Show Notes: linuxunplugged.com/333

The post Linux Wayback Machine | LINUX Unplugged 333 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Responsible Disclosure Is Hard

• When a responsible person discovers a security issue, disclosing it properly is difficult

• Uses Tesla’s policy as a good example of how companies should do this

• “This is not hard stuff and it basically amounts to text on a page. Consider whether your own organisation has something to this effect and is actually ready to handle disclosure by those who attempt to do so ethically. Listen to these people and be thankful they exist; there’s a whole bunch of others out there who are far less charitable and by the time you hear from those guys, it’s already too late.”

RedHat deprecates Btrfs

• The Btrfs file system has been in Technology Preview state since the initial release of Red Hat Enterprise Linux 6. Red Hat will not be moving Btrfs to a fully supported feature and it will be removed in a future major release of Red Hat Enterprise Linux.

• The Btrfs file system did receive numerous updates from the upstream in Red Hat Enterprise Linux 7.4 and will remain available in the Red Hat Enterprise Linux 7 series. However, this is the last planned update to this feature.

320 Million Freely Downloadable Pwned Password hashes

• NOTE: these are SHA-1 hashes, not the raw passwords: 320,335,236 to be precise

• Password checking page – that same URL has links for downloading the hashes

• To unzip the files, you need p7zip. Command to extract is: 7z x pwned-passwords-update-1.txt.7z

• to generate a sha1 hash, Dan used: ‘sha1 -s TechSNAP’ – SHA1 (“TechSNAP”) = c6586a62febc8706d814fe28fe397e9dca146992. Use “tr ‘[a-z]’ ‘[A-Z]'” to upper case.

• takes about 0.176ms to locate a hash on a PostgreSQL 9.6 database

• Example query construction

• Passwords Evolved: Authentication Guidance for the Modern Era

• API for using Troy’s service

• Troy’s donation page

Feedback

• PXE Boot Imaging

• +1 for FOG! Versatile and reliable

• slobeck retweets x0rz 1960’s vs. now

Round Up:

• How Dropbox securely stores your passwords

• gedit is unmaintained, some thoughts

• DigiCert to Acquire Symantec’s Website Security Business and Related PKI Solutions

• Microsoft didn’t sandbox Windows Defender, so I did

• Should I revoke no longer used Let’s Encrypt certificates before destroying them?

The post BTRFS is Toast | TechSNAP 331 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Mandiant researcher doxed by hackers

• HACKERS LEAK DATA FROM MANDIANT SECURITY RESEARCHER IN OPERATION #LEAKTHEANALYST

• The leaked data included more screenshots than documents. Images showed that the hackers might have gained access to the researcher’s Microsoft (Hotmail, OneDrive) and LinkedIn accounts. Earlier in the day, when Bleeping Computer was alerted of the leak, the researcher’s LinkedIn account had been defaced.

• No clear proof that anything more than a personal computer / personal accounts were breeched.

• Other news “sources” used headlines such as Hackers kick off #leaktheanalyst campaign by dumping data of $1bn security firm
  .

70,000 Memcached Servers Can Be Hacked Using Eight-Month-Old Flaws

• Original Talos blog post

• Background: January 2017, a series of Mongodb incidents wherein multiple competing groups were attacking the same servers which leads to the conclusion that there is no hope of actually recovering data, if there ever was in the first place.

• This prompted Talos to investigate memcached

Dan talks about upgrading ZFS arrays

• raidz arrays cannot be expanded. You have n devices; it stays N devices

• you can replace devices

• you can replace devices with bigger devices

• once they area all replaced, BANG, you have more space

• what options exist for replacing devices?

• Pull a drive, insert a new one, issue the zfs replace command.

• Insert a new drive, if you have space, issue the zfs replace command.

• But then Dan had a great idea the other night….

Feedback

• Hypervisor and ZFS setup for home

• PXE boot for imaging servers

• Cheap Managed Switch – Original question from Episode 318

Round Up:

• From the Netflix Technology Blog ChAP: Chaos Automation Platform

• Hacking Voting Machines at DEF CON 25

• real people’ don’t need end-to-end encryption

• FreeNAS 11.0 is Now Here

The post Netflix Lab Rats | TechSNAP 330 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

‘Devil’s Ivy’ Vulnerability

• Original work

• Bug is in gSOAP by Genivia

• gSOAP is a C and C++ software development toolkit for SOAP/XML web services and generic XML data bindings. The gSOAP tools generate efficient source code for XML serialization of any type of C/C++ data with zero-copy overhead.

• Plant is toxic to dogs & cats, and it is almost impossible to kill

Beyond public key encryption

• One of the saddest and most fascinating things about applied cryptography is how 6689264031_4c7516b3e1_zlittle cryptography we actually use. In fact, with a few minor exceptions, the vast majority of the cryptography we use was settled by the early-2000s.*

• Identity Based Cryptography – In the mid-1980s, a cryptographer named Adi Shamir proposed a radical new idea. The idea, put simply, was to get rid of public keys.

• Attribute Based Encryption – The beautiful thing about this idea is not fuzzy IBE. It’s that once you have a threshold gate and a concept of “attributes”, you can more interesting things. The main observation is that a threshold gate can be used to implement the boolean AND and OR gates

Dan’s Let’s Encrypt Tool

• use case is centralized Let’s Encrypt with dns-01 challenges

Feedback

• ARM & risc systems not readily sold. Intel and AMD have a very compelling AESNI and virt instructions, and PCIe

• Host your own mail server – see https://www.nethserver.org/

• PXE boot – see Zalman ZM-VE350

  • iPXE – open source boot firmware
  • netboot.xyz
  • PXE – ArchWiki
• HOWTO: setup a PXE Server with dnsmasq
• Cobbler – Linux install and update server

Round Up:

• Alexa is listening to what you say – and might share that with developers – see https://nakedsecurity.sophos.com/2017/07/17/alexa-is-listening-to-what-you-say-and-might-share-that-with-developers/

• Life Is About to Get a Whole Lot Harder for Websites Without HTTPS

• BCBS sent out USB cards telling people to insert into their computer. Here is the prototype for the next big wave of security breaches.

• Google Glass 2.0 is a startling second act

• Google Glass is officially back with a clearer vision

The post LetsEncrypt is a SNAP | TechSNAP 328 first appeared on Jupiter Broadcasting.

We show off OpenBSD\’s new \”autoinstall\” feature to do completely automatic, unattended installations. We also have an interview with Dru Lavigne about all the writing work she does for FreeBSD, PCBSD and FreeNAS. The latest headlines and answers to your emails, on BSD Now – it\’s the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD ASLR status update

• Shawn Webb gives us a little update on his address space layout randomization work for FreeBSD
• He\’s implemented execbase randomization for position-independent executables (which OpenBSD also just enabled globally in 5.5 on i386)
• Work has also started on testing ASLR on ARM, using a Raspberry Pi
• He\’s giving a presentation at BSDCan this year about his ASLR work
• While we\’re on the topic of BSDCan…

BSDCan tutorials, improving the experience

• Peter Hansteen writes a new blog post about his upcoming BSDCan tutorials
• The tutorials are called \”Building the network you need with PF, the OpenBSD packet filter\” and \”Transitioning to OpenBSD 5.5\” – both scheduled to last three hours each
• He\’s requesting anyone that\’ll be there to go ahead and contact him, telling him exactly what you\’d like to learn
• There\’s also a bit of background information about the tutorials and how he\’s looking to improve them
• If you\’re interested in OpenBSD and going to BSDCan this year, hit him up

pkgsrc-2014Q1 released

• The new stable branch of pkgsrc packages has been built and is ready
• Python 3.3 is now a \”first class citizen\” in pkgsrc
• 14255 packages for NetBSD-current/x86_64, 11233 binary packages built with clang for FreeBSD 10/x86_64
• There\’s a new release every three months, and remember pkgsrc works on MANY operating systems, not just NetBSD – you could even use pkgsrc instead of pkgng or ports if you were so inclined
• They\’re also looking into signing packages

Only two holes in a heck of a long time, who cares?

• A particularly vocal Debian user, a lost soul, somehow finds his way to the misc@ OpenBSD mailing list
• He questions \”what\’s the big deal\” about OpenBSD\’s slogan being \”Only two remote holes in the default install, in a heck of a long time!\”
• Luckily, the community and Theo set the record straight about why you should care about this
• Running insecure applications on OpenBSD is actually more secure than running them on other systems, due to things like ASLR, PIE and all the security features of OpenBSD
• It spawned a discussion about ease of management and Linux\’s poor security record, definitely worth reading

Interview – Dru Lavigne – dru@freebsd.org / @bsdevents

FreeBSD\’s documentation printing, documentation springs, various topics

Tutorial

Automatic, unattended OpenBSD installs with PXE

News Roundup

pfSense 2.1.1 released

• A new version of pfSense is released, mainly to fix some security issues
• Tracking some recent FreeBSD advisories, pfSense usually only applies the ones that would matter on a firewall or router
• There are also some NIC driver updates and other things
• Of course if you want to learn more about pfSense, watch episode 25
• 2.1.2 is already up for testing too

FreeBSD gets UEFI support

• It looks like FreeBSD\’s battle with UEFI may be coming to a close?
• Ed Maste committed a giant list of patches to enable UEFI support on x86_64
• Look through the list to see all the details and information
• Thanks FreeBSD foundation!

Ideas for the next DragonflyBSD release

• Mr. Dragonfly release engineer himself, Justin Sherrill posts some of his ideas for the upcoming release
• They\’re aiming for late May for the next version
• Ideas include better support for running in a VM, pkgng fixes, documentation updates and PAM support
• Gasp, they\’re even considering dropping i386

PCBSD weekly digest

• Lots of new PBI updates for 10.0, new runtime implementation
• New support for running 32 bit applications in PBI runtime
• Autodetection for DVD / Audio CD insertion / plus playback
• Latest GNOME 3 and Cinnamon merged, new edge package builds

Feedback/Questions

• Remy writes in
• Jan writes in
• Eddie writes in
• Zen writes in
• Sean writes in

• BSD Now has an official IRC channel now. #bsdnow on irc.freenode.net
• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Just a quick reminder: If you\’re running OpenSSL 1.0.1 through 1.0.1f please update it and regenerate, rotate and revoke your keys if you run a server with HTTPS, IMAPS, etc – huge security hole! (Also DES offers some insight on the FreeBSD security process)
• We\’re lucky it wasn\’t OpenSSH

The post PXE Dust | BSD Now 32 first appeared on Jupiter Broadcasting.

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD automatic installation

• A CFT (call for testing) was posted for OpenBSD’s new automatic installer process
• Using this new system, you can spin up fully-configured OpenBSD installs very quickly
• Allows you to PXE boot the system and load the answer file via HTTP by each machines MAC address, with fallback to a default config file
• It will answer all the questions for you and can put files into place and start services
• Great for large deployments, help test it and report your findings

FreeNAS install guide and blog posts

• A multipart series on YouTube about installing FreeNAS
• In part 1, the guy (who is possibly Dracula, with his very Transylvanian accent..) builds his new file server and shows off the hardware
• In part 2, he shows how to install and configure FreeNAS, uses IPMI, sets up his pools
• He pronounces gigabytes as jiggabytes and it’s hilarious
• We’ve also got an unrelated blog post about a very satisfied FreeNAS user who details his setup
• As well as another blog post from our old pal Devin Teske about his recent foray into the FreeNAS development world

FreeBSD 10.0-RC5 is out

• Another, unexpected RC is out for 10.0
• Includes an ABI change, you must recompile/reinstall all ports/packages if you are upgrading from a previous 10.0-RC
• Minor fixes included, please help test and report any bugs
• You can update via freebsd-update or from source
• Hopefully this will be the last one before 10.0-RELEASE, which has tons of new features we’ll talk about
• It’s been tagged -RELEASE in SVN already too!

OpenBSD 5.5-beta is out

• Theo updated the branch status to 5.5-beta
• A list of changes is available
• Help test and report any bugs you find
• Lots of rapid development with signify (which we mentioned last week), the beta includes some “test keys”
• Does that mean it’ll be part of the final release? We’ll find out in May.. or when we interview Ted (soon)

This episode was brought to you by

iX doesn’t just make big servers for work, they also make little servers for home. The FreeNAS Mini is a compact little rig that will take up to 4 drives and makes a great home storage server.

Interview – Neel Natu & Peter Grehan – neel@freebsd.org & grehan@freebsd.org

BHyVe – the BSD hypervisor
+ Could you tell us a bit about yourselves and how you first got into BSD?
+ What’s your current roles in the FreeBSD project, and how did you get there?
+ What exactly is bhyve and how did the project get started?
+ What is the current status of bhyve? What guest OSes are supported?
+ What bugs remain when running different guest OSs?
+ How is support for AMD hardware virtualization progressing?
+ Is there any work on supporting older hardware that does not have EPT?
+ What will it take to be able to boot FreeBSD root-on-zfs inside bhyve?
+ Any progress on a ‘vfs hack’ to mount/passthru a file system (zfs dataset?) from the host to the guest, a la Jails?
+ How is the performance? How does the network performance compare to alternatives? How much benchmarking has been done?
+ What features have been added recently? (nmdm etc)
+ When is VGA support planned?
+ When might we see Windows (server) as a guest? What else would be required to make that happen?
+ What features are you planning for the future? How far do you plan to take bhyve (snapshots, live migration etc)

Tutorial

Virtualization with bhyve

News Roundup

Hostname canonicalisation in OpenSSH

• Blog post from our friend Damien Miller
• This new feature allows clients to canonicalize unqualified domain names
• SSH will know if you typed “ssh bsdnow” you meant “ssh bsdnow.tv” with new config options
• This will help clean up some ssh configs, especially if you have many hosts
• Should make it into OpenSSH 6.5, which is “due really soon”

Dragonfly on a Chromebook

• Some work has been done by Matthew Dillon to get DragonflyBSD working on a Google Chromebook
• These couple of posts detail some of the things he’s got working so far
• Changes were needed to the boot process, trackpad and wifi drivers needed updating…
• Also includes a guide written by Dillon on how to get yours working

Spider in a box

• “Spiderinabox” is a new OpenBSD-based project
• Using a combination of OpenBSD, Firefox, XQuartz and VirtualBox, it creates a secure browsing experience for OS X
• Firefox runs encapsulated in OpenBSD and doesn’t have access to OS X in any way
• The developer is looking for testers on other operating systems!

PCBSD weekly digest

• PCBSD 10 has entered into the code freeze phase
• They’re focusing on fixing bugs now, rather than adding new features
• The update system got a lot of improvements
• PBI load times reduced by up to 40%! what!!!

Feedback/Questions

• Scott writes in: https://slexy.org/view/s25zbSPtcm
• Chris writes in: https://slexy.org/view/s2EarxbZz1
• SW writes in: https://slexy.org/view/s2MWKxtWxF
• Ole writes in: https://slexy.org/view/s20kzex2qm
• Gertjan writes in: https://slexy.org/view/s2858Ph4o0

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• Reminder: OpenBSD still really needs funding for electricity – if you know a company that can help, please contact Theo or the foundation
• Reminder: NYCBSDCon February 8th – The BSDs in Production
• Reminder: Our tutorial contest is going until the end of this month, check bsdnow.tv/contest for info and rules, win a cool BSD pillow!

The post Bhyve Mind | BSD Now 20 first appeared on Jupiter Broadcasting.