opnsense – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Fri, 04 Jun 2021 07:51:00 +0000

Pastebin Alternative | Self-Hosted 46 https://original.jupiterbroadcasting.net/145227/pastebin-alternative-self-hosted-46/ Fri, 04 Jun 2021 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=145227 Show Notes: selfhosted.show/46

The post Pastebin Alternative | Self-Hosted 46 first appeared on Jupiter Broadcasting.

Crouching Pi, Hidden Server | Self-Hosted 38 https://original.jupiterbroadcasting.net/144217/crouching-pi-hidden-server-self-hosted-38/ Fri, 12 Feb 2021 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=144217 Show Notes: selfhosted.show/38

The post Crouching Pi, Hidden Server | Self-Hosted 38 first appeared on Jupiter Broadcasting.

OPNsense Makes Sense | Self-Hosted 24 https://original.jupiterbroadcasting.net/142337/opnsense-makes-sense-self-hosted-24/ Thu, 30 Jul 2020 03:00:00 +0000 https://original.jupiterbroadcasting.net/?p=142337 Show Notes: selfhosted.show/24

The post OPNsense Makes Sense | Self-Hosted 24 first appeared on Jupiter Broadcasting.

Chris’ Data Crisis | LINUX Unplugged 355 https://original.jupiterbroadcasting.net/141692/chris-data-crisis-linux-unplugged-355/ Tue, 26 May 2020 20:30:00 +0000 https://original.jupiterbroadcasting.net/?p=141692 Show Notes: linuxunplugged.com/355

The post Chris' Data Crisis | LINUX Unplugged 355 first appeared on Jupiter Broadcasting.

Where Do I Start? | Self-Hosted 17 https://original.jupiterbroadcasting.net/141212/where-do-i-start-self-hosted-17/ Thu, 23 Apr 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=141212 Show Notes: selfhosted.show/17

The post Where Do I Start? | Self-Hosted 17 first appeared on Jupiter Broadcasting.

OK OOMer | LINUX Unplugged 348 https://original.jupiterbroadcasting.net/140912/ok-oomer-linux-unplugged-348/ Tue, 07 Apr 2020 18:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140912 Show Notes: linuxunplugged.com/348

The post OK OOMer | LINUX Unplugged 348 first appeared on Jupiter Broadcasting.

FreeBSD, Corona: Fight! | BSD Now 343 https://original.jupiterbroadcasting.net/140552/freebsd-corona-fight-bsd-now-343/ Thu, 26 Mar 2020 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140552 Show Notes/Links: https://www.bsdnow.tv/343

The post FreeBSD, Corona: Fight! | BSD Now 343 first appeared on Jupiter Broadcasting.

Kubernetes on bhyve | BSD Now 337 https://original.jupiterbroadcasting.net/139402/kubernetes-on-bhyve-bsd-now-337/ Thu, 13 Feb 2020 08:30:00 +0000 https://original.jupiterbroadcasting.net/?p=139402 Show Notes/Links: https://www.bsdnow.tv/337

The post Kubernetes on bhyve | BSD Now 337 first appeared on Jupiter Broadcasting.

Archived Knowledge | BSD Now 336 https://original.jupiterbroadcasting.net/139192/archived-knowledge-bsd-now-336/ Thu, 06 Feb 2020 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=139192 Show Notes/Links: https://www.bsdnow.tv/336

The post Archived Knowledge | BSD Now 336 first appeared on Jupiter Broadcasting.

Firewall Fun | TechSNAP 421 https://original.jupiterbroadcasting.net/138857/firewall-fun-techsnap-421/ Fri, 24 Jan 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=138857 Show Notes: techsnap.systems/421

The post Firewall Fun | TechSNAP 421 first appeared on Jupiter Broadcasting.

Cracking Rainbows | BSD Now 325 https://original.jupiterbroadcasting.net/137192/cracking-rainbows-bsd-now-325/ Thu, 21 Nov 2019 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=137192 Show Notes/Links: https://www.bsdnow.tv/325

The post Cracking Rainbows | BSD Now 325 first appeared on Jupiter Broadcasting.

Happy Birthday, Unix | BSD Now 322 https://original.jupiterbroadcasting.net/136462/happy-birthday-unix-bsd-now-322/ Thu, 31 Oct 2019 03:00:38 +0000 https://original.jupiterbroadcasting.net/?p=136462 Show Notes/Links: https://www.bsdnow.tv/322

The post Happy Birthday, Unix | BSD Now 322 first appeared on Jupiter Broadcasting.

My New Free NAS | BSD Now 310 https://original.jupiterbroadcasting.net/133447/my-new-free-nas-bsd-now-310/ Wed, 07 Aug 2019 19:00:45 +0000 https://original.jupiterbroadcasting.net/?p=133447 Show Notes/Links: https://www.bsdnow.tv/310

The post My New Free NAS | BSD Now 310 first appeared on Jupiter Broadcasting.

Mumbling with OpenBSD | BSD Now 308 https://original.jupiterbroadcasting.net/133002/mumbling-with-openbsd-bsd-now-308/ Wed, 24 Jul 2019 20:00:08 +0000 https://original.jupiterbroadcasting.net/?p=133002 Show Notes/Links: https://www.bsdnow.tv/308

The post Mumbling with OpenBSD | BSD Now 308 first appeared on Jupiter Broadcasting.

Changing face of Unix | BSD Now 305 https://original.jupiterbroadcasting.net/132546/changing-face-of-unix-bsd-now-305/ Wed, 03 Jul 2019 19:00:34 +0000 https://original.jupiterbroadcasting.net/?p=132546 Show Notes/Links: https://www.bsdnow.tv/305

The post Changing face of Unix | BSD Now 305 first appeared on Jupiter Broadcasting.

Open the Rsync | BSD Now 282 https://original.jupiterbroadcasting.net/129036/open-the-rsync-bsd-now-282/ Thu, 24 Jan 2019 09:05:13 +0000 https://original.jupiterbroadcasting.net/?p=129036

## Headlines

### AsiaBSDCon 2019 Call for Papers

  • You have until Jan 30th to submit
  • Full paper requirement is relaxed a bit this year (this year ONLY!) due to the short submission window. You don’t need all 10-12 pages, but it is still preferred.
  • Send a message to secretary@asiabsdcon.org with your proposal. Could be either for a talk or a tutorial.
  • Two days of tutorials/devsummit and two days of conference during Sakura season in Tokyo, Japan
  • The conference is also looking for sponsors
  • If accepted, flight and hotel is paid for by the conference

### Project Trident 18.12 Released


### Building Spotifyd on NetBSD

These are the steps I went through to build and run Spotifyd (this commit at the time of writing) on NetBSD AMD64. It’s a Spotify Connect client so it means I still need to control Spotify from another device (typically my phone), but the audio is played through my desktop… which is where my speakers and headphones are plugged in – it means I don’t have to unplug stuff and re-plug into my phone, work laptop, etc. This is 100% a “good enough for now solution” for me; I have had a quick play with the Go based microcontroller from spotcontrol and that allows a completely NetBSD only experience (although it is just an example application so doesn’t provide many features – great as a basis to build on though).


## News Roundup

### OPNsense 18.7.10 released

2019 means 19.1 is almost here. In the meantime accept this small
incremental update with goodies such as Suricata 4.1, custom passwords
for P12 certificate export as well as fresh fixes in the FreeBSD base.
A lot of cleanups went into this update to make sure there will be a
smooth transition to 19.1-RC for you early birds. We expect RC1 in 1-2
weeks and the final 19.1 on January 29.


### Introducing the Ultra EPYC AMD Powered Sun Ultra 24 Workstation

A few weeks ago, I got an itch to build a workstation with AMD EPYC. There are a few constraints. First, I needed a higher-clock part. Second, I knew the whole build would be focused more on being an ultra high-end workstation rather than simply utilizing gaming components. With that, I decided it was time to hit on a bit of nostalgia for our readers. Mainly, I wanted to do an homage to Sun Microsystems. Sun made the server gear that the industry ran on for years, and as a fun fact, if you go behind the 1 Hacker Way sign at Facebook’s campus, they left the Sun Microsystems logo. Seeing that made me wonder if we could do an ultimate AMD EPYC build in a Sun Microsystems workstation.


### OpenRsync

This is a clean-room implementation of rsync with a BSD (ISC) license. It is designed to be compatible with a modern rsync (3.1.3 is used for testing). It currently compiles and runs only on OpenBSD.
This project is still very new and very fast-moving.
It’s not ready for wide-spread testing. Or even narrow-spread beyond getting all of the bits to work. It’s not ready for strong attention. Or really any attention but by careful programming.
Many have asked about portability. We’re just not there yet, folks. But don’t worry, the system is easily portable. The hard part for porters is matching OpenBSD’s pledge and unveil.


### The first report on LLD porting

LLD is the link editor (linker) component of Clang toolchain. Its main advantage over GNU ld is much lower memory footprint, and linking speed. It is of specific interest to me since currently 8 GiB of memory are insufficient to link LLVM statically (which is the upstream default).
The first goal of LLD porting is to ensure that LLD can produce working NetBSD executables, and be used to build LLVM itself. Then, it is desirable to look into trying to build additional NetBSD components, and eventually into replacing /usr/bin/ld entirely with lld.
In this report, I would like to shortly summarize the issues I have found so far trying to use LLD on NetBSD.


### Ring in the new

It’s the second week of 2019 already, which means I’m curious what Nate is going to do with his series This week in usability … reset the numbering from week 1? That series is a great read, to keep up with all the little things that change in KDE source each week — aside from the release notes.
For the big ticket items of KDE on FreeBSD, you should read this blog instead.

  • In ports this week (mostly KDE, some unrelated):
  • KDE Plasma has been updated to the latest release, 5.14.5.
  • KDE Applications 18.12.1 were released today, so we’re right on top of them.
  • Marble was fixed for FreeBSD-running-on-Power9.
  • Musescore caught up on 18 months of releases.
  • Phonon updated to 4.10.1, along with its backends.
  • And in development, Qt WebEngine 5.12 has been prepared in the incongruously-named plasma-5.13 branch in Area51; that does contain all the latest bits described above, as well.

## Beastie Bits


## Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

The post Open the Rsync | BSD Now 282 first appeared on Jupiter Broadcasting.

Metaphorically Exploited | TechSNAP 258 https://original.jupiterbroadcasting.net/97786/metaphorically-exploited-techsnap-258/ Thu, 17 Mar 2016 16:40:16 +0000 https://original.jupiterbroadcasting.net/?p=97786

The theoretical Android flaw becomes reality, a simple phishing scam hits some major companies & why your PIN has already been leaked.

Plus great questions, our answers, a rocking round up & much, much more!


Show Notes:

W2 Phishing scams hit a number of companies

  • “Payday lending firm Moneytree is the latest company to alert current and former employees that their tax data — including Social Security numbers, salary and address information — was accidentally handed over directly to scam artists”
  • “Seattle-based Moneytree sent an email to employees on March 4 stating that “one of our team members fell victim to a phishing scam and revealed payroll information to an external source.””
  • ““Moneytree was apparently targeted by a scam in which the scammer impersonated me (the company co-founder) and asked for an emailed copy of certain information about the Company’s payroll including Team Member names, home addresses, social security numbers, birthdates and W2 information,” Moneytree co-founder Dennis Bassford wrote to employees.”
  • Why that would even be a reasonable request, I don’t know
  • “Unfortunately, this request was not recognized as a scam, and the information about current and former Team Members who worked in the US at Moneytree in 2015 or were hired in early 2016 was disclosed. The good news is that our servers and security systems were not breached, and our millions of customer records were not affected. The bad news is that our Team Members’ information has been compromised.”
  • Moneytree joins a growing list of companies disclosing to employees that they were duped by W2 phishing scams, which this author first warned about in mid-February. Earlier this month, data storage giant Seagate acknowledged that a similar phishing scam had compromised the tax and personal data on thousands of current and past employees.
  • “On March 1, Seagate Technology learned that the 2015 W-2 tax form information for current and former U.S.-based employees was sent to an unauthorized third party in response to the phishing email scam. The information was sent by an employee who believed the phishing email was a legitimate internal company request.”
  • “W2 information is highly prized by fraudsters involved in tax refund fraud, a multi-billion dollar problem in which thieves claim a large refund in the victim’s name, and ask for the funds to be electronically deposited into an account the crooks control.”
  • “For better or worse, most companies that have notified employees about a W2 phish this year are offering employees the predictable free credit monitoring, which is of course useless to prevent tax fraud and many other types of identity theft. But in a refreshing departure from that tired playbook, Moneytree says it will be giving employees an extra $50 in their next paycheck to cover the initial cost of placing a credit freeze (for more information on the difference between credit monitoring and a freeze and why a freeze might be a better idea, check out Credit Monitoring vs. Freeze and How I Learned to Stop Worrying and Embrace the Security Freeze).”
  • ““When something like this happens, the right thing to do is to disclose what you know as soon as possible, take care of the people affected, and learn from what went wrong. To make good on that last point, we will be ramping up our information security efforts company-wide, because we never want to have to write an email like this to you again”.”

New exploit developed for Android Stagefright

  • “Security researchers have successfully exploited the Android-based Stagefright bug and remotely hacked a phone, which may leave millions of devices vulnerable to attack.”
  • “Israeli software research company NorthBit claimed it had “properly” exploited the Android bug that was originally described as the “worst ever discovered”.”
  • “The exploitation, called Metaphor, is detailed in a research paper (PDF) from NorthBit and also a video showing the exploit being run on a Nexus 5. NorthBit said it had also successfully tested the exploit on a LG G3, HTC One and Samsung Galaxy S5.”
  • “The Stagefright vulnerability was first highlighted by security firm Zimperium in July 2015. The hack was said to be able to execute remote code on Android devices and could possibly affect up to 95 percent of Android devices.”
  • “A second critical vulnerability exploited issues in .mp3 and .mp4 files, which when opened were claimed to be able to remotely execute malicious code, was dubbed Stagefright 2.0 in October.”
  • The flaws were originally thought to not be easily exploitable, but this new research provides a simple remote exploit case
  • “The researchers from NorthBit say they have been able to create an exploit that can be used against Stagefright on Android 2.2, 4.0, 5.0 and 5.1. Other versions are not affected.”
  • Android 5.0 and above are protected by ASLR, however “Dabah claims the exploit “depicts a way to bypass” address space layout randomisation (ASLR)”
  • ““We managed to exploit it to make it work in the wild,” Dabah said. The research paper reads: “Breaking ASLR requires some information about the device, as different devices use slightly different configurations which may change some offsets or predictable addresses locations.””
  • ““I would be surprised if multiple professional hacking groups do not have working Stagefright exploits by now. Many devices out there are still vulnerable, so Zimperium has not published the second exploit in order to protect the ecosystem”.”
  • Researcher PDF
  • I am glad my phone runs Android 6.0.1 with the March 2016 Security Updates applied

PIN analysis

  • “There are 10,000 possible combinations that the digits 0-9 can be arranged to form a 4-digit pin code. Out of these ten thousand codes, which is the least commonly used?”
  • “People are notoriously bad at generating random passwords. I hope this article will scare you into being a little more careful in how you select your next PIN number. Are you curious about what the least commonly used PIN number might be?”
  • “I was able to find almost 3.4 million four digit passwords. Every single one of the 10,000 combinations of digits from 0000 through to 9999 were represented in the dataset”
  • “A staggering 26.83% of all passwords could be guessed by attempting the top 20 combinations”
  • “The first “puzzling” password I encountered was 2580 in position #22. What is the significance of these digits? Why should so many people select this code to make it appear so high up the list?”
  • This turns out to be straight down the middle of a telephone style number pad. Not the same as on a computer, but most ABMs use the telephone style
  • “Another fascinating piece of trivia is that people seem to prefer even numbers over odd, and codes like 2468 occur higher than an odd number equivalent, such as 1357”
  • “Statistically, one third of all codes can be guessed by trying just 61 distinct combinations! The 50% cumulative chance threshold is passed at just 426 codes (far less than the 5,000 that a random uniform distribution would predict)”
  • The most unpopular PIN is: 8068
  • “Warning: Now that we’ve learned that, historically, 8068 is (was?) the least commonly used password 4-digit PIN, please don’t go out and change yours to this! Hackers can read too! They will also be promoting 8068 up their attempt trees in order to catch people who read this (or similar) articles.”
  • “Many of the high frequency PIN numbers can be interpreted as years, e.g. 1967 1956 1937 … It appears that many people use a year of birth (or possibly an anniversary) as their PIN. This will certainly help them remember their code, but it greatly increases its predictability”
  • Pins that start with 19 dominate the top 10%, and all appear within the top 20%
  • The heatmap also shows that people tend to use Birthdays a lot as well (MMDD)

Feedback:


Round Up:


The post Metaphorically Exploited | TechSNAP 258 first appeared on Jupiter Broadcasting.

Big Network, SmallWall | BSD Now 97 https://original.jupiterbroadcasting.net/84942/big-network-smallwall-bsd-now-97/ Thu, 09 Jul 2015 10:06:09 +0000 https://original.jupiterbroadcasting.net/?p=84942

Coming up this time on the show, we’ll be chatting with Lee Sharp. He’s recently revived the m0n0wall codebase, now known as SmallWall, and we’ll find out what the future holds for this new addition to the BSD family. As usual, we’ve also got answers to your emails and all this week’s news on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

BSDCan and pkgsrcCon videos


OPNsense 15.7 released

  • The OPNsense team has released version 15.7, almost exactly six months after their initial debut
  • In addition to pulling in the latest security fixes from upstream FreeBSD, 15.7 also includes new integration of an intrusion detection system (and new GUI for it) as well as new blacklisting options for the proxy server
  • Taking a note from upstream PF’s playbook, ALTQ traffic shaping support has finally been retired as of this release (it was deprecated from OpenBSD a few years ago, and the code was completely removed just over a year ago)
  • The LibreSSL flavor has been promoted to production-ready, and users can easily migrate over from OpenSSL via the GUI – switching between the two is simple; no commitment needed
  • Various third party ports have also been bumped up to their latest versions to keep things fresh, and there’s the usual round of bug fixes included
  • Shortly afterwards, 15.7.1 was released with a few more small fixes

NetBSD at Open Source Conference 2015 Okinawa

  • If you liked last week’s episode then you’ll probably know what to expect with this one
  • The NetBSD users group of Japan hit another open source conference, this time in Okinawa
  • This time, they had a few interesting NetBSD machines on display that we didn’t get to see in the interview last week
  • We’d love to see something like this in North America or Europe too – anyone up for installing BSD on some interesting devices and showing them off at a Linux con?

OpenBSD BGP and VRFs

  • “VRFs, or in OpenBSD rdomains, are a simple, yet powerful (and sometimes confusing) topic”
  • This article aims to explain both BGP and rdomains, using network diagrams, for some network isolation goodness
  • With multiple rdomains, it’s also possible to have two upstream internet connections, but lock different groups of your internal network to just one of them
  • The idea of a “guest network” can greatly benefit from this separation as well, even allowing for the same IP ranges to be used without issues
  • Combining rdomains with the BGP protocol allows for some very selective and precise blocking/passing of traffic between networks, which is also covered in detail here
  • The BSDCan talk on rdomains expands on the subject a bit more if you haven’t seen it, as well as a few related posts

Interview – Lee Sharp – lee@smallwall.org

SmallWall, a continuation of m0n0wall


News Roundup

Solaris adopts more BSD goodies

  • We mentioned a while back that Oracle developers have begun porting a current version of OpenBSD’s PF firewall to their next version, even contributing back patches for SMP and other bug fixes
  • They recently published an article about PF, talking about what’s different about it on their platform compared to others – not especially useful for BSD users, but interesting to read if you like firewalls
  • Darren Moffat, who was part of originally getting an SSH implementation into Solaris, has a second blog post up about their “SunSSH” fork
  • Going forward, their next version is going to offer a completely vanilla OpenSSH option as well, with the plan being to phase out SunSSH after that
  • The article talks a bit about the history of getting SSH into the OS, forking the code and also lists some of the differences between the two
  • In a third blog post, they talk about a new system call they’re borrowing from OpenBSD, getentropy(2), as well as the addition of arc4random to their libc
  • With an up-to-date and SMP-capable PF, ZFS with native encryption, jail-like Zones, unaltered OpenSSH and secure entropy calls… is Solaris becoming better than us?
  • Look forward to the upcoming “Solaris Now” podcast (not really)

EuroBSDCon 2015 talks and tutorials

  • This year’s EuroBSDCon is set to be held in Sweden at the beginning of October, and the preliminary list of accepted presentations has been published
  • The list looks pretty well-balanced between the different BSDs, something Paul would be happy to see if he was still with us
  • It even includes an interesting DragonFly talk and a couple talks from NetBSD developers, in addition to plenty of FreeBSD and OpenBSD of course
  • There are also a few tutorials planned for the event, some you’ve probably seen already and some you haven’t
  • Registration for the event will be opening very soon (likely this week or next)

Using ZFS replication to improve offsite backups

  • If you take backups seriously, you’re probably using ZFS and probably keeping an offsite copy of the data
  • This article covers doing just that, but with a focus on making use of the replication capability
  • It’ll walk you through taking a snapshot of your pool and then replicating it to another remote system, using “zfs send” and SSH – this has the benefit of only transferring the files that have changed since the last time you did it
  • Steps are also taken to allow a regular user to take and manage snapshots, so you don’t need to be root for the SSH transfer
  • Data integrity is a long process – filesystem-level checksums, resistance to hardware failure, ECC memory, multiple copies in different locations… they all play a role in keeping your files secure; don’t skip out on any of them
  • One thing the author didn’t mention in his post: having an offline copy of the data, ideally sealed in a safe place, is also important

Block encryption in OpenBSD

  • We’ve covered ways to do fully-encrypted installations of OpenBSD (and FreeBSD) before, but that requires dedicating a whole drive or partition to the sensitive data
  • This blog post takes you through the process of creating encrypted containers in OpenBSD, à la TrueCrypt – that is, a file-backed virtual device with an encrypted filesystem
  • It goes through creating a file that looks like random data, pointing vnconfig at it, setting up the crypto and finally using it as a fake storage device
  • The encrypted container method offers the advantage of being a bit more portable across installations than other ways

Docker hits FreeBSD ports

  • The inevitable has happened, and an early FreeBSD port of docker is finally here
  • Some details and directions are available to read if you’d like to give it a try, as well as a list of which features work and which don’t
  • There was also some Hacker News discussion on the topic

Microsoft donates to OpenSSH

  • We’ve talked about big businesses using BSD and contributing back before, even mentioning a few other large public donations – now it’s Microsoft’s turn
  • With their recent decision to integrate OpenSSH into an upcoming Windows release, Microsoft has donated a large sum of money to the OpenBSD foundation, making them a gold-level sponsor
  • They’ve also posted some contract work offers on the OpenSSH mailing list, and say that their changes will be upstreamed if appropriate – we’re always glad to see this

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re always looking for interviews – get in touch if you’re doing anything cool with BSD that you’d like to talk about (or want to suggest someone else)
  • The FreeNAS community recently lost one of their most active members, Marbus90, who has been a big help to them for a long time – rest in peace and thanks for all your work

The post Big Network, SmallWall | BSD Now 97 first appeared on Jupiter Broadcasting.

Builder’s Insurance | BSD Now 94 https://original.jupiterbroadcasting.net/83917/builders-insurance-bsd-now-94/ Thu, 18 Jun 2015 10:30:39 +0000 https://original.jupiterbroadcasting.net/?p=83917

This week on the show, we’ll be chatting with Marc Espie. He’s recently added some additional security measures to dpb, OpenBSD’s package building tool, and we’ll find out why they’re so important. We’ve also got all this week’s news, answers to your emails and even a BSDCan wrap-up, coming up on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

BSDCan 2015 videos


Documenting my BSD experience

  • Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it’s finally time to give BSD a try
  • “That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in.”
  • In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
  • The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you’re into that)
  • You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
  • He’s also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
  • His second post explores replacing the firewall on his self-described “over complicated home network” with an OpenBSD box
  • After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
  • All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
  • Getting to hear experiences like this is very important – they show areas where all the BSD developers’ hard work has paid off, but can also let us know where we need to improve

PC-BSD starts experimental HardenedBSD builds

  • The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
  • They’re not the first major FreeBSD-based project to offer an alternate build – OPNsense did that a few weeks ago – but this might open the door for more projects to give it a try as well
  • With PersonaCrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won’t have
  • Time will tell if more projects and products like FreeNAS might be interested too

C-states in OpenBSD

  • People who run BSD on their notebooks, you’ll want to pay attention to this one
  • OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
  • According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
  • If you’re running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings

NetBSD at Open Source Conference 2015 Hokkaido

  • The Japanese NetBSD users group never sleeps, and they’ve hit yet another open source conference
  • As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
  • We’ll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD’s dpb tool


News Roundup

Introducing xhyve, bhyve on OS X

  • We’ve talked about FreeBSD’s “bhyve” hypervisor a lot on the show, and now it’s been ported to another OS
  • As the name “xhyve” might imply, it’s a port of bhyve to Mac OS X
  • Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
  • It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
  • There are also a few examples on how to use it

4K displays on DragonFlyBSD

  • If you’ve been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you’ll be pleased to know that 4K displays work just fine
  • Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
  • Some GUI applications might look weird on such a huge resolution, HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience

Sandboxing port daemons on OpenBSD

  • We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD’s base are chrooted by default – things from ports or packages don’t always get the same treatment
  • This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn’t chroot by default
  • It goes through the process of manually building a sandbox with all the libraries you’ll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
  • With a few small changes, similar tricks could be done on the other BSDs as well – everybody has chroots

SmallWall 1.8.2 released

  • SmallWall is a relatively new BSD-based project that we’ve never covered before
  • It’s an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
  • They’ve just released the first official version, so you can give it a try now
  • If you’re interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks…

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Below the Clouds | BSD Now 88 https://original.jupiterbroadcasting.net/81662/below-the-clouds-bsd-now-88/ Thu, 07 May 2015 10:06:26 +0000 https://original.jupiterbroadcasting.net/?p=81662 This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD. Thanks to: Get Paid to Write […]

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.

This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to: DigitalOcean, iXsystems, Tarsnap

– Show Notes: –

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted a report of the activities that went on between January and March of this year
  • As usual, it’s broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
  • The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
  • The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
  • FreeBSD’s future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
  • Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
  • Lots of activity is happening in bhyve, some of which we’ve covered recently, and a number of improvements were made this quarter
  • Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
  • Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
  • The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
  • ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
  • The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
  • Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)

OpenBSD 5.7 released

  • OpenBSD has formally released another new version, complete with the giant changelog we’ve come to expect
  • In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
  • If you’re using one of the Soekris boards, there’s even a new driver to manipulate the GPIO and LEDs on them – this has some fun possibilities
  • Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic “random” functions being replaced with strong randomness, and support for remote logging over TLS
  • The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD’s libc from being vulnerable to earlier attacks affecting other BSDs’ implementations
  • Being that it’s OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
  • Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore (very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily)
  • BIND and nginx have been taken out, so you’ll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
  • Speaking of httpd, it’s gotten a number of new features, and has had time to grow and mature since its initial debut – if you’ve been considering trying it out, now would be a great time to do so
  • This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
  • Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
  • Groundwork has also been laid for some major SMP scalability improvements – look forward to those in future releases
  • There’s a song and artwork to go along with the release as always, and CDs should be arriving within a few days – we’ll show some pictures next week
  • Consider picking one up to support the project (and it’s the only way to get puffy stickers)
  • For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now…

Tor-BSD diversity project

  • We’ve talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
  • A new initiative has started to do just that, called the Tor-BSD diversity project
  • “Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. […] A single kernel vulnerability in GNU/Linux that impacts Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity.”
  • In addition to encouraging people to put up more relays, they’re also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
  • There’s an additional progress report for that part specifically, and it looks like most of the work is done now
  • Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
  • If you’ve been considering running a node to help out, there’s always our handy tutorial on getting set up

PC-BSD 10.1.2-RC1 released

  • If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
  • This quarterly update includes a number of new features, improvements and even some additional utilities
  • PersonaCrypt is one of them – it’s a new tool for easily migrating encrypted home directories between systems
  • A new “stealth mode” option allows for a one-time login, using a blank home directory that gets wiped after use
  • Similarly, a new “Tor mode” allows for easy tunneling of all your traffic through the Tor network (hopefully through some BSD nodes, as we just mentioned..)
  • IPFW is now the default firewall, offering improved VIMAGE capabilities
  • The life preserver backup tool now allows for bare-metal restores via the install CD
  • ISC’s NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
  • It also includes the latest Lumina desktop, and there’s another post dedicated to that
  • Binary packages have also been updated to fresh versions from the ports tree
  • More details, including upgrade instructions, can be found in the linked blog post

Interview – Ed Schouten – ed@freebsd.org / @edschouten

CloudABI


News Roundup

Open Household Router Contraption

  • This article introduces OpenHRC, the “Open Household Router Contraption”
  • In short, it’s a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
  • It also makes use of Ansible playbooks for configuration, allowing for a more “mass deployment” type of setup
  • Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver – it even does DNSSEC validation
  • All the code is open source and on Github, so you can read through what’s actually being changed and put in place
  • There’s also a video guide to the entire process, if you’re more of a visual person

OPNsense 15.1.10 released

  • Speaking of BSD routers, if you’re looking for a more “prebuilt and ready to go” option, OPNsense has just released a new version
  • 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
  • Going along with this theme, they’ve redone how they do ports, which are now kept totally in sync with the regular ports tree
  • Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
  • NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
  • Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs

IBM Workpad Z50 and NetBSD

  • Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
  • Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640×480 display
  • You can probably tell where this is going… the article is about installing NetBSD on it
  • “What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running”
  • The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
  • He’s also got a couple videos of the bootup process and running Xorg (neither of which we’d call “speedy” by any stretch of the imagination)

FreeBSD from the trenches

  • The FreeBSD Foundation has a new blog post up in their “from the trenches” series, detailing FreeBSD in some real-world use cases
  • In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
  • While the installer allows for an automatic ZFS layout, Glen notes that it’s not a one-size-fits-all thing, and goes through doing everything manually
  • Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool

Broadwell in DragonFly

  • DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
  • Their i915 driver has been brought up to speed with Linux 3.14’s, adding not only Broadwell support, but many other bugfixes for other cards too
  • It’s planned for commit to the main tree very soon, but you can test it out with a git branch for the time being

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you guys if you’re working on anything cool
  • The OpenBSD router tutorial has been reorganized and updated for 5.7, it has a new section on bandwidth statistics and has finally gotten so big that it now has a table of contents
  • This year’s vBSDCon has been formally announced, and will take place September 11th-13th in Reston, Virginia (eastern USA)
  • There’s no official call for papers, but they do welcome people to submit talk ideas for consideration
  • If you’re in Michigan, there’s a new BSD users group just starting up – LivBUG
  • If there’s a local BUG in your area, let us know and we’ll be glad to mention it
