Episode 110 - Firmware Fights

2015-10-07

This episode was brought to you by

iXsystems - Enterprise Servers and Storage for Open Source
DigitalOcean - Simple Cloud Hosting, Built for Developers
Tarsnap - Online Backups for the Truly Paranoid


Headlines

EuroBSDCon Videos


A series of OpenSMTPd patches fix multiple vulnerabilities

  • Qualys recently published an audit of the OpenSMTPd source code
  • The fixes for these vulnerabilities were released as 5.7.2
  • After its release, two additional vulnerabilities were found, one of them, in the portable version, in newer code that was added after the audit started
  • All users are strongly encouraged to upgrade to 5.7.3
  • OpenBSD users should apply the latest errata or upgrade to the newest snapshot

FreeBSD updates in -CURRENT


OpenBSD Initial Support for Broadwell Graphics

  • OpenBSD now joins DragonFly, with initial support for Broadwell GPUs landing in its development branch
  • This brings OpenBSD up to Linux 3.14.52 DRM, and Mark Kettenis mentions that it isn't perfect yet, and may cause some issues with older hardware, although no major regressions yet

OpenBSD Slides for TAME and libTLS APIs

  • The first set of slides is from a talk Theo de Raadt gave in Croatia; they describe the history and impetus for tame
  • Theo specifically avoids comparisons to other sandboxing techniques like capsicum and seccomp, because he is not impartial
  • tame() itself is only about 1200 lines of code
  • Sandboxing the file(1) command with systrace: 300 lines of code, with tame: 4 lines
  • Theo makes the point that "optional security" is irrelevant. If a mitigation feature has a knob to turn it off, some program will break and advise users to turn the feature off. Eventually, no one uses the feature, and it dies
  • This has led to OpenBSD's policy: "Once working, these features cannot be disabled. Application bugs must be fixed."
  • The second talk is by Bob Beck, about LibreSSL
  • When LibreSSL was forked from OpenSSL 1.0.1g, it contained 388,000 lines of C code
  • 30 days into LibreSSL, they had deleted 90,000 lines of C
  • OpenSSL 1.0.2d has 432,000 lines of C (728k total), and OpenSSL Current has 411,000 lines of C (over 1 million total)
  • LibreSSL today contains 297,000 lines of C (511k total)
  • None of the high-risk CVEs against OpenSSL (there have been 5) have affected LibreSSL. It turns out removing old code and unneeded features is good for security.
  • The talk focuses on libtls, an alternative to the OpenSSL API, designed to be easier to use and less error prone
  • In the libtls API, a return value of -1 is always an error. In OpenSSL, it might not be an error, and additional code is needed to check errno
  • In OpenBSD: ftp, nc, ntpd, httpd, spamd, syslog have been converted to the new API
  • The OpenBSD Foundation is looking for donations in order to sponsor 2-3 developers to spend 6 months dedicated to LibreSSL

Interview - Benno Rice - benno@FreeBSD.org / @jeamland

Isilon and building products on top of FreeBSD


News Roundup

ReLaunchd

  • This past week we got a heads up about another init/launchd replacement, this time "Relaunchd"
  • The goals of this project appear to be keeping launchd functionality, while being portable enough to run on FreeBSD / Linux, etc.
  • It also has aspirations of being "container-aware", with support for jailed services, à la Docker, as well as cluster awareness.
  • Written in Ruby :(, it also maintains that it wishes to NOT take over PID1 or replace the initial system boot scripts, but extend / leverage them in new ways.

Static Intrusion Detection in NetBSD

  • Alistair Crooks has committed a new "sid" utility to NetBSD, which allows intrusion detection by comparing the file-system contents to a database of known good values
  • The utility can compare the entire root file system of a modest NetBSD machine in about 15 seconds
  • The following parameters of each file can be checked: atime, block count, ctime, file type, flags, group, inode, link target, mtime, number of links, permissions, size, user, crc32c checksum, sha256 checksum, sha512 checksum
  • A JSON report is issued at the end, for any detected variances
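
A minimal sketch of the baseline-and-compare approach described above, as an added example (not the sid utility's code, database layout or report format). It records a subset of the listed attributes; the function names and the sample files are constructed for illustration.

```python
import hashlib, json, os, pathlib, stat, tempfile

def snapshot(root):
    """Record selected per-file attributes for every entry under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat describes a symlink itself, never its target
            rec = {"type": stat.S_IFMT(st.st_mode),
                   "permissions": stat.S_IMODE(st.st_mode),
                   "user": st.st_uid, "group": st.st_gid,
                   "links": st.st_nlink, "size": st.st_size,
                   "mtime": st.st_mtime_ns}
            if stat.S_ISLNK(st.st_mode):
                rec["link_target"] = os.readlink(path)
            elif stat.S_ISREG(st.st_mode):
                with open(path, "rb") as f:
                    rec["sha256"] = hashlib.sha256(f.read()).hexdigest()
            db[os.path.relpath(path, root)] = rec
    return db

def compare(baseline, current):
    """Return the variances: added, removed, or changed entries."""
    report = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            report.append({"path": path, "status": "added"})
        elif new is None:
            report.append({"path": path, "status": "removed"})
        else:
            diff = {k: {"expected": old.get(k), "found": new.get(k)}
                    for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}
            if diff:
                report.append({"path": path, "status": "changed", "fields": diff})
    return report

def demo():
    """Constructed sample tree: take a baseline, alter the tree, compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("sshd_config", b"PermitRootLogin no\n"), ("motd", b"hi\n")):
            pathlib.Path(root, name).write_bytes(data)
        baseline = snapshot(root)
        pathlib.Path(root, "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        os.chmod(os.path.join(root, "motd"), 0o777)     # metadata-only change
        pathlib.Path(root, "rc.local").write_bytes(b"")  # file absent from baseline
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))  # JSON report of detected variances
```

The permission change on `motd` is caught even though its content hash is unchanged, which is why metadata is compared alongside checksums.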

LibreSSL 2.3.0 in PC-BSD

  • If you're running PC-BSD 10.2-EDGE or October's -CURRENT image, LibreSSL 2.3.0 is now a thing
  • Thanks to the hard work of Bernard Spil and others, we have merged in the latest LibreSSL which actually removes SSL support in favor of TLS
  • Quite a number of bugs have been fixed, as well as patches brought over from OpenBSD to fix numerous ports.
  • Allan has started a patchset that sets the OpenSSL in base to "private"
  • This hides the library so that applications and ports cannot find it, so only tools in the base system, like fetch, will be able to use it. This makes OpenSSL no longer part of the base system ABI, meaning the version can be upgraded without breaking the stable ABI promise. This feature may be important in the future, as OpenSSL versions now have EoL dates that may be sooner than the EoL on the FreeBSD stable branches.

PC-BSD and boot-environments without GRUB

  • In this month's -CURRENT image of PC-BSD, we began the process of moving back from the GRUB boot-loader, in favor of FreeBSD's
  • A couple of patches have been included, which enable boot-environment support via the 4th menus (Thanks Allan) and support for booting ZFS on root via UEFI
  • "beadm" has also been updated to seamlessly support both boot-loaders
  • No full-disk encryption support yet (hopefully soon), but GRUB is still available on installer for those who need it

Import of IWM wireless to DragonFly

  • Matthew Dillon has recently imported the newer if_iwm driver from FreeBSD -> DragonFly
  • Across the internet, users with newer Intel chipsets rejoiced!
  • Coupled with the latest Broadwell DRM improvements, DragonFly sounds very ready for the latest laptop chipsets
  • Also, looks like progress is being made on i386 removal

Feedback/Questions


  • Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv
