This episode was brought to you by

Headlines

BSDCan 2015 videos

• BSDCan just ended last week, but some of the BSD-related presentation videos are already online
• Allan Jude, UCL for FreeBSD
• Andrew Cagney, What happens when a dwarf and a daemon start dancing by the light of the silvery moon?
• Andy Tanenbaum, A reimplementation of NetBSD using a MicroKernel
• Brooks Davis, CheriBSD: A research fork of FreeBSD
• Giuseppe Lettieri, Even faster VM networking with virtual passthrough
• Joseph Mingrone, Molecular Evolution, Genomic Analysis and FreeBSD
• Olivier Cochard-Labbe, Large-scale plug&play x86 network appliance deployment over Internet
• Peter Hessler, Using routing domains / routing tables in a production network
• Ryan Lortie, a stitch in time: jhbuild
• Ted Unangst, signify: Securing OpenBSD From Us To You
• Many more still to come... ***

Documenting my BSD experience

• Increasingly common scenario: a long-time Linux user (since the mid-90s) decides it's finally time to give BSD a try
• "That night I came home, I had been trying to find out everything I could about BSD and I watched many videos, read forums, etc. One of the shows I found was BSD Now. I saw that they helped people and answered questions, so I decided to write in."
• In this ongoing series of blog posts, a user named Michael writes about his initial experiences with trying different BSDs for some different tasks
• The first post covers ZFS on FreeBSD, used to build a file server for his house (and of course he lists the hardware, if you're into that)
• You get a glimpse of a brand new user trying things out, learning how great ZFS-based RAID arrays are and even some of the initial hurdles someone could run into
• He's also looking to venture into the realm of replacing some of his VMs with jails and bhyve soon
• His second post explores replacing the firewall on his self-described "over complicated home network" with an OpenBSD box
• After going from ipfwadmin to ipchains to iptables, not even making it to nftables, he found the simple PF syntax to be really refreshing
• All the tools for his networking needs, the majority of which are in the base system, worked quickly and were easy to understand
• Getting to hear experiences like this are very important - they show areas where all the BSD developers' hard work has paid off, but can also let us know where we need to improve ***

PC-BSD tries HardenedBSD builds

• The PC-BSD team has created a new branch of their git repo with the HardenedBSD ASLR patches integrated
• They're not the first major FreeBSD-based project to offer an alternate build - OPNsense did that a few weeks ago - but this might open the door for more projects to give it a try as well
• With Personacrypt, OpenNTPD, LibreSSL and recent Tor integration through the tools, these additional memory protections will offer PC-BSD users even more security that a default FreeBSD install won't have
• Time will tell if more projects and products like FreeNAS might be interested too ***

C-states in OpenBSD

• People who run BSD on their notebooks, you'll want to pay attention to this one
• OpenBSD has recently committed some ACPI improvements for deep C-states, enabling the processor to enter a low-power mode
• According to a few users so far, the change has resulted in dramatically lower CPU temperatures on their laptops, as well as much better battery life
• If you're running OpenBSD -current on a laptop, try out the latest snapshot and report back with your findings ***

NetBSD at Open Source Conference 2015 Hokkaido

• The Japanese NetBSD users group never sleeps, and they've hit yet another open source conference
• As is usually the case, lots of strange machines on display were running none other than NetBSD (though it was mostly ARM this time)
• We'll be having one of these guys on the show next week to discuss some of the lesser-known NetBSD platforms ***

Interview - Marc Espie - espie@openbsd.org / @espie_openbsd

Recent improvements to OpenBSD's dpb tool

News Roundup

Introducing xhyve, bhyve on OS X

• We've talked about FreeBSD's "bhyve" hypervisor a lot on the show, and now it's been ported to another OS
• As the name "xhyve" might imply, it's a port of bhyve to Mac OS X
• Currently it only has support for virtualizing a few Linux distributions, but more guest systems can be added in the future
• It runs entirely in userspace, and has no extra requirements beyond OS X 10.10 or newer
• There are also a few examples on how to use it ***

4K displays on DragonFlyBSD

• If you've been using DragonFly as a desktop, maybe with those nice Broadwell graphics, you'll be pleased to know that 4K displays work just fine
• Matthew Dillon wrote up a wiki page about some of the specifics, including a couple gotchas
• Some GUI applications might look weird on such a huge resolution,
• HDMI ports are mostly limited to a 30Hz refresh rate, and there are slightly steeper hardware requirements for a smooth experience ***

Sandboxing port daemons on OpenBSD

• We talked about different containment methods last week, and mentioned that a lot of the daemons in OpenBSD's base as chrooted by default - things from ports or packages don't always get the same treatment
• This blog post uses a mumble server as an example, but you can apply it to any service from ports that doesn't chroot by default
• It goes through the process of manually building a sandbox with all the libraries you'll need to run the daemon, and this setup will even wipe and refresh the chroot every time you restart it
• With a few small changes, similar tricks could be done on the other BSDs as well - everybody has chroots ***

SmallWall 1.8.2 released

• SmallWall is a relatively new BSD-based project that we've never covered before
• It's an attempt to keep the old m0n0wall codebase going, and appears to have started around the time m0n0wall called it quits
• They've just released the first official version, so you can give it a try now
• If you're interested in learning more about SmallWall, the lead developer just might be on the show in a few weeks... ***

Feedback/Questions

• David writes in
• Brian writes in
• Dan writes in
• Joel writes in
• Steve writes in ***

This episode was brought to you by

Headlines

BSDCan schedule, speakers and talks

• This year's BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone's looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts ***

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
• Dru Lavigne's talk, "ZFS Management Tools in FreeNAS and PC-BSD"
• Scott Long's talk, "Serving one third of the Internet via FreeBSD"
• Michael W. Lucas' talk, "BSD Breaking Barriers" ***

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal's second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they've already gotten over 1000 subscribers! It's available on Google Play, iTunes, Amazon, etc
• "We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
• Check our interview with GNN for more information about the journal ***

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
• Sounds like someone else was having fun with the bug for a while too
• There's also another OpenSSL bug that OpenBSD patched - it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out - we're seeing a fork in real time ***

Interview - Jim Brown - info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
• Now there's a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems ***

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There's also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet ***

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• "Update Center" is getting a lot of development and improvements
• Lots of misc. bug fixes and updates ***

Feedback/Questions

• There's a reddit thread we wanted to highlight - a user wants to show his friend BSD and why it's great
• Brad writes in
• Sha'ul writes in
• iGibbs writes in
• Matt writes in ***

This episode was brought to you by

Headlines

Using OpenSSH Certificate Authentication

• SSH has a not-so-often-talked-about authentication option in addition to passwords and keys: certificates - you can add certificates to any current authentication method you're using
• They're not really that complex, there just isn't a lot of documentation on how to use them - this post tries to solve that
• There's the benefit of not needing a known_hosts file or authorized_users file anymore
• The post goes into a fair amount of detail about the differences, advantages and implications of using certificates for authentication ***

Back to FreeBSD, a new series

• Similar to the "FreeBSD Challenge" blog series, one of our listeners will be writing about his switching BACK to FreeBSD journey
• "So, a long time ago, I had a box which was running FreeBSD 4, running on a Pentium. 14 years later, I have decided to get back into FreeBSD, now at FreeBSD 10"
• He's starting off with PCBSD since it's easy to get working with dual graphics
• Should be a fun series to follow! ***

OpenBSD's recent experiments in package building

• If you'll remember back to our poudriere tutorial, it lets you build FreeBSD binary packages in bulk - OpenBSD's version is called dpb
• Marc Espie recently got some monster machines in russia to play with to help improve scaling of dpb on high end hardware
• This article goes through some of his findings and plans for future versions that increase performance
• We'll be showing a tutorial of dpb on the show in a few weeks ***

Securing FreeBSD with 2FA

• So maybe you've set up two-factor authentication with gmail or twitter, but have you done it with your BSD box?
• This post walks us through the process of locking down an ssh server with 2FA
• With just a mobile phone and a few extra tools, you can enable two-factor auth on your BSD box and have just that little extra bit of protections ***

Interview - Gleb Kurtsou - gleb.kurtsou@gmail.com

PEFS (security audit results here)

Tutorial

Filesystem-based encryption with PEFS

News Roundup

BSDCan 2014 registration

• Registration is finally open!
• The prices are available along with a full list of presentations
• Tutorial sessions for various topics as well
• You have to go ***

Big changes for OpenBSD 5.6

• Although 5.5 was just frozen and the release process has started, 5.6 is already looking promising
• OpenBSD has, for a long time, included a heavily-patched version of Apache based on 1.3
• They've also imported nginx into base a few years ago, but now have finally removed Apache
• Sendmail is also no longer the default MTA, OpenSMTPD is the new default
• Will BIND be removed next? Maybe so
• They've also discontinued the hp300, mvme68k and mvme88k ports ***

Getting to know your portmgr lurkers

• The "getting to know your portmgr" series makes its return
• This time we get to talk with danfe@ (probably most known for being the nVidia driver maintainer, but he does a lot with ports)
• How he got into FreeBSD? He "wanted a unix system that I could understand and that would not get bloated as time goes by"
• Mentions why he's still heavily involved with the project and lots more ***

PCBSD weekly digest

• Work has started to port Pulseaudio to PCBSD 10.0.1
• There's a new "pc-mixer" utility being worked on for sound management as well
• New PBIs, GNOME/Mate updates, Life Preserver fixes and a lot more
• PCBSD 10.0.1 was released too ***

Feedback/Questions

• Alex writes in
• Ben writes in
• Nick writes in
• Sami writes in
• Christopher writes in ***