raidz – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Fri, 29 May 2020 06:03:12 +0000

All Good Things | TechSNAP 430 https://original.jupiterbroadcasting.net/141732/all-good-things-techsnap-430/ Fri, 29 May 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=141732 Show Notes: techsnap.systems/430

The post All Good Things | TechSNAP 430 first appeared on Jupiter Broadcasting.

RAID Reality Check | TechSNAP 428 https://original.jupiterbroadcasting.net/141352/raid-reality-check-techsnap-428/ Fri, 01 May 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=141352 Show Notes: techsnap.systems/428

The post RAID Reality Check | TechSNAP 428 first appeared on Jupiter Broadcasting.

OpenZFS in Ports | BSD Now 303 https://original.jupiterbroadcasting.net/132206/openzfs-in-ports-bsd-now-303/ Wed, 19 Jun 2019 18:50:31 +0000 https://original.jupiterbroadcasting.net/?p=132206 Show Notes/Links: https://www.bsdnow.tv/303

The post OpenZFS in Ports | BSD Now 303 first appeared on Jupiter Broadcasting.

Everyday ZFS | TechSNAP 401 https://original.jupiterbroadcasting.net/130511/everyday-zfs-techsnap-401/ Fri, 12 Apr 2019 06:44:08 +0000 https://original.jupiterbroadcasting.net/?p=130511 Show Notes: techsnap.systems/401

The post Everyday ZFS | TechSNAP 401 first appeared on Jupiter Broadcasting.

Group Problemcy | TechSNAP 201 https://original.jupiterbroadcasting.net/77327/group-problemcy-techsnap-201/ Thu, 12 Feb 2015 19:09:16 +0000 https://original.jupiterbroadcasting.net/?p=77327

The post Group Problemcy | TechSNAP 201 first appeared on Jupiter Broadcasting.


A 20 year old design flaw in Windows has just been patched & it requires some major re-working of the software. Attackers compromise Forbes.com & why Facebook’s new ThreatExchange platform could be a great idea.

Plus a great batch of feedback, our answers & much much more!


— Show Notes: —

Critical Microsoft Vulnerabilities

  • “In this month’s Patch Tuesday, Microsoft has released nine security bulletins to address 56 unique vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Microsoft Server software.”
  • The two higher priority fixes are MS15-011 (dubbed JASBUG) and MS15-014
  • What makes these vulnerabilities special is that they are not the usual problem with the “implementation” of a protocol or feature. They are actually a design flaw in Windows that required Microsoft to invent entirely new features to solve. These new features needed to be tested against all supported versions and configurations of Windows, and a process had to be developed and documented for deploying the new feature.
  • Most corporate network security features in Windows are deployed via “Group Policies”
  • One of those group policies is SMB signing, which makes a client verify the identity of a remote server before trusting it
  • The MS15-014 bug allows an attacker to interfere with the application of the group policy, leaving the SMB signing feature off
  • Then, when a user tries to run a trusted program from a network server, they instead connect to the malactor’s server and run a malicious program
  • MS15-011 is related, and is actually a catch-22
  • During the process where the Windows client downloads the group policy from the domain controller, authentication is not enforced (as this is set via the group policy, which needs to be downloaded first)
  • As part of the group policy download, the client also runs a series of scripts from the domain controller (login.cmd, login.bat, etc)
  • This means a malactor could use a man-in-the-middle position to replace the group policy with one that reduces the security of the machine, and cause the user’s system to run any commands they want
  • To solve this issue, Microsoft has introduced a new feature to require “Mutual Authentication”
  • This feature is enabled by… you guessed it, Group Policy
  • So clients must make one last insecure connection to the domain controller, at which point they will verify the identity of the domain controller before accepting any future group policy from anyone
  • It is unclear if fresh installs of Windows will be vulnerable the first time they connect to the domain
  • Microsoft is not patching Windows XP, Windows 2000, nor Windows Server 2000 and 2003
  • MS15-011 was found by JAS Global Advisors which “found the bug while working on a project for ICANN looking into security issues surrounding the release of new generic Top Level Domains and Top Level Domains. The Group Policy issue was discovered during the research phase of this project, but is unrelated to new gTLDs or TLDs”
  • “It certainly doesn’t work universally and it depends on some funky misconfigurations and happenstance. But it works frequently enough to be of concern,” the JAS advisory said. “We will release the specifics of the other attack scenarios we’re aware of at some future point, but for now it’s important that folks patch and not become complacent because of a perceived on-LAN requirement. It’s not a strict requirement. Go patch.”
  • “Not only are Windows clients too trusting of the responses they get back from DNS, they can also be fairly easily tricked into downgrading to unauthenticated and unencrypted transit protocols (like WebDav over http)”
  • Microsoft rolled out a new feature to address the vulnerabilities called UNC Hardened Access, which ensures the right authentication and in-transit encryption is carried out.
  • “Instead of being subject to the OS “trying too hard” to make communication work, the UNC infrastructure within Windows now allows the higher layer resource requestor to specify whether Mutual Authentication, Integrity, and/or Privacy are required for the communication,” Schmidt said. “This is the right, general-purpose solution to this problem.”
  • “Schmidt said there is an outstanding issue that Microsoft has not addressed wherein Active Directory clients could leak DNS requests to the open Internet. The Internet’s DNS infrastructure, he said, will try to resolve those queries as it would any other and provide pointers to the right sources, rather than a result from the local AD controller for an enterprise domain, for example. He said during JAS’ research, more than 200,000 AD reached out to JAS via a series of customized DNS registrations”
  • Additional Coverage: Krebs on Security
  • Additional Coverage: Threat Post
  • Additional Coverage: Naked Security

Attackers compromise Forbes.com and use IE and Flash zero days

  • “A Chinese APT group was able to chain together two zero day vulnerabilities, one against Adobe’s Flash Player and one against Microsoft’s Internet Explorer 9, to compromise a popular news site late last year”
  • “The group’s aim was to gain access to computers at several U.S. defense and financial firms by setting up a watering hole attack on the site that would go on to drop a malicious .DLL”
  • It is not clear how the Forbes.com site was actually compromised
  • The Flash-powered “thought of the day” widget was changed to redirect to a malicious .swf Flash file, which would exploit an Adobe Flash 0-day to take control of the visitor’s system
  • The flaw also optionally used an IE9+ ASLR bypass to ensure it could infect the machine even if it had additional attack mitigation features enabled
  • “While the Adobe bug, a buffer overflow (CVE-2014-9163) was patched back on Dec. 9, the ASLR mitigation bypass (CVE-2015-0071) was one of many patched yesterday in Microsoft’s monthly Patch Tuesday round of patches, an update that was especially heavy on Internet Explorer fixes.”
  • The release of the details was timed to coincide with Microsoft’s release of a patch for the IE9 ASLR bypass
  • Researcher Post – Invincea
  • Researcher Post – iSightPartners

Facebook launches ThreatExchange

  • Facebook has launched a new information sharing platform to allow IT companies to share details and signatures of the evolving attacks they see against their networks and users
  • Some early members of the platform include: Pinterest, Yahoo, Tumblr, Twitter, Bitly and Dropbox
  • “The cost is free, and most of the heavy lifting is done by Facebook’s infrastructure. The platform developers were also cognizant of some of the concerns enterprises have about sharing threat data, from both a competitive and risk management standpoint. Privacy controls are built in to ThreatExchange that not only sanitize information provided by members, but also allows contributors to share data with all of the exchange’s members, or only particular subsets. In addition to threat information shared by contributors, open source threat intelligence feeds are pulled into the platform”
  • “Facebook hopes the initial partner list grows to include other technology companies with a large Internet footprint. Microsoft, for example, has developed its own information sharing platform called Interflow, while the FBI announced last winter that it was releasing an unclassified version of its malware repository in the hopes of spurring public-private sharing of threat data”
  • “If some reasonably large Internet properties cooperate on attacks they’ve seen and responded to, the vast majority of the Internet will be safer,” Hammell said. “We want to bring in more companies like that and eventually broaden it beyond big companies to smaller web properties and researchers. We want to create a forum where we can share attack and threat information in an easy way and share it with as many who want to receive it”
  • “The classic example is an attack you’re investigating where only you and a few companies are targeted,” Hammell explained. “They can collaborate together on that particular attack and share data, but perhaps they don’t feel it’s appropriate to go wider because it may tip their hand and alert the attacker, or it would not be beneficial to the investigation if others started poking at the infrastructure and possibly disrupt the work they’re doing. It’s an important scenario to get right.”

Let’s Get RAID | BSD Now 36 https://original.jupiterbroadcasting.net/57037/lets-get-raid-bsd-now-36/ Fri, 09 May 2014 09:25:39 +0000 https://original.jupiterbroadcasting.net/?p=57037

The post Let's Get RAID | BSD Now 36 first appeared on Jupiter Broadcasting.


This week on the show we’ll be showing you how to set up RAID arrays in FreeBSD. There’s also an interview with David Chisnall – of the FreeBSD core team – about the switch to Clang and a lot more.

Sit back and enjoy some BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

OpenBSD 5.5 released

  • If you ordered a CD set then you’ve probably had it for a little while already, but OpenBSD has formally announced the public release of 5.5
  • This is one of the biggest releases to date, with a very long list of changes and improvements
  • Some of the highlights include: time_t being 64 bit on all platforms, release sets and binary packages being signed with the new signify tool, a new autoinstall feature of the installer, SMP support on Alpha, a new AViiON port, lots of new hardware drivers including newer NICs, the new vxlan driver, relayd improvements, a new pf queue system for bandwidth shaping, dhcpd and dhclient fixes, OpenSMTPD 5.4.2 and all its new features, position-independent executables being default for i386, the RNG has been replaced with ChaCha20 as well as some other security improvements, FUSE support, tmpfs, softraid partitions larger than 2TB and a RAID 5 implementation, OpenSSH 6.6 with all its new features and fixes… and a lot more
  • The full list of changes is HUGE, be sure to read through it all if you’re interested in the details
  • If you’re doing an upgrade from 5.4 instead of a fresh install, pay careful attention to the upgrade guide as there are some very specific steps for this version
  • Also be sure to apply the errata patches on your new installations… especially those OpenSSL ones (some of which still aren’t fixed in the other BSDs yet)
  • On the topic of errata patches, the project is now going to also send them out (signed) via the announce mailing list, a very welcome change
  • Congrats to the whole team on this great release – 5.6 is going to be even more awesome with “Libre”SSL and lots of other stuff that’s currently in development

FreeBSD foundation funding highlights

  • The FreeBSD foundation posts a new update on how they’re spending the money that everyone donates
  • “As we embark on our 15th year of serving the FreeBSD Project and community, we are proud of what we’ve done to help FreeBSD become the most innovative, reliable, and high-performance operation system”
  • During this spring, they want to highlight the new UEFI boot support and newcons
  • There’s a lot of details about what exactly UEFI is and why we need it going forward
  • FreeBSD has also needed some updates to its console to support UTF8 and wide characters
  • Hopefully this series will continue and we’ll get to see what other work is being sponsored

OpenSSH without OpenSSL

  • The OpenSSH team has been hard at work, making it even better, and now OpenSSL is completely optional
  • Since it won’t have access to the primitives OpenSSL uses, there will be a trade-off of features vs. security
  • This version will drop support for legacy SSH v1, and the only two cryptographic algorithms supported are an in-house implementation of AES (in counter mode) and the new combination of the Chacha20 stream cipher with Poly1305 for packet integrity
  • Key exchange is limited to elliptic curve Diffie-Hellman and the newer Curve25519 KEXs
  • No support for RSA, DSA or ECDSA public keys – only Ed25519
  • It also includes a new buffer API and a set of wrappers to make it compatible with the existing API
  • Believe it or not, this was planned before all the heartbleed craziness
  • Maybe someday soon we’ll have a mini-openssh-portable in FreeBSD ports and NetBSD pkgsrc… would be really cool

BSDMag’s April 2014 issue is out

  • The free monthly BSD magazine has got a new issue available for download
  • This time the articles include: Pascal on BSD, an introduction to revision control systems and configuration management, deploying NetBSD on AWS EC2, more GIMP tutorials, an AsiaBSDCon 2014 report and a piece about how easily credit cards are stolen online
  • Anyone can contribute to the magazine, just send the editors an email about what you want to write
  • No Linux articles this time around

Interview – David Chisnall – theraven@freebsd.org

The LLVM/Clang switch, FreeBSD’s core team, various topics


Tutorial

RAID in FreeBSD and OpenBSD


News Roundup

BSDTalk episode 240

  • The original BSD podcaster Will Backman has uploaded a new episode of BSDTalk, this time with our other buddy GNN as the guest – mainly to talk about NTP and keeping reliable time
  • Topics include the specific details of crystals used in watches and computers to keep time, how temperature affects the quality, different sources of inaccuracy, some general NTP information, why you might want extremely precise time, different time sources (GPS, satellite, etc), differences in stratum levels, the problem of packet delay and estimating the round trip time, some of the recent NTP amplification attacks, the downsides to using UDP instead of TCP and… much more
  • GNN also talks a little about the Precision Time Protocol and how it’s different than NTP
  • Two people we’ve interviewed talking to each other, awesome
  • If you’re interested in NTP, be sure to see our tutorial too

m2k14 trip reports

  • We’ve got a few more reports from the recent OpenBSD hackathon in Morocco
  • The first one is from Antoine Jacoutot (who is a key GNOME porter, and gave us the screenshots for the OpenBSD desktop tutorial)
  • “Since I always fail at actually doing whatever I have planned for a hackathon, this time I decided to come to m2k14 unprepared about what I was going to do”
  • He got lots of work done with ports and pushing GNOME-related patches back up to the main project, then worked on fixing ports’ compatibility with LibreSSL
  • Speaking of LibreSSL, there’s an article all would-be portable version writers should probably read and take into consideration
  • Jasper Adriaanse also writes about what he got done over there
  • He cleaned up and fixed the puppet port to work better with OpenBSD

Why you should use FreeBSD on your cloud VPS

  • Here we have a blog post from Atlantic, a VPS and hosting provider, about 10 reasons for using FreeBSD
  • Starts off with a little bit of BSD history for those who are unfamiliar with it and only know Linux and Windows
  • (Spoiler) the 10 reasons are: community, stability, collaboration, ease of use, ports, security, ZFS, GEOM, sound and having lots of options
  • The post goes into detail about each of them and why FreeBSD makes a great choice for a VPS OS

PCBSD weekly digest

  • Big changes coming in the way PCBSD manages software
  • The PBI system, AppCafe and related tools are all going to use pkgng now
  • The AppCafe will no longer be limited to PBIs, so much more software will be easily available from the ports tree
  • New rating system coming soon and much more

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • The Tor and mailing list tutorials have gotten some fixes and updates
  • The OpenBSD router tutorial has also gotten a bit of a makeover, and now includes new scripts for 5.5 and signify
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • If any listeners have a collection of old FreeBSD or OpenBSD CDs, we’d love for you to send in a picture of the whole set together so we can show it off
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
  • We will be at BSDCan next week – be sure to say hi if you run into us!

Google’s Automated Outage | TechSNAP 147 https://original.jupiterbroadcasting.net/50702/googles-automated-outage-techsnap-147/ Thu, 30 Jan 2014 17:44:34 +0000 https://original.jupiterbroadcasting.net/?p=50702

The post Google's Automated Outage | TechSNAP 147 first appeared on Jupiter Broadcasting.


Microsoft has been breached, Google suffers a major outage, and finally some solid technical details on Target’s massive credit card hack.

Plus a great batch of your questions, a rockin roundup, and much much more.


— Show Notes: —

Microsoft breach leads to hackers stealing Law Enforcement documents

  • According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts, and in some cases, the attacks were successful.
  • “It appears that documents associated with law enforcement inquiries were stolen,” Adrienne Hall, General Manager at Microsoft’s Trustworthy Computing Group, wrote in a blog post.
  • “If we find that customer information related to those requests has been compromised, we will take appropriate action,” Hall continued. “Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.”
  • The attackers conducted their offensive against both email and social media accounts of Microsoft’s employees; the company did not reveal how many documents might have been exposed, nor the nature of the attackers.
  • What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers.
  • According to Microsoft, the Syrian Electronic Army may be behind the attacks.
  • “Our current information suggests the phishing attacks are related,” Hall told SecurityWeek in an emailed statement.
  • In March 2013, Microsoft released its first transparency report, noting that it had received over 70,000 law enforcement requests in 2012.
  • Additional Coverage:
  • Spear phishing against Microsoft, exposed law enforcement inquiries
  • Microsoft Believes Law Enforcement Documents Compromised in Hack
  • Microsoft says new phishing attacks targeted law enforcement documents | Ars Technica
  • Microsoft: documents were stolen during recent employee email hack | The Verge
  • Syrian Electronic Army stole law enforcement docs from Microsoft

Target Update

  • An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely used IT management software suite
  • As we previously noted, the attackers used malware on the POS boxes to send credit card data read from memory to a central control server on Target’s internal network.
  • The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above).
  • That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”
  • BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine
  • “The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network,” according to a Dell SecureWorks paper being circulated to certain Dell customers.
  • According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite.
  • According to a trusted Krebs source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.
  • Initial entry into the network is suspected to have been facilitated by a SQL injection attack, according to Malcovery.
  • Update: BMC says it is working with McAfee to investigate
  • Krebs: WSJ says that vendor credentials that were used in the attack may have been from a vendor other than BMC
  • Additional Coverage – Ars Technica

Google breaks itself, and then fixes itself, while Engineers are busy on Reddit

  • At 10:55 a.m. PST this morning, an internal system that generates configurations—essentially, information that tells other systems how to behave—encountered a software bug and generated an incorrect configuration.
  • The incorrect configuration was sent to live services over the next 15 minutes, caused users’ requests for their data to be ignored, and those services, in turn, generated errors.
  • Users began seeing these errors on affected services at 11:02 a.m., and at that time our internal monitoring alerted Google’s Site Reliability Team. Engineers were still debugging 12 minutes later when the same system, having automatically cleared the original error, generated a new correct configuration at 11:14 a.m. and began sending it; errors subsided rapidly starting at this time.
  • By 11:30 a.m. the correct configuration was live everywhere and almost all users’ service was restored.
  • Reddit AMA
  • Additional Coverage – Reuters
  • Additional Coverage – TechCrunch
  • Additional Coverage – FoxNews

Zettabytes for Days | BSD Now 14 https://original.jupiterbroadcasting.net/47597/zettabytes-for-days-bsd-now-14/ Fri, 06 Dec 2013 12:17:54 +0000 https://original.jupiterbroadcasting.net/?p=47597

The post Zettabytes for Days | BSD Now 14 first appeared on Jupiter Broadcasting.


This week is the long-awaited episode you’ve been asking for! We’ll be giving you a crash course on becoming a ZFS wizard, as well as having a chat with George Wilson about the OpenZFS project’s recent developments. We have answers to your feedback emails and there are some great news items to get caught up on too, so stay tuned to BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

pkgng 1.2 released

  • bapt and bdrewery from the portmgr team released pkgng 1.2 final
  • New features include an improved build system, plugin improvements, new bootstrapping command, SRV mirror improvements, a new “pkg config” command, repo improvements, vuXML is now default, new fingerprint features and much more
  • Really simple to upgrade, check our pkgng tutorial if you want some easy instructions
  • It’s also made its way into Dragonfly
  • See the show notes for the full list of new features and fixes

ChaCha20 and Poly1305 in OpenSSH

  • Damien Miller recently committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305
  • Long blog post explaining what these are and why we need them
  • This cipher combines two primitives: the ChaCha20 cipher and the Poly1305 MAC
  • RC4 is broken, we needed an authenticated encryption mode to complement AES-GCM that doesn’t show the packet length in cleartext
  • Great explanation of the differences between EtM, MtE and EaM and their advantages
  • “Both AES-GCM and the EtM MAC modes have a small downside though: because we no longer desire to decrypt the packet as we go, the packet length must be transmitted in plaintext. This unfortunately makes some forms of traffic analysis easier as the attacker can just read the packet lengths directly.”

Is it time to dump Linux and move to BSD

  • ITworld did an article about switching from Linux to BSD
  • The author’s interest was sparked from a review he was reading that said “I feel the BSD communities, especially the FreeBSD-based projects, are where the interesting developments are happening these days. Over in FreeBSD land we have efficient PBI bundles, a mature advanced file system in the form of ZFS, new friendly and powerful system installers, a new package manager (pkgng), a powerful jail manager and there will soon be new virtualization technology coming with the release of FreeBSD 10.0”
  • The whole article can be summed up with “yes” – ok, next story!

OpenZFS devsummit videos

  • Kicking off the ZFS episode, we’ve got…
  • The OpenZFS developer summit discussion and presentation videos are up
  • People from various operating systems (FreeBSD, Mac OS X, illumos, etc.) were there to discuss ZFS on their platforms and the challenges they faced
  • Question and answer session from representatives of every OS – had a couple FreeBSD guys there including one from the foundation
  • Presentations both about ZFS itself and some hardware-based solutions for implementing ZFS in production
  • TONS of video, about 6 hours’ worth
  • This leads us into our interview, which is…

Interview – George Wilson – Soft Eng at Delphix – wilzun@gmail.com / @zfsdude

  • KM: Can you tell us a little about yourself and how you first got involved with ZFS?
  • AJ: Which features have you worked on in the past?
  • KM: Which platform do you personally use ZFS on, and for what tasks?
  • AJ: So what exactly is the OpenZFS project about?
  • KM: What do you hope the future of OpenZFS will bring?
  • AJ: When are we going to see native encryption?
  • KM: Are there some new features you’re currently hacking on?
  • AJ: Is there anything specific you’d like to see added to ZFS in the future?
  • KM: How did the developer summit and hackathon go?
  • AJ: Where can people go to get involved with development, and what’s currently needed?
  • KM: Anything else you’d like to mention?

Tutorial

A crash course on ZFS

  • Everything you need to know to get acquainted with the world’s most powerful filesystem on the world’s most powerful OS
  • Includes both beginner and advanced topics

News Roundup

ruBSD 2013 information

  • The ruBSD 2013 conference will take place on Saturday December 14, 2013 at 10:30 AM in Moscow, Russia
  • Speakers include three OpenBSD developers, Theo de Raadt, Henning Brauer and Mike Belopuhov
  • Their talks are titled “The bane of backwards compatibility,” “OpenBSD’s pf: Design, Implementation and Future” and “OpenBSD: Where crypto is going?”
  • No word on if there will be video recordings, but we’ll let you know if that changes

DragonFly roadmap, post 3.6

  • John Marino posted a possible roadmap for DragonFly, now that they’re past the 3.6 release
  • He wants some third party vendor software updated from very old versions (WPA supplicant, bmake, binutils)
  • Plans to replace GCC44 with Clang, but GCC47 will probably be the primary compiler still
  • Bring in fixes and new stuff from FreeBSD 10

BSDCan 2014 CFP

  • BSDCan 2014 will be held on May 16-17 in Ottawa, Canada
  • They’re now accepting proposals for talks
  • If you are doing something interesting with a BSD operating system, please submit a proposal
  • We’ll be getting lots of interviews there

casperd added to -CURRENT

  • “It (and its services) will be responsible for giving access to functionality that is not available in capability mode sandbox. The functionality can be precisely restricted.”
  • Lists some sysctls that can be controlled

ZFS corruption bug fixed in -CURRENT

  • Just a quick follow-up from last week, the ZFS corruption bug in FreeBSD -CURRENT was very quickly fixed, before that episode was even uploaded

Feedback/Questions

  • Chris writes in: https://slexy.org/view/s2JDWKjs7l
  • SW writes in: https://slexy.org/view/s20BLqxTWD
  • Jason writes in: https://slexy.org/view/s2939tUOf5
  • Clint writes in: https://slexy.org/view/s21qKY6qIb
  • Chris writes in: https://slexy.org/view/s20LWlmhoK

  • The written versions of the Tor, jails and OpenBSD router tutorials have gotten a few small improvements and fixes
  • The poudriere and pkgng tutorials have been updated for the new 1.2 repository syntax
  • All the tutorials are posted in their entirety at bsdnow.tv, including today’s HUGE ZFS one
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you have stories about how you or your company uses BSD, interesting things you’ve done, crazy network stories or cool projects, send them to us!
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Kris’ Skype video was coming straight from PCBSD this week!

The post Zettabytes for Days | BSD Now 14 first appeared on Jupiter Broadcasting.

Ideal ZFS Configurations | TechSNAP 135 https://original.jupiterbroadcasting.net/46032/ideal-zfs-configurations-techsnap-135/ Thu, 07 Nov 2013 17:30:31 +0000 https://original.jupiterbroadcasting.net/?p=46032 Striking a balance between performance and reliability can be a challenge. Also details on Adobe storing your private data in reversible encryption.

The post Ideal ZFS Configurations | TechSNAP 135 first appeared on Jupiter Broadcasting.


Striking a balance between performance and reliability can be a challenge; we’ll share our thoughts. Hackers figure out how to take over any Twitter account they want, while Adobe stores your private data in reversible encryption.

Plus your questions, our answers, and much much more.

Thanks to: GoDaddy, Ting


Adobe encrypted passwords, rather than cryptographically hashing them

  • This is a detail reporters often get wrong, saying that passwords were ‘encrypted’ when they meant ‘hashed’
  • Turns out, Adobe actually did it WRONG
  • The Adobe breach gave the attackers access to a 9.3 GB database containing 130 million user accounts and their passwords
  • The problem is that the passwords were stored using ‘reversible’ encryption (standard symmetric encryption, normally used on files), rather than cryptographic hashes (one-way functions)
  • This means that if the attacker manages to obtain or brute-force the secret key that was used to encrypt the passwords, they would be able to decrypt EVERY password in one go
  • Many of the accounts in the Adobe database belong to government organizations including the FBI, as well as many large corporations
  • The passwords were encrypted using 3DES (Triple DES)
  • DES was originally introduced in 1977, and 3DES followed in 1998 because the 56-bit keys in DES were no longer strong enough
  • Adobe also used ECB (Electronic Code Book) mode, which is known to leak information about the passwords
  • 3DES was superseded in 2001 by AES
  • Unlike with a cryptographic hashing algorithm, where the server does not know each user’s password, upgrading from 3DES to AES would have been easy: just decrypt all the passwords and encrypt them with the new algorithm
  • Or better yet, decrypt all passwords, and properly cryptographically hash them and then throw away the plain text
  • “For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.”
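
An added example (not part of the show notes, and not Adobe's code) of the two storage schemes described above: deterministic ECB-mode encryption, where equal passwords and equal 8-byte prefixes are visible in the ciphertext and one key decrypts everything, beside salted, iterated hashing. The block cipher is a toy HMAC-based Feistel stand-in for 3DES (the Python standard library has no 3DES), PBKDF2-HMAC-SHA256 with 100,000 iterations is an assumed choice for the hashing side, and the accounts are constructed.

```python
import hashlib, hmac, os

BLOCK = 8  # bytes; same block size as 3DES

def _f(key, i, half):  # Feistel round function (toy stand-in, NOT 3DES)
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    # Four-round Feistel network: a keyed, invertible permutation of one block.
    l, r = blk[:4], blk[4:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r

def ecb_encrypt(key, password):
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad  # PKCS#7-style padding
    # ECB: every block is encrypted independently, with no IV and no chaining.
    return b"".join(_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def ecb_decrypt(key, ct):
    data = b"".join(_block(key, ct[i:i + BLOCK], True) for i in range(0, len(ct), BLOCK))
    return data[:-data[-1]].decode()

def hash_password(password, iterations=100_000):
    salt = os.urandom(16)  # fresh random salt per account
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_password(password, record):
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

# Constructed sample accounts (not real data).
USERS = {"alice": "correcthorse1", "bob": "correcthorse1", "carol": "correcthorse2"}
KEY = os.urandom(16)
ENCRYPTED = {u: ecb_encrypt(KEY, p) for u, p in USERS.items()}
HASHED = {u: hash_password(p) for u, p in USERS.items()}

if __name__ == "__main__":
    for user in USERS:
        print(user, ENCRYPTED[user].hex(), HASHED[user][2].hex()[:16])
```

In the printed output, alice and bob have identical ciphertexts and carol shares their first 16 hex digits, while the three hash digests have nothing in common.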

Hackers Take Limo Service Firm for a Ride

  • A break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information of more than 850,000 customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
  • The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc., suggesting that the same attacker(s) may have been involved in all three compromises.
  • The name on the file archive reads “CorporateCarOnline.”
  • That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
  • Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses.
  • More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts.
  • Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion.

Researcher finds way to take over ANY Twitter account

  • Security researcher Henry Hoggard discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature
  • Using this, he was able to read any user’s tweets and DMs
  • A victim who visited a malicious page would unexpectedly authorize a new device to access their Twitter account
  • This should have been prevented by Twitter’s verification step, except it seems that Twitter was not actually checking the value, so an attacker could authorize their mobile device on your account by entering any value in place of the verification code
  • Twitter fixed the issue within 24 hours of it being reported
