OpenSMTPD, but 5.7 will be the first release without it
  • If you still need it for some reason, sendmail will live in ports from now on
  • Hopefully FreeBSD will follow suit sometime in the future as well, possibly including DragonFly’s mail transfer agent in base (instead of an entire mail server)

pfSense backups with pfmb

  • We’ve mentioned the need for a tool to back up pfSense configs a number of times on the show
  • This script, hosted on github, does pretty much exactly that
  • It can connect to one (or more!) pfSense installations and back up the configuration
  • You can roll back or replace failed hardware very easily with its restore function
  • Everything is done over SSH, so it should be pretty secure

The Design and Implementation of the FreeBSD Operating System

  • We mentioned it when the pre-orders went up, but now “The Design and Implementation of the FreeBSD Operating System, 2nd edition” seems to be shipping out
  • If you’re interested in FreeBSD development, or learning about the operating system internals, this is a great book to buy
  • We’ve even had all three authors on the show before!

OpenBSD’s systemd replacement updates

  • We mentioned last week that the news of OpenBSD creating systemd wrappers was getting mainstream attention
  • One of the developers writes in to Undeadly, detailing what’s going on and what the overall status is
  • He also clears up any confusion about “porting systemd to BSD” (that’s not what’s going on) or his code ever ending up in base (it won’t)
  • The top comment as of right now is a Linux user asking if his systemd wrappers can be ported back to Linux… poor guy

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you!
  • Last week we mentioned that Ken was looking for help to port Lumina to other BSDs, and now it’s been done for OpenBSD and DragonFly – so now you can try it out there too
  • Antoine Jacoutot sent a screenshot of Lumina on OpenBSD
  • We’ll be at EuroBSDCon soon, so there will be a prerecorded episode next week
  • When we’re not in Europe, you can usually watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

VPN, My Dear Watson | BSD Now 50 https://original.jupiterbroadcasting.net/64507/vpn-my-dear-watson-bsd-now-50/ Thu, 14 Aug 2014 10:47:27 +0000 https://original.jupiterbroadcasting.net/?p=64507 It’s our 50th episode, and we’re going to show you how to protect your internet traffic with a BSD-based VPN. We’ll also be talking to Robert Watson, of the FreeBSD core team, about security research, exploit mitigation and a whole lot more. The latest news and answers to all of your emails, on BSD Now […]


It’s our 50th episode, and we’re going to show you how to protect your internet traffic with a BSD-based VPN. We’ll also be talking to Robert Watson, of the FreeBSD core team, about security research, exploit mitigation and a whole lot more. The latest news and answers to all of your emails, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

MeetBSD 2014 is approaching

  • The MeetBSD conference is coming up, and will be held on November 1st and 2nd in San Jose, California
  • MeetBSD has an “unconference” format, which means there will be both planned talks and community events
  • All the extra details will be on their site soon
  • It also has hotels and various other bits of useful information – hopefully with more info on the talks to come
  • Of course, EuroBSDCon is coming up before then

First experiences with OpenBSD

  • A new blog post that leads off with “tired of the sluggishness of Windows on my laptop and interested in experimenting with a Unix-like that I haven’t tried before”
  • The author read the famous “BSD for Linux users” series (that most of us have surely seen) and decided to give BSD a try
  • He details his different OS and distro history, concluding with how he “eventually became annoyed at the poor quality of Linux userland software”
  • From there, it talks about how he used the OpenBSD USB image and got a fully-working system
  • He especially liked the simplicity of OpenBSD’s “hostname.if” system for network configuration
  • Finally, he gets Xorg working and imports all his usual configuration files – seems to be a happy new user!

NetBSD rump kernels on bare metal (and Kansai OSC report)

  • When you’re developing a new OS or a very specialized custom solution, working drivers become one of the hardest things to get right
  • However, NetBSD’s rump kernels – a very unique concept – make this process a lot easier
  • This blog post talks about the process of starting with just a rump kernel and expanding into an internet-ready system in just a week
  • Also have a look back at episode 8 for our interview about rump kernels and what exactly they do
  • While on the topic of NetBSD, there were also a couple of very detailed reports (with lots of pictures!) of the various NetBSD-themed booths at the 2014 Kansai Open Source Conference that we wanted to highlight

OpenSSL and LibreSSL updates

  • OpenSSL pushed out a few new versions, fixing multiple vulnerabilities (nine to be precise!)
  • Security concerns include leaking memory, possible denial of service, crashing clients, memory exhaustion, TLS downgrades and more
  • LibreSSL released a new version to address most of the vulnerabilities, but wasn’t affected by some of them
  • Whichever version of whatever SSL you use, make sure it’s patched for these issues
  • DragonFly and OpenBSD are patched as of the time of this recording but, even after a week, FreeBSD (outside of -CURRENT) and NetBSD are not

Interview – Robert Watson – rwatson@freebsd.org

FreeBSD architecture, security research techniques, exploit mitigation


Tutorial

Protecting traffic with a BSD-based VPN


News Roundup

A FreeBSD-based CGit server

  • If you use git (like a certain host of this show) then you’ve probably considered setting up your own server
  • This article takes you through the process of setting up a jailed git server, complete with a fancy web frontend
  • It even shows you how to set up multiple repos with key-based user separation and other cool things
  • The author of the post is also a listener of the show, thanks for sending it in!

Backup devices for small businesses

  • In this article, different methods of data storage and backup are compared
  • After weighing the various options, the author comes to an obvious conclusion: FreeNAS is the answer
  • He praises FreeNAS and the FreeNAS Mini for their tight integration, rock solid FreeBSD base and the great ZFS featureset that it offers
  • It also goes over some of the hardware specifics in the FreeNAS Mini

A new Xenocara interview

  • As a follow-up to last week’s OpenSMTPD interview, this Russian blog interviews Matthieu Herrb about Xenocara
  • If you’re not familiar with Xenocara, it’s OpenBSD’s version of Xorg with some custom patches
  • In this interview, he discusses how large and complex the upstream X11 development is, how different components are worked on by different people, how they test code (including a new framework) and security auditing
  • Matthieu is both a developer of upstream Xorg and an OpenBSD developer, so it’s natural for him to do a lot of the maintainership work there

Building a high performance FreeBSD samba server

  • If you’ve got to PXE boot several hundred Windows boxes to upgrade from XP to 7, what’s the best solution?
  • FreeBSD, ZFS and Samba obviously!
  • The master image and related files clock in at over 20GB, and will be accessed at the same time by all of those clients
  • This article documents that process, highlighting some specific configuration tweaks to maximize performance (including NIC bonding)
  • It doesn’t even require the newest or best hardware with the right changes, pretty cool

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • We want to give a special thanks to our viewer Adam (aka bsdx) for writing most of today’s OpenVPN tutorial
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The PC-BSD Tour | BSD Now 49 https://original.jupiterbroadcasting.net/64072/the-pc-bsd-tour-bsd-now-49/ Thu, 07 Aug 2014 11:38:35 +0000 https://original.jupiterbroadcasting.net/?p=64072 Coming up this week on the show, we’ve got something special for you! We’ll be giving you an in-depth look at all of the graphical PC-BSD utilities. That’s right, BSD doesn’t have to be command line only anymore! There’s also the usual round of answers to your emails and all the latest headlines, on BSD […]


Coming up this week on the show, we’ve got something special for you! We’ll be giving you an in-depth look at all of the graphical PC-BSD utilities. That’s right, BSD doesn’t have to be command line only anymore! There’s also the usual round of answers to your emails and all the latest headlines, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

FreeBSD foundation semi-annual newsletter

  • The FreeBSD foundation published their semi-annual newsletter, complete with a letter from the president of the foundation
  • “In fact after reading [the president’s] letter, I was motivated to come up with my own elevator pitch instead of the usual FreeBSD is like Linux, only better!”
  • It talks about the FreeBSD journal as being one of the most exciting things they’ve launched this year, conferences they funded and various bits of sponsored code that went into -CURRENT
  • The full list of funded projects is included, also with details in the financial reports
  • There are also a number of conference wrap-ups: NYCBSDCon, BSDCan, AsiaBSDCon and details about the upcoming EuroBSDCon
  • A new application page for travel grants to EuroBSDCon is also up

OpenBSD on an Intel NUC

  • A lot of people love small form factor PCs, and we love ones that can run BSD – so does the author of this write-up
  • The Intel NUC is a small, almost Mac Mini-like device that’s pretty cheap and offers some nice specs
  • “The NUC has integrated Intel graphics (Intel HD Graphics 5000) which as an OpenBSD user is exactly what I wanted” – fully supported
  • The post goes into detail about PXE booting the installation and talks about his experiences

BAFUG presentation videos

  • A couple of talks from BAFUG, the Bay Area FreeBSD Users Group, were uploaded to YouTube
  • The first talk is by Craig Rodrigues about libvirt and bhyve integration
  • libvirt is a C library for interacting with various hypervisors and virtualization technology – bhyve support was recently added
  • The second is by Adrian Chadd, titled “Upcoming RSS enhancements to the FreeBSD Network Stack”
  • Adrian also wrote a blog post that accompanies the video
  • We need more good quality BSD presentation videos!

TLS decompression

  • A new blog post from our buddy Ted Unangst (see our earlier episode: https://www.bsdnow.tv/episodes/2014_02_05-time_signatures), this time about a feature he recently removed from LibreSSL
  • The original commit message was just “decompress libressl” with no details – these are the missing details of that change
  • It talks about the different network layers where compression is applied and how code has to be refactored for that
  • “I might download a zip file (of png files!). The web server, if configured just wrong, can apply http compression to it. If it’s https, the TLS layer can compress it again. If I’m using an SSH tunnel, that can compress it. If it’s travelling over IPsec, it can get compressed again. It can get compressed again by IP compression. How many layers of compression do we really need?”

Special segment

The PC-BSD Tour


News Roundup

Introducing pkgfs

  • A new tool, pkgfs, was committed to FreeBSD -CURRENT
  • It’s described as “a file system implementation for reading files out of a compressed tarball”
  • Users will now be able to view pkgng packages (or any compressed tarball) just like NFS, SMB, SSHFS, etc

BSDMag’s July 2014 issue is out

  • Continuing their monthly release cycle, BSD Magazine has another issue for us
  • Topics include using Wireshark in a SAN environment, more GIMP image manipulation tutorials, an interview with Brett Davis about TrueNAS, an article about pkgng in DragonFlyBSD and a few other things
  • The PDF is free to download, as always

A new OpenSMTPD interview

  • Way back in episode three, we talked to Gilles and Eric from the OpenBSD team about OpenSMTPD
  • One of the developers gave a text-only interview with a Russian website about some recent activity
  • It talks about their development process, testing the code on various platforms and architectures, stress testing via the “Twitter flash mob” and a few other things

FreeBSD as a syslog server

  • If you have a large number of servers, examining their logs individually is a pain
  • Fortunately, you can configure them to send their logs to a dedicated system to receive them
  • This blog post goes through the process of setting up the “client” systems as well as the “server” system to get all your logs in one place

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • An important notice: OpenBSD is moving to a new distributor in September, so between now and then is your last chance to buy any of the current shirts, CDs, mugs, posters – grab them now while you still can!

Liberating SSL | BSD Now 48 https://original.jupiterbroadcasting.net/63517/liberating-ssl-bsd-now-48/ Thu, 31 Jul 2014 10:38:19 +0000 https://original.jupiterbroadcasting.net/?p=63517 Coming up in this week’s episode, we’ll be talking with one of OpenBSD’s newest developers – Brent Cook – about the portable version of LibreSSL and how it’s developed. We’ve also got some important information about the FreeBSD port of LibreSSL. The latest news and your emails, on BSD Now – the place to B.. […]

The post Liberating SSL | BSD Now 48 first appeared on Jupiter Broadcasting.


Coming up in this week’s episode, we’ll be talking with one of OpenBSD’s newest developers – Brent Cook – about the portable version of LibreSSL and how it’s developed. We’ve also got some important information about the FreeBSD port of LibreSSL. The latest news and your emails, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

FreeBSD quarterly status report

  • FreeBSD has gotten quite a lot done this quarter
  • Changes in the way release branches are supported – major releases will get at least five years over their lifespan
  • A new automounter is in the works, hoping to replace amd (which has some issues)
  • The CAM target layer and RPC stack have gotten some major optimization and speed boosts
  • Work on ZFSGuru continues, with a large status report specifically for that
  • The report also mentioned some new committers, both source and ports
  • It also covers GNATS being replaced with Bugzilla, the new core team, 9.3-RELEASE, GSoC updates, UEFI booting and lots of other things that we’ve already mentioned on the show
  • “Foundation-sponsored work resulted in 226 commits to FreeBSD over the April to June period”

A new OpenBSD HTTPD is born

  • Work has begun on a new HTTP daemon in the OpenBSD base system
  • A lot of people are asking “why?” since OpenBSD includes a chrooted nginx already – will it be removed? Will they co-exist?
  • Initial responses seem to indicate that nginx is getting bloated, and is a bit overkill for just serving content (this isn’t trying to be a full-featured replacement)
  • It’s partially based on the relayd codebase and also comes from the author of relayd, Reyk Floeter
  • This has the added benefit of the usual, easy-to-understand syntax and privilege separation
  • There’s a very brief man page online already
  • It supports vhosts and can serve static files, but is still in very active development – there will probably be even more new features by the time this airs
  • Will it be named OpenHTTPD? Or perhaps… LibreHTTPD? (I hope not)

pkgng 1.3 announced

  • The newest version of FreeBSD’s second generation package management system has been released, with lots of new features
  • It has a new “real” solver to automatically handle conflicts, and dynamically discover new ones (this means the annoying -o option is deprecated now, hooray!)
  • Lots of the code has been sandboxed for extra security
  • You’ll probably notice some new changes to the UI too, making things more user friendly
  • A few days later 1.3.1 was released to fix a few small bugs, then 1.3.2 shortly thereafter and 1.3.3 yesterday

FreeBSD after-install security tasks

  • A number of people have written in to ask us “how do I secure my BSD box after I install it?”
  • With this blog post, hopefully most of their questions will finally be answered in detail
  • It goes through locking down SSH with keys, patching the base system for security, installing packages and keeping them updated, monitoring and closing any listening services and a few other small things
  • Not only does it just list things to do, but the post also does a good job of explaining why you should do them
  • Maybe we’ll see some more posts in this series in the future
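An added example for the "locking down SSH with keys" step, not code from the blog post or from FreeBSD/OpenSSH: a small POSIX sh audit that reads an sshd_config the way sshd does (first non-comment occurrence of a keyword wins, global section only, stopping at the first Match block) and reports the settings a key-only login policy needs. The required values, the constructed sample configs, and the choice to treat an unset keyword as a finding instead of trusting the compiled-in default are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the blog post or from FreeBSD/OpenSSH:
# audit an sshd_config for the "keys only" settings the post recommends.
# Assumptions: keyword and value are whitespace separated ("Key value", not
# "Key=value"), only the global section before any Match block is audited,
# and an unset keyword counts as a finding (be explicit rather than trusting
# the compiled-in default).
set -u

# sshd_setting FILE KEYWORD
# Prints the effective (lower-cased) value of KEYWORD as sshd would see it:
# the first non-comment occurrence wins and Match blocks are not considered.
# Prints nothing if the keyword is unset in the global section.
sshd_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/   { next }                    # blank lines, comments
        tolower($1) == "match" { exit }                    # global section ends here
        tolower($1) == key     { print tolower($2); exit } # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per checked keyword; returns 1 if any is not as required.
audit_sshd_config() {
    f=$1
    rc=0
    # keyword=required value; this set is the example's policy, not a standard
    for pair in PasswordAuthentication=no \
                ChallengeResponseAuthentication=no \
                PermitRootLogin=no \
                PubkeyAuthentication=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_setting "$f" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok    $key $have"
        else
            echo "WEAK  $key is '${have:-unset}', required '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file before and after editing sshd_config, and keep the "WEAK" lines as the to-do list; a non-zero exit makes it usable from a configuration-management check as well.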

Interview – Brent Cook – bcook@openbsd.org / @busterbcook

LibreSSL’s portable version and development


News Roundup

FreeBSD Mastery – Storage Essentials

  • MWL’s new book about the FreeBSD storage subsystems now has an early draft available
  • Early buyers can get access to an in-progress draft of the book before the official release, but keep in mind that it may go through a lot of changes
  • Topics of the book will include GEOM, UFS, ZFS, the disk utilities, partition schemes, disk encryption and maximizing I/O performance
  • You’ll get access to the completed (e)book when it’s done if you buy the early draft
  • The suggested price is $8

Why BSD and not Linux?

  • Yet another thread comes up asking why you should choose BSD over Linux or vice-versa
  • Lots of good responses from users of the various BSDs
  • Directly ripping a quote: “Features like Ports, Capsicum, CARP, ZFS and DTrace were stable on BSDs before their Linux versions, and some of those are far more usable on BSD. Features like pf are still BSD-only. FreeBSD has GELI and ipfw and is “GCC free”. DragonflyBSD has HAMMER and kernel performance tuning. OpenBSD have upstream pf and their gamut of security features, as well as a general emphasis on simplicity.”
  • And “Over the years, the BSDs have clearly shown their worth in the nix ecosystem by pioneering new features and driving adoption of others. The most recent on OpenBSD were 2038 support and LibreSSL. FreeBSD still arguably rules the FOSS storage space with ZFS.”
  • Some other users share their switching experiences – worth a read

More g2k14 hackathon reports

  • Following up from last week’s huge list of hackathon reports, we have a few more
  • Landry Breuil spent some time with Ansible testing his infrastructure, worked on the firefox port and tried to push some of their patches upstream
  • Andrew Fresh enjoyed his first hackathon, pushing OpenBSD’s perl patches upstream and got tricked into rewriting the adduser utility in perl
  • Ted Unangst did his usual “teduing” (removing of) old code – say goodbye to asa, fpr, mkstr, xstr, oldrdist, fsplit, uyap and bluetooth
  • Luckily we didn’t have to cover 20 new ones this time!

BSDTalk episode 243

  • The newest episode of BSDTalk is out, featuring an interview with Ingo Schwarze of the OpenBSD team
  • The main topic of discussion is mandoc, which some users might not be familiar with
  • mandoc is a utility for formatting manpages that OpenBSD and NetBSD use (DragonFlyBSD and FreeBSD include it in their source tree, but it’s not built by default)
  • You may also want to watch Ingo’s BSDCan talk about mandoc
  • We’ll catch up to you soon, Will…

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Just can’t get enough LibreSSL? Brent also did a text-only interview for Undeadly, which we also have a link to there
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Want to come on for an interview or have a tutorial you’d like to see? Let us know
  • If you’re a big PCBSD fan, or have been curious about what it has to offer over regular FreeBSD, you’ll like next week’s episode
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

DES Challenge IV | BSD Now 47 https://original.jupiterbroadcasting.net/62987/des-challenge-iv-bsd-now-47/ Thu, 24 Jul 2014 11:44:16 +0000 https://original.jupiterbroadcasting.net/?p=62987 Coming up this week on the show! We’ve got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like. The latest news, answers to your emails and even some LibreSSL drama, on BSD Now – the place to B.. SD. Thanks to: […]

The post DES Challenge IV | BSD Now 47 first appeared on Jupiter Broadcasting.


Coming up this week on the show!

We’ve got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like.

The latest news, answers to your emails and even some LibreSSL drama, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

g2k14 hackathon reports

  • Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
  • Lots of work got done – in just the first two weeks of July, there were over 1000 commits to their CVS tree
  • Some of the developers wrote in to document what they were up to at the event
  • Bob Beck planned to work on kernel stuff, but then “LibreSSL happened” and he spent most of his time working on that
  • Miod Vallat also tells about his LibreSSL experiences
  • Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we’ll be interviewing him next week!)
  • Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
  • Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
  • Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
  • Martin Pelikan integrated read-only ext4 support
  • Vadim Zhukov did lots of ports work, including working on KDE4
  • Theo de Raadt created a new, more secure system call, “sendsyslog” and did a lot of work with /etc, sysmerge and the rc scripts
  • Paul Irofti worked on the USB stack, specifically for the Octeon platform
  • Sebastian Benoit worked on relayd filters and IPv6 code
  • Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
  • Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
  • Stefan Sperling fixed a lot of issues with wireless drivers
  • Florian Obser did many things related to IPv6
  • Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
  • Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
  • Matthieu Herrb worked on updating and modernizing parts of xenocara

FreeBSD pf discussion takes off

  • A thread started on the freebsd-questions and freebsd-current mailing lists this week concerning FreeBSD’s version of pf being old and seemingly unmaintained (unfortunately people didn’t always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
  • Straight from the SMP FreeBSD pf maintainer: “no one right now [is actively developing pf on FreeBSD]” and “Following OpenBSD on features would be cool, but no bulk imports would be made again. Bulk imports produce bad quality of port, and also pf in OpenBSD has no multi thread support”
  • Baptiste Daroussin was quick to point out that multi-thread support is not the only difference between FreeBSD and OpenBSD versions of pf, including work that was done to support VIMAGE (network virtualization, to support have entire network stacks in jails)
  • Baptiste Daroussin also reports on his efforts to update FreeBSD pf. He ran into problems and after breaking pf on head, his changes were reverted. He reports that he is still interested in porting individual OpenBSD pf features that are relevant to him, but not in a ‘full sync’ or being the overall maintainer of FreeBSD pf
  • The project is looking for volunteers to continue the work. Mentorship is available for a number of people familiar with the FreeBSD networking stack, and Henning Brauer (one of the authors of OpenBSD pf) has stated his willingness to help on a number of occasions, and candidates can apply to the FreeBSD Foundation for funding
  • Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
  • FreeBSD’s pf man pages are lacking, and some of FreeBSD’s documentation still links to OpenBSD’s pages, which are not compatible anymore
  • The discussion also touched on importing pf patches from pfSense, although the license that these patches are under is not clear at this time
  • Things quickly got off topic as further disagreement among individual developers vs. users derailed the conversation somewhat
  • Many users are very vocal about wanting it updated, saying they are willing to deal with the syntax change and it is worth the benefits
  • Some developers wonder which features of OpenBSD pf users actually want, other than just ‘the latest shiny’
  • Currently the only known problem with FreeBSD pf is with ipv6 fragments, and the VIMAGE subsystem
  • Gleb Smirnoff, author of the FreeBSD-specific SMP patches, says Henning’s claims about OpenBSD’s improved speed are “uncorroborated claims” (but neither side has provided any public benchmarks)
  • Olivier Cochard-Labbé (of the BSD Router Project) provided his benchmarks from Nov 2013 of packet forwarding rates with various configurations of FreeBSD 9.2 and 10, vs OpenBSD 5.4. Here is the raw data and scripts to reproduce and a graph of the results
  • There seem to be many opinions about what to do about pf, but so far no one willing to do the work

LibreSSL progress update

  • LibreSSL’s first few portable releases have come out and they’re making great progress, releasing 2.0.3 two days ago
  • Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
  • However, there has already been some drama… with Linux users
  • There was a problem with Linux’s PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
  • This “problem” doesn’t affect OpenBSD’s native implementation, only the portable version
  • The developers decided to weigh in to calm the misinformation and rage
  • A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now – remember to say thanks, guys
  • Ted Unangst has a really good post about the whole situation, definitely check it out
  • As a follow-up from last week, bapt says they’re working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly – if you’re a port maintainer, please test your ports against it

Preparation for NetBSD 7

  • The release process for NetBSD 7.0 is finally underway
  • The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
  • If you run NetBSD, that’ll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
  • They’re also looking for some help updating documentation and fixing any bugs that get reported
  • Another formal announcement will be made when the beta binaries are up

Interview – Dag-Erling Smørgrav – des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics


News Roundup

BSDCan ports and packages WG

  • Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
  • Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
  • There’s also some detail about the signing infrastructure and different mirrors
  • Ports people and source people need to talk more often about ABI breakage
  • The post also includes information about pkg 1.3, the old pkg tools’ EOL, the quarterly stable package sets and a lot more (it’s a huge post!)

Cross-compiling ports with QEMU and poudriere

  • With recent QEMU features, you can basically chroot into a completely different architecture
  • This article goes through the process of building ARMv6 packages on a normal X86 box
  • Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
  • The poudriere-devel port now has a “qemu user” option that will pull in all the requirements
  • Hopefully this will pave the way for official pkgng packages on those lesser-used architectures

Cloning FreeBSD with ZFS send

  • For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
  • This post shows his entire process in creating a mirror machine, using ZFS for everything
  • The “zfs send” and “zfs snapshot” commands really come in handy for this
  • He does the whole thing from a live CD, pretty impressive

FreeBSD Overview series

  • A new blog series we stumbled upon about a Linux user switching to BSD
  • In part one, he gives a little background on being “done with Linux distros” and documents his initial experience getting and installing FreeBSD 10
  • He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
  • Most of what he was used to on Linux was already in the default FreeBSD (except bash…)
  • Part two documents his experiences with pkgng and ports

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Last week we talked a bit about hardware compatibility; check out the NYC BSD Users’ Group’s dmesgd, a database of user-submitted dmesg output from various hardware on various BSDs. Help the community, submit your dmesg today!
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know – we want to do what the viewers want to see
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Base ISO 100 | BSD Now 44 https://original.jupiterbroadcasting.net/61457/base-iso-100-bsd-now-44/ Thu, 03 Jul 2014 11:46:54 +0000 https://original.jupiterbroadcasting.net/?p=61457 This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait! This week’s news and answers to all your emails, on BSD Now – […]

The post Base ISO 100 | BSD Now 44 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait!

This week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

pfSense 2.1.4 released

  • The pfSense team has released 2.1.4, shortly after 2.1.3 – it’s mainly a security release
  • Included within are eight security fixes, most of which are pfSense-specific
  • OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
  • It also includes a large number of various other bug fixes
  • Update all your routers!

DragonflyBSD’s pf gets SMP

  • While we’re on the topic of pf…
  • Dragonfly patches their old[er than even FreeBSD’s] pf to support multithreading in many areas
  • Stemming from a user’s complaint, Matthew Dillon did his own work on pf to make it SMP-aware
  • Altering your configuration’s ruleset can also help speed things up, he found
  • When will OpenBSD, the source of pf, finally do the same?

ChaCha usage and deployment

  • A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
  • This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
  • OpenSSH offers it as a stream cipher now, OpenBSD uses it for its random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
  • Both Google’s fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
  • Unfortunately, this article has one mistake: FreeBSD does not use it – they still use the broken RC4 algorithm

BSDMag June 2014 issue

  • The monthly online BSD magazine releases their newest issue
  • This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, “saving time and headaches using the robot framework for testing,” an interview and an article about the increasing number of security vulnerabilities
  • The free pdf file is available for download as always

Interview – Craig Rodrigues – rodrigc@freebsd.org

FreeBSD’s continuous testing infrastructure


Tutorial

Creating pre-patched OpenBSD ISOs


News Roundup

Preauthenticated decryption considered harmful

  • Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
  • In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end – this had the advantage of not requiring any extra disk space, but raised some security concerns
  • With signify, now everything is fully downloaded and verified before tar is even invoked
  • The pkg_add utility works a little bit differently, but it’s also been improved in this area – details in the post
  • Be sure to also read the original post from Adam, lots of good information
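The "download fully, verify, and only then hand the archive to tar" order described above, as an added POSIX sh example that is not the show's or OpenBSD's own signify(1)/pkg_add(1) code. It assumes a checksum list in the `SHA256 (name) = hex` format that sha256(1) writes and signify -C checks, and that the list's own signature has already been verified; the archive, manifest and destination paths are whatever the caller passes.

```shell
#!/bin/sh
# Added example, not code from the show or from OpenBSD's signify(1)/pkg_add(1):
# the "fully download, verify, and only then hand the archive to tar" pattern
# the post describes. Assumes a manifest in the "SHA256 (name) = hex" format
# that sha256(1) writes and signify -C checks; verifying the manifest's own
# signature is assumed to have happened already and is out of scope here.
set -u

# Print the hex SHA256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"          # BSD sha256(1)
    fi
}

# manifest_digest MANIFEST NAME
# Print the expected digest recorded for NAME; prints nothing if absent.
manifest_digest() {
    awk -v n="$2" '$1 == "SHA256" && $2 == "(" n ")" { print $4; exit }' "$1"
}

# verify_then_extract ARCHIVE MANIFEST DESTDIR
# Returns 0 and extracts only when ARCHIVE's SHA256 matches the manifest.
# On a missing entry or a mismatch it returns 1 *without* invoking tar, so a
# tampered or truncated download never touches DESTDIR.
verify_then_extract() {
    archive=$1
    manifest=$2
    dest=$3
    [ -f "$archive" ]  || { echo "missing archive: $archive" >&2; return 1; }
    [ -f "$manifest" ] || { echo "missing manifest: $manifest" >&2; return 1; }

    expected=$(manifest_digest "$manifest" "$(basename "$archive")")
    # A usable entry is exactly 64 lowercase hex digits.
    case $expected in
        *[!0-9a-f]*) expected="" ;;
    esac
    if [ ${#expected} -ne 64 ]; then
        echo "no usable SHA256 entry for $(basename "$archive") in $manifest" >&2
        return 1
    fi

    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $archive: refusing to extract" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi

    # Only now do the archive bytes reach tar.
    mkdir -p "$dest" && tar -xf "$archive" -C "$dest"
}

# Usage: sh verify_extract.sh set.tgz SHA256 /destination
if [ $# -eq 3 ]; then
    verify_then_extract "$1" "$2" "$3"
fi
```

The property that matters is the one the installer change bought: tar never parses bytes whose digest has not already been checked, which the old ftp-piped-to-tar approach could not guarantee even though it verified the hash at the end.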

FreeBSD 9.3-RC2 is out

  • As the -RELEASE inches closer, release candidate 2 is out and ready for testing
  • Since the last one, it’s got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
  • The updated bsdconfig will use pkgng style packages now too
  • A lesser known fact: there are also premade virtual machine images you can use too

pkgsrcCon 2014 wrap-up

  • In what may be the first real pkgsrcCon article we’ve ever had!
  • Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
  • Unfortunately no recordings to be found…

PostgreSQL FreeBSD performance and scalability

  • FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
  • On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
  • Lots of technical details if you’re interested in getting the best performance out of your hardware
  • It also includes specific kernel options he used and the rest of the configuration
  • If you don’t want to open the pdf file, you can use this link too

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • There, you’ll also find a link to Bob Beck’s LibReSSL talk from the end of May – we finally found a recording!
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Next week Allan will be at BSDCam, so we’ll have a prerecorded episode then

Package Design | BSD Now 43 https://original.jupiterbroadcasting.net/60837/package-design-bsd-now-43/ Thu, 26 Jun 2014 10:06:40 +0000 https://original.jupiterbroadcasting.net/?p=60837 It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the […]

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.


It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to: iXsystems, Tarsnap


– Show Notes: –

Headlines

EuroBSDCon 2014 talks and schedule

  • The talks and schedules for EuroBSDCon 2014 are finally revealed
  • The opening keynote is called “FreeBSD, looking forward to another 10 years” by jkh
  • Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
  • It looks like Theo even has a talk, but the title isn’t on the page… how mysterious
  • There are also days dedicated to some really interesting tutorials
  • Register now, the conference is on September 25-28th in Bulgaria
  • If you see Allan and Kris walking towards you and you haven’t given us an interview yet… well you know what’s going to happen
  • Why aren’t the videos up from last year yet? Will this year also not have any?

FreeNAS vs NAS4Free

  • More mainstream news covering BSD, this time with an article about different NAS solutions
  • In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
  • Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
  • Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
  • “One is pleasantly functional; the other continues devolving during a journey of pain” – uh oh, who’s the loser?

Quality software costs money, heartbleed was free

  • PHK writes an article for ACM Queue about open source software projects’ funding efforts
  • A lot of people don’t realize just how widespread open source software is – TVs, printers, gaming consoles, etc
  • The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish’s funding
  • The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
  • On that subject, “Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software”
  • Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive

Geoblock evasion with pf and OpenBSD rdomains

  • Geoblocking is a way for websites to block visitors based on the location of their IP
  • This is a blog post about how to get around it, using pf and rdomains
  • It has the advantage of not requiring any browser plugins or DNS settings on the users’ computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that…)
  • In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
  • It’s got all the details you need to set up a VPN-like system and bypass those pesky geographic filters

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

OpenBSD’s package system, building cluster, various topics
Tutorial

Keeping your BSD up to date
News Roundup

BoringSSL and LibReSSL

  • Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
  • Adam Langley has a blog post about it, why they did it and how they’re going to maintain it
  • You can easily browse the source code
  • Theo de Raadt also weighs in with how this effort relates to LibReSSL
  • More eyes on the code is good, and patches will be shared between the two projects

More BSD Tor nodes wanted

  • Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
  • Originally discussed on the Tor-Relays list, it was made apparent that having such a large number of Linux nodes weakens the security of the whole network
  • If one vulnerability is found, a huge portion of the network would be useless – we need more variety in the network stacks, crypto, etc.
  • The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
  • Check out our Tor tutorial and help out the network, and promote BSD at the same time!

FreeBSD 10 OpenStack images

  • OpenStack, to quote Wikipedia, is “a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution.”
  • The article goes into detail about creating a FreeBSD instance, then installing and converting it for use with “bsd-cloudinit”
  • The author of the article is a regular listener and emailer of the show, hey!

BSDday 2014 call for papers

  • BSD Day, a lesser-known conference, is going to be held August 9th in Argentina
  • It was created in 2008 and is the only BSD conference around that area
  • The “call for papers” was issued, so if you’re around Argentina and use BSD, consider submitting a talk
  • Sysadmins, developers and regular users are, of course, all welcome to come to the event

Feedback/Questions
  • All the tutorials are posted in their entirety at bsdnow.tv
  • Just a reminder for those who don’t check the website, you’ll also find contact information for every guest we’ve ever had in the show notes – so if you have follow up questions for them, it’s easy to get in touch
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • Congrats to Matt Ahrens for getting FreeBSD commit access – hopefully lots of great ZFS stuff to come
  • A special 21st happy birthday to FreeBSD

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.