tor – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Thu, 26 May 2022 12:48:40 +0000

Linux Action News 242 https://original.jupiterbroadcasting.net/148722/linux-action-news-242/ Thu, 26 May 2022 05:30:00 +0000 Show Notes: linuxactionnews.com/242

The post Linux Action News 242 first appeared on Jupiter Broadcasting.

Bugfix and Chill | LINUX Unplugged 449 https://original.jupiterbroadcasting.net/147902/bugfix-and-chill-linux-unplugged-449/ Sun, 13 Mar 2022 18:30:00 +0000 https://original.jupiterbroadcasting.net/?p=147902 Show Notes: linuxunplugged.com/449

The post Bugfix and Chill | LINUX Unplugged 449 first appeared on Jupiter Broadcasting.

Archived Knowledge | BSD Now 336 https://original.jupiterbroadcasting.net/139192/archived-knowledge-bsd-now-336/ Thu, 06 Feb 2020 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=139192 Show Notes/Links: https://www.bsdnow.tv/336

The post Archived Knowledge | BSD Now 336 first appeared on Jupiter Broadcasting.

Linux Action News 70 https://original.jupiterbroadcasting.net/127056/linux-action-news-70/ Sun, 09 Sep 2018 17:18:54 +0000 Episode Links: linuxactionnews.com/70

The post Linux Action News 70 first appeared on Jupiter Broadcasting.

Goes to 11.2 | BSD Now 252 https://original.jupiterbroadcasting.net/125771/goes-to-11-2-bsd-now-252/ Thu, 28 Jun 2018 08:28:10 +0000

The post Goes to 11.2 | BSD Now 252 first appeared on Jupiter Broadcasting.


##Headlines
###FreeBSD 11.2-RELEASE Available

  • FreeBSD 11.2 was released today (June 27th) and is ready for download
  • Highlights:
    • OpenSSH has been updated to version 7.5p1.
    • OpenSSL has been updated to version 1.0.2o.
    • The clang, llvm, lldb and compiler-rt utilities have been updated to version 6.0.0.
    • The libarchive(3) library has been updated to version 3.3.2.
    • The libxo(3) library has been updated to version 0.9.0.
    • Major Device driver updates to:
      • cxgbe(4) – Chelsio 10/25/40/50/100 gigabit NICs – version 1.16.63.0 supports T4, T5 and T6
      • ixl(4) – Intel 10 and 40 gigabit NICs, updated to version 1.9.9-k
      • ng_pppoe(4) – driver has been updated to add support for user-supplied Host-Uniq tags
    • New drivers:
      • drm-next-kmod driver supporting integrated Intel graphics with the i915 driver.
      • mlx5io(4) – a new IOCTL interface for Mellanox ConnectX-4 and ConnectX-5 10/20/25/40/50/56/100 gigabit NICs
      • ocs_fc(4) – Emulex Fibre Channel 8/16/32 gigabit Host Adapters
      • smartpqi(4) – HP Gen10 Smart Array Controller Family
    • The newsyslog(8) utility has been updated to support RFC5424-compliant messages when rotating system logs
    • The diskinfo(8) utility has been updated to include two new flags, -s which displays the disk identity (usually the serial number), and -p which displays the physical path to the disk in a storage controller.
    • The top(1) utility has been updated to allow filtering on multiple user names when the -U flag is used
    • The umount(8) utility has been updated to include a new flag, -N, which is used to forcefully unmount an NFS mounted filesystem.
    • The ps(1) utility has been updated to display if a process is running with capsicum(4) capability mode, indicated by the flag ‘C’
    • The service(8) utility has been updated to include a new flag, -j, which is used to interact with services running within a jail(8). The argument to -j can be either the name or numeric jail ID
    • The mlx5tool(8) utility has been added, which is used to manage Connect-X 4 and Connect-X 5 devices supported by mlx5io(4).
    • The ifconfig(8) utility has been updated to include a random option, which when used with the ether option, generates a random MAC address for an interface.
    • The dwatch(1) utility has been introduced
    • The efibootmgr(8) utility has been added, which is used to manipulate the EFI boot manager.
    • The etdump(1) utility has been added, which is used to view El Torito boot catalog information.
    • The linux(4) ABI compatibility layer has been updated to include support for musl consumers.
    • The fdescfs(5) filesystem has been updated to support Linux®-specific fd(4) /dev/fd and /proc/self/fd behavior
    • Support for virtio_console(4) has been added to bhyve(4).
    • The length of GELI passphrases entered when booting a system with encrypted disks is now hidden by default. See the configuration options in geli(8) to restore the previous behavior.

  • In addition to the usual CD/DVD ISO, Memstick, and prebuilt VM images (raw, qcow2, vhd, and vmdk), FreeBSD 11.2 is also available on:
    • Amazon EC2
    • Google Compute Engine
    • Hashicorp/Atlas Vagrant
    • Microsoft Azure
  • In addition to a generic ARM64 image for devices like the Pine64 and Raspberry Pi 3, specific images are provided for:
    • GUMSTIX
    • BANANAPI
    • BEAGLEBONE
    • CUBIEBOARD
    • CUBIEBOARD2
    • CUBOX-HUMMINGBOARD
    • RASPBERRY PI 2
    • PANDABOARD
    • WANDBOARD
  • Full Release Notes

###Setting up an MTA Behind Tor

This article will document how to set up OpenSMTPD behind a fully Tor-ified network. Given that Tor’s DNS resolver code does not support MX record lookups, care must be taken for setting up an MTA behind a fully Tor-ified network. OpenSMTPD was chosen because it was easy to modify to force it to fall back to A/AAAA lookups when MX lookups failed with a DNS result code of NOTIMP (4).

Note that as of 08 May 2018, the OpenSMTPD project is planning a configuration file language change. The proposed change has not landed. Once it does, this article will be updated to reflect both the old language and new.

The reason to use an MTA behind a fully Tor-ified network is to be able to support email behind the .onion TLD. This setup will only allow us to send and receive email to and from the .onion TLD.

  • Requirements:
    • A fully Tor-ified network
    • HardenedBSD as the operating system
    • A server (or VM) running HardenedBSD behind the fully Tor-ified network.
    • /usr/ports is empty
      • Or is already pre-populated with the HardenedBSD Ports tree

  • Why use HardenedBSD? We get all the features of FreeBSD (ZFS, DTrace, bhyve, and jails) with enhanced security through exploit mitigations and system hardening. Tor has a very unique threat landscape and using a hardened ecosystem is crucial to mitigating risks and threats.

Also note that this article reflects how I’ve set up my MTA. I’ve included configuration files verbatim. You will need to replace the text that refers to my .onion domain with yours.

On 08 May 2018, HardenedBSD’s version of OpenSMTPD just gained support for running an MTA behind Tor. The package repositories do not yet contain the patch, so we will compile OpenSMTPD from ports.

  • Steps
  • Installation
  • Generating Cryptographic Key Material
  • Tor Configuration
  • OpenSMTPD Configuration
  • Dovecot Configuration
  • Testing your configuration
  • Optional: Webmail Access

iXsystems
https://www.forbes.com/sites/forbestechcouncil/2018/06/21/strings-attached-knowing-when-and-when-not-to-accept-vc-funding/#30f9f18f46ec
https://www.ixsystems.com/blog/self-2018-recap/

###Running pfSense on a Digital Ocean Droplet

I love pfSense (and opnSense, no discrimination here). I use it for just about anything, from homelab to large scale deployments and I’ll give out on any fancy <enter brand name fw appliance here> for a pfSense setup on a decent hardware.

I also love DigitalOcean, if you ever used them, you know why, if you never did, head over and try, you’ll understand why.
<shameless plug: head over to JupiterBroadcasting.com, the best technology content out there, they have coupon codes to get you started with DO>.

Unfortunately, while DO offers a tremendous amount of useful distros and applications, pfSense isn’t one of them. But, where there’s a will, there’s a way, and here’s how to get pfSense up and running on DO so you can have it as the gatekeeper to your kingdom.

Start by creating a FreeBSD droplet, choose your droplet size (for modest setups, I find the 5$ to be quite awesome):

There are many useful things you can do with pfSense on your droplet, from OpenVPN, squid, firewalling, fancy routing, url filtering, dns black listing and much much more.

  • One note though, before we wrap up:

You have two ways to initiate the initial setup wizard of the web-configurator:
Spin up another droplet, log into it and browse your way to the INTERNAL ip address of the internal NIC you’ve set up. This is the long and tedious way, but it’s also somewhat safer as it eliminates the small window of risk the second method poses.
or
Once your WAN address is all setup, your pfSense is ready to accept https connection to start the initial web-configurator setup.
Thing is, there’s a default, well known set of credentials to this initial wizard (admin:pfsense), so, there is a slight window of opportunity that someone can swoop in (assuming they know you’ve installed pfsense + your wan IP address + the exact time window between setting up the WAN interface and completing the wizard) and do <enter scary thing here>.

I leave it up to you which of the paths you’d like to go, either way, once you’re done with the web-configurator wizard, you’ll have a shiny new pfSense installation at your disposal running on your favorite VPS.

Hopefully this was helpful for someone, I hope to get a similar post soon detailing how to get FreeNAS up and running on DO.
Many thanks to Tubsta and his blogpost as well as to Allan Jude, Kris Moore and Benedict Reuschling for their AWESOME and inspiring podcast, BSD Now.


##News Roundup
###One year of C

It’s now nearly a year that I started writing non-trivial amounts of C code again (the first sokol_gfx.h commit was on the 14-Jul-2017), so I guess it’s time for a little retrospective.

In the beginning it was more of an experiment: I wanted to see how much I would miss some of the more useful C++ features (for instance namespaces, function overloading, ‘simple’ template code for containers, …), and whether it is possible to write non-trivial codebases in C without going mad.

Here are all the github projects I wrote in C:

  • sokol: a slowly growing set of platform-abstraction headers
  • sokol-samples – examples for Sokol
  • chips – 8-bit chip emulators
  • chips-test – tests and examples for the chip- emulators, including some complete home computer emulators (minus sound)

All in all these are around 32k lines of code (not including 3rd party code like flextGL and HandmadeMath). I think I wrote more C code in the recent 10 months than any other language.

So one thing seems to be clear: yes, it’s possible to write a non-trivial amount of C code that does something useful without going mad (and it’s even quite enjoyable I might add).

  • Here’s a few things I learned:

  • Pick the right language for a problem

  • C is a perfect match for WebAssembly

  • C99 is a huge improvement over C89

  • The dangers of pointers and explicit memory management are overrated

  • Less Boilerplate Code

  • Less Language Feature ‘Anxiety’

  • Conclusion

All in all my “C experiment” is a success. For a lot of problems, picking C over C++ may be the better choice since C is a much simpler language (btw, did you notice how there are hardly any books, conferences or discussions about C despite being a fairly popular language? Apart from the neverending bickering about undefined behaviour from the compiler people of course 😉 There simply isn’t much to discuss about a language that can be learned in an afternoon.

I don’t like some of the old POSIX or Linux APIs as much as the next guy (e.g. ioctl(), the socket API or some of the CRT library functions), but that’s an API design problem, not a language problem. It’s possible to build friendly C APIs with a bit of care and thinking, especially when C99’s designated initialization can be used (C++ should really make sure that the full C99 language can be used from inside C++ instead of continuing to wander off into an entirely different direction).


###Configuring OpenBGPD to announce VM’s virtual networks

We use BGP quite heavily at work, and even though I’m not interacting with that directly, it feels like it’s something very useful to learn at least on some basic level. The most effective and fun way of learning technology is finding some practical application, so I decided to see if it could help to improve networking management for my Virtual Machines.

My setup is fairly simple: I have a host that runs bhyve VMs and I have a desktop system from where I ssh to VMs, both hosts run FreeBSD. All VMs are connected to each other through a bridge and have a common network 10.0.1/24. The point of this exercise is to be able to ssh to these VMs from desktop without adding static routes and without adding vmhost’s external interfaces to the VMs bridge.

I’ve installed openbgpd on both hosts and configured it like this:

vmhost: /usr/local/etc/bgpd.conf
AS 65002
router-id 192.168.87.48
fib-update no

network 10.0.1.1/24

neighbor 192.168.87.41 {
    descr "desktop"
    remote-as 65001
}

Here, router-id is set to vmhost’s IP address in my home network (192.168.87/24), fib-update no is set to forbid routing table update, which I initially set for testing, but I’m keeping it as vmhost is not supposed to learn new routes from desktop anyway. network announces my VMs network and neighbor describes my desktop box. Now the desktop box:

desktop: /usr/local/etc/bgpd.conf
AS 65001
router-id 192.168.87.41
fib-update yes

neighbor 192.168.87.48 {
    descr "vmhost"
    remote-as 65002
}

It’s pretty similar to vmhost’s bgpd.conf, but no networks are announced here, and fib-update is set to yes because the whole point is to get VM routes added. Both hosts have to have the openbgpd service enabled:

/etc/rc.conf.local
openbgpd_enable="YES"
  • Conclusion

As mentioned already, similar result could be achieved without using BGP by using either static routes or bridging interfaces differently, but the purpose of this exercise is to get some basic hands-on experience with BGP. Right now I’m looking into extending my setup in order to try more complex BGP schema. I’m thinking about adding some software switches in front of my VMs or maybe adding a second VM host (if budget allows). You’re welcome to comment if you have some ideas how to extend this setup for educational purposes in the context of BGP and networking.

As a side note, I really like openbgpd so far. Its configuration file format is clean and simple, documentation is good, error and information messages are clear, and CLI has intuitive syntax.


Digital Ocean

###The Power to Serve

All people within the IT Industry should know where the slogan “The Power To Serve” is exposed every day to millions of people. But maybe too much wishful thinking from me. But without “The Power To Serve” the IT industry today will look totally different. Companies like Apple, Juniper, Cisco and even WhatsApp would not exist in their current form.

I provide IT architecture services to make your complex IT landscape manageable and I love to solve complex security and privacy challenges. Complex challenges where people, processes and systems are heavily interrelated. For this knowledge intensive work I often run some IT experiments. When you run experiments nowadays you have a choice:

  • Rent some cloud based services or
  • DIY (Do IT Yourself) on premise

Running your own development experiments on your own infrastructure can be time-consuming. However, smart automation saves time and money. And by creating your own CICD pipeline (Continuous Integration, Continuous Deployment) you stay on top of core infrastructure developments. Even hands-on. Knowing how things work from a technical ‘hands-on’ perspective gives great advantages when it comes to solving complex business IT problems. Making a clear distinction between a business problem and an IT problem is useless. Business and IT problems are related. Sometimes causally related, but more often indirectly, by one or more non-linear feedback loops. Almost every business depends on IT systems. Bad IT often means that your customers will leave your business.

One of the things of FreeBSD for me is still FreeBSD Jails. In 2015 I had luck to attend to a presentation of the legendary hacker Poul-Henning Kamp. Check his BSD bio to see what he has done for the FreeBSD community! FreeBSD jails are a light way to visualize your system without enormous overhead. Now that the development on Linux for LXD/LXD is more mature (lxd is the next generation system container manager on linux) there is finally again an alternative for a nice chroot Linux based system again. At least when you do not need the overhead and management complexity that comes with Kubernetes or Docker.

FreeBSD means control and quality for me. When there is an open source package I need, I want to install it from source. It gives me more control and always some extra knowledge on how things work. So no precompiled binaries for me on my BSD systems! If a build on FreeBSD fails most of the time this is an alert regarding the quality for me.

If a complex OSS package is not available at all in the FreeBSD ports collection there should be a reason for it. Is it really that nobody on the world wants to do this dirty maintenance work? Or is there another cause that running this software on FreeBSD is not possible…There are currently 32644 ports available on FreeBSD. So all the major programming language, databases and middleware libraries are present. The FreeBSD organization is a mature organization and since this is one of the largest OSS projects worldwide learning how this community manages to keep innovation and creates and maintains software is a good entrance for learning how complex IT systems function.

FreeBSD is of course BSD licensed. It worked well! There is still a strong community with lots of strong commercial sponsors around the community. Of course: sometimes a GPL license makes more sense. So beside FreeBSD I also love GPL software and the rationale and principles behind it. So my hope is that maybe within the next 25 years the hard battle between BSD vs GPL churches will be more rationalized and normalized. Principles are good, but as all good IT architects know: With good principles alone you never make a good system. So use requirements and not only principles to figure out what OSS license fits your project. There is never one size fits all.

June 19, 1993 was the day the official name for FreeBSD was agreed upon. So this blog is written to celebrate 25th anniversary of FreeBSD.


###Dave’s BSDCan trip report

  • So far, only one person has bothered to send in a BSDCan trip report. Our warmest thanks to Dave for doing his part.

Hello guys! During the last show, you asked for a trip report regarding BSDCan 2018.
This was my first time attending BSDCan. However, BSDCan was my second BSD conference overall, my first being vBSDCon 2017 in Reston, VA.
Arriving early Thursday evening and after checking into the hotel, I headed straight to the Red Lion for the registration, picked up my badge and swag and then headed towards the ‘DMS’ building for the newbies talk. The only thing is, I couldn’t find the DMS building! Fortunately I found a BSDCan veteran who was heading there themselves. My only suggestion is to include the full building name and address on the BSDCan web site, or even a link to Google maps to help out with the navigation. The on-campus street maps didn’t have ‘DMS’ written on them anywhere. But I digress.
Once I made it to the newbies talk hosted by Dan Langille and Michael W Lucas, it highlighted places to meet, an overview of what is happening, details about the ‘BSDCan widow/widower tours’ and most importantly, the 6-2-1 rule!
The following morning, we were presented with tea/coffee, muffins and other goodies to help prepare us for the day ahead.
The first talk, “The Tragedy of systemd” covered what systemd did wrong and how the BSD community could improve on the ideas behind it.
With the exception of Michael W Lucas, SSH Key Management and Kirk McKusick, The Evolution of FreeBSD Governance talk, I pretty much attended all of the ZFS talks including the lunchtime BoF session, hosted by Allan Jude. Coming from FreeNAS and being involved in the community, this is where my main interest and motivation lies. Since then I have been able to share some of that information with the FreeNAS community forums and chatroom.
I also attended the “Speculating about Intel” lunchtime BoF session hosted by Theo de Raadt, which proved to be “interesting”.
The talks ended with the wrap up session with a few words from Dan, covering the record attendance and made very clear there “was no cabal”. Followed by the handing over of Groff the BSD goat to a new owner, thank you’s from the FreeBSD Foundation to various community committers and maintainers, finally ending with the charity auction, where things like a Canadian $20 bill sold for $40, a signed FreeBSD Foundation shirt originally worn by George Neville-Neil, a lost laptop charger, Michael’s used gelato spoon, various books, the last cookie and more importantly, the second to last cookie!
After the auction, we all headed to the Red Lion for food and drinks, sponsored by iXsystems.
I would like to thank the BSDCan organizers, speakers and sponsors for a great conference. I will certainly hope to attend next year!
Regards,
Dave (aka m0nkey_)

  • Thanks to Dave for sharing his experiences with us and our viewers

##Beastie Bits

Tarsnap

##Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

Low Security Pillow Storage | TechSNAP 343 https://original.jupiterbroadcasting.net/119566/low-security-pillow-storage-techsnap-343/ Tue, 31 Oct 2017 22:00:02 +0000

The post Low Security Pillow Storage | TechSNAP 343 first appeared on Jupiter Broadcasting.


Show Notes:

OpenSSH CLI escape sequences

  • Notes from when Dan was experimenting with this: Only works if ~ is the first character you type; typing something, then backspace, then ~ will not invoke the escape sequence. Must be the first character after ENTER.

Kaspersky Confirms It Downloaded Classified Docs, Blames NSA Contractor’s Dumb Mistake

  • According to Kaspersky, the fault rests on the shoulders of the NSA contractor, who allegedly brought home government surveillance tools and then decided to activate their consumer antivirus software

  • The analyst’s computer was infected with malware while Kaspersky’s product was disabled

  • When Kaspersky’s product was re-enabled, the user apparently scanned their system multiple times

  • A 7-zip archive of documents was retrieved for analysis because the user had set the software to send reports of malicious detections.

‘I Forgot My PIN’: An Epic Tale of Losing $30,000 in Bitcoin

  • Spent $3,000 to buy 7.4 bitcoins. Saved them to Trezor hardware wallet. Wrote down a 24-word recovery key. Saved a PIN.

  • Paper went missing

  • Could not remember PIN

  • Tried many times.

  • Tried an exploit…..


Feedback


Round Up:

Linux Action News 25 https://original.jupiterbroadcasting.net/119506/linux-action-news-25/ Sun, 29 Oct 2017 16:40:19 +0000

The post Linux Action News 25 first appeared on Jupiter Broadcasting.


  • Mint to add Flatpak support — The project says the upcoming release of Linux Mint 18.3 will come with “full support” for Flatpak out of the box.
    This will include integration with the Linux Mint Software Manager.
  • Drop KDE edition — The Linux Mint crew has confirmed today they will be discontinuing future releases of their KDE spin following next month’s Linux Mint 18.3 release.
  • Oracle Could Still Make ZFS A First-Class Upstream Linux File-System — Mark wants to see ZFS become a core part of Linux. He wants it to become “the file-system of Linux” and “that could happen” for “core Linux.” He later said, “it’s a possibility… but I can’t say how strong of a possibility,” that includes talking with Oracle lawyers about the code license of both ZFS and Solaris.
  • Open ZFS File-System Running On Windows
  • Google Play Protect isn’t very good at spotting malware — When exposed to recent Android malware samples, six of the 20 software suites sampled correctly flagged every single one as evil and prevented them from running. Eight more managed a 99 per cent or higher hit rate. Google’s own system, Play Protect, only detected 65.8 per cent of threats.
  • Mozilla helps out TOR and so can you — Today we’re launching our end-of-year crowdfunding campaign, “Powering Digital Resistance,” highlighting Tor’s work protecting essential human rights around the world.
    As part of this end-of-year campaign, Mozilla is matching donations up to a total of $500,000 — so your donation to the Tor Project will go twice as far!
  • Solus looking for help with aesthetics for Solus 4 — If you wanna help us improve the default experience for the next ISO, or you’ve some mad creative skills, let us know!
  • Steam VR Marketshare Already Larger Than Steam Linux Marketshare — Valve developer Pierre-Loup Griffais who is heavily involved in their Linux efforts as well as those around virtual reality has commented the VR market-share is already larger than the entire Steam Linux market-share.
  • Putin Will Require Cryptocurrency Miners to Register With the Government — After months of conflicting statements, Russia has finally outlined its plan for cryptocurrencies.

Pulse of PipeWire | LINUX Unplugged 215 https://original.jupiterbroadcasting.net/118391/pulse-of-pipewire-lup-215/ Tue, 19 Sep 2017 19:08:02 +0000

The post Pulse of PipeWire | LINUX Unplugged 215 first appeared on Jupiter Broadcasting.


Show Notes:

Follow Up / Catch Up

Tor 0.3.2.1-alpha is released, with support for next-gen onion services and KIST scheduler

Tor 0.3.2.1-alpha is the first release in the 0.3.2.x series. It includes support for our next-generation (“v3”) onion service protocol, and adds a new circuit scheduler for more responsive forwarding decisions from relays. There are also numerous other small features and bugfixes here.

Introducing Keybase Teams

But Keybase teamwork is end-to-end encrypted, which means you don’t have to worry about server hacks

An open letter to the W3C Director, CEO, team and membership | Electronic Frontier Foundation

Effective today, EFF is resigning from the W3C.

Firefox, Thunderbird and VLC Are the Most Popular Apps Among Ubuntu Users

Canonical’s Dustin Kirkland attended this year’s UbuCon Europe conference for Ubuntu users and developers in Paris, France, where he revealed the results of the Ubuntu desktop survey and the apps that users want to see by default in future Ubuntu releases.

Dustin Shares Software Survey Results for the First time

Linux Academy

Launching PipeWire!

We are finally ready to formally launch pipewire as a project and have created a Pipewire website and logo.

Wim Taymans

DigitalOcean

Linux “Journalism” is in a Nose Dive

More than ever I believe very deeply that Linux “journalism” is in a nose dive of quality. Fewer and fewer “reporters” are going to the story or creating anything new, and instead have chosen the easy and lazy route of clickbait, virtue signaling journalism. It’s a well proven business model after all, and saves quite a bit of time.



TING

Linux Foundation Head Calls 2017 ‘Year of the Linux Desktop’… While Running Apple’s macOS Himself

Perhaps I am creating unnecessary controversy. Perhaps this simply should be ignored.

Broadband from Space | TechSNAP 326 https://original.jupiterbroadcasting.net/116356/broadband-from-space-techsnap-326/ Tue, 04 Jul 2017 22:52:58 +0000

The post Broadband from Space | TechSNAP 326 first appeared on Jupiter Broadcasting.


Show Notes:

Low-latency satellite broadband gets approval to serve US residents

UK Cops Say Visiting the Dark Web Is a Potential Sign of Terrorism

https://krebsonsecurity.com/2017/06/got-robocalled-dont-get-mad-get-busy/


Feedback

  • Black and white print tracking dots: document forgery and counterfeiting is not limited to cash, nor is the desire to track. – Joe

Round Up:


Gambling with Code | TechSNAP 305 https://original.jupiterbroadcasting.net/106721/gambling-with-code-techsnap-305/ Tue, 07 Feb 2017 23:31:28 +0000

Show Notes:

Russians Engineer a Brilliant Slot Machine Cheat—And Casinos Have No Fix

  • In this case, it was the accountants who noticed something was wrong.

  • What? No centralised real-time monitoring?

  • IN EARLY JUNE 2014, accountants at the Lumiere Place Casino in St. Louis noticed that several of their slot machines had—just for a couple of days—gone haywire. The government-approved software that powers such machines gives the house a fixed mathematical edge, so that casinos can be certain of how much they’ll earn over the long haul—say, 7.129 cents for every dollar played. But on June 2 and 3, a number of Lumiere’s machines had spit out far more money than they’d consumed, despite not awarding any major jackpots, an aberration known in industry parlance as a negative hold. Since code isn’t prone to sudden fits of madness, the only plausible explanation was that someone was cheating.

  • Casino security pulled up the surveillance tapes and eventually spotted the culprit, a black-haired man in his thirties who wore a Polo zip-up and carried a square brown purse. Unlike most slots cheats, he didn’t appear to tinker with any of the machines he targeted, all of which were older models manufactured by Aristocrat Leisure of Australia. Instead he’d simply play, pushing the buttons on a game like Star Drifter or Pelican Pete while furtively holding his iPhone close to the screen.

  • He’d walk away after a few minutes, then return a bit later to give the game a second chance. That’s when he’d get lucky. The man would parlay a $20 to $60 investment into as much as $1,300 before cashing out and moving on to another machine, where he’d start the cycle anew. Over the course of two days, his winnings tallied just over $21,000. The only odd thing about his behavior during his streaks was the way he’d hover his finger above the Spin button for long stretches before finally jabbing it in haste; typical slots players don’t pause between spins like that.

  • On June 9, Lumiere Place shared its findings with the Missouri Gaming Commission, which in turn issued a statewide alert. Several casinos soon discovered that they had been cheated the same way, though often by different men than the one who’d bilked Lumiere Place. In each instance, the perpetrator held a cell phone close to an Aristocrat Mark VI model slot machine shortly before a run of good fortune.

  • By examining rental-car records, Missouri authorities identified the Lumiere Place scammer as a 37-year-old Russian national. He had flown back to Moscow on June 6, but the St. Petersburg–based organization he worked for, which employs dozens of operatives to manipulate slot machines around the world, quickly sent him back to the United States to join another cheating crew. The decision to redeploy him to the US would prove to be a rare misstep for a venture that’s quietly making millions by cracking some of the gaming industry’s most treasured algorithms.

  • Russia has been a hotbed of slots-related malfeasance since 2009, when the country outlawed virtually all gambling. (Vladimir Putin, who was prime minister at the time, reportedly believed the move would reduce the power of Georgian organized crime.) The ban forced thousands of casinos to sell their slot machines at steep discounts to whatever customers they could find. Some of those cut-rate slots wound up in the hands of counterfeiters eager to learn how to load new games onto old circuit boards. Others apparently went to the suspect’s bosses in St. Petersburg, who were keen to probe the machines’ source code for vulnerabilities.

  • By early 2011, casinos throughout central and eastern Europe were logging incidents in which slots made by the Austrian company Novomatic paid out improbably large sums. Novomatic’s engineers could find no evidence that the machines in question had been tampered with, leading them to theorize that the cheaters had figured out how to predict the slots’ behavior. “Through targeted and prolonged observation of the individual game sequences as well as possibly recording individual games, it might be possible to allegedly identify a kind of ‘pattern’ in the game results,” the company admitted in a February 2011 notice to its customers.

  • Recognizing those patterns would require remarkable effort. Slot machine outcomes are controlled by programs called pseudorandom number generators that produce baffling results by design. Government regulators, such as the Missouri Gaming Commission, vet the integrity of each algorithm before casinos can deploy it.

  • But as the “pseudo” in the name suggests, the numbers aren’t truly random. Because human beings create them using coded instructions, PRNGs can’t help but be a bit deterministic. (A true random number generator must be rooted in a phenomenon that is not manmade, such as radioactive decay.) PRNGs take an initial number, known as a seed, and then mash it together with various hidden and shifting inputs—the time from a machine’s internal clock, for example—in order to produce a result that appears impossible to forecast. But if hackers can identify the various ingredients in that mathematical stew, they can potentially predict a PRNG’s output. That process of reverse engineering becomes much easier, of course, when a hacker has physical access to a slot machine’s innards.

  • Knowing the secret arithmetic that a slot machine uses to create pseudorandom results isn’t enough to help hackers, though. That’s because the inputs for a PRNG vary depending on the temporal state of each machine. The seeds are different at different times, for example, as is the data culled from the internal clocks. So even if they understand how a machine’s PRNG functions, hackers would also have to analyze the machine’s gameplay to discern its pattern. That requires both time and substantial computing power, and pounding away on one’s laptop in front of a Pelican Pete is a good way to attract the attention of casino security.

  • On December 10, not long after security personnel spotted the suspect inside the Hollywood Casino in St. Louis, four scammers were arrested. Because he and his cohorts had pulled their scam across state lines, federal authorities charged them with conspiracy to commit fraud. The indictments represented the first significant setbacks for the St. Petersburg organization; never before had any of its operatives faced prosecution.

  • The Missouri and Singapore cases appear to be the only instances in which scammers have been prosecuted, though a few have also been caught and banned by individual casinos. At the same time, the St. Petersburg organization has sent its operatives farther and farther afield. In recent months, for example, at least three casinos in Peru have reported being cheated by Russian gamblers who played aging Novomatic Coolfire slot machines.

  • The economic realities of the gaming industry seem to guarantee that the St. Petersburg organization will continue to flourish. The machines have no easy technical fix. As Hoke notes, Aristocrat, Novomatic, and any other manufacturers whose PRNGs have been cracked “would have to pull all the machines out of service and put something else in, and they’re not going to do that.” (In Aristocrat’s statement to WIRED, the company stressed that it has been unable “to identify defects in the targeted games” and that its machines “are built to and approved against rigid regulatory technical standards.”) At the same time, most casinos can’t afford to invest in the newest slot machines, whose PRNGs use encryption to protect mathematical secrets; as long as older, compromised machines are still popular with customers, the smart financial move for casinos is to keep using them and accept the occasional loss to scammers.

  • So the onus will be on casino security personnel to keep an eye peeled for the scam’s small tells. A finger that lingers too long above a spin button may be a guard’s only clue that hackers in St. Petersburg are about to make another score.

Netgear Exploit Found in 31 Models Lets Hackers Turn Your Router Into a Botnet

  • This came to our attention from Shawn
  • For most people, routers are the little boxes which sit between you and your ISP. They do NAT, possibly firewalling, and generally stop the outside world from getting in without your permission. Well, that’s what they are supposed to do. The long-standing issue is updates. When vulnerabilities are found, the code needs to be patched. With these devices, that can be troublesome, given that everyday consumers cannot be expected to update them. For us geeks, this isn’t so much of an issue, if the updates are made available to us.
  • We patch our own systems already, patching the firmware on a device… we can do that too.
  • The vast majority of router users are unaware that they require an update. They sit there waiting, and sometimes they are found. When they are found to have a vulnerability, they can become part of a bot-net, a huge collection of devices ready to do the bidding of those with ill-intent. These bot-nets can be used for a variety of malicious purposes. Why do this? Most often, it’s money.
  • This story is about someone discovering a problem with their router, and then exploring it.

GitLab.com melts down after wrong directory deleted, backups fail

  • This also came from Shawn

  • Source-code hub GitLab.com is in meltdown after experiencing data loss as a result of what it has suddenly discovered are ineffectual backups.

  • On Tuesday evening, Pacific Time, the startup issued a sobering series of tweets we’ve listed below. Behind the scenes, a tired sysadmin, working late at night in the Netherlands, had accidentally deleted a directory on the wrong server during a frustrating database replication process: he wiped a folder containing 300GB of live production data that was due to be replicated.

  • Just 4.5GB remained by the time he canceled the rm -rf command. The last potentially viable backup was taken six hours beforehand.

  • That Google Doc mentioned in the last tweet notes: “This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis).”

  • So some solace there for users because not all is lost. But the document concludes with the following:

  • So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.

  • The world doesn’t contain enough faces and palms to even begin to offer a reaction to that sentence. Or, perhaps, to summarise the mistakes the startup candidly details as follows:

    • LVM snapshots are by default only taken once every 24 hours. YP happened to run one manually about 6 hours prior to the outage

    • Regular backups seem to also only be taken once per 24 hours, though YP has not yet been able to figure out where they are stored. According to JN these don’t appear to be working, producing files only a few bytes in size.

    • SH: It looks like pg_dump may be failing because PostgreSQL 9.2 binaries are being run instead of 9.6 binaries. This happens because omnibus only uses Pg 9.6 if data/PG_VERSION is set to 9.6, but on workers this file does not exist. As a result it defaults to 9.2, failing silently. No SQL dumps were made as a result. Fog gem may have cleaned out older backups.

    • Disk snapshots in Azure are enabled for the NFS server, but not for the DB servers.

    • The synchronisation process removes webhooks once it has synchronised data to staging. Unless we can pull these from a regular backup from the past 24 hours they will be lost

    • The replication procedure is super fragile, prone to error, relies on a handful of random shell scripts, and is badly documented

    • Our backups to S3 apparently don’t work either: the bucket is empty

  • Making matters worse is the fact that GitLab last year decreed it had outgrown the cloud and would build and operate its own Ceph clusters. GitLab’s infrastructure lead Pablo Carranza said the decision to roll its own infrastructure “will make GitLab more efficient, consistent, and reliable as we will have more ownership of the entire infrastructure.”

  • See also GitLab.com Database Incident

  • see also Catastrophic Failure – Myth Weavers – My thanks to Rikai for bringing this to our attention.

  • example of why making sure your backup solution is solid as hell is extremely important

  • The guy is completely honest and takes ownership of the mistakes he made. Hopefully others can learn from his mistakes.

  • For context, myth-weavers is a website that handles things like the creation/managing and sharing of D&D (and other tabletop RPG) character sheets online ( https://www.myth-weavers.com/sheetindex.php ), they lost about 6 months of data.

  • Backup automation is good, because people will fail and skip steps more often than computers will, and this is a perfect example of that.

  • The trick is getting it done RIGHT and having it NOTIFY you when something ISN’T right. As well as making it consistent, reproducible and redundant if possible. This is also an example of why if you have data you care about, that step should not be skipped.

  • Automated backups are a lot of up-front work that people often avoid doing, at least partially and regret it later. This is a well documented postmortem of what happens when you do that and why you should set aside the time and get it done

  • Not exactly mission-critical data, but still very important data for the audience they cater to. Handcrafted, imagination-related kinda stuff

  • This GitLab outage and database deletion & lack of backups is a great reminder to routinely test your disaster recovery strategies

  • Dataloss at GitLab

  • Thoughts On Gitlab Data Incident

  • Blameless PostMortems and a Just Culture
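An added example (not code from GitLab or from the show) of a backup check that fails loudly on the conditions listed above: an empty backup location, a dump only a few bytes long, a dump older than 24 hours, and a pg_dump client that does not match data/PG_VERSION. The `*.sql.gz` layout, the size floor, the problem codes and all function names are assumptions; the sample dumps are constructed.

```python
import gzip
import hashlib
import os
import re
import tempfile
import time
import zlib
from pathlib import Path

MIN_BYTES = 1024                 # assumed floor; a real dump is far larger than this
MAX_AGE_SECONDS = 24 * 3600      # the backups on the page ran once every 24 hours
DUMP_TRAILER = b"PostgreSQL database dump complete"  # closing comment of a plain-format pg_dump


def major_version(text):
    """'pg_dump (PostgreSQL) 9.2.18' -> '9.2'; '14.5' -> '14'; None if no version found."""
    m = re.search(r"(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    first, second = int(m.group(1)), m.group(2)
    return str(first) if first >= 10 or second is None else f"{first}.{second}"


def dump_is_complete(path):
    """Stream-decompress the dump and look for pg_dump's closing comment near the end."""
    tail = b""
    try:
        with gzip.open(path, "rb") as fh:
            while chunk := fh.read(1 << 20):
                tail = (tail + chunk)[-256:]
    except (OSError, EOFError, zlib.error):
        return False                      # corrupt or truncated archive
    return DUMP_TRAILER in tail


def check_backups(backup_dir, data_dir, pg_dump_version, now=None):
    """Return a list of problem codes; an empty list means every check passed."""
    now = time.time() if now is None else now
    problems = []

    # A missing PG_VERSION is reported instead of silently falling back to a default.
    version_file = Path(data_dir) / "PG_VERSION"
    if not version_file.is_file():
        problems.append("NO_PG_VERSION")
    elif major_version(version_file.read_text()) != major_version(pg_dump_version):
        problems.append("VERSION_MISMATCH")

    dumps = sorted(Path(backup_dir).glob("*.sql.gz"), key=lambda p: p.stat().st_mtime)
    if not dumps:
        problems.append("EMPTY")
        return problems
    newest = dumps[-1]
    if now - newest.stat().st_mtime > MAX_AGE_SECONDS:
        problems.append("STALE")
    if newest.stat().st_size < MIN_BYTES:
        problems.append("TOO_SMALL")
    if not dump_is_complete(newest):
        problems.append("TRUNCATED")
    return problems


def write_dump(path, rows, complete, age_hours, now):
    """Constructed sample data: a gzip'd plain-format dump with `rows` INSERT lines."""
    body = "".join(
        f"INSERT INTO issues VALUES ({i}, '{hashlib.sha256(str(i).encode()).hexdigest()}');\n"
        for i in range(rows)
    )
    if complete:
        body += "--\n-- PostgreSQL database dump complete\n--\n"
    with gzip.open(path, "wb") as fh:
        fh.write(body.encode())
    mtime = now - age_hours * 3600
    os.utime(path, (mtime, mtime))


def demo():
    """Build four constructed scenarios in a temp dir and return their problem lists."""
    scenarios = [
        # name, PG_VERSION content, pg_dump --version output, rows, complete, age (h)
        ("healthy", "9.6", "pg_dump (PostgreSQL) 9.6.1", 200, True, 1),
        ("tiny_dump", None, "pg_dump (PostgreSQL) 9.2.18", 0, False, 1),
        ("mismatch_stale", "9.6", "pg_dump (PostgreSQL) 9.2.18", 200, True, 30),
        ("no_dumps", "9.6", "pg_dump (PostgreSQL) 9.6.1", None, True, 1),
    ]
    results, now = {}, time.time()
    with tempfile.TemporaryDirectory() as root:
        for name, pg_version, tool, rows, complete, age in scenarios:
            data, backups = Path(root, name, "data"), Path(root, name, "backups")
            data.mkdir(parents=True)
            backups.mkdir(parents=True)
            if pg_version is not None:
                (data / "PG_VERSION").write_text(pg_version + "\n")
            if rows is not None:
                write_dump(backups / "db.sql.gz", rows, complete, age, now)
            results[name] = check_backups(backups, data, tool, now)
    return results


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name:15} {'OK' if not problems else ', '.join(problems)}")
```

A scheduler would run `check_backups` after every backup job and page someone on any non-empty result; a restore test into a scratch database remains the only proof that a dump is usable.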


Feedback:


Round Up:


The Next Generation | TechSNAP 301 https://original.jupiterbroadcasting.net/106086/the-next-generation-techsnap-301/ Tue, 10 Jan 2017 21:18:56 +0000

Show Notes:

Malware authors have found a way to evade URL-blocking systems by swapping bad domain names with unknown ones

  • Malware is often hosted on pop-up domains (bought specifically for the purpose, and with very odd names). Other times, it is resident on compromised hosts (PYS!). As such hosting locations/domains are discovered, they are added to blacklists.
  • The criminals have found yet another way to avoid the blacklists – spoofing
  • Spoofing is not new: think of it as pretending to be someone else.
  • What seems to be new is deception in the TCP packets, or more specifically, the TCP headers.
  • For some time now URL filtering techniques have provided a fairly reliable way for organizations to block traffic into their network from domains that are known to be malicious. But as with almost every defense mechanism, threat actors appear to have found a way around that as well.
  • Security researchers from Cyren are warning about a new tactic for fooling Web security and URL–filtering systems. The technique, which Cyren has dubbed “Ghost Host,” is designed to evade host and domain blacklists by swapping bad domain names and inserting random, non-malicious host names in the HTTP host field instead.
  • The objective is to evade host and domain blacklists by resetting the host name with a benign one, even when the actual connection is to a malicious command and control IP, according to a Cyren blog post today.
  • “Ghost hosts are unknown or known-benign host names used by malware for evading host and URL blacklists,” says Geffen Tzur, a security researcher at Cyren.
  • Tzur says there have been no previously reported incidents he knows of where malware actors have attempted to fool detection systems by inserting benign names in the HTTP host field.
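An added detection sketch (not Cyren's method or code from the show) for the "Ghost Host" behaviour described above: it joins a proxy log with the resolver log and flags HTTP requests whose Host header names a host the client never resolved to the IP it actually connected to. Both log formats, the function names and every address and hostname are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from typing import NamedTuple

# Constructed resolver log: timestamp, client, queried name, answer IPs.
DNS_LOG = """\
2017-01-10T10:00:01 10.0.0.5 www.example.org 203.0.113.10
2017-01-10T10:00:02 10.0.0.5 updates.example.net 198.51.100.20
2017-01-10T10:00:03 10.0.0.7 cdn.example.com 203.0.113.44,203.0.113.45
"""

# Constructed proxy log: timestamp, client, destination IP, Host header, path.
HTTP_LOG = """\
2017-01-10T10:00:05 10.0.0.5 203.0.113.10 www.example.org /index.html
2017-01-10T10:00:09 10.0.0.5 198.51.100.20 updates.example.net /a
2017-01-10T10:00:11 10.0.0.5 198.51.100.20 Events.Example.org:80 /a
2017-01-10T10:00:12 10.0.0.5 198.51.100.20 news.example.com /a
2017-01-10T10:00:15 10.0.0.7 203.0.113.45 cdn.example.com /app.js
2017-01-10T10:00:20 10.0.0.7 192.0.2.99 192.0.2.99 /status
"""


class Finding(NamedTuple):
    ts: str
    client: str
    dst_ip: str
    host: str
    reasons: tuple


def normalise_host(value):
    """Lower-case a Host header value and drop any port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("["):             # bracketed IPv6 literal, e.g. [2001:db8::1]:8080
        return host[1:host.index("]")]
    if host.count(":") == 1:             # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def load_dns_answers(text):
    """Map (client, queried name) -> set of IPs the resolver handed back."""
    answers = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _ts, client, name, ips = line.split()
            answers[(client, normalise_host(name))].update(ips.split(","))
    return answers


def find_ghost_hosts(http_text, dns_text, ip_blocklist=frozenset()):
    """Flag requests to blocklisted IPs and requests whose Host does not match the IP."""
    answers = load_dns_answers(dns_text)
    findings = []
    for line in http_text.splitlines():
        if not line.strip():
            continue
        ts, client, dst_ip, raw_host, _path = line.split()
        host = normalise_host(raw_host)
        reasons = []
        # The IP check ignores the Host header, so a benign name cannot hide the destination.
        if dst_ip in ip_blocklist:
            reasons.append("blocklisted-ip")
        # The client never received dst_ip as an answer for this name.
        if not is_ip_literal(host) and dst_ip not in answers.get((client, host), ()):
            reasons.append("host-ip-mismatch")
        if reasons:
            findings.append(Finding(ts, client, dst_ip, host, tuple(reasons)))
    return findings


def hosts_per_destination(findings):
    """Group mismatched Host values by destination IP; several names on one IP stand out."""
    by_ip = defaultdict(set)
    for f in findings:
        if "host-ip-mismatch" in f.reasons:
            by_ip[f.dst_ip].add(f.host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


if __name__ == "__main__":
    for finding in find_ghost_hosts(HTTP_LOG, DNS_LOG):
        print(finding)
    print(hosts_per_destination(find_ghost_hosts(HTTP_LOG, DNS_LOG)))
```

Expect false positives where a client resolved the name before the resolver log window began or resolves through a path the log does not cover, so treat a mismatch as a lead to correlate rather than a verdict.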

Feedback:


Round Up:


Hats Off to Wayland | LAS 445 https://original.jupiterbroadcasting.net/105046/hats-off-to-wayland-las-445/ Sun, 27 Nov 2016 22:23:05 +0000

— Show Notes: —



Brought to you by: Linux Academy

Fedora 25

Fedora 25 released! – Fedora Magazine

Fedora 25 provides many bug fixes and tweaks to these underlying components, as well as new and enhanced packages, including:

  • Docker 1.12 for building and running containerized applications
  • Node.js 6.9.1, the latest version of the popular server-side JavaScript engine
  • Support for Rust, a faster and more stable system programming language
  • PHP 7, offering improved performance and reduced memory usage
  • Multiple Python versions — 2.6, 2.7, 3.3, 3.4 and 3.5 — to help run test suites across several Python configurations, as well as PyPy, PyPy3, and Jython

Wayland in Fedora 25

The big news for desktop users in Workstation is the Wayland display server has finally replaced the legacy X11 Window server. Wayland has been in the works since 2008. The point of Wayland is to provide a smoother, richer experience for graphical environments. X also had a huge amount of functionality that was no longer being used.

On top of Wayland, Fedora 25 Workstation runs GNOME 3.22. This latest desktop claims to offer multiple file renaming, a redesigned keyboard settings tool, and additional user interface improvements. If, like me, you’re not a GNOME fan, Fedora 25 also supports spins with other default desktops. These include KDE, XFCE, LXDE, MATE, and Cinnamon.

How To Test

  1. Boot a fresh F25 workstation install.
  2. Verify that the login screen is running under Wayland (you can do so by looking for a process called gdm-wayland-session in ps -ef output)
  3. Verify that the session chooser offers ‘GNOME’, ‘GNOME on X11’ and ‘GNOME Classic’, and that ‘GNOME’ is selected by default.
  4. Log into all three of these sessions and verify that ‘GNOME’ gives you Wayland (you can verify this by bringing up the GTK+ inspector in a gtk3 application and checking what backend is used), while the other two end up with X11.

  5. Change the gdm configuration by adding WaylandEnable=false and reboot

  6. Verify that the login screen comes up under X
  7. Verify that only X-based sessions are offered in the session chooser

  8. Log into the Wayland-based session again

  9. Use the desktop normally, and verify that there are no obvious instabilities, or Wayland-specific bugs or performance problems

The Fedora Free Media Program is a volunteer initiative by local Fedora Ambassadors and contributors to distribute Fedora Media (DVDs) for free to individuals who can’t afford to buy or download Fedora. There is no funding from Fedora for this initiative. The media comes from volunteers from around the globe that coordinate their efforts using Fedora Infrastructure.

— PICKS —

Runs Linux

My Mower Runs Linux

After about 6 months of doing research on hardware and embedded systems I finally have a decent working prototype and it runs LINUX! All design, programming, GIS tools, and supporting tools, like field HUD, are all linux (Arch and Ubuntu).

Desktop App Pick

Midnight Commander

After last week’s app pick many wrote in to suggest we take a look at…

GNU Midnight Commander is a visual file manager, licensed under GNU General Public License and therefore qualifies as Free Software. It’s a feature rich full-screen text mode application that allows you to copy, move and delete files and whole directory trees, search for files and run commands in the subshell. Internal viewer and editor are included.
Midnight Commander is based on versatile text interfaces, such as Ncurses or S-Lang, which allows it to work on a regular console, inside an X Window terminal, over SSH connections and all kinds of remote shells.

Spotlight

The $89 ARM Laptop

Sent in by Dennis K.

PINEBOOK is a 11″ or 14″ notebook powered by the same Quad-Core ARM Cortex A53 64-Bit Processor used in our popular PINE A64 Single Board Computer. It is lightweight and comes with a full size keyboard and large multi-touch touchpad for students and makers.

Using the mini HDMI port, the PINEBOOK can be connected to a larger external HDMI display or TV for presentations.

Built-in MicroSD Card slot allows users to expand their data storage up to 256 GB with a microSD Card (SD, SDHC, SDXC).

Stickers – Super Key Sticker with Any LAS Sticker While They Last!

Chris’ Personal YouTube Channel – MeetBSD and Behind the Scenes Noah Vist Videos Soon


— NEWS —

Tor Phone Is The “Super-secure Version Of Android”, Developed By Tor Project

Aptly named Tor Phone, this new phone has been designed by Tor developer Mike Perry. It’s based on Copperhead OS, an Android distribution that comes with multiple security enhancements. In the past, Google’s Android security team has accepted many Copperhead patches in their Android code base.

Systemic Threats to Software Freedom

Unfortunately, not only is Copperhead the only Android rebuild that supports Verified Boot, but the Google Nexus/Pixel hardware is the only Android hardware that allows the user to install their own keys to retain both the ability to modify the device, as well as have the filesystem security provided by verified boot.

This, combined with Google’s increasing hostility towards Android as a fully Open Source platform, as well as the difficulty for external entities to keep up with Android’s surprise release and opaque development processes, means that the ability for end-users to use, study, share, and improve the Android system are all in great jeopardy.

UbuCon Europe 2016 – Welcome & UBports Announcement – YouTube

Debian putting everything on the /usr

One of the reasons for the change is that the current hierarchy creates “busy work” for developers, as Russ Allbery explained in January. He argued the change would mean “we don’t have to try to harass a thousand package maintainers into doing essentially untestable busy-work to try to move things around between /usr, /bin, and /lib to support a tiny handful of systems for which other approaches are available.”

Jay (Microsoft project manager) knows the score when it comes to Linux performance

Tor Phone – The Secure Android

The Tor Project has released Tor Phone–a privacy-focused and secure version of Android mobile OS. It’s based on Copperhead OS, a hardened Android distribution. Tor Phone also uses OrWall to force all the connections over Tor network.

Upcoming XFS Work in Linux v4.8 v4.9 and v4.10+, by Darrick Wong

For the past year I have been working on a bunch of new features for the
XFS filesystem on Linux. Modern-day XFS is a direct descendant of the
original XFS code from SGI Irix that was donated long ago. The goals
are the same — XFS is intended to behave consistently as it scales to
large storage and many files.

Feedback:

RogueBots – System76
Mail Bag
  • Name: Craig

  • Subject: UPS that Will Come via UPS

Message:

Hey Dudes,

Not a direct related Linux question, but it does have to do with my System76 Ratel so there is that. So I have been using my Ratel for a few months now. Real nice machine. plug plug. With the winter approaching and possible electricity failures due to ice and snow, etc.; I am now serious on the lookout for a Uninterrupted Power Supply for my Ratel. Not sure where to start. You guys are IT Gurus, what would you suggest my options should be?

Thanks for LAS and all the shows!

Noah,

I recently installed Antergos on my Oryx Pro and experienced similar problems with the trackpad.

I found that replacing LightDM with GDM fixed the problems with the trackpad. After switching to GDM, additional settings show up for the trackpad including tap to click.

Also after switching to GDM, the two finger scrolling worked better in particular the horizontal scrolling.

Call in: 1-877-347-0011

Catch the show LIVE SUNDAY:

— CHRIS’ STASH —

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

Satisfy your Fidgeting | TTT 259 https://original.jupiterbroadcasting.net/103041/satisfy-your-fidgeting-ttt-259/ Mon, 12 Sep 2016 15:50:36 +0000

Show Notes:

Links:

  • Miyamoto Proves His Point, Eats a Hamburger While Playing Super Mario Run – GameSpot
  • Samsung Galaxy Note 7 explodes in New York, burns six-year-old boy | Ars Technica
  • […]
PIS Poor DNS | TechSNAP 268 https://original.jupiterbroadcasting.net/100021/pis-poor-dns-techsnap-268/ Thu, 26 May 2016 17:32:03 +0000

Is the “Dark Cloud” hype, or a real technology? Using DNS tunneling for remote command and control & the big problem with 1-Day exploits.

Plus your great question, our answers, a breaking news roundup & more!

Show Notes:

APT Groups still successfully exploiting Microsoft Office flaw patched 6 months ago

  • “A Microsoft Office vulnerability patched six months ago continues to be a valuable tool for APT gangs operating primarily in Southeast Asia and the Far East.”
  • “CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.”
  • “The error enables an attacker to execute arbitrary code using a specially crafted EPS image file. The exploit uses PostScript and can evade Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) protection methods.”
  • One of the groups using the exploit targeted the Japanese military industrial complex
  • “In December 2015, Kaspersky Lab became aware of a targeted attack against the Japanese defense sector. In order to infect victims, the attacker sent an email with an attached DOCX file exploiting the CVE-2015-2545 vulnerability in Microsoft Office using an embedded EPS (Encapsulated Postscript) object. The EPS object contained a shellcode that dropped and loaded a 32-bit or 64-bit DLL file depending on the system architecture. This, in turn exploited another vulnerability to elevate privileges to Local System (CVE-2015-1701) and download additional malware components from the C&C server.”
  • “The C&C server used in the attack was located in Japan and appears to have been compromised. However, there is no indication that it has ever been used for any other malicious purpose. Monitoring of the server activity for a period of several months did not result in any new findings. We believe the attackers either lost access to the server or realized that it resulted in too much attention from security researchers, as the attack was widely discussed by the Japanese security community.”
  • The report details a number of different teams, with different targets
  • Some or all of the teams may be related
  • “The attackers used at least one known 1-day exploit: the exploit for CVE-2015-2545 – EPS parsing vulnerability in EPSIMP32.FLT module, reported by FireEye, and patched by Microsoft on 8 September 2015 with MS15-099. We are currently aware of about four different variants of the exploit. The original one was used in August 2015 against targets in India by the Platinum (TwoForOne) APT group.”
  • Kaspersky Lab Report

Krebs investigates the “Dark Cloud”

  • “Crooks who peddle stolen credit cards on the Internet face a constant challenge: Keeping their shops online and reachable in the face of meddling from law enforcement officials, security firms, researchers and vigilantes.”
  • “In this post, we’ll examine a large collection of hacked computers around the world that currently serves as a criminal cloud hosting environment for a variety of cybercrime operations, from sending spam to hosting malicious software and stolen credit card shops.”
  • How do you keep your site online while hosting it on hacked machines you do not control?
  • How do you keep the data secure? Who is going to pay for stolen credit cards when they can just hack one of the compromised machines hosting your site?
  • “I first became aware of this botnet, which I’ve been referring to as the “Dark Cloud” for want of a better term, after hearing from Noah Dunker, director of security labs at Kansas City-based vendor RiskAnalytics. Dunker reached out after watching a Youtube video I posted that featured some existing and historic credit card fraud sites. He asked what I knew about one of the carding sites in the video: A fraud shop called “Uncle Sam,” whose home page pictures a pointing Uncle Sam saying “I want YOU to swipe.””
  • “I confessed that I knew little of this shop other than its existence, and asked why he was so interested in this particular crime store. Dunker showed me how the Uncle Sam card shop and at least four others were hosted by the same Dark Cloud, and how the system changed the Internet address of each Web site roughly every three minutes. The entire robot network, or “botnet,” consisted of thousands of hacked home computers spread across virtually every time zone in the world, he said.”
  • So, most of these hacked machines are likely just “repeaters”, accepting connections from end users and then relaying those connections back to the secret central server
  • This also works fairly well as a DDoS mitigation mechanism
  • “the Windows-based malware that powers the botnet assigns infected hosts different roles, depending on the victim machine’s strengths or weaknesses: More powerful systems might be used as DNS servers, while infected systems behind home routers may be infected with a “reverse proxy,” which lets the attackers control the system remotely”
  • “It’s unclear whether this botnet is being used by more than one individual or group. The variety of crimeware campaigns that RiskAnalytics has tracked operated through the network suggests that it may be rented out to multiple different cybercrooks. Still, other clues suggest the whole thing may have been orchestrated by the same gang.”
  • A more in-depth report on the botnet is expected next week
  • “If you liked this story, check out this piece about another carding forum called Joker’s Stash, which also uses a unique communications system to keep itself online and reachable to all comers.”

Wekby APT gang using DNS tunneling for C&C

  • “Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.”
  • “Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.”
  • “The malware used by the Wekby group has ties to the HTTPBrowser malware family, and uses DNS requests as a command and control mechanism. Additionally, it uses various obfuscation techniques to thwart researchers during analysis. Based on metadata seen in the discussed samples, Palo Alto Networks has named this malware family ‘pisloader’.”
  • “The initial dropper contains very simple code that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable. Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. This is likely to deter detection and analysis of the sample.”
  • “The payload is heavily obfuscated using a return-oriented programming (ROP) technique, as well as a number of garbage assembly instructions. In the example below, code highlighted in red essentially serves no purpose other than to deter reverse-engineering of the sample. This code can be treated as garbage and ignored. The entirety of the function is highlighted in green, where two function offsets are pushed to the stack, followed by a return instruction. This return instruction will point code execution first at the null function, which in turn will point code execution to the ‘next_function’. This technique is used throughout the runtime of the payload, making static analysis difficult.”
  • “The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a subdomain that will be used in a subsequent DNS request for a TXT record.”
  • “The use of DNS as a C2 protocol has historically not been widely adopted by malware authors.”
  • “The use of DNS as a C2 allows pisloader to bypass certain security products that may not be inspecting this traffic correctly.”
  • “The C2 server will respond with a TXT record that is encoded similar to the initial request. In the response, the first byte is ignored, and the remaining data is base32-encoded. An example of this can be found below.”
  • The malware also looks for specific flags in the DNS response, so that a DNS server not run by the authors cannot spoof it. Palo Alto Networks reverse engineered the malware and found the special flags
  • The malware supports the following commands:
    • sifo – Collect victim system information
    • drive – List drives on victim machine
    • list – List file information for provided directory
    • upload – Upload a file to the victim machine
    • open – Spawn a command shell
  • “The Wekby group continues to target various high profile organizations using sophisticated malware. The pisloader malware family uses various novel techniques, such as using DNS as a C2 protocol, as well as making use of return-oriented programming and other anti-analysis tactics.”
  • Palo Alto Networks Report
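A defender-side sketch of how the query pattern quoted above can be hunted in resolver logs. This is an added example, not code from the show notes or from the Palo Alto Networks report. The log format, the sample lines, the thresholds and the assumed label layout (10 alphanumeric header characters followed by unpadded base32) are all assumptions made for illustration.

```python
import base64
import re
from collections import defaultdict

HEADER_LEN = 10   # from the quoted report: "random 10-byte alpha-numeric header"
MIN_PAYLOAD = 16  # assumption: skip labels carrying fewer than 10 encoded bytes
HEADER_RE = re.compile(r"[A-Za-z0-9]{%d}" % HEADER_LEN)
B32_RE = re.compile(r"[A-Z2-7]+")
# Base32 emits 8 characters per 5 bytes, so once '=' padding is stripped the
# length modulo 8 can only be one of these values.
UNPADDED_REMAINDERS = {0, 2, 4, 5, 7}

# Constructed resolver log (assumed format): "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1463000001 10.0.0.23 A www.example.com
1463000002 10.0.0.23 TXT k3j9x0qa7bmfrggzdfmztwq2lk.ns1.tunnel.example
1463000009 10.0.0.23 TXT p0zr81mmq2nbswy3dpnbswy3dpnbswy3i.ns1.tunnel.example
1463000015 10.0.0.23 TXT a7c2e9g4i1onxw2zjamrqxiyja.ns1.tunnel.example
1463000020 10.0.0.40 TXT _dmarc.example.org
1463000021 10.0.0.40 TXT selector1-example-com._domainkey.example.net
1463000030 10.0.0.51 TXT q1w2e3r4t5mfrggzdfmztwq2lk.cdn.example.net
garbage line that does not parse
"""


def decode_unpadded_b32(text):
    """Decode base32 whose '=' padding was removed; return None if it is not base32."""
    text = text.upper()  # DNS names are case-insensitive and often logged lowercase
    if not B32_RE.fullmatch(text) or len(text) % 8 not in UNPADDED_REMAINDERS:
        return None
    try:
        return base64.b32decode(text + "=" * (-len(text) % 8))
    except ValueError:
        return None


def looks_like_tunnel_label(label):
    """True if the label is <10 alphanumeric chars><unpadded base32 payload>."""
    if len(label) < HEADER_LEN + MIN_PAYLOAD:
        return False
    header, payload = label[:HEADER_LEN], label[HEADER_LEN:]
    # The header is tested separately: it may contain 0, 1, 8 or 9, which are
    # not base32 characters, so a whole-label base32 test would miss it.
    return bool(HEADER_RE.fullmatch(header)) and decode_unpadded_b32(payload) is not None


def scan(log_text, min_unique=3):
    """Return (client, zone, unique_labels) for clients that sent at least
    min_unique distinct matching TXT labels under the same parent zone."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # malformed line or not a TXT lookup
        _, client, _, qname = parts
        label, _, zone = qname.rstrip(".").partition(".")
        if zone and looks_like_tunnel_label(label):
            seen[(client, zone.lower())].add(label.lower())
    return sorted((c, z, len(labels)) for (c, z), labels in seen.items()
                  if len(labels) >= min_unique)


if __name__ == "__main__":
    for client, zone, count in scan(SAMPLE_LOG):
        print(f"{client} sent {count} tunnel-shaped TXT queries under {zone}")
```

A single matching label is weak evidence, since many ordinary hostnames are also valid base32, which is why the scan only reports a client after several distinct matches under one zone.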

Feedback:


Round up:


The post PIS Poor DNS | TechSNAP 268 first appeared on Jupiter Broadcasting.

]]>
Queso the Mondays | TTT 243 https://original.jupiterbroadcasting.net/99596/queso-the-mondays-ttt-243/ Mon, 09 May 2016 17:06:48 +0000 https://original.jupiterbroadcasting.net/?p=99596 Drones dropping blood, HTC’s dropping profits & Microsoft’s dropping ASUS rigs. Plus the end to the latest Bitcoin saga, the FBI labeling TOR users & a Kickstarter you won’t believe! Direct Download: MP3 Audio | OGG Audio | Video | HD Video | Torrent | YouTube RSS Feeds: MP3 Feed | OGG Feed | iTunes […]

The post Queso the Mondays | TTT 243 first appeared on Jupiter Broadcasting.

]]>

Drones dropping blood, HTC’s dropping profits & Microsoft’s dropping ASUS rigs.

Plus the end to the latest Bitcoin saga, the FBI labeling TOR users & a Kickstarter you won’t believe!

Show Notes:

KICKSTARTER OF THE WEEEAAAAK:

The post Queso the Mondays | TTT 243 first appeared on Jupiter Broadcasting.

]]>
The Linux WiFI Tower | LAS 389 https://original.jupiterbroadcasting.net/89956/the-linux-wifi-tower-las-389/ Sun, 01 Nov 2015 17:15:48 +0000 https://original.jupiterbroadcasting.net/?p=89956 We go 350ft into the air to find out how Linux powers a wireless ISP (WISP). Get an inside look at how a modern services business can be built around Linux. Plus our thoughts on Chrome OS & Android merging, what it means for desktop Linux, new secure messaging options & more! Thanks to: Get […]

The post The Linux WiFI Tower | LAS 389 first appeared on Jupiter Broadcasting.

]]>

We go 350ft into the air to find out how Linux powers a wireless ISP (WISP). Get an inside look at how a modern services business can be built around Linux.

Plus our thoughts on Chrome OS & Android merging, what it means for desktop Linux, new secure messaging options & more!

Thanks to:


DigitalOcean


Ting

— Show Notes: —


System76

Brought to you by: System76

LAS Visits a WISP Powered by Linux

— PICKS —

Runs Linux

Rugged vehicle-PC runs Linux

Acrosser’s latest rugged vehicle-PC runs Linux on a 5th Gen Intel Core Broadwell-U processor, offering sufficient power to run multiple, simultaneous apps.

Desktop App Pick

Cutegram

Cutegram is a free and open source Telegram client for Linux, Windows, OS X and OpenBSD, focusing on user friendliness and compatibility with desktop environments.
Cutegram uses Qt5, QML, libqtelegram, libappindication and AsemanQtTools technologies, along with the Faenza icon and Twitter emoji graphic sets.
It’s free and released under the GPLv3 license.

Weekly Spotlight

Chromixium OS

Chromixium combines the elegant simplicity of the Chromebook with the flexibility and stability of Ubuntu’s Long Term Support release. Chromixium puts the web front and center of the user experience. Web and Chrome apps work straight out of the browser to connect you to all your personal, work and education networks. Sign into Chromium to sync all your apps and bookmarks. When you are offline or when you need more power, you can install any number of applications for work or play, including LibreOffice, Skype, Steam and a whole lot more. Security updates are installed seamlessly and effortlessly in the background and will be supplied until 2019. You can install Chromixium in place of any existing operating system, or alongside Windows or Linux.


— NEWS —

Google Plans to Introduce Android Laptops, Replacing Chrome as OS

  • Starting next year, the company will work with partners to build personal computers that run on Android, according to sources familiar with the company’s plans. The Chrome browser and operating systems aren’t disappearing — PC makers that produce Chromebooks will still be able to use Chrome. But they will now have the choice of Android.

  • Even back in 2009, when they launched Chrome, co-founder emeritus Sergey Brin suggested the two systems may merge. The convergence momentum began two years ago when Sundar Pichai took the reins of both operating systems. Last year, after Pichai was promoted to SVP of all products, he appointed Hiroshi Lockheimer, his anointed successor, as engineering lead for Android and the Chrome OS.

  • “Mobile gives us unique opportunities in terms of better understanding users,” Pichai said on the earnings call. “My long-term view on this is it is as compelling or, in fact, even better than desktop, but it will take us time to get there and we are going to be focused until we get there.”

Later he Tweeted..

Ever since Google unveiled Material Design, which works well on just about any size application, from full-screen tablets applications to small smartphone applications, and everything in between, it was clear to me Google was looking into expanding Android beyond smartphones and tablets.

Major Fedora KDE maintainer burns out

Kevin Kofler, an Italian who lives in Austria:

the way the Fedora Project has been treating KDE since Fedora 21 (when “Fedora.Next” was introduced) makes me feel like a second-class citizen in the Fedora community. After years of fighting for equal treatment of KDE in Fedora, Fedora.Next with its “Fedora is now more focused” (on GNOME) message was a major setback and a huge disappointment. (Another symptom of this evolution is how the PackageKit backend was rewritten with only the exact feature set GNOME Software happens to need, leaving Apper utterly broken.)

Tor Project launches encrypted anonymous chat app to the public

The Tor Project says Instantbird was chosen because its transport protocols are written in a “memory safe” language, JavaScript, because it already supports a number of languages, and because Instantbird is a XUL application. While the client lacked off-the-record (OTR) cryptographic protocol support, Tor has implemented the new features within the beta Tor Messenger.

Twitch Installs Arch Linux

The project kicks off on Saturday October 31 at 4pm Eastern. If it all gets a bit much, the tremendously relaxing Bob Ross marathon will still be running and is highly recommended.

openSUSE 42.1 Leap and Fedora 23 Release next week

Next week users worldwide will be able to enjoy the power and stability of openSUSE’s newest release when it is unveiled at SUSECon in Amsterdam on Nov. 4. Until then, here is a preview of the features in Leap.

After last week’s schedule adjustment, and a last minute panic where we discovered that the installer wasn’t actually showing help when you pressed the help button (thanks everyone who scrambled to fix that!), we’re on schedule for a release on Tuesday, November 3rd. Check back here for the release announcement, or just go straight to https://getfedora.org after 10am US/Eastern (15:00 UTC).

Feedback:

  • https://slexy.org/view/s2TAG90mHy

  • https://slexy.org/view/s2KQJa0x1p

  • https://slexy.org/view/s2q4Da7mjE

Rover Log Playlist

Watch the adventures, productions, road trips, trails, mistakes, and fun of the Jupiter Broadcasting mobile studio.

Chris’s Twitter account has changed, you’ll need to follow!

Chris Fisher (@ChrisLAS) | Twitter

— CHRIS’ STASH —

Hang in our chat room:

irc.geekshed.net #jupiterbroadcasting

— NOAH’S STASH —

Noah’s Day Job

Altispeed Technologies

Contact Noah

noah [at] jupiterbroadcasting.com

The post The Linux WiFI Tower | LAS 389 first appeared on Jupiter Broadcasting.

]]>
Below the Clouds | BSD Now 88 https://original.jupiterbroadcasting.net/81662/below-the-clouds-bsd-now-88/ Thu, 07 May 2015 10:06:26 +0000 https://original.jupiterbroadcasting.net/?p=81662 This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD. Thanks to: Get Paid to Write […]

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.

]]>

This time on the show, we’ll be talking with Ed Schouten about CloudABI. It’s a new application binary interface with a strong focus on isolation and restricted capabilities. As always, all this week’s BSD news and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to:


DigitalOcean


iXsystems


Tarsnap

– Show Notes: –

Headlines

FreeBSD quarterly status report

  • The FreeBSD team has posted a report of the activities that went on between January and March of this year
  • As usual, it’s broken down into separate reports from the various teams in the project (ports, kernel, virtualization, etc)
  • The ports team continued battling the flood of PRs, closing quite a lot of them and boasting nearly 7,000 commits this quarter
  • The core team and cluster admins dealt with the accidental deletion of the Bugzilla database, and are making plans for an improved backup strategy within the project going forward
  • FreeBSD’s future release support model was also finalized and published in February, which should be a big improvement for both users and the release team
  • Some topics are still being discussed internally, mainly MFCing ZFS ARC responsiveness patches to the 10 branch and deciding whether to maintain or abandon C89 support in the kernel code
  • Lots of activity is happening in bhyve, some of which we’ve covered recently, and a number of improvements were made this quarter
  • Clang, LLVM and LLDB have been updated to the 3.6.0 branch in -CURRENT
  • Work to get FreeBSD booting natively on the POWER8 CPU architecture is also still in progress, but it does boot in KVM for the time being
  • The project to replace forth in the bootloader with lua is in its final stages, and can be used on x86 already
  • ASLR work is still being done by the HardenedBSD guys, and their next aim is position-independent executables
  • The report also touches on multipath TCP support, the new automounter, opaque ifnet, pkgng updates, secureboot (which should be in 10.2-RELEASE), GNOME and KDE on FreeBSD, PCIe hotplugging, nested kernel support and more
  • Also of note: work is going on to make ARM a Tier 1 platform in the upcoming 11.0-RELEASE (and support for more ARM boards is still being added, including ARM64)

OpenBSD 5.7 released

  • OpenBSD has formally released another new version, complete with the giant changelog we’ve come to expect
  • In the hardware department, 5.7 features many driver improvements and fixes, as well as support for some new things: USB 3.0 controllers, newer Intel and Atheros wireless cards and some additional 10gbit NICs
  • If you’re using one of the Soekris boards, there’s even a new driver to manipulate the GPIO and LEDs on them – this has some fun possibilities
  • Some new security improvements include: SipHash being sprinkled in some areas to protect hashing functions, big W^X improvements in the kernel space, static PIE on all architectures, deterministic “random” functions being replaced with strong randomness, and support for remote logging over TLS
  • The entire source tree has also been audited to use reallocarray, which unintentionally saved OpenBSD’s libc from being vulnerable to earlier attacks affecting other BSDs’ implementations
  • Being that it’s OpenBSD, a number of things have also been removed from the base system: procfs, sendmail, SSLv3 support and loadable kernel modules are all gone now (not to mention the continuing massacre of dead code in LibreSSL)
  • Some people seem to be surprised about the removal of loadable modules, but almost nothing utilized them in OpenBSD, so it was really just removing old code that no one used anymore (very different from FreeBSD or Linux in this regard, where kernel modules are used pretty heavily)
  • BIND and nginx have been taken out, so you’ll need to either use the versions in ports or switch to Unbound and the in-base HTTP daemon
  • Speaking of httpd, it’s gotten a number of new features, and has had time to grow and mature since its initial debut – if you’ve been considering trying it out, now would be a great time to do so
  • This release also includes the latest OpenSSH (with stronger fingerprint types and host key rotation), OpenNTPD (with the HTTPS constraints feature), OpenSMTPD, LibreSSL and mandoc
  • Check the errata page for any post-release fixes, and the upgrade guide for specific instructions on updating from 5.6
  • Groundwork has also been laid for some major SMP scalability improvements – look forward to those in future releases
  • There’s a song and artwork to go along with the release as always, and CDs should be arriving within a few days – we’ll show some pictures next week
  • Consider picking one up to support the project (and it’s the only way to get puffy stickers)
  • For those of you paying close attention, the banner image for this release just might remind you of a certain special episode of BSD Now…

Tor-BSD diversity project

  • We’ve talked about Tor on the show a few times, and specifically about getting more of the network on BSD (Linux has an overwhelming majority right now)
  • A new initiative has started to do just that, called the Tor-BSD diversity project
  • “Monocultures in nature are dangerous, as vulnerabilities are held in common across a broad spectrum. Diversity means single vulnerabilities are less likely to harm the entire ecosystem. […] A single kernel vulnerability in GNU/Linux impacting Tor relays could be devastating. We want to see a stronger Tor network, and we believe one critical ingredient for that is operating system diversity.”
  • In addition to encouraging people to put up more relays, they’re also continuing work on porting the Tor Browser Bundle to BSD, so more desktop users can have easy access to online privacy
  • There’s an additional progress report for that part specifically, and it looks like most of the work is done now
  • Engaging the broader BSD community about Tor and fixing up the official documentation are also both on their todo list
  • If you’ve been considering running a node to help out, there’s always our handy tutorial on getting set up

PC-BSD 10.1.2-RC1 released

  • If you want a sneak peek at the upcoming PC-BSD 10.1.2, the first release candidate is now available to grab
  • This quarterly update includes a number of new features, improvements and even some additional utilities
  • PersonaCrypt is one of them – it’s a new tool for easily migrating encrypted home directories between systems
  • A new “stealth mode” option allows for a one-time login, using a blank home directory that gets wiped after use
  • Similarly, a new “Tor mode” allows for easy tunneling of all your traffic through the Tor network (hopefully through some BSD nodes, as we just mentioned..)
  • IPFW is now the default firewall, offering improved VIMAGE capabilities
  • The life preserver backup tool now allows for bare-metal restores via the install CD
  • ISC’s NTP daemon has been replaced with OpenNTPD, and OpenSSL has been replaced with LibreSSL
  • It also includes the latest Lumina desktop, and there’s another post dedicated to that
  • Binary packages have also been updated to fresh versions from the ports tree
  • More details, including upgrade instructions, can be found in the linked blog post

Interview – Ed Schouten – ed@freebsd.org / @edschouten

CloudABI


News Roundup

Open Household Router Contraption

  • This article introduces OpenHRC, the “Open Household Router Contraption”
  • In short, it’s a set of bootstrapping scripts to turn a vanilla OpenBSD install into a feature-rich gateway device
  • It also makes use of Ansible playbooks for configuration, allowing for a more “mass deployment” type of setup
  • Everything is configured via a simple text file, and you end up with a local NTP server, DHCP server, firewall (obviously) and local caching DNS resolver – it even does DNSSEC validation
  • All the code is open source and on Github, so you can read through what’s actually being changed and put in place
  • There’s also a video guide to the entire process, if you’re more of a visual person

OPNsense 15.1.10 released

  • Speaking of BSD routers, if you’re looking for a more “prebuilt and ready to go” option, OPNsense has just released a new version
  • 15.1.10 drops some of the legacy patches they inherited from pfSense, aiming to stay closer to the mainline FreeBSD source code
  • Going along with this theme, they’ve redone how they do ports, which are now kept totally in sync with the regular ports tree
  • Their binary packages are now signed using the fingerprint-style method, various GUI menus have been rewritten and a number of other bugs were fixed
  • NanoBSD-based images are also available now, so you can try it out on hardware with constrained resources as well
  • Version 15.1.10.1 was released shortly thereafter, including a hotfix for VLANs

IBM Workpad Z50 and NetBSD

  • Before the infamous netbook fad came and went, IBM had a handheld PDA device that looked pretty much the same
  • Back in 1999, they released the Workpad Z50 with Windows CE, sporting a 131MHz MIPS CPU, 16MB of RAM and a 640×480 display
  • You can probably tell where this is going… the article is about installing NetBSD on it
  • “What prevents me from taking my pristine Workpad z50 to the local electronics recycling facility is NetBSD. With a little effort it is possible to install recent versions of NetBSD on the Workpad z50 and even have XWindows running”
  • The author got pkgsrc up and running on it too, and cleverly used distcc to offload the compiling jobs to something a bit more modern
  • He’s also got a couple videos of the bootup process and running Xorg (neither of which we’d call “speedy” by any stretch of the imagination)

FreeBSD from the trenches

  • The FreeBSD foundation has a new blog post up in their “from the trenches” series, detailing FreeBSD in some real-world use cases
  • In this installment, Glen Barber talks about how he sets up all his laptops with ZFS and GELI
  • While the installer allows for an automatic ZFS layout, Glen notes that it’s not a one-size-fits-all thing, and goes through doing everything manually
  • Each command is explained, and he walks you through the process of doing an encrypted installation on your root zpool

Broadwell in DragonFly

  • DragonFlyBSD has officially won the race to get an Intel Broadwell graphics driver
  • Their i915 driver has been brought up to speed with Linux 3.14’s, adding not only Broadwell support, but many other bugfixes for other cards too
  • It’s planned for commit to the main tree very soon, but you can test it out with a git branch for the time being

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – we’d love to hear from you guys if you’re working on anything cool
  • The OpenBSD router tutorial has been reorganized and updated for 5.7, it has a new section on bandwidth statistics and has finally gotten so big that it now has a table of contents
  • This year’s vBSDCon has been formally announced, and will take place between September 11th-13th in Reston, Virginia (eastern USA)
  • There’s no official call for papers, but they do welcome people to submit talk ideas for consideration
  • If you’re in Michigan, there’s a new BSD users group just starting up – LivBUG
  • If there’s a local BUG in your area, let us know and we’ll be glad to mention it

The post Below the Clouds | BSD Now 88 first appeared on Jupiter Broadcasting.

]]>
Day-0 of an InfoSec Career | TechSNAP 209 https://original.jupiterbroadcasting.net/80277/day-0-of-an-infosec-career-techsnap-209/ Thu, 09 Apr 2015 19:57:13 +0000 https://original.jupiterbroadcasting.net/?p=80277 Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to Build a successful Information Security career. Plus a great batch of your questions, a rocking round up, and much, much more! Thanks to: Get Paid to Write […]

The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

]]>

Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet & how to Build a successful Information Security career.

Plus a great batch of your questions, a rocking round up, and much, much more!

Thanks to:


DigitalOcean


Ting


iXsystems

— Show Notes: —

How to make secret phone calls

  • “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
  • “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
  • The article sets out the steps required to conduct untraceable phone calls
  • The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
  • “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
  • Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
  • Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
  • After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
  • Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
  • Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
  • Wipe down and destroy handset.
  • “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
  • “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
  • “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
  • “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
  • “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
  • “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
  • Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
  • “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
  • Guide to creating and using One-Time Pads
  • John Oliver: Government Surveillance — Interview with Edward Snowden

Cisco and Level 3 battle a huge SSH botnet

  • “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
  • “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP ranges owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.”
  • “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
  • “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
  • Level 3 then worked to block the malicious traffic
  • “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
  • “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before a DDoS Rootkit.”
  • “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
  • “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
  • Remote root login should never be allowed anyway
  • Hopefully this will send a clear message to the providers that allow these types of attackers to operate on their networks. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.

How to Build a Successful Information Security Career

  • A question I often get is “how do I get into InfoSec?”
  • Not actually being an InfoSec professional, and never having really worked in that space, I do not have the answer
  • Luckily, someone who is in that space finally wrote it all down
  • “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
    • So, keep watching TechSNAP
  • Basic Steps:
    • Education (Sysadmin, Networking, Development)
    • Building Your Lab (VMs, VPSs from Digital Ocean)
    • You Are Your Projects (Build something)
    • Have a Presence (Website, Blog, Twitter, etc)
    • Certifications (“Things have the value that others place on them”)
    • Networking With Others (Find a mentor, be an intern)
    • Conferences (Go to Conferences. Speak at them)
    • Mastering Professionalism (Dependability, Well Written, Good Speaker)
    • Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
    • Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
    • Becoming Guru
  • It is a very good read, broken down into easy-to-understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
  • Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak

Feedback:


Round Up:


The post Day-0 of an InfoSec Career | TechSNAP 209 first appeared on Jupiter Broadcasting.

Puffy in a Box | BSD Now 81 https://original.jupiterbroadcasting.net/79142/puffy-in-a-box-bsd-now-81/ Thu, 19 Mar 2015 09:37:38 +0000 https://original.jupiterbroadcasting.net/?p=79142 We’re back from AsiaBSDCon! This week on the show, we’ll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They’re getting BSD in the hands of Windows admins who don’t even realize it. We also have all this week’s news and answers to your emails, on BSD Now […]

The post Puffy in a Box | BSD Now 81 first appeared on Jupiter Broadcasting.



We’re back from AsiaBSDCon! This week on the show, we’ll be talking to Lawrence Teo about how Calyptix uses OpenBSD in their line of commercial routers. They’re getting BSD in the hands of Windows admins who don’t even realize it. We also have all this week’s news and answers to your emails, on BSD Now – the place to B.. SD.

Thanks to:


DigitalOcean


iXsystems


Tarsnap


– Show Notes: –

Headlines

Using OpenBGPD to distribute pf table updates

  • For those not familiar, OpenBGPD is a daemon for the Border Gateway Protocol – a way for routers on the internet to discover and exchange routes to different addresses
  • This post, inspired by a talk about using BGP to distribute spam lists, details how to use the protocol to distribute some other useful lists and information
  • It begins with “One of the challenges faced when managing our OpenBSD firewalls is the distribution of IPs to pf tables without manually modifying /etc/pf.conf on each of the firewalls every time. This task becomes quite tedious, specifically when you want to distribute different types of changes to different systems (eg administrative IPs to a firewall and spammer IPs to a mail server), or if you need to distribute real time blacklists to a large number of systems.”
  • If you manage a lot of BSD boxes, this might be an interesting alternative to some of the other ways to distribute configuration files
  • OpenBGPD is part of the OpenBSD base system, but there’s also an unofficial port to FreeBSD and a “work in progress” pkgsrc version

Mounting removable media with autofs

  • The FreeBSD foundation has a new article in the “FreeBSD from the trenches” series, this time about the sponsored autofs tool
  • It’s written by one of the autofs developers, and he details his work on creating and using the utility
  • “The purpose of autofs(5) is to mount filesystems on access, in a way that’s transparent to the application. In other words, filesystems get mounted when they are first accessed, and then unmounted after some time passes.”
  • He talks about all the components that need to work together for smooth operation, how to configure it and how to enable it by default for removable drives
  • It ends with a real-world example of something we’re all probably familiar with: plugging in USB drives and watching the magic happen
  • There’s also some more advanced bonus material on GEOM classes and all the more technical details

The Tor Browser on BSD

  • The Tor Project has provided a “browser bundle” for a long time, which is more or less a repackaged Firefox with many security and privacy-related settings preconfigured and some patches applied to the source
  • Just tunneling your browser through a transparent Tor proxy is not safe enough – many things can lead to passive fingerprinting or, even worse, anonymity being completely lost
  • It has, however, only been released for Windows, OS X and Linux – no BSD version
  • “[…] we are pushing back against an emerging monoculture, and this is always a healthy thing. Monocultures are dangerous for many reasons, most importantly to themselves.”
  • Some work has begun to get a working port on BSD going, and this document tells about the process and how it all got started
  • If you’ve got porting skills, or are interested in online privacy, any help would be appreciated of course (see the post for details on getting involved)

OpenSSH 6.8 released

  • Continuing their “tick tock” pattern of releases alternating between new features and bugfixes, the OpenSSH team has released 6.8 – it’s a major upgrade, focused on new features (we like those better of course)
  • Most of the codebase has gone through refactoring, making it easier for regression tests and improving the general readability
  • This release adds support for SHA256-hashed, base64-encoded host key fingerprints, as well as making that the default – a big step up from the previously hex-encoded MD5 fingerprints
  • Experimental host key rotation support also makes its debut, allowing for easy in-place upgrading of old keys to newer (or refreshed) keys
  • You can now require multiple, different public keys to be verified for a user to authenticate (useful if you’re extra paranoid or don’t have 100% confidence in any single key type)
  • The native version will be in OpenBSD 5.7, and the portable version should hit a ports tree near you soon
  • Speaking of the portable version, it now has a configure option to build without OpenSSL or LibreSSL, but doing so limits you to Ed25519 key types and ChaCha20 and AES-CTR ciphers

NetBSD at AsiaBSDCon

  • The NetBSD guys already have a wrap-up of the recent event, complete with all the pictures and weird devices you’d expect
  • It covers their BoF session, the six NetBSD-related presentations and finally their “work in progress” session
  • There was a grand total of 34 different NetBSD gadgets on display at the event

Interview – Lawrence Teo – lteo@openbsd.org / @lteo

OpenBSD at Calyptix


News Roundup

HardenedBSD introduces Integriforce

  • A little bit of background on this one first: NetBSD has something called veriexec, used for checking file integrity at the kernel level
  • By doing it at the kernel level, similar to securelevels, it offers some level of protection even when the root account is compromised
  • HardenedBSD has introduced a similar mechanism into their “secadm” utility
  • You can list binaries in the config file that you want to be protected from changes, then specify whether those can’t be run at all, or if they just print a warning
  • They’re looking for some more extensive testing of this new feature

More s2k15 hackathon reports

  • A couple more Australian hackathon reports have poured in since the last time
  • The first comes from Jonathan Gray, who’s done a lot of graphics-related work in OpenBSD recently
  • He worked on getting some newer “Southern Islands” and “Graphics Core Next” AMD GPUs working, as well as some OpenGL and DRM-related things
  • Also on his todo list was to continue hitting various parts of the tree with American Fuzzy Lop, which ended up fixing a few crashes in mandoc
  • Ted Unangst also sent in a report to detail what he hacked on at the event
  • With a strong focus on improving SMP scalability, he tackled the virtual memory layer
  • His goal was to speed up some syscalls that are used heavily during code compilation, much of which will probably end up in 5.8
  • All the trip reports are much more detailed than our short summaries, so give them a read if you’re interested in all the technicalities

DragonFly 4.0.4 and IPFW3

  • DragonFly BSD has put out a small point release to the 4.x branch, 4.0.4
  • It includes a minor list of fixes, some of which include a HAMMER FS history fix, removing the no-longer-needed “new xorg” and “with kms” variables and a few LAGG fixes
  • There was also a bug in the installer that prevented the rescue image from being installed correctly, which also gets fixed in this version
  • Shortly after it was released, their new IPFW2 firewall was added to the tree and subsequently renamed to IPFW3 (since it’s technically the third revision)

NetBSD gets Raspberry Pi 2 support

  • NetBSD has announced initial support for the second revision of the ever-popular Raspberry Pi board
  • There are -current snapshots available for download, and multiprocessor support is also on the way
  • The NetBSD wiki page about the Raspberry Pi also has some more information and an installation guide
  • The usual Hacker News discussion on the subject
  • If anyone has one of these little boards, let us know – maybe write up a blog post about your experience with BSD on it

OpenIKED as a VPN gateway

  • In our first discussion segment, we talked about a few different ways to tunnel your traffic
  • While we’ve done full tutorials on things like SSH tunnels, OpenVPN and Tor, we haven’t talked a whole lot about OpenBSD’s IPSEC suite
  • This article should help fill that gap – it walks you through the complete IKED setup
  • From creating the public key infrastructure to configuring the firewall to configuring both the VPN server and client, this guide’s got it all

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’re in or around the Troy, New York area, our listener Brian is giving a presentation about ports on OpenBSD at the Rensselaer Polytechnic Institute this Friday at 4:00PM
  • If anyone else in the audience is doing something similar or organizing any kind of BSD event, let us know and we’ll be glad to mention it
  • Look forward to seeing the AsiaBSDCon interviews in upcoming episodes

Just Add QEMU | BSD Now 79 https://original.jupiterbroadcasting.net/78347/just-add-qemu-bsd-now-79/ Thu, 05 Mar 2015 12:04:35 +0000 https://original.jupiterbroadcasting.net/?p=78347 Coming up this time on the show, we’ll be talking to Sean Bruno. He’s been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We’ve also got answers to viewer-submitted questions and all this week’s news, on BSD Now – the place to B.. SD. Thanks […]

The post Just Add QEMU | BSD Now 79 first appeared on Jupiter Broadcasting.



Coming up this time on the show, we’ll be talking to Sean Bruno. He’s been using poudriere and QEMU to cross compile binary packages, and has some interesting stories to tell about it. We’ve also got answers to viewer-submitted questions and all this week’s news, on BSD Now – the place to B.. SD.

Thanks to:


DigitalOcean


iXsystems


Tarsnap


– Show Notes: –

Headlines

AsiaBSDCon 2015 schedule

  • Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
  • This year’s conference will be between 12-15 March at the Tokyo University of Science in Japan
  • The first and second days are for tutorials, as well as the developer summit and vendor summit
  • Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
  • Not counting the ones that have yet to be revealed (as of the day we’re recording this), there will be thirty-six different talks in all – four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
  • Summaries of all the presentations are on the timetable page if you scroll down a bit

FreeBSD foundation updates and more

  • The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
  • It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
  • There’s a FOSDEM recap and another update of their fundraising goal for 2015
  • They also have two new blog posts: a trip report from SCALE13x and a featured “FreeBSD in the trenches” article about how a small typo caused a lot of ZFS chaos in the cluster
  • “Then panic ensued. The machine didn’t panic — I did.”

OpenBSD improves browser security

  • No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
  • Ted Unangst writes in to the OpenBSD misc list to introduce a new project he’s working on, simply titled “improving browser security”
  • He gives some background on the W^X memory protection in the base system, but also mentions that some applications in ports don’t adhere to it
  • For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine) needs to be fixed to use it
  • “A system that is ‘all W^X except where it’s not’ is the same as a system that’s not W^X. We’ve worked hard to provide a secure foundation for programs; we’d like to see them take advantage of it.”
  • The work is being supported by the OpenBSD foundation, and we’ll keep you updated on this undertaking as more news about it is released
  • There’s also some discussion on Hacker News and Undeadly about it

NetBSD at Open Source Conference 2015 Tokyo

  • The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
  • There’s even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
  • If you just can’t get enough strange devices running BSD, check the mailing list post for lots of pictures

  • Their next target is, as you might guess, AsiaBSDCon 2015 – maybe we’ll run into them


Interview – Sean Bruno – sbruno@freebsd.org / @franknbeans

Cross-compiling packages with poudriere and QEMU


News Roundup

The Crypto Bone

  • The Crypto Bone is a new device that’s aimed at making encryption and secure communications easier and more accessible
  • Under the hood, it’s actually just a Beaglebone board, running stock OpenBSD with a few extra packages
  • It includes a web interface for configuring keys and secure tunnels
  • The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there’s a technical overview of how everything works on their site
  • If you don’t want to teach your mom how to use PGP, buy her one of these(?)

BSD in the 2015 Google Summer of Code

  • For those who don’t know, GSoC is a way for students to get paid to work on a coding project for an open source organization
  • Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
  • FreeBSD has a wiki page of ideas for people to work on
  • OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
  • If you’re a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
  • Who knows, you may even end up on the show if you work on a cool project
  • GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you’d like to hack on

pfSense 2.3 roadmap

  • The pfSense team has posted a new blog entry, detailing some of their plans for future versions
  • PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
  • PBIs are scheduled to be replaced with native pkgng packages
  • Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
  • 3.0 will focus on having a REST API, and separating the GUI from the actual implementation of the configuration
  • The ultimate goal is to have pfSense be a package you can just install on top of a regular FreeBSD install

PCBSD 10.1.2 security features

  • PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
  • A new “personacrypt” utility is introduced, which allows for easy encryption and management of external drives for your home directory
  • Going along with this, it also has a “stealth mode” that allows for one-time temporary home directories (but it doesn’t self-destruct, don’t worry)
  • The LibreSSL integration also continues, and now packages will be built with it by default
  • If you’re using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
  • They’ve also been working on introducing some new options to enable tunneling your traffic through Tor
  • There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
  • A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
  • Look forward to Kris wearing a Tor shirt in future episodes

Feedback/Questions


Mailing List Gold


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Next week’s episode will be prerecorded since we’ll be at AsiaBSDCon in Tokyo
  • Be sure to say hello if you’re at the event – we’ve got at least two interviews confirmed already
