sandbox – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 02 May 2022 03:07:14 +0000

Our Linux Regrets | LINUX Unplugged 456 https://original.jupiterbroadcasting.net/148442/our-linux-regrets-linux-unplugged-456/ Sun, 01 May 2022 18:30:00 +0000

Show Notes: linuxunplugged.com/456

The post Our Linux Regrets | LINUX Unplugged 456 first appeared on Jupiter Broadcasting.

SACK Attack | TechSNAP 406 https://original.jupiterbroadcasting.net/132271/sack-attack-techsnap-406/ Sun, 23 Jun 2019 17:28:04 +0000

Show Notes: techsnap.systems/406

The post SACK Attack | TechSNAP 406 first appeared on Jupiter Broadcasting.

Who Will Build The Builders | LINUX Unplugged 109 https://original.jupiterbroadcasting.net/87386/who-will-build-the-builders-lup-109/ Tue, 08 Sep 2015 16:59:53 +0000

The post Who Will Build The Builders | LINUX Unplugged 109 first appeared on Jupiter Broadcasting.


Debian aims for reproducible builds of all packages. We’ll explain what that means & why other distributions might be jumping onboard with the idea.

Plus impressive early performance results under Mir & Gnome’s 3.18’s best features you’re not hearing about.

Thanks to:

Ting


DigitalOcean


Linux Academy


Show Notes:

Pre-Show:

Feedback:

System XVI is a modern take on service management. It aims to incorporate useful functionality while maintaining a modular design in the UNIX tradition.

Jose Macbook Linux feedback

From: Sean
RE: Jose Macbook Linux feedback

I’ve been running Linux on my macbook pro for about 4 years now, I just switched back to Fedora 22 from OpenSuse (been rocking Suse since 2007) and my macbook has never worked better.

The newer kernel 4.1+ finally has good hardware support for the keyboard backlight, thermal/fan controls, cpu scaling (yes Apple does their own crap for this) so battery life is still good.

One other thing that I’ve done to extend battery life is buy the Fluendo codec suite and switch to a gstreamer based video player, the fluendo codecs have much better video acceleration for video decoding, taking much of the load off the cpu.

Also, not all gstreamer video players are created equal; totem is still pretty heavy on the cpu, 24% on 1080p h.264 video, but something lightweight like MPV sits around 12%, and this is on a Sandy Bridge i5.

I haven’t tried Arch on here but I imagine getting a similar setup wouldn’t be too hard. I wish Jose the best of luck, don’t give up on Linux.


Name for the road show

From: Zek the Penguin
RE: Name for the road show

Hi Chris!

Was listening to Unplugged today and figured I’d make suggestions for the road show.

How about ‘Nation Migration’? ‘March of the Penguin’? ‘Roll Your Own’?

Just a few ideas. Hope it helps.


Linux Academy

Ubuntu Convergence Demo: X Apps Running on Mir Display Server

The video was filmed by Canonical at a recent developer sprint. The video was distributed internally to better demonstrate the progress made on the X.org compatibility layer for Mir.

DigitalOcean

How Debian Is Trying to Shut Down the CIA and Make Software Trustworthy Again

In response to the Snowden revelation that the CIA compromised Apple developers’ build process, thus enabling the government to insert backdoors at compile time without developers realizing, Debian, the world’s largest free software project, has embarked on a campaign to prevent just such attacks. Debian’s solution? Reproducible builds.

Reproducible builds, as the name suggests, make it possible for others to reproduce the build process. “The idea is to get reasonable confidence that a given binary was indeed produced by the source,” Lunar said. “We want anyone to be able to produce identical binaries from a given source.”


A software package reproducibly built should be byte for byte identical to the publicly-available package. Any difference would be evidence of tampering.


Reproducible builds rely in part on David A. Wheeler’s solution to this problem, Diverse Double-Compiling.

“You need two compilers,” Lunar explained, “with one that you somehow trust. Then you build the compiler under test twice, once with each compiler, and then you use the compilers that you just built to build the compiler under test again.

“If the output is the same, then no backdoors,” he added. “But for this scheme to work, you need to be able to compare that both build outputs are the same. And that’s exactly what we are enabling when having reproducible builds.”

According to Lunar, 83 percent of Debian packages are now built reproducibly, and more join the party every day.

TING

Gnome 3.18’s Best new Features

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

Support Jupiter Broadcasting on Patreon

Post Show:

ARMed with Arch | LINUX Unplugged 80 https://original.jupiterbroadcasting.net/77477/armed-with-arch-lup-80/ Tue, 17 Feb 2015 18:17:04 +0000

The post ARMed with Arch | LINUX Unplugged 80 first appeared on Jupiter Broadcasting.


One of the core developers of Arch Linux ARM joins us to chat about this rapidly developing platform, how Arch is used in ARM deployments & their relationship with the main Arch project.

Plus an update on Ubuntu Phone & the first fully sandboxed portable Linux desktop app is demoed this week. How is it different than what we’ve seen before? And how far away might it be? We debate.

Thanks to:

Ting


DigitalOcean


Linux Academy


Show Notes:

Pre-Show:

FU:

Linux Academy

SCALE 13x Logo

LinuxFest Northwest 2015

Bellingham, WA • April 25th & 26th

lanoxx/tilda · GitHub


DigitalOcean

Arch Linux ARM

Jason Plum (WarheadsSE) – OxNAS specialist, Perlmonger, and once again, another one of the smartest guys we know. Available as a hired gun for ARM projects.

ODROID-C1 | Arch Linux ARM

TING

First fully sandboxed Linux desktop app | Alexander Larsson

This is going to require a lot of changes to the Linux stack. For instance, we have to use Wayland instead of X11, because X11 is impossible to secure. We also need to use kdbus to allow desktop integration that is properly filtered at the kernel level.

Recently Wayland has made some pretty big strides though, and we now have working Wayland sessions in Fedora 21. This means we can start testing real sandboxing for simple applications. To get something running I chose to focus on a game, because they require very little interaction with the system. Here is a video I made of Neverball, running in a minimal sandbox.

  • Is independent of the host distribution
  • Has no access to any system or user files other than the ones from the runtime and application itself
  • Has no access to any hardware devices, other than DRI (for GL rendering)
  • Has no network access
  • Can’t see any other processes in the system
  • Can only get input via Wayland
  • Can only show graphics via Wayland
  • Can only output audio via PulseAudio
  • … plus more sandboxing details

How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last | Ars Technica

In 2009, one or more prestigious researchers received a CD by mail that contained pictures and other materials from a recent scientific conference they attended in Houston. The scientists didn’t know it then, but the disc also delivered a malicious payload developed by a highly advanced hacking operation that had been active since at least 2001. The CD, it seems, was tampered with on its way through the mail.

It wasn’t the first time the operators—dubbed the “Equation Group” by researchers from Moscow-based Kaspersky Lab—had secretly intercepted a package in transit, booby-trapped its contents, and sent it to its intended destination. In 2002 or 2003, Equation Group members did something similar with an Oracle database installation CD in order to infect a different target with malware from the group’s extensive library. (Kaspersky settled on the name Equation Group because of members’ strong affinity for encryption algorithms, advanced obfuscation methods, and sophisticated techniques.)

Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

Next week: Retro edition of LUP. Your favorite moments, now available with the self gratifying feature known as hindsight.

Runs Linux from the people:

  • Send in a pic/video of your runs Linux.
  • Please upload videos to YouTube and submit a link via email or the subreddit.

New Shows : Tech Talk Today (Mon – Thur)

Support Jupiter Broadcasting on Patreon

WebRTC vs Skype | Tech Talk Today 92 https://original.jupiterbroadcasting.net/71622/webrtc-vs-skype-tech-talk-today-92/ Mon, 17 Nov 2014 10:16:21 +0000

The post WebRTC vs Skype | Tech Talk Today 92 first appeared on Jupiter Broadcasting.


The US State Department shuts down its email in what can only be described as a major overreaction, WebRTC sees a major breakthrough that will bring major competition to Skype.

Plus the big results from Mobile Pwn2Own 2014 & more!


Show Notes:

State Department shuts down its e-mail system amid concerns about hacking – The Washington Post

The State Department scrambled over the weekend to secure its unclassified e-mails, shutting down the entire e-mail system after finding evidence suggesting a hacker may have been poking around.

A senior State Department official said technicians recently detected “activity of concern” in portions of the system handling unclassified e-mail. The official, who you could also consider a leaker, remains unidentified, saying that none of the department’s classified systems were compromised.

VP8 and H.264 to both become mandatory for WebRTC | Andreas Gal

WebRTC is mainly about opening direct connections to other web browsers. The plug-inless capture of video and audio is related but the fundamentals of it are implemented by each browser.

Unfortunately, the full potential of the WebRTC ecosystem has been held back by a long-running disagreement about which video codec should be mandatory to implement. The mandatory to implement audio codecs were chosen over two years ago with relatively little contention: the legacy codec G.711 and Opus, an advanced codec co-designed by Mozilla engineers. The IETF RTCWEB Working Group has been deadlocked for years over whether to pick VP8 or H.264 for the video side.

At the last IETF meeting in Hawaii the RTCWEB working group reached strong consensus to follow in our footsteps and make support for both H.264 and VP8 mandatory for browsers. This compromise was put forward by Mozilla, Cisco and Google. The details are a little bit complicated, but here’s the executive summary:

  • Browsers will be required to support both H.264 and VP8 for WebRTC.
  • Non-browser WebRTC endpoints will be required to support both H.264 and VP8. However, if either codec becomes definitely royalty free (with no outstanding credible non-RF patent claims) then endpoints will only have to do that codec.
  • “WebRTC-compatible” endpoints will be allowed to do either codec, both, or neither.

See the complete proposal by Mozilla Principal Engineer Adam Roach here. There are still a few procedural issues to resolve, but given the level of support in the room, things are looking good.

Mobile Pwn2Own 2014: Windows Phone’s sandbox resists attack

The Mobile Pwn2Own 2014 hacking competition, held at the PacSec Applied Security Conference in Tokyo, Japan, was concluded on Thursday, and not one of the targeted phones has survived completely unscathed.


Of the targets available for selection, Amazon Fire Phone, Apple iPhone 5S, Samsung Galaxy S5, and Google/LG Nexus were completely “pwned,” the Nokia Lumia 1520 running Windows Phone partially, and BlackBerry Z30, Apple’s iPad Mini and the Nexus 7 weren’t targeted at all.

A successful exploitation of a bug in the latter carried with it a $150,000 prize, the others less: $100,000 for messaging services, $75,000 for short distance and $50,000 for the browser, apps or OS.


What we know is that the Apple iPhone 5S was owned via the Safari browser by exploiting two bugs, the Amazon Fire Phone was breached via three bugs in its browser, Samsung Galaxy S5 was successfully targeted via NFC by two different teams (one by triggering a deserialization issue in certain code, and the other by targeting a logical error), and the Nexus 5 was forced to pair with another phone via Bluetooth.


The two contestants that did their attacks on the second day were less successful: Jüri Aedla used Wi-Fi to target a Nexus 5, but was unable to elevate his privileges further than their original level. And Nico Joly tried to exploit Lumia’s browser, but didn’t manage to gain full control of the system as the sandbox held. He did, however, manage to extract the cookie database.

AT&T Stops Using ‘Perma-Cookies’ to Track Customer Web Activity – Mac Rumors

In late October, researchers discovered that AT&T and Verizon had been engaging in some unsavory customer tracking methods, using unique identifying numbers or “perma-cookies” to track the websites that customers visited on their cellular devices to deliver target advertisements.

Following significant negative attention from the media, AT&T today told the Associated Press that it is no longer injecting the hidden web tracking codes into the data sent from its customers’ devices.


The change by AT&T essentially removes a hidden string of letters and numbers that are passed along to websites that a consumer visits. It can be used to track subscribers across the Internet, a lucrative data-mining opportunity for advertisers that could still reveal users’ identities based on their browsing habits.


AT&T’s customer tracking practices, called “Relevant Advertising,” were the result of a pilot program the company had been experimenting with, which has apparently come to an end.


While AT&T has opted to stop using the invasive tracking method, Verizon is continuing to utilize perma-cookies to track the web activity of its customers. Unlike AT&T’s experimental program, Verizon has been using Relevant Advertising techniques for approximately two years.

Android’s Leaky Sandbox | Tech Talk Today 35 https://original.jupiterbroadcasting.net/63377/androids-leaky-sandbox-tech-talk-today-35/ Wed, 30 Jul 2014 09:31:13 +0000

The post Android's Leaky Sandbox | Tech Talk Today 35 first appeared on Jupiter Broadcasting.


An Android flaw from 2010 allows any app to break out of the Android sandbox. But is it really a threat in practice? We’ll dig in.

The Podcast patent troll takes it on the nose, and some highlights from the Gnome development conference this week.


Show Notes:

Android crypto blunder exposes users to highly privileged malware | Ars Technica

This is the issue in a nutshell.

The Fake ID vulnerability stems from the failure of Android to verify the validity of cryptographic certificates that accompany each app installed on a device. The OS relies on the credentials when allocating special privileges that allow a handful of apps to bypass Android sandboxing. Under normal conditions, the sandbox prevents programs from accessing data belonging to other apps or to sensitive parts of the OS. Select apps, however, are permitted to break out of the sandbox. Adobe Flash in all but version 4.4, for instance, is permitted to act as a plugin for any other app installed on the phone, presumably to allow it to add animation and graphics support. Similarly, Google Wallet is permitted to access Near Field Communication hardware that processes payment information.

The app simply needs to claim it’s Adobe Flash, and it gets to break out of the sandbox.


The flaw appears to have been introduced to Android through an open source component, Apache Harmony. Google turned to Harmony as an alternative means of supporting Java in the absence of a deal with Oracle to license Java directly.

Work on Harmony was discontinued in November, 2011. However, Google has continued using native Android libraries that are based on Harmony code. The vulnerability concerning certificate validation in the package installer module persisted even as the two codebases diverged.

Google’s Response to Ars

After receiving word of this vulnerability, we quickly issued a patch that was distributed to Android partners, as well as to AOSP. Google Play and Verify Apps have also been enhanced to protect users from this issue. At this time, we have scanned all applications submitted to Google Play as well as those Google has reviewed from outside of Google Play, and we have seen no evidence of attempted exploitation of this vulnerability.

The Reality of the Situation

First, a patch has been sent to OEMs and AOSP, but with Android’s abysmal update situation, this is a moot point. The crux, however, lies with Google Play and Verify Apps. These have already been updated to detect this issue, and prevent applications that try to abuse this flaw from being installed. This means two things.

First, that there are no applications in Google Play that exploit this issue. If you stick to Google Play, you’re safe from this issue, period. No ifs and buts. Second, even if you install applications from outside of Google Play, you are still safe from this issue. Verify Apps is part of Play Services, and runs on every Android device from 2.3 and up. It scans every application at install and continuously during use for suspect behaviour. In this case, an application that tries to exploit this flaw will simply be blocked from installing or running.

A new Android design error discovered by Bluebox Security allows malicious apps to grab extensive control over a user’s device without asking for any special permissions at installation. The problem affects virtually all Android phones sold since 2010.

The vulnerability in the Android code that allows “Fake ID” in was first noticed in the now dormant Adobe Flash integration, which had been present since 2010 and was only patched with the arrival of Android 4.4 Kitkat earlier this year. The flaw is so deeply embedded in Android that it can affect all forks of the Android Open Source Project including Amazon’s Fire OS.

Dubbed “Fake ID,” the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM.

Podcasting patent troll: We tried to drop lawsuit against Adam Carolla | Ars Technica

In a statement released today, Personal Audio says that Carolla, who has raised more than $450,000 from fans to fight the case, is wasting their money on an unnecessary lawsuit. The company, which is a “patent troll” with no business other than lawsuits, has said Carolla just doesn’t care since his fans are paying his lawyers’ bills.

“Adam Carolla’s assertions that we would destroy podcasting were ludicrous on their face,” said Personal Audio CEO Brad Liddle. “But it generated sympathy from fans and ratings for his show.”


According to Personal Audio, they’ve lost interest in suing podcasters because the podcasters—even one of Adam Carolla’s size—just don’t make enough money for it to care.

“[Personal Audio] was under the impression that Carolla, the self-proclaimed largest podcaster in the world, as well as certain other podcasters, were making significant money from infringing Personal Audio’s patents,” stated the company. “After the parties completed discovery, however, it became clear this was not the case.”


Personal Audio also says it has a patent covering playlists.


Personal Audio has already dropped its lawsuits against two other podcasting defendants from the case (Togi Net and How Stuff Works) apparently without getting paid anything.

The patent company is charging ahead with its patent case against the big three television networks, CBS, NBC, and ABC. Personal Audio is trying to wring a royalty from those companies for releasing video “episodic content” over the Internet.

In response, Carolla sent Ars a statement saying he’ll continue to pursue counterclaims against Personal Audio, seeking to invalidate the patent “so that Personal Audio cannot sue other podcasters for infringement of US Patent 8,112,504.” Lotzi (Carolla’s company) has already “incurred hundreds of thousands of dollars in fees and expenses to defend itself” against the Personal Audio patents.

GUADEC 2014, Day Four: Hardware, New IDE for GNOME | Fedora Magazine

The fourth day of GUADEC was devoted to hardware and its interaction with desktop. The first talk was “Hardware Integration, The GNOME Way” by Bastien Nocera who has been a contributor to GNOME and Fedora for many years.

Performance Testing on Actual Hardware

Owen Taylor talked on continuous integration performance testing on actual hardware. According to Owen, continuous performance testing is very important. It helps find performance regressions more easily because the delta between the code tested last time and the code tested now is much smaller, thus there are much fewer commits to investigate.

He noted that desktop performance testing in VMs is not very useful which is why he has several physical machines that are connected to a controller which downloads new builds of GNOME Continuous and installs them on the connected machines. The testing can be controlled by GNOME Hardware Testing app Owen has created. And what is tested?


Here are currently used metrics:

  • time from boot to desktop
  • time to redraw entire empty desktop
  • time to show overview
  • time to redraw overview with 5 windows
  • time to show application picker
  • time to draw frame from test application
  • time to start gedit

Tests are scripted right in the shell (JavaScript) and events are logged with timestamps. The results are uploaded to perf.gnome.org. In the future, he’d like to have results in the graph linked to particular commits (tests are triggered after every commit), have more metrics (covering also features in apps), assemble more machines and various kinds of them (laptops, ARM devices,…).


Builder: a new IDE for GNOME

The last talk of the day was “Builder, a new IDE for GNOME” by Christian Hergert. Christian started the talk by clearly stating what Builder is not intended to be: a generic IDE (use Eclipse, Anjuta, MonoDevelop,… instead). And it most likely won’t support plugins. Builder should be an IDE specializing in GNOME development.

Here are some characteristics of Builder:

  • components are broken into services and services are contained in sub-processes,
  • uses basic autotools management,
  • source editor uses GtkSourceView,
  • has code highlighting, auto-completion,
  • cross-reference, change tracking,
  • snippets,
  • auto-formatting,
  • distraction free mode.
  • Vim/Emacs integration may be possible.
  • The UI designer will use Glade and integrate GTK+ Inspector.
  • Builder will also contain resource manager, simulator (something similar to Boxes, using OSTree), debugger, profiler, source control.

After naming all Builder’s characteristics Christian demoed a prototype.

For Later Reading Pick:

Feedback:

Hey Guys at Jupiter Broadcasting. Just wanted to put a bit more info to you that I saw on Tech Talk Today about the Copyright Act that’s being brought into Australia. Someone mentioned that “Netflix could come in” and make some serious money. Netflix would be awesome if our Internet Infrastructure wasn’t at a maximum of 12Mbps speeds (If you are lucky).

On a good day (and I’ve got some of the best net here) I get around 8mbps down. Netflix wouldn’t be viable because it wouldn’t be available to even 30% of the country. We have Foxtel (like SKY / Cable) which is Premium Paid TV and costs a FORTUNE. It’s still not viable.

In regards to the Copyrighting, the Government also has it all wrong. The number one reason that I am always told by people I know as to why they pirate TV shows, movies and Games, is that the pricing of this stuff over here is unbelievable. For instance, the box set of Star Trek : The Next Generation will cost you over US$250 if you convert the costs, depending if it’s on special / discount or not.

Either way, you guys were spot on. Keep up the great work, Love the show, and a big shoutout from Australia! CRICKEY! ( we don’t actually say that, so don’t get fooled by the stereotype). And no I don’t have a pet Kangaroo (not anymore).

The Friendly Sandbox | BSD Now 39 https://original.jupiterbroadcasting.net/58472/the-friendly-sandbox-bsd-now-39/ Thu, 29 May 2014 13:26:06 +0000

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.


This time on the show we’ll be talking with Jon Anderson about Capsicum and Casper to securely sandbox processes. After that, our tutorial will show you how to encrypt all your DNS lookups, either on a single system or for your whole network. News, emails and all the usual fun, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –

Headlines

BSDCan 2014 talks and reports


Defend your network and privacy with a VPN and OpenBSD

  • After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
  • This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
  • There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
  • You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems – this could also be used with Tor (but it would be very slow)
  • It also includes a few general privacy tips, recommended browser extensions, etc
  • The intro to the article is especially great, so give the whole thing a read
  • He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you’re watching!

You should try FreeBSD

  • In this blog post, the author talks a bit about how some Linux people aren’t familiar with the BSDs and how we can take steps to change that
  • He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
  • Possibly the most useful part is how to address the question “my server already works, why bother switching?”
  • “Stackoverflow’s answers assume I have apt-get installed” ← lol
  • It includes mention of the great documentation, stability, ports, improved security and much more
  • A takeaway quote for would-be Linux switchers: “I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before”

OpenBSD and the little Mauritian contributor

  • This is a story about a guy from Mauritius named Logan, one of OpenBSD’s newest developers
  • Back in 2010, he started sending in patches for OpenBSD’s “mg” editor, among other small things, and eventually added file transfer resume support for SFTP
  • The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
  • It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
  • Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back

Interview – Jon Anderson – jonathan@freebsd.org

Capsicum and Casperd


Tutorial

Encrypting DNS lookups


News Roundup

FreeBSD Journal, May 2014 issue

  • The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
  • This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
  • Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read

LibreSSL porting update

  • Since the last LibreSSL post we covered, a couple unofficial “portable” versions have died off
  • Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly – stop doing that!
  • This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
  • Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good

BSDMag May 2014 issue is out

  • The usual monthly release from BSDMag, covering a variety of subjects
  • This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
  • It’s a free PDF, go grab it

BSDTalk episode 241

  • A new episode of BSDTalk is out, this time with Bob Beck
  • He talks about the OpenBSD foundation’s recent activities, his own work in the project, some stories about the hardware in Theo’s basement and a lot more
  • The interview itself isn’t about LibreSSL at all, but they do touch on it a bit too
  • Really interesting stuff, covers a lot of different topics in a short amount of time

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • We’re looking for new tutorial ideas, so if there’s something specific you’d like to learn about, let us know
  • FreeBSD core team elections are in progress – nominations ended today. There are 21 candidates, and voting is open for the next month. We’ll let you know how it goes in a future episode.
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post The Friendly Sandbox | BSD Now 39 first appeared on Jupiter Broadcasting.

Barricade Your Barracuda | TechSNAP 94 https://original.jupiterbroadcasting.net/30721/barricade-your-barracuda-techsnap-94/ Thu, 24 Jan 2013 17:22:45 +0000 https://original.jupiterbroadcasting.net/?p=30721 If you have a Barracuda device, it’s time to put it behind a real firewall. Learn about the horrible state of security on many popular Barracuda products.

The post Barricade Your Barracuda | TechSNAP 94 first appeared on Jupiter Broadcasting.


If you have a Barracuda device, it’s time to put it behind a real firewall. We’ll blow your minds with the horrible state of security on many popular Barracuda products.

Plus why a long password does not necessarily mean a more secure password, a big batch of your questions, and a great roundup!

All that and a lot more, on this week’s TechSNAP!


Show Notes:
