ZPool – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Mon, 17 Jan 2022 18:30:40 +0000

Planet Incinerating Technology | LINUX Unplugged 441 https://original.jupiterbroadcasting.net/147382/planet-incinerating-technology-linux-unplugged-441/ Sun, 16 Jan 2022 19:45:00 +0000 https://original.jupiterbroadcasting.net/?p=147382 Show Notes: linuxunplugged.com/441

The post Planet Incinerating Technology | LINUX Unplugged 441 first appeared on Jupiter Broadcasting.

Double Server Jeopardy | LINUX Unplugged 439 https://original.jupiterbroadcasting.net/147172/double-server-jeopardy-linux-unplugged-439/ Sun, 02 Jan 2022 15:00:00 +0000 https://original.jupiterbroadcasting.net/?p=147172 Show Notes: linuxunplugged.com/439

The post Double Server Jeopardy | LINUX Unplugged 439 first appeared on Jupiter Broadcasting.

Linux Action News 194 https://original.jupiterbroadcasting.net/145367/linux-action-news-194/ Sun, 20 Jun 2021 17:45:00 +0000 https://original.jupiterbroadcasting.net/?p=145367 Show Notes: linuxactionnews.com/194

The post Linux Action News 194 first appeared on Jupiter Broadcasting.

All Good Things | TechSNAP 430 https://original.jupiterbroadcasting.net/141732/all-good-things-techsnap-430/ Fri, 29 May 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=141732 Show Notes: techsnap.systems/430

The post All Good Things | TechSNAP 430 first appeared on Jupiter Broadcasting.

Grains of Salt | BSD Now 344 https://original.jupiterbroadcasting.net/140732/grains-of-salt-bsd-now-344/ Thu, 02 Apr 2020 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140732 Show Notes/Links: https://www.bsdnow.tv/344

The post Grains of Salt | BSD Now 344 first appeared on Jupiter Broadcasting.

Layout the DVA | BSD Now 342 https://original.jupiterbroadcasting.net/140392/layout-the-dva-bsd-now-342/ Thu, 19 Mar 2020 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=140392 Show Notes/Links: https://www.bsdnow.tv/342

The post Layout the DVA | BSD Now 342 first appeared on Jupiter Broadcasting.

Check My Sums | BSD Now 340 https://original.jupiterbroadcasting.net/139982/check-my-sums-bsd-now-340/ Thu, 05 Mar 2020 05:00:00 +0000 https://original.jupiterbroadcasting.net/?p=139982 Show Notes/Links: https://www.bsdnow.tv/340

The post Check My Sums | BSD Now 340 first appeared on Jupiter Broadcasting.

Emergency Space Mode | BSD Now 324 https://original.jupiterbroadcasting.net/136877/emergency-space-mode-bsd-now-324/ Thu, 14 Nov 2019 04:00:00 +0000 https://original.jupiterbroadcasting.net/?p=136877 Show Notes/Links: https://www.bsdnow.tv/324

The post Emergency Space Mode | BSD Now 324 first appeared on Jupiter Broadcasting.

Mumbling with OpenBSD | BSD Now 308 https://original.jupiterbroadcasting.net/133002/mumbling-with-openbsd-bsd-now-308/ Wed, 24 Jul 2019 20:00:08 +0000 https://original.jupiterbroadcasting.net/?p=133002 Show Notes/Links: https://www.bsdnow.tv/308

The post Mumbling with OpenBSD | BSD Now 308 first appeared on Jupiter Broadcasting.

Operation FreeNAS Rescue | TechSNAP 355 https://original.jupiterbroadcasting.net/122267/operation-freenas-rescue-techsnap-355/ Thu, 08 Feb 2018 14:54:24 +0000 https://original.jupiterbroadcasting.net/?p=122267 RSS Feeds: HD Video Feed | MP3 Audio Feed | iTunes Feed | Torrent Feed Become a supporter on Patreon: Show Notes: In just 24 hours, 5,000 Android devices are conscripted into mining botnet A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines […]

The post Operation FreeNAS Rescue | TechSNAP 355 first appeared on Jupiter Broadcasting.


Show Notes:

In just 24 hours, 5,000 Android devices are conscripted into mining botnet

A fast-moving botnet that appeared over the weekend has already infected thousands of Android devices with potentially destructive malware that mines digital coins on behalf of the unknown attackers, researchers said.

Google Cloud Platform Blog: 12 best practices for user account, authorization and password management

Account management, authorization and password management can be tricky. For many developers, account management is a dark corner that doesn’t get enough attention. For product managers and customers, the resulting experience often falls short of expectations.

Operation FreeNAS Rescue

  • eSATA vs. a new hardware rig.
  • Staged upgrade: move the FreeNAS drive on the internal USB header.
  • Slide in the new disks, and power it up!
  • After it booted and we verified that it saw the drives, it was time to create our pool.

Feedback / Follow Up

Google’s partnership with WordPress aims to jump-start the platform’s support of the latest web technologies — particularly those involving performance & mobile experience. And they’re hiring WordPress experts.

Certifiable Authority | TechSNAP 238 https://original.jupiterbroadcasting.net/89901/certifiable-authority-techsnap-238/ Thu, 29 Oct 2015 14:44:39 +0000 https://original.jupiterbroadcasting.net/?p=89901 TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec. Plus a great batch of your questions, a rocking round up & much, much more! Thanks to: Get Paid to Write for DigitalOcean Direct Download: HD Video | Mobile Video | MP3 Audio | OGG Audio | YouTube | HD Torrent | […]

The post Certifiable Authority | TechSNAP 238 first appeared on Jupiter Broadcasting.


TalkTalk gets compromised, Hackers make cars safer & Google plays hardball with Symantec.

Plus a great batch of your questions, a rocking round up & much, much more!


— Show Notes: —

TalkTalk compromise and ransom

  • “TalkTalk, a British phone and broadband provider with more than four million customers, disclosed Friday that intruders had hacked its Web site and may have stolen personal and financial data. Sources close to the investigation say the company has received a ransom demand of approximately £80,000 (~USD $122,000), with the attackers threatening to publish the TalkTalk’s customer data unless they are paid the amount in Bitcoin.”
  • “In a statement on its Web site, TalkTalk said a criminal investigation was launched by the Metropolitan Police Cyber Crime Unit following “a significant and sustained cyberattack on our website.””
  • That sounds more like a DDoS, but those same words could be used to describe a persistent compromise, where the attackers were inside the TalkTalk network for a long time
  • Possibly compromised information includes: names, addresses, date of birth, phone numbers, email addresses, TalkTalk account information, credit card details and/or bank details
  • “We are continuing to work with leading cyber crime specialists and the Metropolitan Police to establish exactly what happened and the extent of any information accessed.”
  • So it sounds like they have no way of telling how much data was taken, and are hoping forensic analysis after the fact will tell them. Obviously they didn’t have good audit controls in place
  • “A source close to the investigation who spoke on condition of anonymity told KrebsOnSecurity that the hacker group who demanded the £80,000 ransom provided TalkTalk with copies of the tables from its user database as evidence of the breach. The database in question, the source said, appears related to at least 400,000 people who have recently undergone credit checks for new service with the company. However, TalkTalk’s statement says it’s too early to say exactly how many customers were impacted. “Identifying the extent of information accessed is part of the investigation that’s underway,” the company said.”
  • “It appears that multiple hacker collectives have since claimed responsibility for the hack, including one that the BBC described as a “Russian Islamist group” — although sources say there is absolutely no evidence to support that claim at this time.”
  • With the way things are today, lots of people will try to take credit for an attack. That is why the group demanding the ransom provided a sample of the data as proof that they actually had it
  • Of course, the real attackers could have posted the data to an underground forum, and multiple groups could have the data
  • “Separately, promises to post the stolen data have appeared on AlphaBay, a Deep Web black market that specialized in selling stolen goods and illicit drugs. The posting was made by someone using the nickname “Courvoisier.” This member, whose signature describes him as “Level 6 Fraud and Drugs seller,” appears to be an active participant in the AlphaBay market with many vouches from happy customers who’ve turned to him for illegal drugs and stolen credit cards, among other goods and services.”
  • “It seems likely that Courvoisier is not bluffing, at least about posting some subset of TalkTalk customer data. According to a discussion thread on Reddit.com dedicated to explaining AlphaBay’s new Levels system, an AlphaBay seller who has reached the status of Level 6 has successfully consummated at least 500 sales worth a total of at least $75,000, and achieved a 90% positive feedback rating or better from previous customers.”
  • Additional Coverage — The Independent
  • Additional Coverage — ArsTechnica: TalkTalk hit by cyberattack
  • Additional Coverage — The Register: TalkTalk: Our cybersecurity is head and shoulders above our competitors
  • Additional Coverage — ArsTechnica: TalkTalk says it was not legally required to encrypt customer data
  • Additional Coverage — ArsTechnica: 15 year old boy arrested in connection with talktalk breach
  • Video from TalkTalk CEO
  • If you do end up having money stolen from your account, TalkTalk, “on a case-by-case basis”, will waive the termination fee if you decide you no longer want to be a TalkTalk customer
  • New rule: if you are hacked via OWASP Top 10, you’re not allowed to call it “advanced” or “sophisticated”
  • “Significant and sustained cyber attack” “sophisticated”… arrest 15 yr old kid as the hacker

Hackers make cars safer

  • “Virtually every new car sold today has some sort of network connection. Most of us are aware of these connections because of the remarkable capabilities they place at our fingertips—things like hands-free communication, streaming music, advanced safety features, and navigation. Today’s cars are a rolling network of small computers that control the drivetrain, braking, and other systems. And just like the entertainment and navigation systems, these computers are “connected,” too.”
  • “This connectivity within—and between—vehicles will allow transformative innovations like self-driving cars. But it also will make our cars targets for hackers. The security research community can play a valuable role in helping the auto industry stay ahead of these threats. But rather than encouraging collaboration, Congress is discussing legislation that would make illegal the kind of research that already has helped improve the industry’s approach to security.”
  • Last week, “the House Energy and Commerce Committee begins a hearing on a bill to reform the National Highway Traffic Safety Administration. However, tucked into a section concerning the cybersecurity and data collection of automobiles is language that unintentionally could create greater risks for American drivers.”
  • “Now the industry has established an Intelligence Sharing and Analysis Center (ISAC) to exchange cyber threat information. This initiative is a good start. It would provide a central point of contact and collaboration about what threats are out there and how automakers can respond to them. If done well, the ISAC also could improve security standards among auto manufacturers, benefiting all consumers. (More on that here and here.)”
  • “The auto industry is taking promising steps toward better security, but the bill before the Energy and Commerce Committee would be a setback. It would make it illegal for security researchers to examine the code written into today’s cars and identify security vulnerabilities or manipulations designed to thwart environmental regulations. This will make our cars more vulnerable by discouraging responsible research and chilling innovation in car security at a critical time. Moreover, tying the hands of white hat researchers will do nothing to prevent bad actors from finding the same vulnerabilities and exploiting them in potentially harmful ways.”
  • “The auto industry would be better served by following the lead of information technology industry which has developed ways to work with responsible security researchers instead of against them. For years technology companies fought a losing battle on security by threatening hackers, and now many firms have established bounty programs and conferences where researchers are invited to find and report flaws in programs and products. They recognize that bringing researchers to the table and crowd sourcing solutions can be effective in staying ahead of cyber threats. Stopping research before it can start sets a terrible precedent. Rather than make it illegal, Congress should try to spur collaboration between the automakers and the increasingly valuable research community.”
  • US Regulators grant DMCA exemption to legalize vehicle software tinkering
  • Additional Coverage: NPR
  • The ruling uses the terms “good faith security research” and “lawful modification.”
  • “The government defined good-faith security research as means of “accessing a computer program solely for purposes of good-faith testing, investigation and/or correction of a security flaw or vulnerability, where such activity is carried out in a controlled environment designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices or machines on which the computer program operates, or those who use such devices or machines, and is not used or maintained in a manner that facilitates copyright infringement.””
  • “The “lawful modification” of vehicle software was authorized “when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair or lawful modification of a vehicle function; and where such circumvention does not constitute a violation of applicable law, including without limitation regulations promulgated by the Department of Transportation or the Environmental Protection Agency; and provided, however, that such circumvention is initiated no earlier than 12 months after the effective date of this regulation.””
  • Under the ruling, neither exemption becomes law for at least a year

Google plays hardball with Symantec over TLS certificates

  • “Google has given Symantec an offer it can’t refuse: give a thorough accounting of its ailing certificate authority process or risk having the world’s most popular browser—Chrome—issue scary warnings when end users visit HTTPS-protected websites that use Symantec credentials. The ultimatum, made in a blog post published Wednesday afternoon, came five weeks after Symantec fired an undisclosed number of employees caught issuing unauthorized TLS certificates. The mis-issued certificates made it possible for the holders to impersonate HTTPS-protected Google web pages.”
  • Google’s Blog Post
  • Symantec Report
  • “Following our notification, Symantec published a report in response to our inquiries and disclosed that 23 test certificates had been issued without the domain owner’s knowledge covering five organizations, including Google and Opera. However, we were still able to find several more questionable certificates using only the Certificate Transparency logs and a few minutes of work. We shared these results with other root store operators on October 6th, to allow them to independently assess and verify our research.”
  • It seems like Symantec was trying to downplay the incident, and gloss over its failings
  • “Symantec performed another audit and, on October 12th, announced that they had found an additional 164 certificates over 76 domains and 2,458 certificates issued for domains that were never registered.”
  • “The mis-issued certificates represented a potentially critical threat to virtually the entire Internet population because they made it possible for the holders to cryptographically impersonate the affected sites and monitor communications sent to and from the legitimate servers.”
  • This brings up serious questions about the management and oversight of the Symantec certificate authority
  • “It’s obviously concerning that a CA would have such a long-running issue and that they would be unable to assess its scope after being alerted to it and conducting an audit. Therefore we are firstly going to require that as of June 1st, 2016, all certificates issued by Symantec itself will be required to support Certificate Transparency. In this case, logging of non-EV certificates would have provided significantly greater insight into the problem and may have allowed the problem to be detected sooner. After this date, certificates newly issued by Symantec that do not conform to the Chromium Certificate Transparency policy may result in interstitials or other problems when used in Google products”
  • “More immediately, we are requesting of Symantec that they further update their public incident report with:”
  • A post-mortem analysis that details why they did not detect the additional certificates that we found.
  • Details of each of the failures to uphold the relevant Baseline Requirements and EV Guidelines and what they believe the individual root cause was for each failure.
  • “We are also requesting that Symantec provide us with a detailed set of steps they will take to correct and prevent each of the identified failures, as well as a timeline for when they expect to complete such work. Symantec may consider this latter information to be confidential and so we are not requesting that this be made public.”
  • “Following the implementation of these corrective steps, we expect Symantec to undergo a Point-in-time Readiness Assessment and a third-party security audit.”
  • It is good to see Google using its muscle to make the CA industry smarten up and fly right

Bitrot Group Therapy | BSD Now 95 https://original.jupiterbroadcasting.net/84272/bitrot-group-therapy-bsd-now-95/ Thu, 25 Jun 2015 12:10:53 +0000 https://original.jupiterbroadcasting.net/?p=84272 This time on the show, we’ll be talking some ZFS with Sean Chittenden. He’s been using it on FreeBSD at Groupon, and has some interesting stories about how it’s saved his data. Answers to your emails and all of this week’s headlines, on BSD Now – the place to B.. SD. Thanks to: Get Paid […]

The post Bitrot Group Therapy | BSD Now 95 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be talking some ZFS with Sean Chittenden. He’s been using it on FreeBSD at Groupon, and has some interesting stories about how it’s saved his data. Answers to your emails and all of this week’s headlines, on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

More BSDCan 2015 videos


OpenBSD httpd rewrite support

  • One of the most-requested features of OpenBSD’s new HTTP daemon (in fact, you can hear someone asking about it in the video just above) is rewrite support
  • There were concerns about regex code being too complicated and potentially allowing another attack surface, so that was out
  • Instead, Reyk ported over an implementation of Lua pattern matching while on the flight back from BSDCan, turning it into a C API without the Lua bindings
  • In the mailing list post, he shows an example of how to use it for redirects and provides the diff if you’d like to give it a try now
  • It’s since been committed to -current, so you can try it out with a snapshot too

SSH 2FA on FreeBSD

  • We’ve discussed different ways to lock down SSH access to your BSD boxes before – use keys instead of passwords, whitelist IPs, or even use two-factor authentication
  • This article serves as a sort of “roundup” on different methods to set up two-factor authentication on FreeBSD
  • It touches on key pairs with a server-side password, Google Authenticator and a few other variations
  • While the article is focused on FreeBSD, a lot of it can be easily applied to the others too
  • OpenSSH has a great security record, but two-factor authentication is always a good thing to have for the most important systems

NetBSD 7.0-RC1 released

  • NetBSD has just announced the first release candidate for the 7.0 branch, after a long delay since the initial beta (11 months ago)
  • Some of the standout features include: improved KMS/DRM with support for modern GPUs, SMP support on ARM, lots of new ARM boards officially supported, GPT support in the installer, Lua kernel scripting, a multiprocessor USB stack, improvements to NPF (their firewall) and, optionally, Clang 3.6.1
  • They’re looking for as much testing as possible, so give it a try and report your findings to the release engineering team

Interview – Sean Chittenden – seanc@freebsd.org / @seanchittenden

FreeBSD at Groupon, ZFS


News Roundup

OpenSMTPD and Dovecot

  • We’ve covered a number of OpenSMTPD mail server guides on the show, each with just a little something different to offer than the last
  • This blog post about it has something not mentioned before: virtual domains and virtual users
  • This means you can easily have “user1@domain.com” and “user2@otherdomain.com” both go to a local user on the box (or a different third address)
  • It also covers SSL certificates, blocking spam and setting up IMAP access, the usual
  • Now might also be a good time to test out OpenSMTPD 5.7.1-rc1, which we’ll cover in more detail when it’s released…

OctoPkg, a Qt frontend to pkgng

  • A PC-BSD user has begun porting over a graphical package management utility from Arch Linux called Octopi
  • Obviously, it needed to be rewritten to use FreeBSD’s pkg system instead of pacman
  • There are some basic instructions on how to get it built and running on the GitHub page
  • After some testing, it’ll likely make its way to the FreeBSD ports tree
  • Tools like this might make it easier for desktop users (who are used to similar things in Ubuntu or related distros) to switch over

AFL vs. mandoc, a quantitative analysis

  • Ingo Schwarze has written a pretty detailed article about how he and other OpenBSD developers have been fuzzing mandoc with AFL
  • It’s meant to be accompanying material to his BSDCan talk, which already covered nine topics
  • mandoc is an interesting example to stress test with fuzzing, since its main job is to take and parse some highly varying input
  • The article breaks down the 45 different bugs that were found, based on their root cause
  • If you’re interested in secure coding practices, this’ll be a great one to read

OpenZFS conference video

  • Videos from the second OpenZFS conference have just started to show up
  • The first talk is by, you guessed it, Matt Ahrens
  • In it, he covers some ZFS history, the Oracle takeover, the birth of illumos and OpenZFS, some administration basics and also some upcoming features that are being worked on
  • There are also videos from Nexenta and HGST, talking about how they use and contribute to OpenZFS

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

ZFS Armistice | BSD Now 90 https://original.jupiterbroadcasting.net/82447/zfs-armistice-bsd-now-90/ Thu, 21 May 2015 09:57:31 +0000 https://original.jupiterbroadcasting.net/?p=82447 This time on the show, we’ll be chatting with Jed Reynolds about ZFS. He’s been using it extensively on a certain other OS, and we can both learn a bit about the other side’s implementation. Answers to your questions and all this week’s news, coming up on BSD Now – the place to B.. SD. […]

The post ZFS Armistice | BSD Now 90 first appeared on Jupiter Broadcasting.


This time on the show, we’ll be chatting with Jed Reynolds about ZFS. He’s been using it extensively on a certain other OS, and we can both learn a bit about the other side’s implementation. Answers to your questions and all this week’s news, coming up on BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

Playing with sandboxing

  • Sandboxing and privilege separation are popular topics these days – they’re the goal of the new “shill” scripting language, they’re used heavily throughout OpenBSD, and they’re gaining traction with the capsicum framework
  • This blog post explores capsicum in FreeBSD, some of its history and where it’s used in the base system
  • They also include some code samples so you can verify that capsicum is actually denying the program access to certain system calls
  • Check our interview about capsicum from a while back if you haven’t seen it already

OpenNTPD on by default

  • OpenBSD has enabled ntpd by default in the installer
  • In nearly every case, you’re going to want to have your clock synced via NTP
  • With the HTTPS constraints feature also enabled by default, this should keep the time checked and accurate, even against spoofing attacks
  • Lots of problems can be traced back to the time on one system or another being wrong, so this will also eliminate some of those cases
  • For those who might be curious, they’re using the “pool.ntp.org” cluster of addresses and Google for HTTPS constraints (but these can be easily changed)

FreeBSD workshop in Landshut

  • We mentioned a BSD installfest happening in Germany a few weeks back, and the organizer wrote in with a review of the event
  • The installfest instead became a “FreeBSD workshop” session, introducing curious new users to some of the flagship features of the OS
  • They covered when to use UFS or ZFS, firewall options, the release/stable/current branches and finally how to automate installations with Ansible
  • If you’re in south Germany and want to give similar introduction talks or Q&A sessions about the other BSDs, get in touch
  • We’ll hear more from him about how it went in the feedback section today

Swap encryption in DragonFly

  • Doing full disk encryption is very important, but something that people sometimes overlook is encrypting their swap
  • This can actually be more important than the contents of your disks, especially if an unencrypted password or key hits your swap (as it can be recovered quite easily)
  • DragonFlyBSD has added a new experimental option to automatically encrypt your swap partition in fstab
  • There was another way to do it previously, but this is a lot easier
  • You can achieve similar results in FreeBSD by adding “.eli” to the end of the swap device in fstab; there are a few steps to do it in NetBSD; and swap in OpenBSD is encrypted by default
  • A one-time key will be created and then destroyed in each case, making recovery of the plaintext nearly impossible

Interview – Jed Reynolds – jed@bitratchet.com / @jed_reynolds

Comparing ZFS on Linux and FreeBSD


News Roundup

USB thermometer on OpenBSD

  • So maybe you’ve got BSD on your server or router, maybe NetBSD on a toaster, but have you ever used a thermometer with one?
  • This blog post introduces the RDing TEMPer Gold USB thermometer, a small device that can tell the room temperature, and how to get it working on OpenBSD
  • Wouldn’t you know it, OpenBSD has a native “ugold” driver to support it with the sensors framework
  • How useful such a device would be is another story though
  • BSDCan Dan just bought 5 of these to bring to the #EmbeddedBSDCan hackathon. Bring your embedded devices and cool gadgets with you to BSDCan and hang out in the hackers lounge, see what we can put together.

NAS4Free now on ARM

  • We talk a lot about hardware for network-attached storage devices on the show, but ARM doesn’t come up a lot
  • That might be changing soon, as NAS4Free has just released some ARM builds
  • These new (somewhat experimental) images are based on FreeBSD 11-CURRENT
  • Included in the announcement is a list of fully-supported and partially-supported hardware that they’ve tested it with
  • If anyone has experience with running a NAS on slightly exotic hardware, write in to us

pkgsrcCon 2015 CFP and info

  • This year’s pkgsrcCon will be in Berlin, Germany on July 4th and 5th
  • They’re looking for talk proposals and ideas for things you’d like to see
  • If you or your company uses pkgsrc, or if you’re just interested in NetBSD in general, it would be a good event to check out

BSDTalk episode 253

  • BSDTalk has released another new episode
  • In it, he interviews George Neville-Neil about the 2nd edition of “The Design and Implementation of the FreeBSD Operating System”
  • They discuss what’s new since the last edition, who the book’s target audience is and a lot more
  • We’re up to 90 episodes now, slowly catching up to Will…

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv – if there’s someone you want us to talk to on a future episode, you gotta tell us
  • Let us know if you guys have any ideas for our big 100th episode

Signed by Sony | TechSNAP 192 https://original.jupiterbroadcasting.net/73732/signed-by-sony-techsnap-192/ Thu, 11 Dec 2014 18:48:06 +0000 https://original.jupiterbroadcasting.net/?p=73732 If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today! Plus we dig through the Sony hack, answer a ton of great questions & a rocking roundup! Thanks to: Get Paid to Write for DigitalOcean […]

The post Signed by Sony | TechSNAP 192 first appeared on Jupiter Broadcasting.


If we could rebuild the Internet from scratch, what would we change? It’s more than just a thought experiment. We’ll share the details about real world research being done today!

Plus we dig through the Sony hack, answer a ton of great questions & a rocking roundup!

Thanks to:


DigitalOcean


Ting


iXsystems


— Show Notes: —

Reinventing Computers And The Internet From Scratch, For The Sake Of Security

  • DARPA funded research is looking at how we might design the Internet if we had to do it over again
  • Many decisions made 30 and 40 years ago, when UNIX and TCP/IP were designed, might be made differently today
  • The overall project has a number of sub-projects:
    • CRASH – Clean-Slate Design of Resilient, Adaptive, Secure Hosts
    • MRC – Mission-Oriented Resilient Clouds
    • CTSRD – Clean Slate Trustworthy Secure Research and Development (Custard)
  • BERI: Bluespec Extensible RISC Implementation: an open-source hardware-software research and teaching platform: a 64-bit RISC processor implemented in the high-level Bluespec hardware description language (HDL), along with compiler, operating system, and applications
  • CHERI: capability hardware enhanced RISC instructions: hardware-accelerated in-process memory protection and sandboxing model based on a hybrid capability model
  • TESLA: temporally enforced security logic assertions: compiler-generated runtime instrumentation continuously validating temporal security properties
  • SOAAP: security-oriented analysis of application programs: automated program analysis and transformation techniques to help software authors utilize Capsicum and CHERI features
  • The goal is to design newer secure hosts and networks, without having to maintain backwards compatibility with legacy systems, the biggest problem with changing anything on the Internet
  • This is why there are still things like SSLv3 (instead of just TLS 1.2+), why we have not switched to IPv6, and why spam is still such a large problem
  • I for one would definitely like to replace SMTP, but no one has yet devised a plan for a system that the world could transition to without breaking legacy email while we wait for the rest of the world to upgrade
  • “Corporations are elevating security experts to senior roles and increasing their budgets. At Facebook, the former mantra “move fast and break things” has been replaced. It is now “move slowly and fix things.””
  • For performance reasons, when hardware and programming languages were designed 30 and 40 years ago, it was decided that security would be left up to the programmer
  • The CHERI project aims to change this by implementing ‘Capabilities’, a sandboxing and security mechanism, in the hardware, allowing the hardware rather than the software to enforce protections, preventing unauthorized access or modification of various regions of memory by malicious or compromised applications.
  • CHERI, and the software side of the project, Capsicum, are based on FreeBSD, but are also being ported to Linux, where Google plans to make extensive use of it in its Chrome and Chromium browsers.
  • Additional Coverage

Sony Internal Network Hacked


Feedback:


Round Up:


ZFS War Stories | BSD Now 45 https://original.jupiterbroadcasting.net/62142/zfs-war-stories-bsd-now-45/ Thu, 10 Jul 2014 12:39:46 +0000 https://original.jupiterbroadcasting.net/?p=62142 This week Allan is at BSDCam in the UK, so we’ll be back with a regular episode next week. For now though, here’s an interview with Josh Paetzel about some crazy experiences he’s had with ZFS. Thanks to: Direct Download: Video | HD Video | MP3 Audio | OGG Audio | Torrent | YouTube RSS […]

The post ZFS War Stories | BSD Now 45 first appeared on Jupiter Broadcasting.


This week Allan is at BSDCam in the UK, so we’ll be back with a regular episode next week. For now though, here’s an interview with Josh Paetzel about some crazy experiences he’s had with ZFS.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –


Interview – Josh Paetzel – josh@ixsystems.com / @bsdunix4ever

Crazy ZFS stories, network protocols, server hardware


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Devious Methods | BSD Now 42 https://original.jupiterbroadcasting.net/60302/devious-methods-bsd-now-42/ Thu, 19 Jun 2014 11:56:15 +0000 https://original.jupiterbroadcasting.net/?p=60302 Coming up this week, we’ll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now – the place to […]

The post Devious Methods | BSD Now 42 first appeared on Jupiter Broadcasting.


Coming up this week, we’ll be showing you how to chain SSH connections, as well as some cool tricks you can do with it. Going along with that theme, we also have an interview with Bryce Chidester about running a BSD-based shell provider. News, emails and cowsay turkeys, on BSD Now – the place to B.. SD.

Thanks to:


iXsystems


Tarsnap


– Show Notes: –

Headlines

PIE and ASLR in FreeBSD update

  • A status update for Shawn Webb’s ASLR and PIE work for FreeBSD
  • One major part of the code, position-independent executable support, has finally been merged into the -CURRENT tree
  • “FreeBSD has supported loading PIEs for a while now, but the applications in base weren’t compiled as PIEs. Given that ASLR is useless without PIE, getting base compiled with PIE support is a mandatory first step in proper ASLR support”
  • If you’re running -CURRENT, just add “WITH_PIE=1” to your /etc/src.conf and /etc/make.conf
  • The next step is working on the ASLR coding style and getting more developers to look through it
  • Shawn will also be at EuroBSDCon (in September) giving an updated version of his BSDCan talk about ASLR

Misc. pfSense news

  • Couple of pfSense news items this week, including some hardware news
  • Someone’s gotta test the pfSense hardware devices before they’re sold, which involves powering them all on at least once
  • To make that process faster, they’re building a controllable power board (and include some cool pics)
  • There will be more info on that device a bit later on
  • On Friday, June 27th, there will be another video session (for paying customers only…) about virtualized firewalls
  • pfSense University, a new paid training course, was also announced
  • A single two-day class costs $2000, ouch

ZFS stripe width

  • A new blog post from Matt Ahrens about ZFS stripe width
  • “The popularity of OpenZFS has spawned a great community of users, sysadmins, architects and developers, contributing a wealth of advice, tips and tricks, and rules of thumb on how to configure ZFS. In general, this is a great aspect of the ZFS community, but I’d like to take the opportunity to address one piece of misinformed advice”
  • Matt goes through different situations where you would set up your zpool differently, each with their own advantages and disadvantages
  • He covers best performance on random IOPS, best reliability, and best space efficiency use cases
  • It includes a lot of detail on each one, including graphs, and addresses some misconceptions about different RAID-Z levels’ overhead factor

FreeBSD 9.3-BETA3 released

  • The third BETA in the 9.3 release cycle is out, we’re slowly getting closer to the release
  • This is expected to be the final BETA, next will come the RCs
  • There have mostly just been small bug fixes since BETA2, but OpenSSL was also updated and the arc4random code was updated to match what’s in -CURRENT (but still isn’t using ChaCha20)
  • The FreeBSD foundation has a blog post about it too
  • There’s a list of changes between 9.2 and 9.3 as well, but we’ll be sure to cover it when the -RELEASE hits

Interview – Bryce Chidester – brycec@devio.us / @brycied00d

Running a BSD shell provider


Tutorial

Chaining SSH connections


News Roundup

My FreeBSD adventure

  • A Slackware user from the “linux questions” forum decides to try out BSD, and documents his initial impressions and findings
  • After ruling out PCBSD due to the demanding hardware requirements and NetBSD due to “politics” (whatever that means, his words) he decides to start off with FreeBSD 10, but also mentions trying OpenBSD later on
  • In his forum post, he covers the documentation (and how easy it makes it for a switcher), dual booting, packages vs ports, network configuration and some other little things
  • So far, he seems to really enjoy BSD and thinks that it makes a lot of sense compared to Linux
  • Might be an interesting, ongoing series we can follow up on later

Even more BSDCan trip reports

  • BSDCan may be over until next year, but trip reports are still pouring in
  • This time we have a summary from Li-Wen Hsu, who was paid for by the FreeBSD foundation
  • He’s part of the “Jenkins CI for FreeBSD” group and went to BSDCan mostly for that
  • Nice long post about all of his experiences at the event, definitely worth a read
  • He even talks about… the food

FreeBSD disk partitioning

  • For his latest book series on FreeBSD’s GEOM system, MWL asked the hackers mailing list for some clarification
  • This erupted into a very long discussion about fdisk vs gnop vs gpart
  • So you don’t have to read the tons of mailing list posts, he’s summarized the findings in a blog post
  • It covers MBR vs GPT, disk sector sizes and how to handle all of them with which tools

BSD Router Project version 1.51

  • A new version of the BSD Router Project has been released, 1.51
  • It’s now based on FreeBSD 10-STABLE instead of 10.0-RELEASE
  • Includes lots of bugfixes and small updates, as well as some patches from pfSense and elsewhere
  • Check the sourceforge page for the complete list of changes
  • The minimum disk size requirement has increased to 512MB

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • A special thanks to our viewer Lars for writing most of today’s tutorial and sending it in
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you want to come on for an interview or have a tutorial you’d like to see, let us know
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Edgy BSD Users | BSD Now 31 https://original.jupiterbroadcasting.net/54522/edgy-bsd-users-bsd-now-31/ Thu, 03 Apr 2014 21:02:03 +0000 https://original.jupiterbroadcasting.net/?p=54522 We talk to Richard Stallman about the upcoming GPLv4 and how it will protect our software from being stolen.

The post Edgy BSD Users | BSD Now 31 first appeared on Jupiter Broadcasting.


This week we’ll be talking to Richard Stallman about the upcoming GPLv4 and how it will protect our software from being stolen. After that, we’ll show you how to recover from those pesky ZFS on Linux corruption issues, as well as some tips on how to explain to your boss that all the production boxes were compromised. Your questions and all the latest GNUs, on Linux Now – the place to Lin.. ux.

Thanks to:


iXsystems


– Show Notes: –

Headlines

Preorders for cool BSD stuff

  • The 2nd edition of The Design and Implementation of the FreeBSD Operating System is up for preorder
  • We talked to GNN briefly about it, but he and Kirk have apparently finally finished the book
  • “For many years, The Design and Implementation of the FreeBSD Operating System has been recognized as the most complete, up-to-date, and authoritative technical guide to FreeBSD’s internal structure. Now, this definitive guide has been extensively updated to reflect all major FreeBSD improvements between Versions 5 and Versions 11”
  • OpenBSD 5.5 preorders are also up, so you can buy a CD set now
  • You can help support the project, and even get the -release of the OS before it’s available publicly
  • 5.5 is a huge release with lots of big changes, so now is the right time to purchase one of these – tell Austin we sent you!

pkgsrcCon 2014 CFP

  • This year’s pkgsrcCon is in London, on June 21st and 22nd
  • There’s a Call For Papers out now, so you can submit your talks
  • Anything related to pkgsrc is fine, it’s pretty informal
  • Does anyone in the audience know if the talks will be recorded? This con is relatively unknown

BSDMag issue for March 2014

  • The monthly BSD magazine releases its newest issue
  • Topics this time include: deploying NetBSD using AWS EC2, creating a multi-purpose file server with NetBSD, DragonflyBSD as a backup server, more GIMP lessons, network analysis with wireshark and a general security article
  • The Linux article trend seems to continue… hmm

Non-ECC RAM in FreeNAS

  • We’ve gotten a few questions about ECC RAM with ZFS
  • Here we’ve got a surprising blog post about why someone did not go with ECC RAM for his NAS build
  • The article mentions the benefits of ECC and admits it is a better choice in nearly all instances, but unfortunately it’s not very widespread in consumer hardware motherboards and it’s more expensive
  • Regular RAM also has “special” issues with ZFS and pool corruption
  • Long post, so check out the whole thing if you’ve been considering your memory options and weighing the benefits
  • While we’re on the topic of FreeNAS…

This episode was brought to you by

iXsystems


Interview – Pierre Pronchery – khorben@edgebsd.org / @khorben

EdgeBSD (slides)


Tutorial

Building an OpenBSD desktop


News Roundup

Getting to know your portmgr-lurkers

  • This week we get to hear from Frederic Culot, colut@
  • Originally an OpenBSD user from France, Frederic joined as a ports committer in 2010 and recently joined the portmgr lurkers team
  • “FreeBSD is also one of my sources of inspiration when it comes to how organizations behave and innovate, and I find it very interesting to compare FreeBSD with the for-profit companies I work for”
  • We get to find out a little bit about him, why he loves FreeBSD and what he does for the project

NetBSD on the Playstation 2

  • Who doesn’t want to run NetBSD on their old PS2?
  • The PS2 port of NetBSD was sadly removed in 2009, but it has been revived
  • It’s using a slightly unusual MIPS CPU that didn’t have much GCC support
  • Hopefully a bootable kernel will be available soon

The FreeBSD Challenge update

  • Our friend from the Linux Foundation continues his FreeBSD switching journey
  • This time he starts off by discovering virtual machines suck at keeping accurate time, and some ports weren’t working because of his clock being way off
  • After polling the IRC for help, he finally learns the difference between ntpdate and ntpd and both of their use cases
  • Maybe he should’ve just read our NTP tutorial!

PCBSD weekly digest

  • The mount tray icon got lots of updates and fixes
  • The faulty distribution server has finally been tracked down and… destroyed
  • New language localization project is in progress
  • Many many updates to ports and PBIs, new -STABLE builds

Feedback/Questions


  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you’ve got something cool to talk about and want to come on for an interview, shoot us an email
  • Also if you have any tutorial requests, we’d be glad to show whatever the viewers want to see
  • Watch live Wednesdays at 2:00PM Eastern (18:00 UTC)

Kickin’ NAS | BSD Now 15 https://original.jupiterbroadcasting.net/47992/kickin-nas-bsd-now-15/ Thu, 12 Dec 2013 22:07:53 +0000 https://original.jupiterbroadcasting.net/?p=47992 We'll be looking at the new version of FreeNAS, a BSD-based network attached storage solution, as well as talking to Josh Paetzel.

The post Kickin' NAS | BSD Now 15 first appeared on Jupiter Broadcasting.


We’ll be looking at the new version of FreeNAS, a BSD-based network attached storage solution, as well as talking to Josh Paetzel – one of the key developers of FreeNAS. Actually, he’s on the FreeBSD release engineering team too, and does quite a lot for the project. We’ve got answers to viewer-submitted questions and plenty of news to cover, so get ready for some BSD Now – the place to B.. SD.

Thanks to:


iXsystems


– Show Notes: –

Headlines

More faces of FreeBSD

  • Another installment of the FoF series
  • This time they talk with Reid Linnemann who works at Spectra Logic
  • Gives a history of all the different jobs he’s done, all the programming languages he knows
  • Mentions how he first learned about FreeBSD, actually pretty similar to Kris’ story
  • “I used the system to build and install ports, and explored, getting actively involved in the mailing lists and forums, studying, passing on my own limited knowledge to those who could benefit from it. I pursued my career in the open source software world, learning the differences in BSD and GNU licensing and the fragmented nature of Linux distributions, realizing the FreeBSD community was more mature and well distributed about industry, education, and research. Everything steered me towards working with and on FreeBSD.”
  • Now works on FreeBSD as his day job
  • The second one covers Brooks Davis
  • FreeBSD committer since 2001 and core team member from 2006 through 2012
  • He’s helped drive our transition from a GNU toolchain to a more modern LLVM-based toolchain
  • “One of the reasons I like FreeBSD is the community involved in the process of building a principled, technically-advanced operating system platform. Not only do we produce a great product, but we have fun doing it.”
  • Lots more in the show notes

We cannot trust Intel and Via’s chip-based crypto

  • We woke up to see FreeBSD on the front page of The Register, Ars Technica and Hacker News for their strong stance on security and respecting privacy – good to see big news outlets giving credit where it’s due
  • At the EuroBSDCon dev summit, there was some discussion about removing support for hardware-based random number generators.
  • FreeBSD’s /dev/random got some updates and, for 10.0, will no longer allow the use of Intel or VIA’s hardware RNGs as the sole point of entropy
  • “It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more”
  • Hopefully others will follow FreeBSD’s example very soon

OpenSMTPD 5.4.1 released

  • The OpenBSD developers came out with a major new version
  • Improved config syntax (please check your smtpd.conf before upgrading)
  • Adds support for TLS Perfect Forward Secrecy and custom CA certificate
  • MTA, Queue and SMTP server improvements
  • SNI support confirmed for the next version
  • Check the show notes for the full list of changes, pretty huge release
  • Watch Episode 3 for an interview we did with the developers

More getting to know your portmgr

  • The portmgr secretary, Thomas Abthorpe, interviews… himself!
  • Joined as -secretary in March 2010, upgraded to full member in March 2011
  • His inspiration for using BSD is “I wanted to run a webserver, and I wanted something free. I was going to use something linux, then met up with a former prof from university, and shared my story with him. He told me FreeBSD was the way to go.”
  • Mentions how he loves that anyone can contribute and watch it “go live”
  • The second one covers Baptiste Daroussin
  • The reason for his nick, bapt, is “Baptiste is too long to type”
  • There’s even a video of bapt joining the team!

Interview – Josh Paetzel – josh@ixsystems.com / @freenasteam

FreeNAS 9.2.0


Tutorial

[FreeNAS walkthrough]


News Roundup

Introducing configinit

  • CloudInit is “a system originally written for Ubuntu which performs configuration of a system at boot-time based on user-data provided via EC2”
  • Wasn’t ideal for FreeBSD since it requires python and is designed around the concept of configuring a system by running commands (rather than editing configuration files)
  • Colin Percival came up with configinit, a FreeBSD alternative
  • Alongside his new “firstboot-pkgs” port, it can spin up a webserver in 120 seconds from “launch” of the EC2 instance
  • Check the show notes for full blog post

OpenSSH support for Ed25519 and bcrypt keys

  • New Ed25519 key support (hostkeys and user identities) using the public domain ed25519 reference code
  • SSH private keys were encrypted with a symmetric key that’s just an MD5 of their password
  • Now they’ll be using bcrypt by default
  • We’ll get more into this in next week’s interview

The FreeBSD challenge

  • A member of the Linux foundation blogs about using FreeBSD
  • Goes through all the beginner steps, has to “unlearn” some of his Linux ways
  • Only a few posts as of this time, but it’s a continuing series that may be helpful for switchers
  • Maybe some day he’ll be on the FreeBSD foundation instead!

PCBSD weekly digest

  • GNOME3, cinnamon and mate desktops are in the installer
  • Compat layer updated to CentOS 6, enables newest Skype
  • Looking for people to test printers and hplip
  • Continuing work on grub, but the ability to switch between bootloaders is back

Feedback/Questions

  • Bostjan writes in: https://slexy.org/view/s20k2gumbP
  • Jason writes in: https://slexy.org/view/s2PM8tfKfe
  • John writes in: https://slexy.org/view/s2KgXIKqrJ
  • Kjell-Aleksander writes in: https://slexy.org/view/s20DLk8bac
  • Alexy writes in: https://slexy.org/view/s2nmmJHvgR

  • All the tutorials are posted in their entirety at bsdnow.tv
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)

Zettabytes for Days | BSD Now 14 https://original.jupiterbroadcasting.net/47597/zettabytes-for-days-bsd-now-14/ Fri, 06 Dec 2013 12:17:54 +0000 https://original.jupiterbroadcasting.net/?p=47597 We'll be giving you a crash course on becoming a ZFS wizard, as well as having a chat with George Wilson about the OpenZFS project's recent developments.

The post Zettabytes for Days | BSD Now 14 first appeared on Jupiter Broadcasting.


This week is the long-awaited episode you’ve been asking for! We’ll be giving you a crash course on becoming a ZFS wizard, as well as having a chat with George Wilson about the OpenZFS project’s recent developments. We have answers to your feedback emails and there are some great news items to get caught up on too, so stay tuned to BSD Now – the place to B.. SD.


– Show Notes: –

Headlines

pkgng 1.2 released

  • bapt and bdrewery from the portmgr team released pkgng 1.2 final
  • New features include an improved build system, plugin improvements, new bootstrapping command, SRV mirror improvements, a new “pkg config” command, repo improvements, vuXML is now default, new fingerprint features and much more
  • Really simple to upgrade, check our pkgng tutorial if you want some easy instructions
  • It’s also made its way into Dragonfly
  • See the show notes for the full list of new features and fixes

ChaCha20 and Poly1305 in OpenSSH

  • Damien Miller recently committed support for a new authenticated encryption cipher for OpenSSH, chacha20-poly1305
  • Long blog post explaining what these are and why we need them
  • This cipher combines two primitives: the ChaCha20 cipher and the Poly1305 MAC
  • RC4 is broken, we needed an authenticated encryption mode to complement AES-GCM that doesn’t show the packet length in cleartext
  • Great explanation of the differences between EtM, MtE and EaM and their advantages
  • “Both AES-GCM and the EtM MAC modes have a small downside though: because we no longer desire to decrypt the packet as we go, the packet length must be transmitted in plaintext. This unfortunately makes some forms of traffic analysis easier as the attacker can just read the packet lengths directly.”

Is it time to dump Linux and move to BSD

  • ITworld did an article about switching from Linux to BSD
  • The author’s interest was sparked from a review he was reading that said “I feel the BSD communities, especially the FreeBSD-based projects, are where the interesting developments are happening these days. Over in FreeBSD land we have efficient PBI bundles, a mature advanced file system in the form of ZFS, new friendly and powerful system installers, a new package manager (pkgng), a powerful jail manager and there will soon be new virtualization technology coming with the release of FreeBSD 10.0”
  • The whole article can be summed up with “yes” – ok, next story!

OpenZFS devsummit videos

  • Kicking off the ZFS episode, we’ve got…
  • The OpenZFS developer summit discussion and presentation videos are up
  • People from various operating systems (FreeBSD, Mac OS X, illumos, etc.) were there to discuss ZFS on their platforms and the challenges they faced
  • Question and answer session from representatives of every OS – had a couple FreeBSD guys there including one from the foundation
  • Presentations both about ZFS itself and some hardware-based solutions for implementing ZFS in production
  • TONS of video, about 6 hours’ worth
  • This leads us into our interview, which is…

Interview – George Wilson – Soft Eng at Delphix – wilzun@gmail.com / @zfsdude

  • KM: Can you tell us a little about yourself and how you first got involved with ZFS?
  • AJ: Which features have you worked on in the past?
  • KM: Which platform do you personally use ZFS on, and for what tasks?
  • AJ: So what exactly is the OpenZFS project about?
  • KM: What do you hope the future of OpenZFS will bring?
  • AJ: When are we going to see native encryption?
  • KM: Are there some new features you’re currently hacking on?
  • AJ: Is there anything specific you’d like to see added to ZFS in the future?
  • KM: How did the developer summit and hackathon go?
  • AJ: Where can people go to get involved with development, and what\’s currently needed?
  • KM: Anything else you’d like to mention?

Tutorial

A crash course on ZFS

  • Everything you need to know to get acquainted with the world’s most powerful filesystem on the world’s most powerful OS
  • Includes both beginner and advanced topics

News Roundup

ruBSD 2013 information

  • The ruBSD 2013 conference will take place on Saturday December 14, 2013 at 10:30 AM in Moscow, Russia
  • Speakers include three OpenBSD developers, Theo de Raadt, Henning Brauer and Mike Belopuhov
  • Their talks are titled “The bane of backwards compatibility,” “OpenBSD’s pf: Design, Implementation and Future” and “OpenBSD: Where crypto is going?”
  • No word on if there will be video recordings, but we’ll let you know if that changes

DragonFly roadmap, post 3.6

  • John Marino posted a possible roadmap for DragonFly, now that they’re past the 3.6 release
  • He wants some third party vendor software updated from very old versions (WPA supplicant, bmake, binutils)
  • Plans to replace GCC44 with Clang, but GCC47 will probably be the primary compiler still
  • Bring in fixes and new stuff from FreeBSD 10

BSDCan 2014 CFP

  • BSDCan 2014 will be held on May 16-17 in Ottawa, Canada
  • They’re now accepting proposals for talks
  • If you are doing something interesting with a BSD operating system, please submit a proposal
  • We’ll be getting lots of interviews there

casperd added to -CURRENT

  • “It (and its services) will be responsible for giving access to functionality that is not available in capability mode sandbox. The functionality can be precisely restricted.”
  • Lists some sysctls that can be controlled

ZFS corruption bug fixed in -CURRENT

  • Just a quick follow-up from last week, the ZFS corruption bug in FreeBSD -CURRENT was very quickly fixed, before that episode was even uploaded

Feedback/Questions

  • Chris writes in: https://slexy.org/view/s2JDWKjs7l
  • SW writes in: https://slexy.org/view/s20BLqxTWD
  • Jason writes in: https://slexy.org/view/s2939tUOf5
  • Clint writes in: https://slexy.org/view/s21qKY6qIb
  • Chris writes in: https://slexy.org/view/s20LWlmhoK

  • The written versions of the Tor, jails and OpenBSD router tutorials have gotten a few small improvements and fixes
  • The poudriere and pkgng tutorials have been updated for the new 1.2 repository syntax
  • All the tutorials are posted in their entirety at bsdnow.tv, including today’s HUGE ZFS one
  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
  • If you have stories about how you or your company uses BSD, interesting things you’ve done, crazy network stories or cool projects, send them to us!
  • Watch live Wednesdays at 2:00PM Eastern (19:00 UTC)
  • Kris’ Skype video was coming straight from PCBSD this week!

Ideal ZFS Configurations | TechSNAP 135 https://original.jupiterbroadcasting.net/46032/ideal-zfs-configurations-techsnap-135/ Thu, 07 Nov 2013 17:30:31 +0000 https://original.jupiterbroadcasting.net/?p=46032 Striking a balance between performance and reliability can be a challenge. Also details on Adobe storing your private data in reversible encryption.

The post Ideal ZFS Configurations | TechSNAP 135 first appeared on Jupiter Broadcasting.


Striking a balance between performance and reliability can be a challenge; we'll share our thoughts. Hackers figure out how to take over any Twitter account they want, while Adobe stores your private data in reversible encryption.

Plus your questions, our answers, and much much more.


Adobe encrypted passwords, rather than cryptographically hashing them

  • This is a detail reporters often get wrong, saying that passwords were ‘encrypted’ when they meant ‘hashed’
  • Turns out, Adobe actually did it WRONG
  • The Adobe breach gave the attackers access to a 9.3 GB database containing 130 million user accounts and their passwords
  • The problem is that the passwords were stored using ‘reversible’ encryption (standard symmetric encryption, normally used on files), rather than cryptographic hashes (one-way functions)
  • This means that if the attacker manages to obtain or brute-force the secret key that was used to encrypt the passwords, they would be able to decrypt EVERY password in one go
  • Many of the accounts in the Adobe database belong to government organizations including the FBI, as well as many large corporations
  • The passwords were encrypted using 3DES (Triple DES)
  • DES was originally introduced in 1977, and 3DES in 1998, because the 56-bit keys in DES were no longer strong enough
  • Adobe also used ECB (Electronic Code Book) mode, which is known to leak information about the passwords
  • 3DES was superseded in 2001 by AES
  • Unlike with a cryptographic hashing algorithm, where the server does not know each user’s password, upgrading from 3DES to AES would have been easy: just decrypt all passwords and encrypt them with the new algorithm
  • Or better yet, decrypt all passwords, and properly cryptographically hash them and then throw away the plain text
  • “For more than a year, Adobe’s authentication system has cryptographically hashed customer passwords using the SHA-256 algorithm, including salting the passwords and iterating the hash more than 1,000 times. This system was not the subject of the attack we publicly disclosed on October 3, 2013. The authentication system involved in the attack was a backup system and was designated to be decommissioned. The system involved in the attack used Triple DES encryption to protect all password information stored.”
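The difference between the two storage schemes described above can be seen in a stored table without knowing any key. The following is an added example, not code from Adobe or from the show: `ecb_like_encrypt` is a keyed stand-in that models only the determinism of ECB mode (it is not 3DES), PBKDF2-HMAC-SHA256 stands in for the salted, iterated SHA-256 scheme, and the accounts and iteration count are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 3DES operates on 8-byte blocks

def ecb_like_encrypt(key: bytes, password: str) -> bytes:
    """Stand-in for ECB mode (not real 3DES, not decryptable): under one
    key, the same padded 8-byte block always maps to the same output."""
    data = password.encode()
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(
        hmac.new(key, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
        for i in range(0, len(data), BLOCK)
    )

def hash_password(password: str, iterations: int = 100_000):
    """Salted, iterated one-way hash; the iteration count is an assumed value."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def shared_value_groups(stored: dict) -> list:
    """Audit check: users whose stored credential bytes are identical."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts (not data from the breach).
ACCOUNTS = {"alice": "correct horse", "bob": "correct horse",
            "carol": "tr0ub4dor&3", "dave": "correct horse battery"}

def demo():
    key = os.urandom(24)  # one key protects every row, as in the 3DES scheme
    encrypted = {u: ecb_like_encrypt(key, p) for u, p in ACCOUNTS.items()}
    hashed = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return encrypted, hashed

if __name__ == "__main__":
    enc, hashed = demo()
    print("identical under ECB-style:", shared_value_groups(enc))
    print("identical under salted hash:",
          shared_value_groups({u: r[2] for u, r in hashed.items()}))
```

Under the ECB-style scheme, equal passwords produce equal rows and passwords sharing their first eight bytes share their first block; with per-user salts, no two stored digests match even for the same password.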

Hackers Take Limo Service Firm for a Ride

  • A break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information of more than 850,000 customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.
  • The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc., suggesting that the same attacker(s) may have been involved in all three compromises.
  • The name on the file archive reads “CorporateCarOnline.”
  • That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”
  • Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses.
  • More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts.
  • Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion.

Researcher finds way to take over ANY Twitter account

  • Security researcher Henry Hoggard discovered a cross-site request forgery (CSRF) vulnerability in Twitter’s “add a mobile device” feature
  • Using this, he was able to read any user’s tweets and DMs
  • A victim who went to a malicious page would unexpectedly authorize a new device to access their Twitter account
  • This should have been prevented by Twitter’s verification step, but it seems that Twitter was not actually checking the value, so an attacker could authorize their mobile device on your account by entering any value in place of the verification code
  • Twitter fixed the issue within 24 hours of it being reported
