UEFI – Jupiter Broadcasting
https://www.jupiterbroadcasting.com
Open Source Entertainment, on Demand. Mon, 18 Jul 2022 03:32:46 +0000

All Hands on Deck | LINUX Unplugged 467 https://original.jupiterbroadcasting.net/149267/all-hands-on-deck-linux-unplugged-467/ Sun, 17 Jul 2022 19:15:00 +0000 https://original.jupiterbroadcasting.net/?p=149267 Show Notes: linuxunplugged.com/467

The post All Hands on Deck | LINUX Unplugged 467 first appeared on Jupiter Broadcasting.

Linux Action News 249 https://original.jupiterbroadcasting.net/149237/linux-action-news-249/ Thu, 14 Jul 2022 03:00:00 +0000 https://original.jupiterbroadcasting.net/?p=149237 Show Notes: linuxactionnews.com/249

The post Linux Action News 249 first appeared on Jupiter Broadcasting.

Linux Action News 245 https://original.jupiterbroadcasting.net/148922/linux-action-news-245/ Thu, 16 Jun 2022 02:10:00 +0000 https://original.jupiterbroadcasting.net/?p=148922 Show Notes: linuxactionnews.com/245

The post Linux Action News 245 first appeared on Jupiter Broadcasting.

Linux Action News 237 https://original.jupiterbroadcasting.net/148292/linux-action-news-237/ Thu, 21 Apr 2022 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=148292 Show Notes: linuxactionnews.com/237

The post Linux Action News 237 first appeared on Jupiter Broadcasting.

Linux Action News 231 https://original.jupiterbroadcasting.net/147857/linux-action-news-231/ Thu, 10 Mar 2022 07:45:00 +0000 https://original.jupiterbroadcasting.net/?p=147857 Show Notes: linuxactionnews.com/231

The post Linux Action News 231 first appeared on Jupiter Broadcasting.

Linux Action News 218 https://original.jupiterbroadcasting.net/146902/linux-action-news-218/ Sun, 05 Dec 2021 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=146902 Show Notes: linuxactionnews.com/218

The post Linux Action News 218 first appeared on Jupiter Broadcasting.

Linux Action News 207 https://original.jupiterbroadcasting.net/146182/linux-action-news-207/ Sun, 19 Sep 2021 17:30:00 +0000 https://original.jupiterbroadcasting.net/?p=146182 Show Notes: linuxactionnews.com/207

The post Linux Action News 207 first appeared on Jupiter Broadcasting.

Hidden Features of Fedora 34 | LINUX Unplugged 403 https://original.jupiterbroadcasting.net/144902/hidden-features-of-fedora-34-linux-unplugged-403/ Tue, 27 Apr 2021 18:15:00 +0000 https://original.jupiterbroadcasting.net/?p=144902 Show Notes: linuxunplugged.com/403

The post Hidden Features of Fedora 34 | LINUX Unplugged 403 first appeared on Jupiter Broadcasting.

Harder Butter Faster Stronger | LINUX Unplugged 389 https://original.jupiterbroadcasting.net/143992/harder-butter-faster-stronger-linux-unplugged-389/ Tue, 19 Jan 2021 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=143992 Show Notes: linuxunplugged.com/389

The post Harder Butter Faster Stronger | LINUX Unplugged 389 first appeared on Jupiter Broadcasting.

Distro Triforce | LINUX Unplugged 372 https://original.jupiterbroadcasting.net/142857/distro-triforce-linux-unplugged-372/ Tue, 22 Sep 2020 21:30:00 +0000 https://original.jupiterbroadcasting.net/?p=142857 Show Notes: linuxunplugged.com/372

The post Distro Triforce | LINUX Unplugged 372 first appeared on Jupiter Broadcasting.

There’s a Hole in my Boot! | LINUX Unplugged 365 https://original.jupiterbroadcasting.net/142382/theres-a-hole-in-my-boot-linux-unplugged-365/ Tue, 04 Aug 2020 19:00:00 +0000 https://original.jupiterbroadcasting.net/?p=142382 Show Notes: linuxunplugged.com/365

The post There's a Hole in my Boot! | LINUX Unplugged 365 first appeared on Jupiter Broadcasting.

Linux Arm Wrestling | LINUX Unplugged 364 https://original.jupiterbroadcasting.net/142307/linux-arm-wrestling-linux-unplugged-364/ Tue, 28 Jul 2020 22:15:00 +0000 https://original.jupiterbroadcasting.net/?p=142307 Show Notes: linuxunplugged.com/364

The post Linux Arm Wrestling | LINUX Unplugged 364 first appeared on Jupiter Broadcasting.

Mystical Users | LINUX Unplugged 337 https://original.jupiterbroadcasting.net/138757/mystical-users-linux-unplugged-337/ Tue, 21 Jan 2020 18:45:00 +0000 https://original.jupiterbroadcasting.net/?p=138757 Show Notes: linuxunplugged.com/337

The post Mystical Users | LINUX Unplugged 337 first appeared on Jupiter Broadcasting.

I Spy With My Little Pi | LINUX Unplugged 313 https://original.jupiterbroadcasting.net/133372/i-spy-with-my-little-pi-linux-unplugged-313/ Tue, 06 Aug 2019 19:46:36 +0000 https://original.jupiterbroadcasting.net/?p=133372 Show Notes: linuxunplugged.com/313

The post I Spy With My Little Pi | LINUX Unplugged 313 first appeared on Jupiter Broadcasting.

Supply Chain Attacks | TechSNAP 400 https://original.jupiterbroadcasting.net/130096/supply-chain-attacks-techsnap-400/ Fri, 29 Mar 2019 07:16:56 +0000 https://original.jupiterbroadcasting.net/?p=130096 Show Notes: techsnap.systems/400

The post Supply Chain Attacks | TechSNAP 400 first appeared on Jupiter Broadcasting.

Windows Exploit Edition | TechSNAP 274 https://original.jupiterbroadcasting.net/101026/windows-exploit-edition-techsnap-274/ Thu, 07 Jul 2016 19:21:02 +0000 https://original.jupiterbroadcasting.net/?p=101026 On this week’s episode we cover a UEFI firmware bug that is affecting computers including ThinkPads, tell you how your Windows box can be totally pwned even if it’s fully encrypted & talk about the shortcomings of the MD5 checksum. Plus the feedback, the roundup & more!

Show Notes:

ThinkPwn, Lenovo and possible other vendors vulnerable to UEFI bug

  • “This code exploits 0day privileges escalation vulnerability (or backdoor?) in SystemSmmRuntimeRt UEFI driver (GUID is 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. Vulnerability is present in all of the ThinkPad series laptops, the oldest one that I have checked is X220 and the newest one is T450s (with latest firmware versions available at this moment). Running of arbitrary System Management Mode code allows attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do others evil things.”
  • An attacker can “disable flash write protection and infect platform firmware, disable Secure Boot, [and] bypass Virtual Secure Mode”
  • “Vulnerable code of SystemSmmRuntimeRt UEFI driver was copy-pasted by Lenovo from Intel reference code for 8-series chipsets.”
  • “Lenovo is engaging all of its IBVs as well as Intel to identify or rule out any additional instances of the vulnerability’s presence in the BIOS provided to Lenovo by other IBVs, as well as the original purpose of the vulnerable code”
  • Lenovo Advisory
  • The vulnerable code has also been found in HP Pavilion Laptops, some Gigabyte Motherboards (Z68, Z77, Z87, Z97), Fujitsu, and Dell.
  • Exploring and exploiting Lenovo firmware secrets
  • ThinkPWN, proof of concept exploit

From zero to SYSTEM on a fully encrypted Windows machine

  • “Whether you want to protect the operating system components or your personal files, a Full Disk Encryption (FDE) solution allows you to keep track of the confidentiality and integrity. One of the most commonly used FDE solutions is Microsoft Bitlocker®, which due to its integration with the Trusted Platform Module (TPM) as well as the Active Directory environment makes it both user-friendly and manageable in a corporate environment.
    When the system is protected with a FDE solution, without a pre-boot password, the login or lock screen makes sure attackers with physical access are not able to gain access to the system.”
  • “In this post we will explain how an attacker with physical access to an active directory integrated system (e.g. through stealing) is able to bypass the login or lock screen, obtain a clear-text version of the user’s password and elevate his privileges to that of a local administrator or SYSTEM. This can be accomplished via two security vulnerabilities which affects all Windows versions (from Vista to 10) and abusing a standard “security” feature.”
  • “These two vulnerabilities, discovered with the help of my colleague Tom Gilis were reported to Microsoft however only one vulnerability is patched at the time of writing CVE-2016-0049 / MS16-014.”
  • “The other one, which allows you to elevate your privileges to that of a local administrator or SYSTEM is still under investigation by Microsoft and is not yet disclosed here.”
  • Acknowledgement by Microsoft
  • Since the time of this post, the patch has been released. It turns out to be MS16-072
  • You might remember MS16-072 from TechSNAP #272 as the Windows Update that broke Group Policies!
  • “Step 1 – Hibernation – Your friendly neighbourhood password dumper”
  • “Speaking for myself, and probably a lot of other users, shutting down a laptop has become a thing of the past. In order to be able to rapidly start using your system when travelling from one place to another, we put it into sleep (or hibernation) mode, essentially putting all processes on hold to be easily resumed when needed. Although in order to resume your session after sleep or hibernation, you’ll have to enter your password on the lock screen (or at least I hope so), the system has your password stored somewhere in memory in order to resume the different processes. We want the system to dump the contents of the memory on disk so we can recover it later. Hibernation is there to the rescue, but we need to be able to force the system into hibernation, creating the HIBERFIL.SYS.”
  • “Luckily, the default configuration of a laptop running Windows depicts going into hibernation if the battery hits a critical low. This feature, by default at set 5%, ensures you don’t lose any unsaved documents when your battery dies. Once we force the laptop into hibernation mode we reboot it and move to the next step”
  • “Step 2 – Bypassing the login or lock screen”
  • “If the computer is a member of an AD Domain, and the user has logged in on this machine before, so their password is cached locally, all an attacker needed to do is create a rogue Kerberos server with the targets user account’s password set to a value of choice and indicated as expired. Upon login attempt, Windows would then prompt the user to change the password before continuing”
  • “Once the password change procedure is completed, the cached credentials on the machine are updated with the new password set by the attacker. Because the system is not able to establish a secure connection, the password is not updated on the Kerberos server but still allows the attacker to login when the system no longer has an active network connection (using the cached credentials)”
  • So, since the attacker set the new password on the Domain Controller (not really, but the computer thinks they did), they know this password. When they attempt to log in with it and Windows cannot reach the domain controller, it uses this locally cached password and allows them to log in
  • “Although the authentication has been bypassed, we still only have the (limited) privileges of the victim’s account (taking into consideration this is not an local administrator). This is where the next step comes in, in which we explain how you can obtain full local administrative privileges just by using standard Windows functionalities and thus not relying on any vulnerable installed software.”
  • “Step 3 – Privilege escalation to SYSTEM”
  • “We know that the trust between the client and Domain Controller (DC) is not always properly validated, we have a working Active Directory set-up and we have a working rogue DC. The question is are there any other Windows functionality that is failing to properly validate the trust?”
  • “How about Group Policies? It works on all supported Windows versions. There is no need for any additional (vulnerable) software. No specific configuration requirements”
  • “There are 2 types of Group Policy Objects (GPO), Computer Configuration and User Configuration Policies.”
  • “Computer Configuration Policies are applied before logon, the machine account is used to authenticated to the DC in order to retrieve the policies and finally all policies are executed with SYSTEM privileges. Since we don’t know the machine account password using Computer Configuration Policies is not an option.”
  • “User Configuration Policies are applied after a user is logged in, user’s account is used to authenticated to the DC to retrieved the User Configuration Policies and the policies are either executed as the current logged-on user or as SYSTEM.”
  • “Now this last type of Policy is interesting because we know the password of the user as we reset it to our likings.”
  • “Let’s create a Scheduled Task GPO that will execute NetCat as SYSTEM and finally will connect to the listening NetCat service as a the current user.”
  • On Windows 7, it is immediately game over: you own the system
  • “Windows 7 fails to validate if the DC from where the Group Policies are being applied is indeed a trusted DC. It is assumed that the user credentials are sufficient to acknowledge the trust relationship. In this attack all encrypted traffic remains intact and doesn’t require any modification whatsoever.”
  • On Windows 10, it didn’t work right out of the box
  • It turns out the rogue DC needs to have a user object matching the SID of the user that is logging in. Luckily, with Mimikatz, you can edit the SID of the user on the rogue DC to make it match
  • Additional Coverage: Part 2
  • Slides
  • So, Microsoft has patched both of these vulnerabilities, and we are all safe again, right?
  • “Bypassing patch MS16-014: Yes, you’ve read it right! There is still a way to bypass the Windows Login screen and bypass Authentication 😉 More details will be released soon!”
  • The author has not released the details yet, as they are waiting on Microsoft to release another patch

The MD5 collision is here

  • “A while ago a lot of people visited my site (~ 90,000 ) with a post about how easy it is to make two images with same MD5 by using a chosen prefix collision. I used Marc Stevens’ HashClash on AWS and estimated the cost of around $0.65 per collision.”
  • “Given the level of interest I expected to see cool MD5 collisions popping up all over the place. Possibly it was enough for most people to know it can be done quite easily and cheaply but also I may have missed out enough details in my original post”
  • A 2014 blog post showed how to create two php scripts with the same MD5
  • An early 2015 blog post showed two JPGs with the same MD5
  • So, this version of the tools was able to make two different .jpg images that had the same MD5 checksum but different contents, while still being perfectly valid JPG images
  • The post included instructions and an Amazon AWS image to do the number crunching
  • A later follow-up post showed how to do the same thing with executable files
  • Same Binaries Blog Post
  • This example shows a C binary that prints an Angel if a condition is true, and a Devil if it is false
  • It contains a bunch of filler that can be changed to make the hashes the same in a second version of the file, where the condition is false. The end result is a pair of binaries, with the same MD5 hash, but different output
  • Using this same technique, Casey Smith (@subtee) managed to make an Angel.exe that is a copy of mimikatz, a Windows password dumping utility, and a devil.exe that just says ‘nothing to see here’
  • Demo of the attack
  • This means all I need to do is run this tool against my malware and, say, regedit.exe that is on the whitelist in Windows, and now I have a malware binary that will be trusted

The post Windows Exploit Edition | TechSNAP 274 first appeared on Jupiter Broadcasting.
Queso the Mondays | TTT 243 https://original.jupiterbroadcasting.net/99596/queso-the-mondays-ttt-243/ Mon, 09 May 2016 17:06:48 +0000 https://original.jupiterbroadcasting.net/?p=99596 Drones dropping blood, HTC’s dropping profits & Microsoft’s dropping ASUS rigs. Plus the end to the latest Bitcoin saga, the FBI labeling TOR users & a Kickstarter you won’t believe!

The post Queso the Mondays | TTT 243 first appeared on Jupiter Broadcasting.
Is that a server in your pocket? | LINUX Unplugged 128 https://original.jupiterbroadcasting.net/92786/is-that-a-server-in-your-pocket-lup-128/ Tue, 19 Jan 2016 21:14:18 +0000 https://original.jupiterbroadcasting.net/?p=92786 This week we dive into what the community thinks about putting a server in their pocket, show you some smart tricks with Gimp & some Windows nightmares. Plus some router chat & more!

Show Notes:

Smart Gimp Tricks

The Quickmask for adjusting selections: I’m a born-again Quickmask evangelist, because I went so long without realizing that it was there, and it makes selections so much easier.

Decomposing an image and using the components as a mask to select part of an image—that’s an easy way to select skies and get rid of a drab overcast sky, or to change or enhance the color of the sky.

Using the Dodge/Burn tool to make a background really white, for when you want an object to stand out and make the background go away. It can be a lot easier than selecting or erasing.

Feedback:

Noah Hit Something on the Head

“I wish Ubuntu would just use GNOME, and go back to trying to contribute useful bits.”

Now, I have a few extensions installed, but the way I use GNOME isn’t much different from how someone would use Unity; I keep the Dash up at all times, I have those pesky tray apps up in the corner, and so on. This is so close to how I used to work in Unity, OS X, etc., that I’m puzzled at why GNOME gets treated like the red-headed stepchild sometimes.

Now, I know that once in a while the GNOME dev team decides to go off the deep end (Let’s make the filemanager work like old-school Finder and do that by default! Hell, let’s override users’ pre-existing settings, that’s how good it is!) but overall GNOME just keeps getting better.

Windows Secureboot Causes a Mess

I just made a potentially costly mistake: we nuked and repaved my friend’s brand new Lenovo Yoga 500 with Linux… without booting into Windows to disable SecureBoot explicitly. He didn’t want to accept the EULA; and we successfully booted into a USB key (Ubuntu MATE 15.10, Ubuntu w/Unity 15.04) so we thought we would just go ahead.

I thought Ubuntu would have been a candidate, but apparently not. Is this the correct way? Which distros would work? We tried installing and booting into Ubuntu Unity 15.04 (which is supposed to have the appropriate signature) but after install and reboot, we get the above. Given that Windows has been obliterated at this point, what options do I have?

Unfortunately, he’s leaving in just over a week, so if the conclusion ends up being “install Windows to do this” I’ll take it….. but I’d rather not!

Ever Heard of FriendOS?

I heard yesterday about FriendOS. It looks like this: https://youtu.be/Y5n0f5DSbSM?t=16m14s , so it’s like Amiga Workbench in the browser powered by a Linux backend. They are releasing a public beta as open source this week. It will be able to run both HTML5 and native applications. Their website is a little enigmatic right now:

Rover Log – Live Tracker

Live map of the adventures of Jupiter Broadcasting’s Rover Studio.

A Server in Your Pocket

Ocean is a mobile server, a device that combines the portability of a mobile phone with the flexibility of a Linux web server.

Want a portable Linux-powered web server that will fit into your pocket? Look no further than Ocean.

Ocean has been designed from the ground up for portability, and features an integrated battery that allows you to run web and Bluetooth applications in places where direct power is limited.

The device is approximately the size of an iPhone 6, and can easily fit in your pocket.

This bundle costs $149 and ships in February. Higher capacity versions are slated to ship later in the year.

Numbers don’t lie—it’s time to build your own router

I’ve noticed a trend lately. Rather than replacing a router when it literally stops working, I’ve needed to act earlier—swapping in new gear because an old router could no longer keep up with increasing Internet speeds available in the area. (Note, I am duly thankful for this problem.) As the latest example, a whole bunch of Netgear ProSafe 318G routers failed me for the last time as small businesses have upgraded from 1.5-9mbps traditional T1 connections to 50mbps coax (cable).

A lot of you are probably muttering, “right, pfSense, sure.” Some of you might even be thinking about smoothwall or untangle NG. I played with most of the firewall distros out there, but I decided to go more basic, more old school: a plain, CLI-only install of Ubuntu Server and a few iptables rules.

Admittedly, this likely isn’t the most practical approach for every reader, but it made sense for me. I have quite a bit of experience finessing iptables and the Linux kernel itself for high throughput at Internet scale, and the fewer shiny features and graphics and clicky things that are put between me and the firewall table, the less fluff I have to get out of the way and the fewer new not-applicable-in-the-rest-of-my-work things I have to learn. Any rule I already know how to create in iptables to manage access to my servers, I also know how to apply to my firewall—if my firewall’s running the same distro as my servers are.

Cumulus Networks is a system software company founded with the principle of enabling high capacity networks that are easy to deploy and affordable. Led by networking experts and innovators from Cisco and VMware, we provide great networking for layer 2, layer 3 and overlay architectures supported by improved economics and a robust ecosystem — a modern alternative to proprietary vendor-locked stacks that constrain IT innovation.

Gnome Core Apps

It would appear that the GNOME developers are currently in the process of revisiting the desktop environment’s moduleset and defining a clear set of core apps, which should form the default user experience in upcoming releases of the GNOME desktop (most probably starting with GNOME 3.20, which should be available in spring 2016).

At the moment of writing this article, the GNOME developers have only managed to announce that the Cheese webcam viewer app has been integrated as a core GNOME app as it is required by the GNOME Control Center, GNOME Initial Setup and GNOME Contacts components. They are also in talks with the developers of the Gedit text editor to make it a core app too.

Furthermore, the GNOME Color Manager component will also be pushed to the core apps moduleset, as the GNOME Control Center software requires it. However, the GNOME developers will also define a set of non-core apps, which they don’t recommend GNU/Linux OS vendors to include in their distributions when using the GNOME desktop environment by default.

Post Show:

Phoenix OS

Google Android may have been developed as a smartphone operating system (and later ported to tablets, TVs, watches, and other platforms), but over the past few years we’ve seen a number of attempts to turn it into a desktop operating system.

One of the most successful has been Remix OS, which gives Android a taskbar, start menu, and an excellent window management system. The Remix OS team has also generated a lot of buzz over the past year, and this week the operating system gained a lot of new alpha testers thanks to a downloadable version of Remix OS that you can run on many recent desktop or notebook computers.

But Remix OS isn’t the only game in town. Phoenix OS is another Android-as-desktop operating system, and while it’s still pretty rough around the edges, there are a few features that could make it a better option for some testers.

The post Is that a server in your pocket? | LINUX Unplugged 128 first appeared on Jupiter Broadcasting.
May Contain ZFS | BSD Now 102 https://original.jupiterbroadcasting.net/86482/may-contain-zfs-bsd-now-102/ Thu, 13 Aug 2015 10:05:32 +0000 https://original.jupiterbroadcasting.net/?p=86482 This week on the show, we’ll be talking with Peter Toth. He’s got a jail management system called “iocage” that’s been getting pretty popular recently. Have we finally found a replacement for ezjail? We’ll see how it stacks up.

– Show Notes: –

Headlines

FreeBSD on Olimex RT5350F-OLinuXino

  • If you haven’t heard of the RT5350F-OLinuXino-EVB, you’re not alone (actually, we probably couldn’t even remember the name if we did know about it)
  • It’s a small board with a MIPS CPU, two ethernet ports, wireless support and… 32MB of RAM
  • This blog series documents installing FreeBSD on the device, but it is quite a DIY setup at the moment
  • In part two of the series, he talks about the GPIO and how you can configure it
  • Part three is still in the works, so check the site later on for further progress and info

The modern OpenBSD home router

  • In a new series of blog posts, one guy takes you through the process of building an OpenBSD-based gateway for his home network
  • “It’s no secret that most consumer routers ship with software that’s flaky at best, and prohibitively insecure at worst”
  • Armed with a 600MHz Pentium III CPU, he shows the process of setting up basic NAT, firewalling and even getting hostap mode working for wireless
  • This guide also covers PPP and IPv6, in case you have those requirements
  • In a similar but unrelated series, another user does a similar thing – his post also includes details on reusing your consumer router as a wireless bridge
  • He also has a separate post for setting up an IPSEC VPN on the router

NetBSD at Open Source Conference 2015 Kansai

  • The Japanese NetBSD users group has teamed up with the Kansai BSD users group and Nagoya BSD users group to invade another conference
  • They had NetBSD running on all the usual (unusual?) devices, but some of the other BSDs also got a chance to shine at the event
  • Last time they mostly had ARM devices, but this time the centerpiece was an OMRON LUNA88k
  • They had at least one FreeBSD and OpenBSD device, and at least one NetBSD device even had Adobe Flash running on it
  • And what conference would be complete without an LED-powered towel

OpenSSH 7.0 released

  • The OpenSSH team has just finished up the 7.0 release, and the focus this time is deprecating legacy code
  • SSHv1 support is disabled, the 1024-bit diffie-hellman-group1-sha1 KEX is disabled and the v00 cert format authentication is disabled
  • The syntax for permitting root logins has been changed: the PermitRootLogin value is now called “prohibit-password” instead of “without-password” (this makes it so root can log in, but only with keys) – all interactive authentication methods for root are also disabled by default now
  • If you’re using an older configuration file, the “without-password” option still works, so no change is required
  • You can now control which public key types are available for authentication, as well as control which public key types are offered for host authentications
  • Various bug fixes and documentation improvements are also included
  • Aside from the keyboard-interactive and PAM-related bugs, this release includes one minor security fix: TTY permissions were too open, so users could write messages to other logged-in users
  • In the next release, even more deprecation is planned: RSA keys will be refused if they’re under 1024 bits, CBC-based ciphers will be disabled and the MD5 HMAC will also be disabled

Interview – Peter Toth – peter.toth198@gmail.com / @pannonp

Containment with iocage


News Roundup

More c2k15 reports

  • A few more hackathon reports from c2k15 in Calgary are still slowly trickling in
  • Alexander Bluhm’s up first, and he continued improving OpenBSD’s regression test suite (this ensures that no changes accidentally break existing things)
  • He also worked on syslogd, completing the TCP input code – the syslogd in 5.8 will have TLS support for secure remote logging
  • Renato Westphal sent in a report of his very first hackathon
  • He finished up the VPLS implementation and worked on EIGRP (which is explained in the report) – the end result is that OpenBSD will be more easily deployable in a Cisco-heavy network
  • Philip Guenther also wrote in, getting some very technical and low-level stuff done at the hackathon
  • His report opens with “First came a diff to move the grabbing of the kernel lock for soft-interrupts from the ASM stubs to the C routine so that mere mortals can actually push it around further to reduce locking.” – not exactly beginner stuff
  • There were also some C-state, suspend/resume and general ACPI improvements committed, and he gives a long list of random other bits he worked on as well

FreeBSD jails, the hard way

  • As you learned from our interview this week, there’s quite a selection of tools available to manage your jails
  • This article takes the opposite approach, using only the tools in the base system: ZFS, nullfs and jail.conf
  • Unlike with iocage, ZFS isn’t actually a requirement for this method
  • If you are using it, though, you can make use of snapshots for making template jails

OpenSSH hardware tokens

  • We’ve talked about a number of ways to do two-factor authentication with SSH, but what if you want it on both the client and server?
  • This blog post will show you how to use a hardware token as a second authentication factor, for the “something you know, something you have” security model
  • It takes you through from start to finish: formatting the token, generating keys, getting it integrated with sshd
  • Most of this will apply to any OS that can run ssh, and the token used in the example can be found online for pretty cheap too

LibreSSL 2.2.2 released

  • The LibreSSL team has released version 2.2.2, which signals the end of the 5.8 development cycle and includes many fixes
  • At the c2k15 hackathon, developers uncovered dozens of problems in the OpenSSL codebase with the Coverity code scanner, and this release incorporates all those: dead code, memory leaks, logic errors (which, by the way, you really don’t want in a crypto tool…) and much more
  • SSLv3 support was removed from the “openssl” command, and only a few other SSLv3 bits remain – once workarounds are found for ports that specifically depend on it, it’ll be removed completely
  • Various other small improvements were made: DH params are now 2048 bits by default, more old workarounds removed, cmake support added, etc
  • It’ll be in 5.8 (due out earlier than usual) and it’s in the FreeBSD ports tree as well

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • BSD Now T-shirts are now available to preorder, and will be shipping in September (you have until the end of August to place an order, then they’re gone)
  • Next week’s episode will be a shorter prerecorded one, since Allan’s going to BSDCam

The post May Contain ZFS | BSD Now 102 first appeared on Jupiter Broadcasting.

]]>
Google’s Creepiness Controls | Tech Talk Today 177 https://original.jupiterbroadcasting.net/83122/googles-creepiness-controls-tech-talk-today-177/ Tue, 02 Jun 2015 10:26:18 +0000 https://original.jupiterbroadcasting.net/?p=83122 Thunderbolt 3 promises to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac Flaw & Google wants to kinda give you better privacy controls. Direct Download: MP3 Audio | OGG Audio | Video | […]

The post Google's Creepiness Controls | Tech Talk Today 177 first appeared on Jupiter Broadcasting.

]]>


Thunderbolt 3 promises to unify the connector and usher in peace and tranquility. But when will we see it ship? Microsoft has prices & ship dates for Windows 10, Apple has a major Mac Flaw & Google wants to kinda give you better privacy controls.


]]>