Show Notes: linuxactionnews.com/174

The post Linux Action News 174 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/329

The post Lucas' Arts | BSD Now 329 first appeared on Jupiter Broadcasting.

Show Notes/Links: https://www.bsdnow.tv/293

The post Booking Jails | BSD Now 293 first appeared on Jupiter Broadcasting.

We review Linux Mint 18 & our experience turns out to be a roller coaster ride from impressed glee to cautious concern. We’ve never felt more conflicted over a version of Linux Mint.

Plus we discuss the Ubuntu Forum hack, a Fedora bug that’s bricking some laptops & why we just can’t quit FreeNAS.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | WebM Torrent | MP3 Audio | OGG Audio | YouTube | HD Torrent

RSS Feeds:

HD Video Feed | Large Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Brought to you by: Linux Academy

Mint 18 Review

​Linux Mint 18: The best desktop — period

I’ve been using Linux desktops since the leading desktop front-end was Bash. Things have changed in those 25 years. Today, the best Linux desktop is the latest version of Linux Mint: Linux Mint 18 Sarah with the Cinnamon 3.0 interface.

Linux Mint 18 Cinnamon: Quick Screenshot Tour

Linux Mint 18 improves security, but at a cost – TechRepublic

While this is a much-needed improvement, the explanation of this change on the Linux Mint website is baffling. The website claims that kernel updates “aren’t really updates, but the availability of packages for newer kernels.” Aside from the fact that this is literally the definition of an update, this appears to be an attempt at minimizing the importance of kernel updates. In Linux Mint 18, users are only notified of kernel updates, but they are not installed by default.

• How to upgrade to Linux Mint 18

As excited as we are about Linux Mint 18, upgrading blindly for the sake of running the latest version does not make much sense, especially if you’re already happy and everything is working perfectly.

• Bug#830624: ITP: xplayer — Simple media player based on GStreamer.

Given the history of Linux Mint with their weird view on security (Linux
Mint is the very definition of a FrankenDebian [1]) where they withhold
important security updates because their weird mixture of packages would
otherwise break too often or their hijacking of package names (mdm, for
example), I don’t really trust them to come up with a clean design for
desktop agnostic applications. Heck, the first thing they wanted to do
was naming their forked version of Pluma “xedit”.

— PICKS —

Runs Linux

Fors Fusion RUnS LINUX on a Raspberry Pi

Desktop App Pick

recalbox.com

Recalbox allows you to re-play a variety of videogame consoles and platforms in your living room, with ease! RecalboxOS is free, open source and designed to let you create your very own recalbox in no time! Raspberry Pi.

• RecalboxOS v4.0.0-beta4 release | Blog recalbox

Spotlight

Felony: Next Level PGP

Felony is an open-source pgp keychain built on the modern web with Electron, React, and Redux. Felony is the first PGP app that’s easy for anyone to use, without a tutorial. Security++ to the greatest extreme!

Coder Radio Coding Challenge

— NEWS —

Ubuntu Forums Hacked, 2 Million Users’ Details Stolen

Canonical CEO Jane Silber explains: “We were able to confirm there had been an exposure of data and shut down the Forums as a precautionary measure. Deeper investigation revealed that there was a known SQL injection vulnerability in the Forumrunner add-on in the Forums which had not yet been patched.”

The attacker was able to “download portions of the ‘user’ table which contained usernames, email addresses and IPs for 2 million users.”

• Notice of security breach on Ubuntu Forums | Ubuntu Insights

​Early Look at Skype for Linux and Chromebooks

Skype for Linux is no longer an afterthought for Microsoft as the company introduces new versions of Skype for Linux Chromebooks and the Chrome web browser.

GNOME Maps Hits A Dead End, Can No Longer Display Maps

As of this week the nifty desktop navigation app canno longer fetch maps tiles to display.

MapQuest, the application’s tile provider, has amended its usage policy and discontinued direct tile access. GNOME developers have the choice of paying to keep using the service or, ultimately, using a new one.

PSA: Failure to boot after kernel update on Skylake systems

So in the last couple of days a significant issue in all Fedora releases has come to our attention, affecting (so far) several systems that use the Intel ‘Skylake’ hardware platform.

• Virtualization Revelation | Linux Action Show 418

• Bug #1569479 “Graphics glitches with Skylake Intel HD Graphics 5…”

• Intel Skylake Graphics: Windows 10 vs. Ubuntu Linux Performance
• Well Known Linux Kernel Developer Recommends Against Buying Skylake Systems
• Early Intel Skylake Linux Users May Run Into A Silly Issue
• Screen flickering on Ubuntu 16.04 LTS

CrossOver For Android Now Running On Chromebooks

CodeWeavers confirmed today that it’s possible to run CrossOver on Chromebooks now via the Android support. CodeWeavers was even able to install Steam for Windows on the Chromebooks via the CrossOver support.

Mail Bag

• https://pastebin.com/jMJPAeXY

• https://pastebin.com/s9NWc85s

Call Box

• Chris’ call out for the community to help him with his background

Catch the show LIVE SUNDAY:

• Noon Pacific
• https://jblive.tv
• Network Calendar

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Find us on Google+

• Chris
• Noah J. Chelliah
• Jupiter Broadcasting’s Page

Find us on Twitter

• Chris – ChrisLAS
• Noah – Kernellinux

Follow us on Facebook

• Jupiter Broadcasting on Facebook
• Noah – Kernellinux

The post Mint 18: Convenience Over Security | LAS 426 first appeared on Jupiter Broadcasting.

This week we’ll be talking with Ryan Lortie and Baptiste Daroussin about GNOME on BSD. Upstream development is finally treating the BSDs as a first class citizen, so we’ll hear about how the recent porting efforts have been since.

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD presents tame

• Theo de Raadt sent out an email detailing OpenBSD’s new “tame” subsystem, written by Nicholas Marriott and himself, for restricting what processes can and can’t do
• When using tame, programs will switch to a “restricted-service operating mode,” limiting them to only the things they actually need to do
• As for the background: “Generally there are two models of operation. The first model requires a major rewrite of application software for effective use (ie. capsicum). The other model in common use lacks granularity, and allows or denies an operation throughout the entire lifetime of a process. As a result, they lack differentiation between program ‘initialization’ versus ‘main servicing loop.’ systrace had the same problem. My observation is that programs need a large variety of calls during initialization, but few in their main loops.”
• Some initial categories of operation include: computation, memory management, read-write operations on file descriptors, opening of files and, of course, networking
• Restrictions can also be stacked further into the lifespan of the process, but removed abilities can never be regained (obviously)
• Anything that tries to access resources outside of its in-place limits gets terminated with a SIGKILL or, optionally, a SIGABRT (which can produce useful core dumps for investigation)
• Also included are 29 examples of userland programs that get additional protection with very minimal changes to the source – only 2 or 3 lines needing changed in the case of binaries like cat, ps, dmesg, etc.
• This is an initial work-in-progress version of tame, so there may be more improvements or further control options added before it hits a release (very specific access policies can sometimes backfire, however)
• The man page, also included in the mail, provides some specifics about how to integrate tame properly into your code (which, by design, was made very easy to do – making it simple means third party programs are more likely to actually use it)
• Kernel bits are in the tree now, with userland changes starting to trickle in too
• Combined with a myriad of memory protections, tight privilege separation and (above all else) good coding practices, tame should further harden the OpenBSD security fortress
• Further discussion can be found in the usual places you’d expect

Using Docker on FreeBSD

• With the experimental Docker port landing in FreeBSD a few weeks ago, some initial docs are starting to show up
• This docker is “the real thing,” and isn’t using a virtual machine as the backend – as such, it has some limitations
• The FreeBSD wiki has a page detailing how it works in general, as well as more info about those limitations
• When running Linux containers, it will only work as well as the Linux ABI compat layer for your version of FreeBSD (11.0, or -CURRENT when we’re recording this, is where all the action is for 64bit support)
• For users on 10.X, there’s also a FreeBSD container available, which allows you to use Docker as a fancy jail manager (it uses the jail subsystem internally)
• Give it a try, let us know how you find it to be compared to other solutions

OpenBSD imports doas, removes sudo

• OpenBSD has included the ubiquitous “sudo” utility for many years now, and the current maintainer of sudo (Todd C. Miller) is also a long-time OpenBSD dev
• The version included in the base system was much smaller than the latest current version used elsewhere, but was based on older code
• Some internal discussion lead to the decision that sudo should probably be moved to ports now, where it can be updated easily and offer all the extra features that were missing in base (LDAP and whatnot)
• Ted Unangst conjured up with a rewritten utility to replace it in the base system, dubbed “do as,” with the aim of being more simple and compact
• There were concerns that sudo was too big and too complicated, and a quick ‘n’ dirty check reveals that doas is around 350 lines of code, while sudo is around 10,000 – which would you rather have as a setuid root binary?
• After the initial import, a number of developers began reviewing and improving various bits here and there
• You can check out the code now if you’re interested
• Command usage and config syntax seem pretty straightforward
• More discussion on HN

What would you like to see in FreeBSD

• Adrian Chadd started a reddit thread about areas in which FreeBSD could be improved, asking the community what they’d like to see
• There are over 200 comments that span a wide range of topics, so we’ll just cover a few of the more popular requests – check the very long thread if you’re interested in more
• The top comment says things don’t “just work,” citing failover link aggregation of LACP laggs, PPPoE issues, disorganized jail configuration options, unclear CARP configuration and userland dtrace being unstable
• Another common one was that there are three firewalls in the base system, with ipfilter and pf being kinda dead now – should they be removed, and more focus put into ipfw?
• Video drivers also came up frequently, with users hoping for better OpenGL support and support for newer graphics cards from Intel and AMD – similar comments were made about wireless chipsets as well
• Some other replies included more clarity with pkgng output, paying more attention to security issues, updating PF to match the one in OpenBSD, improved laptop support, a graphical installer, LibreSSL in base, more focus on embedded MIPS devices, binary packages with different config options, steam support and lots more
• At least one user suggested better “marketing” for FreeBSD, with more advocacy and (hopefully) more business adoption
• That one really applies to all the BSDs, and regular users (that’s you listening to this) can help make it happen for whichever ones you use right now
• Maybe Adrian can singlehandedly do all the work and make all the users happy

Interview – Ryan Lortie & Baptiste Daroussin

Porting the latest GNOME code to the BSDs

News Roundup

Introducing resflash

• If you haven’t heard of resflash before, it’s “a tool for building OpenBSD images for embedded and cloud environments in a programmatic, reproducible way”
• One of the major benefits to images like this is the read-only filesystem, so there’s no possibility of filesystem corruption if power is lost
• There’s an optional read-write partition as well, used for any persistent changes you want to make
• You can check out the source code on Github or read the main site for more info

Jails with iocage

• There are a growing number of FreeBSD jail management utilities: ezjail, cbsd, warden and a few others
• After looking at all the different choices, the author of this blog post eventually settled on iocage for the job
• The post walks you through the basic configuration and usage of iocage for creating managing jails
• If you’ve been unhappy with ezjail or some of the others, iocage might be worth giving a try instead (it also has really good ZFS integration)

DragonFly GPU improvements

• DragonFlyBSD continues to up their graphics game, this time with Intel’s ValleyView series of CPUs
• These GPUs are primarily used in the newer Atom CPUs and offer much better performance than the older ones
• A git branch was created to hold the fixes for now while the last remaining bugs get fixed
• Fully-accelerated Broadwell support and an update to newer DRM code are also available in the git branch, and will be merged to the main tree after some testing

Branchless development

• Ted Unangst has a new blog post up, talking about software branches and the effects of having (or not having) them
• He covers integrating and merging code, and the versioning problems that can happen with multiple people contributing at once
• “For an open source project, branching is counter intuitively antisocial. For instance, I usually tell people I’m running OpenBSD, but that’s kind of a lie. I’m actually running teduBSD, which is like OpenBSD but has some changes to make it even better. Of course, you can’t have teduBSD because I’m selfish. I’m also lazy, and only inclined to make my changes work for me, not everyone else.”
• The solution, according to him, is bringing all the code the developers are using closer together
• One big benefit is that WIP code gets tested much faster (and bugs get fixed early on)

Feedback/Questions

• Matthew writes in
• Chris writes in
• Anonymous writes in
• Bill writes in

• There were a lot of links in today’s news – mailing list posts, wiki pages, discussion, source code commits and more – so hit up bsdnow.tv for all the show notes as usual
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• We’re always looking for new interviews – get in touch if you’re doing anything cool with BSD that you’d like to talk about (or feel free to volunteer someone else)
• EuroBSDCon 2015 registration is now officially open

The post BSD Gnow | BSD Now 99 first appeared on Jupiter Broadcasting.

It’s great to be a malware author, if your selling to the government, Bypassing PayPal’s two-factor authentication is easier than you might think. Plus a great batch of your questions and our answers and much, much more!

Thanks to:

— Show Notes: —

Flaw in mobile app allows attackers to bypass PayPal two-factor authentication

• Researchers at Duo Security have produced a proof-of-concept app that is able to bypass the two-factor authentication when using the PayPal mobile app, allowing an attacker to transfer funds out of a PayPal account with only the username and password, without needing to provide the one-time password
• The PayPal bug was discovered by an outside researcher, Dan Saltman, who asked Duo Security for help validating it and communicating with the PayPal security team
• “PayPal has been aware of the issue since March and has implemented a workaround, but isn’t planning a full patch until the end of July”
• Currently, the PayPal mobile apps do not support 2 factor authentication, meaning if you have 2FA enabled on your PayPal account, you cannot use the mobile app
• The exploit tricks the PayPal app into ignoring the 2FA flag and allowing the mobile app to work anyway
• The researchers found that in the PayPal mobile app, the only thing preventing a 2FA enabled account from working was a flag in the response from the server
• After modifying that flag, it was found that the client could login, and transfer funds
• The check to prevent 2FA enabled accounts from logging in without the one-time passwords appears to only be enforced on the client, not the server as it should be
• Once logged in with a valid session_id, the proof-of-concept app is able to use the API to transfer funds
• “There are plenty of cases of PayPal passwords being compromised in giant database dumps, and there’s also been a giant rise in PayPal related phishing”
• It is not clear how large the bug bounty on this vulnerability will be

“Hacking Team”

• “Hacking Team” is an Italian company that develops “legal” spyware used by law enforcement and other government agencies all over the world
• They originally came to light in 2011 after WikiLeaks released documents from 2008 where Hacking Team was trying to sell its software to governments
• The software bills itself as “Offensive Security”, allowing LEAs to remotely monitor and control infected machines
• The software claims to be undetectable, however when samples were anonymously sent to AV vendors in July of 2012, most scanners added definitions to detect some variants of the malware
• In newly released research, Kaspersky has tracked the Command & Control (C2) servers used by “HackingTeam”
• The countries with the most C2 servers include the USA, Kazakhstan, Ecuador, the UK and Canada
• It is not clear if all of the C2 servers located in these countries are for the exclusive use of LEAs in those countries
• “several IPs were identified as “government” related based on their WHOIS information and they provide a good indication of who owns them.”
• The malware produced by Hacking Team has evolved to include modern malware for mobile phones
• Although this is rarely seen, if it is only used by LEAs rather than for mass infection, this is to be expected
• On a jail broken iOS device, the malware has the following features:
• Control of Wi-Fi, GPS, GPRS
• Recording voice
• E-mail, SMS, MMS
• Listing files
• Cookies
• Visited URLs and Cached web pages
• Address book and Call history
• Notes and Calendar
• Clipboard
• List of apps
• SIM change
• Live microphone
• Camera shots
• Support chats, WhatsApp, Skype, Viber
• Log keystrokes from all apps and screens via libinjection
• The Android version is heavily obfuscated, but it appears to target these specific applications:
• com.tencent.mm
• com.google.android.gm
• android.calendar
• com.facebook
• jp.naver.line.android
• com.google.android.talk
• The article also provides details about how mobile phones are infected. Connecting a phone to an already compromised computer can silently infect it. In addition, the research includes screenshots of the iOS “Infector”, that merely requires LEAs connect the phone to their computer, where they can manually infect it before returning it to the owner
• Additional Coverage – ThreatPost
• Additional Coverage – SecureList
• Additional Coverage – SecureList – Original article on HackingTeam from April 2013

Feedback:

• What is the point of SUDO?
  • SUDO Mastery

• Sending E-mail from a server

• How To Install and Setup Postfix on Ubuntu 14.04 | DigitalOcean

• How To Configure a Mail Server Using Postfix, Dovecot, MySQL, and SpamAssasin | DigitalOcean

• Securing data in a database with GnuPG or OpenSSL

Round Up:

• Google Starts Removing Search Results Under Europe’s ‘Right to be Forgotten’
• Malware authors targeting vendors of legitimate apps as new infection vector. By hacking the websites of legitimate applications used by plants that also employ ICS (Industrial Control Systems), such as power plants, they gain a way to get a foothold in secure networks.
• Nation States implicated in two airports hacked with spear-phishing emails
• Yeah, I trust that ATM, looks totally legit
• Intel offering x86 based robot kits designed to be augmented with 3d printed parts
• MIT researchers unveil 36 core ‘tile’ processor that uses a routed network to move data between cores
• Red Hat Assistant General Counsel posts analysis of Supreme Court’s patent ruling
• Intuit defeats patent troll that bested NewEgg, may finally put an end to the SSL+RC4 trials

The post Big Brother's Malware | TechSNAP 169 first appeared on Jupiter Broadcasting.

We\’ll be talking to renowned BSD author Michael Lucas about his latest opus, \”Sudo Mastery.\” Also, we\’ve heard your cries and we\’ll also finally be showing you how to build a BSD desktop system from the ground up. There\’s plenty of news items to cover as well, so stay tuned to BSD Now – the place to B.. SD.

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

OpenBSD 5.4 released

• The usual 6 month release cycle continues with 5.4
• People who bought the CD (this is where we show the CD) get the release very early, but now it\’s on the public FTP
• New platforms \”octeon\” and \”beagle\”
• Improved Intel DRM, reworked checksumming for network protocols, ECDHE support in httpd, inetd no longer started by default, DHCP improvements, lots of new OpenSMTPD work, OpenSSH 6.3
• Over 7,800 ports available, comes with another new song and fun artwork, lots of new features – check out the full release notes
• A special thanks to Nick Holland and Bob Beck for their behind-the-scenes work
• Experimental FUSE support was enabled shortly after the release, so look forward to that in the future

FreeBSD pkgng repos are official

• Built weekly from a snapshot of the Ports Collection every Wednesday
• Signed packages coming soon with pkg 1.2
• Added official public key to -STABLE and -CURRENT
• New \”pkg+http\” protocol identifier for SRV records
• If you need something more up to date or with custom options, it\’s easy to make your own with just the packages you want using our tutorial
• If you need a guide on how to use pkgng itself, check our tutorial for that too!
• What does this mean for PCBSD repo users? Should they switch? Differences?

DragonflyBSD 3.6 branched

• SMP improvements and GCC changes are all in, so it\’s time to branch
• Release planned for a little under 2 weeks from today
• Features will include i915 support, mdocml imported, crazy SMP improvements, dports being default
• We\’re hoping to get someone from Dragonfly on the show next week to talk about the final release

FreeBSD portmgr lurkers

• Over the course of the next two years, volunteers from a group of ports committers will participate in portmgr activities
• At four month intervals, two committers at a time will be brought in to work on various projects and learn the inner workings of the team
• The first two -lurkers are Mathieu Arnold (mat@) and Antoine Brodin (antoine@).

Interview – Michael W. Lucas – mwlucas@michaelwlucas.com / @mwlauthor

Sudo Mastery
+ Could you tell us a little about yourself, how you got involved with writing and specifically writing about BSD?
+ To set the record straight, is \”su-doh\” or \”su-du\” the correct pronunciation?
+ For the sake of completeness, what is sudo, where does it come from, what does it do?
+ Why did you write this book?
+ Is this mainly a security-focused book?
+ What\’s something interesting you learned about sudo while writing this that you didn\’t know?
+ What are some other BSD books you\’ve written?
+ What makes a \”good\” tech book, would you say?
+ Since you\’ve written about OpenBSD and FreeBSD, how do you personally use both of them?
+ Do the projects get any of the money from sales of the books?
+ Where\’s the best place for people to go to find out more about (and buy) your books?
+ We saw on Twitter you\’re going to be doing an \”OpenBSD for Linux users\” talk for MUG?
+ Anything else you\’d like to mention?
+ Video: DNSSec in 55 Minutes

Tutorial

Configuring FreeBSD as a desktop system

• The BSDs are known around the world as the server OSes of the gods
• They can each make a pretty nice desktop
• PCBSD gives you an out of the box, preconfigured desktop experience
• This guide is for manually setting one up and learning about the process

News Roundup

iXsystems FreeBSD party wrap-up chat

Capsicum in DragonflyBSD

• Dragonfly has no security framework yet besides the traditional unix DAC model
• Port of Capsicum to Dragonfly has begun
• Quite a bit of technical detail in the show notes

NYCBSDCon 2014

• After a three year hiatus, NYCBSDCon is back on February 1, 2014
• Theme of \”The BSDs in Production\” this year
• Held in New York City, more information to come as the time draws closer

FreeBSD newcons progress update

• This project will provide a replacement for the legacy syscons system console
• Newcons provides a number of improvements, including better integration with graphics modes, and broader character set support
• More details on the project can be found on the FreeBSD wiki

Weekly PCBSD feature digest

• PBI 10 format is about ready and they\’ll begin populating the 10.0 appcafe starting next week
• PCDM login manager is back and is ready to be tested
• New PC-BSD Disk Manager Utility with lots of features
• New PC-BSD Builder Scripts (https://github.com/pcbsd/pcbsd-build)
• New 9.2 ISO just out today

Feedback/Questions

• Alptekin writes in: https://slexy.org/view/s208YfYZA9
• Gertjan writes in: https://slexy.org/view/s2k4C2Ryo9
• Kevin writes in: https://slexy.org/view/s2172EyaRG
• Kjell-Aleksander writes in: https://slexy.org/view/s2mP8ftX0U
• Michael writes in: https://slexy.org/view/s203Z9VdKt

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, etc to feedback@bsdnow.tv
• We don’t check YouTube comments, JB comments, Reddit, etc. If you want us to see it, send it via email (the preferred way) or Twitter (also acceptable)
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
• Thanks for ten great episodes so far, we hope to keep doing this for a long time. Be sure to send us your feedback about what you want to see on future episodes! Especially tutorials!

The post Year of the BSD Desktop | BSD Now 10 first appeared on Jupiter Broadcasting.