Show Notes: selfhosted.show/20

The post One is None | Self-Hosted 20 first appeared on Jupiter Broadcasting.

HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

Show Notes:

Red alert! Intel patches remote execution hole that’s been hidden in biz, server chips since 2008

• Bug is in Intel’s Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6.

• Every Intel platform with either Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the IME (Intel Management Engine)

• Are you affected? Read this!

Tarsnap

• Costs about $0.75 a day – storing about 87G total, and adding about 1.6GB / month

• I have not deleted any old backups since I started.

• Dan’s first big backup with Tarsnap

Feedback

• bareos – a bacula fork

• Backing up a Raspberry Pi TB disk photos

  • rdiff-backup
  • rsnapshot
  • duplicity
  • Borg

• mixing HDD batches in raid

Round Up:

• Why use Postgres (Updated for last 5 years) – Craig Kerstiens

• That grumpy BSD guy: Forcing the password gropers through a smaller hole with OpenBSD’s PF queues

• N.S.A. Halts Collection of Americans’ Emails About Foreign Targets – The New York Times

The post Some Fishy Chips | TechSNAP 317 first appeared on Jupiter Broadcasting.

Let’s Encrypt hits a major milestone, F-Secure publishes their investigation into “The Dukes” & we dig into Tarsnap’s email confirmation bypass.

Plus a great batch of your questions, a rocking round up & much, much more!

Thanks to:

• Get Paid to Write for DigitalOcean

Direct Download:

HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feed | Torrent Feed

Become a supporter on Patreon:

— Show Notes: —

Let’s Encrypt goes live

• “Let’s Encrypt, a movement to issue free and automated HTTPS certificates, today hit a major milestone when its first cert went live”
• It is hoped that free, automatically generated SSL certificates will allow the web to move to HTTPS everywhere
• “A coalition of technology companies, including Mozilla, Cisco, Akamai, Automattic and IdenTrust, joined the EFF and the University of Michigan late last year in getting Let’s Encrypt off the ground; the initiative is open source and overseen by a California non-profit called Internet Security Research Group (ISRG)”
• Let’s Encrypt has done all of the setup, paperwork, and audits required to become a regular trusted Certificate Authority
• The big difference is, they will give the certificates away for free
• “IdenTrust is providing Let’s Encrypt with the cross-signature it needs in order to become a CA for existing browsers and software”
• “Eventually, webmasters will merely have to run a client to authenticate their server. They’ll also be able to enable features on their site like HTTP Strict Transport Security (HSTS), OCSP stapling and making sure that visitors to the old HTTP version of their site are redirected to the new HTTPS version”
• The cross signature is not yet in place, so Let’s Encrypt issued certificates are not trusted by existing browsers. This is expected to be in place in about a month

F-Secure publishes their investigation into “The Dukes”, a Russian APT team

• “We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making”
• The same group is also tracked by FireEye, where they are known as just APT29
• By combining their new research, and that of other researchers like Kaspersky, FireEye and ICDS, then going back over historical research and data from as far back as 7 years, the F-Secure researchers were able to “connect the dots” and attribute 2 older malware campaigns to this same group, and better understand the objectives of that malware
• The Dukes are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS).
• “The Dukes rapidly react to research being published about their toolsets and operations. However, the group (or their sponsors) value their operations so highly that though they will attempt to modify their tools to evade detection and regain stealth, they will not cease operations to do so, but will instead incrementally modify their tools while continuing apparently as previously planned.”
• These campaigns utilize a smash-and-grab approach involving a fast but noisy breakin
  followed by the rapid collection and exfiltration of as much data as possible. If the
  compromised target is discovered to be of value, the Dukes will quickly switch the
  toolset used and move to using stealthier tactics focused on persistent compromise
  and long-term intelligence gathering.
• In some of the most extreme cases, the Dukes have been known to engage in
  campaigns with unaltered versions of tools that only days earlier have been brought
  to the public’s attention by security companies and actively mentioned in the
  media. In doing so, the Dukes show unusual confidence in their ability to continue
  successfully compromising their targets even when their tools have been publicly
  exposed.
• This suggests they do not fear getting caught. They may have been promised protection by the Russian government
• The story of the Dukes, as it is currently known, begins with a malware toolset that F-Secure call PinchDuke.
• This toolset consists of multiple loaders and an information-stealer trojan. Importantly, PinchDuke trojan samples always contain a notable text string, which we believe is used as a campaign identifier by the Dukes group to distinguish between multiple attack campaigns that are run in parallel.
• Their first campaign appears to have in 2008, against Chechnya
• The first time the group targeted a Western government was 2009
• In 2013 the group shifted targets to the Ukraine, and also started working against drug dealers inside Russia
• On the 12th of February 2013, FireEye published a blogpost alerting readers to a combination of new Adobe Reader 0-day vulnerabilities, CVE-2013-0640 and CVE-2013-0641, that were being actively exploited in the wild. 8 days after FireEye’s initial alert, Kaspersky spotted the same exploit being used to spread an entirely different malware family from the one mentioned in the original report.
• On the 23rd of October 2014, Leviathan Security Group published a blog post describing a malicious Tor exit node they had found. They noted that this node appeared to be maliciously modifying any executables that were downloaded through it over a HTTP connection. Executing the modified applications obtained this way would result in the victim being infected with unidentified malware. On the 14th of November, F-Secure published a blog post naming the malware OnionDuke and associating it with MiniDuke and CosmicDuke, the other Duke toolsets known at the time.
• Based on the presented evidence and analysis, F-Secure believe, with a high level of confidence, that the Duke toolsets are the product of a single, large, well-resourced organization (which F-Secure identify as the Dukes) that provides the Russian government with intelligence on foreign and security policy matters in exchange for support and protection.
• The evidence seem to be pretty compelling, but it is hard to know anything for certain
• FireEye PDF — Hammertoss
• F-Secure PDF — The Dukes

Tarsnap email confirmation bypass

• Colin Percival of Tarsnap has posted a blog entry describing a flaw in the Tarsnap signup process that he recently fixed
• This provides some interesting insight into how easy it is to make a small mistake when building an application, that ends up having real world repercussions
• Because of the Tarsnap bug bounty program, a lot of fake signups are attempted against Tarsnap, to try to ‘fuzz test’ the forms on the site
• For this, and other reasons, Tarsnap requires an email verification before creating an account
• “so I wasn’t concerned when I received an email last week telling me that someone was trying to create an account as admin@tarsnap.com”
• “Five minutes later, I was very concerned upon receiving an email telling me that the registration for admin@tarsnap.com had been confirmed and the account created.”
• “This should not have happened, so I immediately started running down a list of possibilities. Was it a forged email? No, the headers showed it being delivered from the CGI script to the tarsnap web server’s qmail to the tarsnap mail server’s qmail to my inbox. Was a copy of the confirmation email — which should never have gotten past the mail server — being misdelivered somehow? No, the mail logs showed that the email to admin@tarsnap.com went from CGI script to the web server’s qmail to the mail server’s qmail and then was dropped. Was one of the CGI scripts on the tarsnap web server compromised? There was nothing in the logs to suggest a malformed request of the sort which might have been used to exploit a bug; nor, for that matter, anything to suggest that someone had been probing for bugs, so if a CGI script had been exploited, it was done completely blindly. Nevertheless, I disabled the CGI scripts just in case.”
• “Had someone managed to compromise the web server or mail server? unlikely”
• “The mystery was solved a few minutes later when an email arrived from Elamaran Venkatraman: He hadn’t compromised any servers or exploited any bugs in my C code; rather, he had found a dumb mistake in tarsnap’s account-creation process.”
• “For most people to create a Tarsnap account, only a few things are required: An email address, a password, and checkbox confirming that you agree to the Tarsnap legal boilerplate. You submit those to the Tarsnap server; it generates a registration cookie; it sends that cookie to you as part of a URL in the confirmation email; and when you click through that link and re-enter your password your account is created. So far so good — but some people need a bit more than that. Tarsnap is a Canadian company, and as such is required to remit sales tax for its Canadian-resident customers. Moreover, Tarsnap is required to issue invoices to its Canadian-resident customers — invoices which show the customers’ physical mailing addresses — so if a registrant identifies themself as being a Canadian resident, they are taken to a second page to provide their name and mailing address.”
• “But what of that confirmation email? Well, I didn’t want someone who self-identified as a Canadian resident to create an account without providing the legally-mandated information, so I couldn’t send out that email until they submitted the second page. On the other hand, they having provided their email address and password once already, I didn’t want to ask for those again. And so, when I finally got all the paperwork sorted and started accepting Canadian customers in July 2012, I took the option which was simple, obvious and completely wrong: I passed the registration cookie as a hidden variable in the second-page form, to be echoed back to the server.”
• “This of course is what Elamaran had found. To be clear, the registration cookie didn’t reveal any server internals; the only thing it could be used for was to confirm an email address. But because it was being sent in the HTML response, anyone could “confirm” any email address, simply by claiming to be a Canadian resident and viewing the page source. Oops. The fix for this was easy: Use two cookies, one for email confirmation and one for the Canadian-address-obtaining continuation. More importantly, I’ve moved the cookie-generation to where it belongs — within the routine which generates and sends the confirmation email — and I’ve added a comment to remind myself that the cookie must never be exposed via any channel other than an email destined for the address being confirmed.”
• “That last part is ultimately the most important lesson from this: Comments matter! I don’t know what I was thinking three years ago when I reused that cookie; but unless my memory was much better then than it is now, I almost certainly wasn’t thinking about my original design from four years prior. While this was hardly a fatal bug — while I’ll never know for certain, I doubt anyone exploited this email confirmation bypass, and the impact would not be severe even if someone did — it’s a reminder of the importance of writing useful comments. I often see solo developers excuse a lack of comments in their code on the basis that they understand their code and nobody else will be touching it; this misses an essential point: I am not the same person as I was three years ago, nor do I understand everything I understood three years ago. People make mistakes, and people edit code without fully understanding how and why it works. Leave breadcrumbs behind, even if you don’t intend for anyone to follow you: When you try to retrace your steps, you might get lost without them.”

Feedback

• Apple Keychain

• FreeBSD Network Troubles

• ZFS snapshots instead on the FreeNAS server?

• Can’t get enough Allan? Was recently interviewed by the BSDTalk Podcast, episode 256

Round Up:

• Ashley Madison Lawsuit: Former CTO sues security researcher for libal and more coverage
• Oracle releases fix for Virtualbox, won’t disclose what the bug was
• Malicious Cisco router backdoor found on 79 more devices, 25 in the US
• AT&T offering $250,000 USD reward for leading to the capture of the “fiber ripper”
• Dutch police arrest alleged authors of CoinVault ransomware
• Bug in iOS and OS X allow anyone within Airdrop range to overwrite arbitrary files on your system or phone
• How I created a fake business and got many positive reviews
• Cryptome announces his PGP keys have been compromised. All prior communications at risk of disclosure
• Justice Department Releases Letters to Congress about breach risk, just before Snowden
• Intel launches the Automotive Security Review Board (ASRB)
• Survey finds users need atleast 10mbps to feel like they have “broadband”
• A journey through the Yahoo bug bounty program
• Bug Bounties are a privilege, not a right
• An IT themed set of Cards Against Humanity cards

The post Dukes of Cyber Hazard | TechSNAP 233 first appeared on Jupiter Broadcasting.

Coming up this week on the show!

We’ve got an interview with Dag-Erling Smørgrav, the current security officer of FreeBSD, to discuss what exactly being in such an important position is like.

The latest news, answers to your emails and even some LibreSSL drama, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

g2k14 hackathon reports

• Nearly 50 OpenBSD developers gathered in Ljubljana, Slovenia from July 8-14 for a hackathon
• Lots of work got done – in just the first two weeks of July, there were over 1000 commits to their CVS tree
• Some of the developers wrote in to document what they were up to at the event
• Bob Beck planned to work on kernel stuff, but then “LibreSSL happened” and he spent most of his time working on that
• Miod Vallat also tells about his LibreSSL experiences
• Brent Cook, a new developer, worked mainly on the portable version of LibreSSL (and we’ll be interviewing him next week!)
• Henning Brauer worked on VLAN bpf and various things related to IPv6 and network interfaces (and he still hates IPv6)
• Martin Pieuchot fixed some bugs in the USB stack, softraid and misc other things
• Marc Espie improved the package code, enabling some speed ups, fixed some ports that broke with LibreSSL and some of the new changes and also did some work on ensuring snapshot consistency
• Martin Pelikan integrated read-only ext4 support
• Vadim Zhukov did lots of ports work, including working on KDE4
• Theo de Raadt created a new, more secure system call, “sendsyslog” and did a lot of work with /etc, sysmerge and the rc scripts
• Paul Irofti worked on the USB stack, specifically for the Octeon platform
• Sebastian Benoit worked on relayd filters and IPv6 code
• Jasper Lievisse Adriaanse did work with puppet, packages and the bootloader
• Jonathan Gray imported newer Mesa libraries and did a lot with Xenocara, including work in the installer for autodetection
• Stefan Sperling fixed a lot of issues with wireless drivers
• Florian Obser did many things related to IPv6
• Ingo Schwarze worked on mandoc, as usual, and also rewrote the openbsd.org man.cgi interface
• Ken Westerback hacked on dhclient and dhcpd, and also got dump working on 4k sector drives
• Matthieu Herrb worked on updating and modernizing parts of xenocara

FreeBSD pf discussion takes off

• A thread started on the freebsd-questions and freebsd-current mailing lists this week concerning FreeBSD’s version of pf being old and seemingly unmaintained (unfortunately people didn’t always use reply-all so you have to cross-reference the two lists to follow the whole conversation sometimes)
• Straight from the SMP FreeBSD pf maintainer: “no one right now [is actively developing pf on FreeBSD]” and “Following OpenBSD on features would be cool, but no bulk imports would be made again. Bulk imports produce bad quality of port,
  and also pf in OpenBSD has no multi thread support”
• Baptiste Daroussin was quick to point out that multi-thread support is not the only difference between FreeBSD and OpenBSD versions of pf, including work that was done to support VIMAGE (network virtualization, to support have entire network stacks in jails)
• Baptiste Daroussin also reports on his efforts to update FreeBSD pf. He ran into problems and after breaking pf on head, his changes were reverted. He reports that he is still interested in porting individual OpenBSD pf features that are relevant to him, but not in a ‘full sync’ or being the overall maintainer of FreeBSD pf
• The project is looking for volunteers to continue the work. Mentorship is available for a number of people familiar with the FreeBSD networking stack, and Henning Brauer (one of the authors of OpenBSD pf) has stated his willingness to help on a number of occasions, and candidates can apply to the FreeBSD Foundation for funding
• Searching for documentation online for pf is troublesome because there are two incompatible syntaxes
• FreeBSD’s pf man pages are lacking, and some of FreeBSD’s documentation still links to OpenBSD’s pages, which are not compatible anymore
• The discussion also touched on importing pf patches from pfSense, although the license that these patches are under is not clear at this time
• Things quickly got off topic as further disagreement among individual developers vs. users derailed the conversation somewhat
• Many users are very vocal about wanting it updated, saying they are willing to deal with the syntax change and it is worth the benefits
• Some developers wonder which features of OpenBSD pf users actually want, other than just ‘the latest shiny’
• Currently the only known problem with FreeBSD pf is with ipv6 fragments, and the VIMAGE subsystem
• Gleb Smirnoff, author of the FreeBSD-specific SMP patches, says Henning’s claims about OpenBSD’s improved speed are “uncorroborated claims” (but neither side has provided any public benchmarks)
• Olivier Cochard-Labbé (of the BSD Router Project) provided his benchmarks from Nov 2013 of packet forwarding rates with various configurations of FreeBSD 9.2 and 10, vs OpenBSD 5.4. Here is the raw data and scripts to reproduce and a graph of the results
• There seem to be many opinions about what to do about pf, but so far no one willing to do the work

LibreSSL progress update

• LibreSSL’s first few portable releases have come out and they’re making great progress, releasing 2.0.3 two days ago
• Lots of non-OpenBSD people are starting to contribute, sending in patches via the tech mailing list
• However, there has already been some drama… with Linux users
• There was a problem with Linux’s PRNG, and LibreSSL was unforgiving of it, not making an effort to randomize something that could not provide real entropy
• This “problem” doesn’t affect OpenBSD’s native implementation, only the portable version
• The developers decide to weigh in to calm the misinformation and rage
• A fix was added in 2.0.2, and Linux may even get a new system call to handle this properly now – remember to say thanks, guys
• Ted Unangst has a really good post about the whole situation, definitely check it out
• As a follow-up from last week, bapt says they’re working on building the whole FreeBSD ports tree against LibreSSL, but lots of things still need some patching to work properly – if you’re a port maintainer, please test your ports against it

Preparation for NetBSD 7

• The release process for NetBSD 7.0 is finally underway
• The netbsd-7 CVS branch should be created around July 26th, which marks the start of the first beta period, which will be lasting until September
• If you run NetBSD, that’ll be a great time to help test on as many platforms as you can (this is especially true on custom embedded applications)
• They’re also looking for some help updating documentation and fixing any bugs that get reported
• Another formal announcement will be made when the beta binaries are up

Interview – Dag-Erling Smørgrav – des@freebsd.org / @RealEvilDES

The role of the FreeBSD Security Officer, recent ports features, various topics

News Roundup

BSDCan ports and packages WG

• Back at BSDCan this year, there was a special event for discussion of FreeBSD ports and packages
• Bapt talked about package building, poudriere and the systems the foundation funded for compiling packages
• There’s also some detail about the signing infrastructure and different mirrors
• Ports people and source people need to talk more often about ABI breakage
• The post also includes information about pkg 1.3, the old pkg tools’ EOL, the quarterly stable package sets and a lot more (it’s a huge post!)

Cross-compiling ports with QEMU and poudriere

• With recent QEMU features, you can basically chroot into a completely different architecture
• This article goes through the process of building ARMv6 packages on a normal X86 box
• Note though that this requires 10-STABLE or 11-CURRENT and an extra patch for QEMU right now
• The poudriere-devel port now has a “qemu user” option that will pull in all the requirements
• Hopefully this will pave the way for official pkgng packages on those lesser-used architectures

Cloning FreeBSD with ZFS send

• For a FreeBSD mail server that MWL runs, he wanted to have a way to easily restore the whole system if something were to happen
• This post shows his entire process in creating a mirror machine, using ZFS for everything
• The “zfs send” and “zfs snapshot” commands really come in handy for this
• He does the whole thing from a live CD, pretty impressive

FreeBSD Overview series

• A new blog series we stumbled upon about a Linux user switching to BSD
• In part one, he gives a little background on being “done with Linux distros” and documents his initial experience getting and installing FreeBSD 10
• He was pleasantly surprised to be able to use ZFS without jumping through hoops and doing custom kernels
• Most of what he was used to on Linux was already in the default FreeBSD (except bash…)
• Part two documents his experiences with pkgng and ports

Feedback/Questions

• Bostjan writes in
• Rick writes in
• Clint writes in
• Esteban writes in
• Ben writes in
• Matt sends in pictures of his FreeBSD CD collection

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Last week we talked a bit about hardware compatibility, check out the NYC BSD Users’ Group’s dmesgd , a database of user submitted dmesg output from various hardware on various BSD’s. Help the community, submit your dmesg today!
• If you want to come on for an interview or have a tutorial you’d like to see, let us know – we want to do what the viewers want to see
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post DES Challenge IV | BSD Now 47 first appeared on Jupiter Broadcasting.

This time on the show, we’ll be sitting down to talk with Craig Rodrigues about Jenkins and the FreeBSD testing infrastructure. Following that, we’ll show you how to roll your own OpenBSD ISOs with all the patches already applied… ISO can’t wait!

This week’s news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

pfSense 2.1.4 released

• The pfSense team has released 2.1.4, shortly after 2.1.3 – it’s mainly a security release
• Included within are eight security fixes, most of which are pfSense-specific
• OpenSSL, the WebUI and some packages all need to be patched (and there are instructions on how to do so)
• It also includes a large number of various other bug fixes
• Update all your routers!

DragonflyBSD’s pf gets SMP

• While we’re on the topic of pf…
• Dragonfly patches their old[er than even FreeBSD’s] pf to support multithreading in many areas
• Stemming from a user’s complaint, Matthew Dillon did his own work on pf to make it SMP-aware
• Altering your configuration‘s ruleset can also help speed things up, he found
• When will OpenBSD, the source of pf, finally do the same?

ChaCha usage and deployment

• A while back, we talked to djm about some cryptography changes in OpenBSD 5.5 and OpenSSH 6.5
• This article is sort of an interesting follow-up to that, showing which projects have adopted ChaCha20
• OpenSSH offers it as a stream cipher now, OpenBSD uses it for it’s random number generator, Google offers it in TLS for Chromium and some of their services and lots of other projects seem to be adopting it
• Both Google’s fork of OpenSSL and LibReSSL have upcoming implementations, while vanilla OpenSSL does not
• Unfortunately, this article has one mistake: FreeBSD does not use it – they still use the broken RC4 algorithm

BSDMag June 2014 issue

• The monthly online BSD magazine releases their newest issue
• This one includes the following articles: TLS hardening, setting up a package cluster in MidnightBSD, more GIMP tutorials, “saving time and headaches using the robot framework for testing,” an interview and an article about the increasing number of security vulnerabilities
• The free pdf file is available for download as always

Interview – Craig Rodrigues – rodrigc@freebsd.org

FreeBSD’s continuous testing infrastructure

Tutorial

Creating pre-patched OpenBSD ISOs

News Roundup

Preauthenticated decryption considered harmful

• Responding to a post from Adam Langley, Ted Unangst talks a little more about how signify and pkg_add handle signatures
• In the past, the OpenBSD installer would pipe the output of ftp straight to tar, but then verify the SHA256 at the end – this had the advantage of not requiring any extra disk space, but raised some security concerns
• With signify, now everything is fully downloaded and verified before tar is even invoked
• The pkg_add utility works a little bit differently, but it’s also been improved in this area – details in the post
• Be sure to also read the original post from Adam, lots of good information

FreeBSD 9.3-RC2 is out

• As the -RELEASE inches closer, release candidate 2 is out and ready for testing
• Since the last one, it’s got some fixes for NIC drivers, the latest file and libmagic security fixes, some serial port workarounds and various other small things
• The updated bsdconfig will use pkgng style packages now too
• A lesser known fact: there are also premade virtual machine images you can use too

pkgsrcCon 2014 wrap-up

• In what may be the first real pkgsrcCon article we’ve ever had!
• Includes wrap-up discussion about the event, the talks, the speakers themselves, what they use pkgsrc for, the hackathon and basically the whole event
• Unfortunately no recordings to be found…

PostgreSQL FreeBSD performance and scalability

• FreeBSD developer kib@ writes a report on PostgreSQL on FreeBSD, and how it scales
• On his monster 40-core box with 1TB of RAM, he runs lots of benchmarks and posts the findings
• Lots of technical details if you’re interested in getting the best performance out of your hardware
• It also includes specific kernel options he used and the rest of the configuration
• If you don’t want to open the pdf file, you can use this link too

Feedback/Questions

• James writes in
• Klemen writes in
• John writes in
• Brad writes in
• Adam writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• There, you’ll also find a link to Bob Beck’s LibReSSL talk from the end of May – we finally found a recording!
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Next week Allan will be at BSDCam, so we’ll have a prerecorded episode then

The post Base ISO 100 | BSD Now 44 first appeared on Jupiter Broadcasting.

It’s a big show this week! We’ll be interviewing Marc Espie about OpenBSD’s package system and build cluster. Also, we’ve been asked many times “how do I keep my BSD box up to date?” Well, today’s tutorial should finally answer that. Answers to all your emails and this week’s headlines, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

EuroBSDCon 2014 talks and schedule

• The talks and schedules for EuroBSDCon 2014 are finally revealed
• The opening keynote is called “FreeBSD, looking forward to another 10 years” by jkh
• Lots of talks spanning FreeBSD, OpenBSD and PCBSD, and we finally have a few about NetBSD and DragonflyBSD too! Variety is great
• It looks like Theo even has a talk, but the title isn’t on the page… how mysterious
• There are also days dedicated to some really interesting tutorials
• Register now, the conference is on September 25-28th in Bulgaria
• If you see Allan and Kris walking towards you and you haven’t given us an interview yet… well you know what’s going to happen
• Why aren’t the videos up from last year yet? Will this year also not have any?

FreeNAS vs NAS4Free

• More mainstream news covering BSD, this time with an article about different NAS solutions
• In a possibly excessive eight-page article, Ars Technica discusses the pros and cons of both FreeNAS and NAS4Free
• Both are based on FreeBSD and ZFS of course, but there are more differences than you might expect
• Discusses the different development models, release cycles, features, interfaces and ease-of-use factor of each project
• “One is pleasantly functional; the other continues devolving during a journey of pain” – uh oh, who’s the loser?

Quality software costs money, heartbleed was free

• PHK writes an article for ACM Queue about open source software projects’ funding efforts
• A lot of people don’t realize just how widespread open source software is – TVs, printers, gaming consoles, etc
• The article discusses ways to convince your workplace to fund open source efforts, then goes into a little bit about FreeBSD and Varnish’s funding
• The latest heartbleed vulnerability should teach everyone that open source projects are critical to the internet, and need people actively maintaining them
• On that subject, “Earlier this year the OpenSSL Heartbleed bug laid waste to Internet security, and there are still hundreds of thousands of embedded devices of all kinds—probably your television among them—that have not been and will not ever be software-upgraded to fix it. The best way to prevent that from happening again is to avoid having bugs of that kind go undiscovered for several years, and the only way to avoid that is to have competent people paying attention to the software”
• Consider donating to your favorite BSD foundation (or buying cool shirts and CDs!) and keeping the ecosystem alive

Geoblock evasion with pf and OpenBSD rdomains

• Geoblocking is a way for websites to block visitors based on the location of their IP
• This is a blog post about how to get around it, using pf and rdomains
• It has the advantage of not requiring any browser plugins or DNS settings on the users’ computers, you just need to be running OpenBSD on your router (hmm, if only a website had a tutorial about that…)
• In this post, the author wanted to get an American IP address, since the service he was using (Netflix) is blocked in Australia
• It’s got all the details you need to set up a VPN-like system and bypass those pesky geographic filters

Interview – Marc Espie – espie@openbsd.org / @espie_openbsd

OpenBSD’s package system, building cluster, various topics

Tutorial

Keeping your BSD up to date

News Roundup

BoringSSL and LibReSSL

• Yet another OpenSSL fork pops up, this time from Google, called BoringSSL
• Adam Langley has a blog post about it, why they did it and how they’re going to maintain it
• You can easily browse the source code
• Theo de Raadt also weighs in with how this effort relates to LibReSSL
• More eyes on the code is good, and patches will be shared between the two projects

More BSD Tor nodes wanted

• Friend of the show bcallah posts some news to the Tor-BSD mailing list about monoculture in the Tor network being both bad and dangerous
• Originally discussed on the Tor-Relays list, it was made apparent that having such a large amount of Linux nodes weakens the security of the whole network
• If one vulnerability is found, a huge portion of the network would be useless – we need more variety in the network stacks, crypto, etc.
• The EFF is also holding a Tor challenge for people to start up new relays and keep them online for over a year
• Check out our Tor tutorial and help out the network, and promote BSD at the same time!

FreeBSD 10 OpenStack images

• OpenStack, to quote Wikipedia, is “a free and open-source software cloud computing platform. It is primarily deployed as an infrastructure as a service (IaaS) solution.”
• The article goes into detail about creating a FreeBSD instant, installing and converting it for use with “bsd-cloudinit”
• The author of the article is a regular listener and emailer of the show, hey!

BSDday 2014 call for papers

• BSD Day, a conference not so well-known, is going to be held August 9th in Argentina
• It was created in 2008 and is the only BSD conference around that area
• The “call for papers” was issued, so if you’re around Argentina and use BSD, consider submitting a talk
• Sysadmins, developers and regular users are, of course, all welcome to come to the event

Feedback/Questions

• Maruf writes in
• Solomon writes in
• Silas writes in
• Bert writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Just a reminder for those who don’t check the website, you’ll also find contact information for every guest we’ve ever had in the show notes – so if you have follow up questions for them, it’s easy to get in touch
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)
• Congrats to Matt Ahrens for getting FreeBSD commit access – hopefully lots of great ZFS stuff to come
• A special 21st happy birthday to FreeBSD

The post Package Design | BSD Now 43 first appeared on Jupiter Broadcasting.

Coming up this week, we’ll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

PIE and ASLR in FreeBSD update

• A status update for Shawn Webb’s ASLR and PIE work for FreeBSD
• One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
• “FreeBSD has supported loading PIEs for a while now, but the applications in base weren’t compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support”
• If you’re running -CURRENT, just add “WITH_PIE=1” to your /etc/src.conf and /etc/make.conf
• The next step is working on the ASLR coding style and getting more developers to look through it
• Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR

Misc. pfSense news

• Couple of pfSense news items this week, including some hardware news
• Someone’s gotta test the pfSense hardware devices before they’re sold, which involves powering them all on at least once
• To make that process faster, they’re building a controllable power board (and include some cool pics)
• There will be more info on that device a bit later on
• On Friday, June 27th, there will be another video session (for paying customers only…) about virtualized firewalls
• pfSense University, a new paid training course, was also announced
• A single two-day class costs $2000, ouch

ZFS stripe width

• A new blog post from Matt Ahrens about ZFS stripe width
• “The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice”
• Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
• He covers best performance on random IOPS, best reliability, and best space efficiency use cases
• It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels’ overhead factor

FreeBSD 9.3-BETA3 released

• The third BETA in the 9.3 release cycle is out, we’re slowly getting closer to the release
• This is expected to be the final BETA, next will come the RCs
• There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what’s in -CURRENT (but still isn’t using ChaCha20)
• The FreeBSD foundation has a blog post about it too
• There’s a list of changes between 9.2 and 9.3 as well, but we’ll be sure to cover it when the -RELEASE hits

Interview – Bryce Chidester – brycec@devio.us / @brycied00d

Running a BSD shell provider

Tutorial

Chaining SSH connections

News Roundup

My FreeBSD adventure

• A Slackware user from the “linux questions” forum decides to try out BSD, and documents his initial impressions and findings
• After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to “politics” (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
• In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
• So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
• Might be an interesting, ongoing series we can follow up on later

Even more BSDCan trip reports

• BSDCan may be over until next year, but trip reports are still pouring in
• This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
• He’s part of the “Jenkins CI for FreeBSD” group and went to BSDCan mostly for that
• Nice long post about all of his experiences at the event, definitely worth a read
• He even talks about… the food

FreeBSD disk partitioning

• For his latest book series on FreeBSD’s GEOM system, MWL asked the hackers mailing list for some clarification
• This erupted into a very long discussion about fdisk vs gnop vs gpart
• So you don’t have to read the tons of mailing list posts, he’s summarized the findings in a blog post
• It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools

BSD Router Project version 1.51

• A new version of the BSD Router Project has been released, 1.51
• It’s now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
• Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
• Check the sourceforge page for the complete list of changes
• The minimum disk size requirement has increased to 512MB

Feedback/Questions

• Fongaboo writes in
• David writes in
• Kristian writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• A special thanks to our viewer Lars for writing most of today’s tutorial and sending it in
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you’d like to see, let us know
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Devious Methods | BSD Now 42 first appeared on Jupiter Broadcasting.

On this week\’s episode, we\’ll be giving you an introductory guide on OpenBSD\’s ports and package system.

There\’s also a pretty fly interview with Karl Lehenbauer, about how they use FreeBSD at FlightAware.

Lots of interesting news and answers to all your emails, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan 2014 talks and reports, part 2

• More presentations and trip reports are still being uploaded
• Ingo Schwarze, New Trends in mandoc
• Vsevolod Stakhov, The Architecture of the New Solver in pkg
  
• Julio Merino, The FreeBSD Test Suite
• Zbigniew Bodek, Transparent Superpages for FreeBSD on ARM
• There\’s also a trip report from Michael Dexter and another (very long and detailed) trip report from our friend Warren Block that even gives us some linkage, thanks!

Beyond security, getting to know OpenBSD\’s real purpose

• Michael W Lucas (who, we learn through this video, has been using BSD since 1986) gave a \”webcast\” last week, and the audio and slides are finally up
• It clocks in at just over 30 minutes, managing to touch on a lot of OpenBSD topics
• Some of those topics include: what is OpenBSD and why you should care, the philosophy of the project, how it serves as a \”pressure cooker for ideas,\” briefly touches on GPL vs BSDL, their \”do it right or don\’t do it at all\” attitude, their stance on NDAs and blobs, recent LibreSSL development, some of the security functions that OpenBSD enabled before anyone else (and the ripple effect that had) and, of course, their disturbing preference for comic sans
• Here\’s a direct link to the slides
• Great presentation if you\’d like to learn a bit about OpenBSD, but also contains a bit of information that long-time users might not know too

FreeBSD vs Linux, a comprehensive comparison

• Another blog post covering something people seem to be obsessed with – FreeBSD vs Linux
• This one was worth mentioning because it\’s very thorough in regards to how things are done behind the scenes, not just the usual technical differences
• It highlights the concept of a \”core team\” and their role vs \”contributors\” and \”committers\” (similar to a presentation Kirk McKusick did not long ago)
• While a lot of things will be the same on both platforms, you might still be asking \”which one is right for me?\” – this article weighs in with some points for both sides and different use cases
• Pretty well-written and unbiased article that also mentions areas where Linux might be better, so don\’t hate us for linking it

Expand FreeNAS with plugins

• One of the things people love the most about FreeNAS (other than ZFS) is their cool plugin framework
• With these plugins, you can greatly expand the feature set of your NAS via third party programs
• This page talks about a few of the more popular ones and how they can be used to improve your NAS or media box experience
• Some examples include setting up an OwnCloud server, Bacula for backups, Maraschino for managing a home theater PC, Plex Media Server for an easy to use video experience and a few more
• It then goes into more detail about each of them, how to actually install plugins and then how to set them up

Interview – Karl Lehenbauer – karl@flightaware.com / @flightaware

FreeBSD at FlightAware, BSD history, various topics

Tutorial

Ports and packages in OpenBSD

News Roundup

Code review culture meets FreeBSD

• In most of the BSDs, changes need to be reviewed by more than one person before being committed to the tree
• This article describes Phabricator, an open source code review system that we briefly mentioned last week
• Instructions for using it are on the wiki
• While not approved by the core team yet for anything official, it\’s in a testing phase and developers are encouraged to try it out and get their patches reviewed
• Just look at that fancy interface!!

Michael Lucas\’ next tech books

• Sneaky MWL somehow finds his way into both our headlines and the news roundup
• He gives us an update on the next BSD books that he\’s planning to release
• The plan is to release three (or so) books based on different aspects of FreeBSD\’s storage system(s) – GEOM, UFS, ZFS, etc.
• This has the advantage of only requiring you to buy the one(s) you\’re specifically interested in
• \”When will they be released? When I\’m done writing them. How much will they cost? Dunno.\”
• It\’s not Absolute FreeBSD 3rd edition…

CARP failover and high availability on FreeBSD

• If you\’re running a cluster or a group of servers, you should have some sort of failover in place
• But the question comes up, \”how do you load balance the load balancers!?\”
• This video goes through the process of giving more than one machine the same IP, how to set up CARP, securing it and demonstrates a node dying
• Also mentions DNS-based load balancing as another option

PCBSD weekly digest

• This time in PCBSD land, we\’re getting ready for the 10.0.2 release (ISOs here)
• AppCafe got a good number of fixes, and now shows 10 random highlighted applications
• EasyPBI added a \”bulk\” mode to create PBIs of an entire FreeBSD port category
• Lumina, the new desktop environment, is still being worked on and got some bug fixes too

Feedback/Questions

• Paul writes in
• Matt writes in
• Kjell writes in
• Paul writes in
• Tom writes in

• All the tutorials are posted in their entirety at bsdnow.tv
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you want to come on for an interview or have a tutorial you\’d like to see, let us know
• Just a reminder, if you\’re using vnd (vnconfig) on OpenBSD for encryption, it\’s being retired for 5.7 – start planning to migrate your data to softraid
• There were also some security advisories for FreeBSD recently, make sure you\’re all patched up
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post AirPorts & Packages | BSD Now 40 first appeared on Jupiter Broadcasting.

OpenBSD launches LibreSSL, but what challenges do they face? And how much progress have they made? We’ll report!

Apple is struck with its own woes, Heartbleed is used to bypass two-factor authentication, and then its a great batch of your questions and our answers!

On this week’s episode of TechSNAP!

Thanks to:

— Show Notes: —

OpenBSD launches LibreSSL

• The team behind OpenBSD has formalized their fork of OpenSSL and called it LibreSSL
• The goal is to update the coding standards, to use more modern and safer C programming practises
• The impetus for this was infact not Heartbleed, but the mitigation countermeasures discovered by OpenBSD developers before Heartbleed was found
• The way much of OpenSSL is constructed makes it harder to audit with tools like Coverient and Valgrind, and the lack of consistent style, naming etc, makes it exceptionally hard to audit by hand
• There were many bugs in the OpenSSL bug tracker that had been open for as much as 4 years and never addressed
• Bob Beck of the OpenBSD project says that most of the actual crypto code in OpenSSL is very good, as it was written by cryptographers, but a lot of the plumbing is very old and needs serious updating
• Part of the 90,000 lines of code removed in LibreSSL was the FIPS compliance module, which has not been maintained for nearly 20 years
• So far, all of the changes have been API compatible, so any application that can use OpenSSL can still use LibreSSL
• The OpenBSD Foundation is soliciting donations to continue the work on LibreSSL and develop a portable version for other operating systems
• LibreSSL site, complete with working tag

Apple fixes major SSL flaw that could have allowed an attacker to intercept data over an encrypted connection, or inject their own data into the connection

• Apple has fixed a serious security flaw that’s present in many versions of both iOS and OSX and could allow an attacker to intercept data on SSL connections. The bug is one of many that the company fixed Tuesday
• In a ‘triple handshake’ attack, it was possible for an attacker to establish two connections which had the same encryption keys and handshake, insert the attacker’s data in one connection, and renegotiate so that the connections may be forwarded to each other,” the Apple
• The vulnerability affects OS X Mountain Lion 10.8.5, OS X Mavericks 10.9.2, as well as iOS 7.1 and earlier. The bug joins a list of serious problems that have affected SSL in recent months, most notably the OpenSSL heartbleed vulnerability disclosed earlier this month.
• OSX also contains two separate vulnerabilities that could enable an attacker to bypass ASLR, one of the key exploit mitigations built into the operating system. One of the flaws is in the IOKit kernel while the other is in the OSX kernel. The IOKit kernel ASLR bypass also affects iOS 7.1 users.
• Among the other flaws Apple patched in its new releases are a number other severe vulnerabilities. For OSX Mavericks users, the two most concerning issues are a pair of buffer overflows that could lead to remote code execution. One of the bugs is in the font parser and the second is in the imageIO component. The upshot of the vulnerabilities is that opening a malicious PDF or JPEG could lead to arbitrary code execution.

Heartbleed used to defeat 2 factor authentication

• Security nightmares sparked by the Heartbleed OpenSSL vulnerability continue. According to Mandiant, now a unit of FireEye
• An attacker was able to leverage the Heartbleed vulnerability against the VPN appliance of a customer and hijack multiple active user sessions.
• The attack bypassed both the organization\’s multifactor authentication and the VPN client software used to validate that systems connecting to the VPN were owned by the organization and running specific security software.
• \”Specifically, the attacker repeatedly sent malformed heartbeat requests to the HTTPS web server running on the VPN device, which was compiled with a vulnerable version of OpenSSL, to obtain active session tokens for currently authenticated users,\” Mandiant\’s Christopher Glyer explained.
• With an active session token, the attacker successfully hijacked multiple active user sessions and convinced the VPN concentrator that he/she was legitimately authenticated.
• After connecting to the VPN, the attacker attempted to move laterally and escalate his/her privileges within the victim organization, Mandiant said.
• Additional Coverage

Feedback:

• 2 Questions for Allan and Chris

• SSL Certificate rating questions

• How does Tarsnap\’s dedupe work?

• How to protect apache httpd against ddos?

• How to protect apache httpd from (D)DoS attacks?

• Using Varnish to block DDoS or DoS

Round Up:

• North America is down to its last IPv4 address block
• Heartbleed used to steal SSL private key from Swedish VPN provider mullvad
• ICS-CERT issues advisory about heartbleed vulnerabilities in siemens SCADA/ICS gear
• Healthcare.gov preventatively resets all passwords
• F.B.I. Informant Is Tied to Cyberattacks Abroad
• Heartbleed highlights contradicition of the web
• Intel\’s next-gen Thunderbolt rumored to hit 40Gbps transfer speeds with new connector
• The value of, and problems with, CRLs and OCSP
• Google is working on end-to-end encryption for Gmail
• Java fixes critical SSL flaws

The post Heartbleed Fallout | TechSNAP 160 first appeared on Jupiter Broadcasting.

We sit down with Jim Brown from the BSD Certification group to talk about the BSD exams. Following that, we\’ll be showing you how to build OpenBSD binary packages in bulk, a la poudriere. There\’s a boatload of news and we\’ve got answers to your questions, coming up on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

BSDCan schedule, speakers and talks

• This year\’s BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone\’s looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo\’s talk, \”Releasing NetBSD: So Many Targets, So Little Time\”
• Dru Lavigne\’s talk, \”ZFS Management Tools in FreeNAS and PC-BSD\”
• Scott Long\’s talk, \”Serving one third of the Internet via FreeBSD\”
• Michael W. Lucas\’ talk, \”BSD Breaking Barriers\”

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal\’s second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they\’ve already gotten over 1000 subscribers! It\’s available on Google Play, iTunes, Amazon, etc
• \”We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD\”
• Check our interview with GNN for more information about the journal

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There\’s been a pretty vicious response from security experts all across the internet and in all of the BSD projects – and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: \”Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL\’s bug tracker is only used to park bugs, not fix them\”
• Sounds like someone else was having fun with the bug for a while too
• There\’s also another OpenSSL bug that\’s possibly worse that OpenBSD patched – it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out – we\’re seeing a fork in real time (over 55000 lines of code removed as of yesterday evening)

Interview – Jim Brown – info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new \”signify\” tool in OpenBSD
• Now there\’s a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There\’s also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• \”Update Center\” is getting a lot of development and improvements
• Lots of misc. bug fixes and updates

Feedback/Questions

• There\’s a reddit thread we wanted to highlight – a user wants to show his friend BSD and why it\’s great
• Brad writes in
• Sha\’ul writes in
• iGibbs writes in
• Matt writes in

• All the tutorials are posted in their entirety at bsdnow.tv – there\’s a couple new ones on the site now that we\’ll be covering in future episodes
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• If you\’ve got something cool to talk about and want to come on for an interview, shoot us an email
• Also if you have any tutorial requests, we\’d be glad to show whatever the viewers want to see
• If you\’re in or around Colorado in the US, there\’s a brand new BSD users group that was just formed and announced – they\’ll be having meetings and doing tutorials, so check out their site (also, if you have a local BUG, let us know!)
• Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

The post Certified Package Delivery | BSD Now 33 first appeared on Jupiter Broadcasting.

We explore some common misconceptions about Linux security. Plus the 0-Day hitting Microsoft Office users…

A great big batch of your questions, our answers, and much much more!

On this week’s episode, of TechSNAP.

Thanks to:

— Show Notes: —

Exploring the misconceptions of Linux Security

• “There is a perception out there that Linux systems don\’t need additional security”
• As Linux grows more and more mainstream, attacks become more prominent
• We have already seen malware with variants targeting Linux desktop users, Flash and Java exploits with Linux payloads
• Linux servers have been under attack for more than a decade, but these incidents are rarely publicized
• The most common attacks are not 0day exploits against the kernel or some critical service, but compromised web applications, or plain old brute force password cracking
• However, it is still important to keep services up to date as well (openssh, openssl, web server, mail server, etc)
• Typical ‘best practice’ involves having firewalls, web application firewalls and intrusion detection systems. These systems cannot prevent every type of attack.
• Firewalls generally do not help attacks against web applications, because they operate at layer 3 & 4 and can no detect an attempted exploit
• Web Application Firewalls operate at layer 7 and inspect HTTP traffic before it is sent to the application and attempt to detect exploit or SQL injection attempts. These are limited by definitions of what is an attack, and are also often limited to providing protection for specific applications, since protecting an application generally means knows exactly what legitimate traffic will look like
• Intrusion detection systems again rely on detecting specific patterns and are often unable to detect an attack, or detect so many false positives that the attack is buried in a report full of noise and isn’t recognized
• Linux backdoors have become remarkably sophisticated, taking active steps to avoid detection, including falling silent when an administrator logs in, and suspending exfiltration when an interface is placed in promiscuous mode (such as when tcpdump is run)
• Linux servers are often out of date, because most distributions do not have something similar to Microsoft’s “Patch Tuesday”. Security updates are often available more frequently, but the irregular cadence can cause operational issues. Most enterprise patch management systems do not include support for Linux, and it is often hard to tell if a Linux server is properly patched
• “The main problem is that these system administrators think their [Linux] systems are so secure, when they haven\’t actually done anything to secure them,” David Jacoby, a senior security researcher for the Global Research and Analysis Team at Kaspersky Lab said. For example, the default Linux configuration for most distributions does not restrict login attempts, Jacoby warned. Attackers can attempt to brute-force passwords by running through a list of possibilities without having to worry about locking out the account or getting disconnected from the server. This is something the administrator has to configure manually, and many don\’t, Jacoby said.

0day exploit in MS Word triggered by Outlook preview

• Microsoft issued a warning on Monday of a new 0day exploit against MS Word being exploited in the wild
• Microsoft has released an emergency Fix-It Solution until a proper patch can be released
• This attack is especially bad since it doesn’t not require the victim to open the malicious email, looking at the message in Outlook’s preview mode will trigger the exploit
• According to Microsoft’s advisory the flaw is also present in Word 2003, 2007, 2010, 2013, Word Viewer and Office for Mac 2011
• The attack uses a malicious RTF (Rich-Text file), Outlook renders RTF files with MS Word by default
• The Fix-It solution disables automatically opening emails with RTF content with MS Word
• This attack can also be worked around by configuring your email client to view all emails in plain-text only
• Instructions for Office 2003, 2007 and 2010
• Instructions for Outlook 2013
• “The attack is very sophisticated, making use of an ASLR bypass, ROP techniques (bypassing the NX bit and DEP), shellcode, and several layers of tools designed to detect and defeat analysis”
• The code attempts to determine if it is running in a sandbox and will fail to execute, to hamper analysis and reverse engineering
• The exploit also checks how recently windows updates have been installed on the machine. “The shellcode will not perform any additional malicious action if there are updates installed after April, 8 2014”
• Additional Coverage – ThreatPost

Feedback:

• Multiple ISPs

• Securing my fortress

• Can you please explain some basic terms

• Is better/safer to use keys than passwords?

• Proper use of SSH keys

• SSH: Best Practices | HowtoForge – Linux Howtos and Tutorials

• IPv6

Round Up:

• Tarsnap now accepts Bitcoin
• Fake GPG keys for crypto developers found in the wild
• Apps with millions of Google Play downloads covertly mine cryptocurrency
• More holes in SCADA systems, 7600 power, chemical and petrochemical plants at risk
• Gordon Lyon reboots the Full Disclosure mailing list
• Deanonymizing tor with denial of service attacks
• Sony Pictures Plans Movie About Brian Krebs
• Robbing ATMs using SMS messages
• Hackers transform EA Web page into Apple ID phishing scheme
• Cabling done right More cable porn
• WPA2 vulnerabilities found in deauthentication phase, may allow an attacker to temporarily gain access to the network
• Trendjacking – New phishing campaign against governement targets using MH-370
• California DMV breach leaks credit cards

The post Misconceptions of Linux Security | TechSNAP 155 first appeared on Jupiter Broadcasting.

We\’ve got some great news for OpenBSD, as well as the scoop on FreeBSD 10.0-RELEASE – yes it\’s finally here! We\’re gonna talk to Colin Percival about running FreeBSD 10 on EC2 and lots of other interesting stuff. After that, we\’ll be showing you how to do some bandwidth monitoring and network performance testing in a combo tutorial. We\’ve got a round of your questions and the latest news, on BSD Now – the place to B.. SD.

Thanks to:

Direct Download:

Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube

RSS Feeds:

MP3 Feed | OGG Feed | iTunes Feed | Video Feed | HD Vid Feed | HD Torrent Feed

– Show Notes: –

Headlines

FreeBSD 10.0-RELEASE is out

• The long awaited, giant release of FreeBSD is now official and ready to be downloaded
• One of the biggest releases in FreeBSD history, with tons of new updates
• Some features include: LDNS/Unbound replacing BIND, Clang by default (no GCC anymore), native Raspberry Pi support and other ARM improvements, bhyve, hyper-v support, AMD KMS, VirtIO, Xen PVHVM in GENERIC, lots of driver updates, ZFS on root in the installer, SMP patches to pf that drastically improve performance, Netmap support, pkgng by default, wireless stack improvements, a new iSCSI stack, FUSE in the base system… the list goes on and on
• Start up your freebsd-update or do a source-based upgrade right now!

OpenSSH 6.5 CFT

• Our buddy Damien Miller announced a Call For Testing for OpenSSH 6.5
• Huge, huge release, focused on new features rather than bugfixes (but it includes those too)
• New ciphers, new key formats, new config options, see the mailing list for all the details
• Should be in OpenBSD 5.5 in May, look forward to it – but also help test on other platforms!
• We\’ll talk about it more when it\’s released

DIY NAS story, FreeNAS 9.2.1-BETA

• Another new blog post about FreeNAS!
• \”I did briefly consider suggesting nas4free for the EconoNAS blog, since it’s essentially a fork off the FreeNAS tree but may run better on slower hardware, but ultimately I couldn’t recommend anything other than FreeNAS\”
• Really long article with lots of nice details about his setup, why you might want a NAS, etc.
• Speaking of FreeNAS, they released 9.2.1-BETA with lots of bugfixes

OpenBSD needed funding for electricity.. and they got it

• Briefly mentioned at the end of last week\’s show, but has blown up over the internet since
• OpenBSD in the headlines of major tech news sites: slashdot, zdnet, the register, hacker news, reddit, twitter.. thousands of comments
• They needed about $20,000 to cover electric costs for the server rack in Theo\’s basement
• Lots of positive reaction from the community helping out so far, and it appears they have reached their goal and got $100,000 in donations
• From Bob Beck, \”we have in one week gone from being in a dire situation to having a commitment of approximately $100,000 in donations to the foundation\”
• This is a shining example of the BSD community coming together, and even the Linux people realizing how critical BSD is to the world at large

This episode was brought to you by

Interview – Colin Percival – cperciva@freebsd.org / @twitter

FreeBSD on Amazon EC2, backups with Tarsnap, 10.0-RELEASE, various topics

Tutorial

Bandwidth monitoring and testing

News Roundup

pfSense talk at Tokyo FreeBSD Benkyoukai

• Isaac Levy will be presenting \”pfSense Practical Experiences: from home routers, to High-Availability Datacenter Deployments\”
• He\’s also going to be looking for help to translate the pfSense documentation into Japanese
• The event is on February 17, 2014 if you\’re in the Tokyo area

m0n0wall 1.8.1 released

• For those who don\’t know, m0n0wall is an older BSD-based firewall OS that\’s mostly focused on embedded applications
• pfSense was forked from it in 2004, and has a lot more active development now
• They switched to FreeBSD 8.4 for this new version
• Full list of updates in the changelog
• This version requires at least 128MB RAM and a disk/CF size of 32MB or more, oh no!

Ansible and PF, plus NTP

• Another blog post from our buddy Michael Lucas
• There\’ve been some NTP amplification attacks recently in the news
• The post describes how he configured ntpd on a lot of servers without a lot of work
• He leverages pf and ansible for the configuration
• OpenNTPD is, not surprisingly, unaffected – use it

ruBSD videos online

• Just a quick followup from a few weeks ago
• Theo and Henning\’s talks from ruBSD are now available for download
• There\’s also a nice interview with Theo

PCBSD weekly digest

• 10.0-RC4 images are available
• Wine PBI is now available for 10
• 9.2 systems will now be able to upgrade to version 10 and keep their PBI library

Feedback/Questions

• Sha\’ul writes in: https://slexy.org/view/s2WQXwMASZ
• Kjell-Aleksander writes in: https://slexy.org/view/s2H0FURAtZ
• Mike writes in: https://slexy.org/view/s21eKKPgqh
• Charlie writes in (and gets a reply): https://slexy.org/view/s21UMLnV0G
• Kevin writes in: https://slexy.org/view/s2SuazcfoR

Contest

• We\’ll be giving away a handmade FreeBSD pillow – yes you heard right
• All you need to do is write a tutorial for the show
• Submit your BSD tutorial write-ups to feedback@bsdnow.tv
• Check bsdnow.tv/contest for all the rules, details, instructions and a picture of the pillow.

• All the tutorials are posted in their entirety at bsdnow.tv
• The poudriere tutorial got a couple fixes and modernizations
• Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
• Stop commenting on the Jupiterbroadcasting pages and Youtube! We don\’t read those!
• Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

The post Tendresse for Ten | BSD Now 21 first appeared on Jupiter Broadcasting.

It was a tough week for the cloud, we’ll run down the list and summarize what happened to the services we all depend on so much!

Plus a big batch of your questions, our answers, and a rocking round-up!

All that and a lot more, on this week’s TechSNAP.

Thanks to:

Use our codes TechSNAP10 to save 10% at checkout, or TechSNAP20 to save 20% on hosting!

SPECIAL OFFER! Save 20% off your order!
Code: go20off5

Pick your code and save:
techsnap7: $7.49 .com
techsnap10: 10% off
techsnap11: $1.99 hosting for the first 3 months
techsnap20: 20% off 1, 2, 3 year hosting plans
techsnap40: $10 off $40
techsnap25: 25% off new Virtual DataCenter plans
techsnapx: 20% off .xxx domains

 

Support the Show: