This episode was brought to you by

Headlines

Remote DoS in the TCP stack

• A pretty devious bug in the BSD network stack has been making its rounds for a while now, allowing remote attackers to exhaust the resources of a system with nothing more than TCP connections
• While in the LAST_ACK state, which is one of the final stages of a connection's lifetime, the connection can get stuck and hang there indefinitely
• This problem has a slightly confusing history that involves different fixes at different points in time from different people
• Juniper originally discovered the bug and announced a fix for their proprietary networking gear on June 8th
• On June 29th, FreeBSD caught wind of it and fixed the bug in their -current branch, but did not issue a security notice or MFC the fix back to the -stable branches
• On July 13th, two weeks later, OpenBSD fixed the issue in their -current branch with a slightly different patch, citing the FreeBSD revision from which the problem was found
• Immediately afterwards, they merged it back to -stable and issued an errata notice for 5.7 and 5.6
• On July 21st, three weeks after their original fix, FreeBSD committed yet another slightly different fix and issued a security notice for the problem (which didn't include the first fix)
• After the second fix from FreeBSD, OpenBSD gave them both another look and found their single fix to be sufficient, covering the timer issue in a more general way
• NetBSD confirmed they were vulnerable too, and applied another completely different fix to -current on July 24th, but haven't released a security notice yet
• DragonFly is also investigating the issue now to see if they're affected as well ***

c2k15 hackathon reports

• Reports from OpenBSD's latest hackathon, held in Calgary this time, are starting to roll in (there were over 40 devs there, so we might see a lot more of these)
• The first one, from Ingo Schwarze, talks about some of the mandoc work he did at the event
• He writes, "Did you ever look at a huge page in man, wanted to jump to the definition of a specific term - say, in ksh, to the definition of the "command" built-in command - and had to step through dozens of false positives with the less '/' and 'n' search keys before you finally found the actual definition?"
• With mandoc's new internal jump targets, this is a problem of the past now
• Jasper also sent in a report, doing his usual work with Puppet (and specifically "Facter," a tool used by Puppet to gather various bits of system information)
• Aside from that and various ports-related work, Jasper worked on adding tame support to some userland tools, fixing some Octeon stuff and introduced something that OpenBSD has oddly lacked until now: an "-i" flag for sed (hooray!)
• Antoine Jacoutot gave a report on what he did at the hackathon as well, including improvements to the rcctl tool (for configuring startup services)
• It now has an "ls" subcommand with status parsing, allowing you to list running services, stopped services or even ones that failed to start or are supposed to be running (he calls this "the poor man's service monitoring tool")
• He also reworked some of the rc.d system to allow smoother operation of multiple instances of the same daemon to run (using tor with different config files as an example)
• His list also included updating ports, updating ports documentation, updating the hotplug daemon and laying out some plans for automatic sysmerge for future upgrades
• Foundation director Ken Westerback was also there, getting some disk-related and laptop work done
• He cleaned up and committed the 4k sector softraid code that he'd been working on, as well as fixing some trackpad issues
• Stefan Sperling, OpenBSD's token "wireless guy," had a lot to say about the hackathon and what he did there (and even sent in his write-up before he got home)
• He taught tcpdump about some new things, including 802.11n metadata beacons (there's a lot more specific detail about this one in the report)
• Bringing a bag full of USB wireless devices with him, he set out to get the unsupported ones working, as well as fix some driver bugs in the ones that already did work
• One quote from Stefan's report that a lot of people seem to be talking about: "Partway through the hackathon tedu proposed an old diff of his to make our base ls utility display multi-byte characters. This led to a long discussion about how to expand UTF-8 support in base. The conclusion so far indicates that single-byte locales (such as ISO-8859-1 and KOI-8) will be removed from the base OS after the 5.8 release is cut. This simplifies things because the whole system only has to care about a single character encoding. We'll then have a full release cycle to bring UTF-8 support to more base system utilities such as vi, ksh, and mg. To help with this plan, I started organizing a UTF-8-focused hackathon for some time later this year."
• Jeremy Evans wrote in to talk about updating lots of ports, moving the ruby ports up to the latest version and also creating perl and ruby wrappers for the new tame subsystem
• While he's mainly a ports guy, he got to commit fixes to ports, the base system and even the kernel during the hackathon
• Rafael Zalamena, who got commit access at the event, gives his very first report on his networking-related hackathon activities
• With Rafael's diffs and help from a couple other developers, OpenBSD now has support for VPLS
• Jonathan Gray got a lot done in the area of graphics, working on OpenGL and Mesa, updating libdrm and even working with upstream projects to remove some GNU-specific code
• As he's become somewhat known for, Jonathan was also busy running three things in the background: clang's fuzzer, cppcheck and AFL (looking for any potential crashes to fix)
• Martin Pieuchot gave an write-up on his experience: "I always though that hackathons were the best place to write code, but what's even more important is that they are the best (well actually only) moment where one can discuss and coordinate projects with other developers IRL. And that's what I did."
• He laid out some plans for the wireless stack, discussed future plans for PF, made some routing table improvements and did various other bits to the network stack
• Unfortunately, most of Martin's secret plans seem to have been left intentionally vague, and will start to take form in the next release cycle
• We're still eagerly awaiting a report from one of OpenBSD's newest developers, Alexandr Nedvedicky (the Oracle guy who's working on SMP PF and some other PF fixes)
• OpenBSD 5.8's "beta" status was recently reverted, with the message "take that as a hint," so that may mean more big changes are still to come... ***

FreeBSD quarterly status report

• FreeBSD has published their quarterly status report for the months of April to June, citing it to be the largest one so far
• It's broken down into a number of sections: team reports, projects, kernel, architectures, userland programs, ports, documentation, Google Summer of Code and miscellaneous others
• Starting off with the cluster admin, some machines were moved to the datacenter at New York Internet, email services are now more resilient to failure, the svn mirrors (now just "svn.freebsd.org") are now using GeoGNS with official SSL certs and general redundancy was increased
• In the release engineering space, ARM and ARM64 work continues to improve on the Cavium ThunderX, more focus is being put into cloud platforms and the 10.2-RELEASE cycle is reaching its final stages
• The core team has been working on phabricator, the fancy review system, and is considering to integrate oauth support soon
• Work also continues on bhyve, and more operating systems are slowly gaining support (including the much-rumored Windows Server 2012)
• The report also covers recent developments in the Linux emulation layer, and encourages people using 11-CURRENT to help test out the 64bit support
• Multipath TCP was also a hot topic, and there's a brief summary of the current status on that patch (it will be available publicly soon)
• ZFSguru, a project we haven't talked about a lot, also gets some attention in the report - version 0.3 is set to be completed in early August
• PCIe hotplug support is also mentioned, though it's still in the development stages (basic hot-swap functions are working though)
• The official binary packages are now built more frequently than before with the help of additional hardware, so AMD64 and i386 users will have fresher ports without the need for compiling
• Various other small updates on specific areas of ports (KDE, XFCE, X11...) are also included in the report
• Documentation is a strong focus as always, a number of new documentation committers were added and some of the translations have been improved a lot
• Many other topics were covered, including foundation updates, conference plans, pkgsrc support in pkgng, ZFS support for UEFI boot and much more ***

The OpenSSH bug that wasn't

• There's been a lot of discussion about a supposed flaw in OpenSSH, allowing attackers to substantially amplify the number of password attempts they can try per session (without leaving any abnormal log traces, even)
• There's no actual exploit to speak of; this bug would only help someone get more bruteforce tries in with a fewer number of connections
• FreeBSD in its default configuration, with PAM and ChallengeResponseAuthentication enabled, was the only one vulnerable to the problem - not upstream OpenSSH, nor any of the other BSDs, and not even the majority of Linux distros
• If you disable all forms of authentication except public keys, like you're supposed to, then this is also not a big deal for FreeBSD systems
• Realistically speaking, it's more of a PAM bug than anything else
• OpenSSH added an additional check for this type of setup that will be in 7.0, but simply changing your sshd_config is enough to mitigate the issue for now on FreeBSD (or you can run freebsd-update) ***

Interview - Sebastian Wiedenroth - wiedi@netbsd.org / @wied0r

pkgsrc and pkgsrcCon

News Roundup

Now served by OpenBSD

• We've mentioned that you can also install OpenBSD on DO droplets, and this blog post is about someone who actually did it
• The use case for the author was for a webserver, so he decided to try out the httpd in base
• Configuration is ridiculously simple, and the config file in his example provides an HTTPS-only webserver, with plaintext requests automatically redirecting
• TLS 1.2 by default, strong ciphers with LibreSSL and HSTS combined give you a pretty secure web server ***

FreeBSD laptop playbooks

• A new project has started up on Github for configuring FreeBSD on various laptops, unsurprisingly named "freebsd-laptops"
• It's based on ansible, and uses the playbook format for automatic set up and configuration
• Right now, it's only working on a single Lenovo laptop, but the plan is to add instructions for many more models
• Check the Github page for instructions on how to get started, and maybe get involved if you're running FreeBSD on a laptop ***

NetBSD on the NVIDIA Jetson TK1

• If you've never heard of the Jetson TK1, we can go ahead and spoil the secret here: NetBSD runs on it
• As for the specs, it has a quad-core ARMv7 CPU at 2.3GHz, 2 gigs of RAM, gigabit ethernet, SATA, HDMI and mini-PCIE
• This blog post shows which parts of the board are working with NetBSD -current (which seems to be almost everything)
• You can even run X11 on it, pretty sweet ***

DragonFly power mangement options

• DragonFly developer Sepherosa, who we've had on the show, has been doing some ACPI work over there
• In this email, he presents some of DragonFly's different power management options: ACPI P-states, C-states, mwait C-states and some Intel-specific bits as well
• He also did some testing with each of them and gave his findings about power saving
• If you've been thinking about running DragonFly on a laptop, this would be a good one to read ***

OpenBSD router under FreeBSD bhyve

• If one BSD just isn't enough for you, and you've only got one machine, why not run two at once
• This article talks about taking a FreeBSD server running bhyve and making a virtualized OpenBSD router with it
• If you've been considering switching over your router at home or the office, doing it in a virtual machine is a good way to test the waters before committing to real hardware
• The author also includes a little bit of history on how he got into both operating systems
• There are lots of mixed opinions about virtualizing core network components, so we'll leave it up to you to do your research
• Of course, the next logical step is to put that bhyve host under Xen on NetBSD... ***

Feedback/Questions

• Kevin writes in
• Logan writes in
• Peter writes in
• Randy writes in ***

This episode was brought to you by

Headlines

AsiaBSDCon 2015 schedule

• Almost immediately after we finished recording an episode last week, the 2015 AsiaBSDCon schedule went up
• This year's conference will be between 12-15 March at the Tokyo University of Science in Japan
• The first and second days are for tutorials, as well as the developer summit and vendor summit
• Days four and five are the main event with the presentations, which Kris and Allan both made the cut for once again
• Not counting the ones that have yet to be revealed (as of the day we're recording this), there will be thirty-six different talks in all - four BSD-neutral, four NetBSD, six OpenBSD and twenty-two FreeBSD
• Summaries of all the presentations are on the timetable page if you scroll down a bit ***

FreeBSD foundation updates and more

• The FreeBSD foundation has posted a number of things this week, the first of which is their February 2015 status update
• It provides some updates on the funded projects, including PCI express hotplugging and FreeBSD on the POWER8 platform
• There's a FOSDEM recap and another update of their fundraising goal for 2015
• They also have two new blog posts: a trip report from SCALE13x and a featured "FreeBSD in the trenches" article about how a small typo caused a lot of ZFS chaos in the cluster
• "Then panic ensued. The machine didn't panic -- I did." ***

OpenBSD improves browser security

• No matter what OS you run on your desktop, the most likely entry point for an exploit these days is almost certainly the web browser
• Ted Unangst writes in to the OpenBSD misc list to introduce a new project he's working on, simply titled "improving browser security"
• He gives some background on the W^X memory protection in the base system, but also mentions that some applications in ports don't adhere to it
• For it to be enforced globally instead of just recommended, at least one browser (or specifically, one JIT engine) needs to be fixed to use it
• "A system that is 'all W^X except where it's not' is the same as a system that's not W^X. We've worked hard to provide a secure foundation for programs; we'd like to see them take advantage of it."
• The work is being supported by the OpenBSD foundation, and we'll keep you updated on this undertaking as more news about it is released
• There's also some discussion on Hacker News and Undeadly about it ***

NetBSD at Open Source Conference 2015 Tokyo

• The Japanese NetBSD users group has once again invaded a conference, this time in Tokyo
• There's even a spreadsheet of all the different platforms they were showing off at the booth (mostly ARM, MIPS, PowerPC and Landisk this time around)
• If you just can't get enough strange devices running BSD, check the mailing list post for lots of pictures
• Their next target is, as you might guess, AsiaBSDCon 2015 - maybe we'll run into them ***

Interview - Sean Bruno - sbruno@freebsd.org / @franknbeans

Cross-compiling packages with poudriere and QEMU

News Roundup

The Crypto Bone

• The Crypto Bone is a new device that's aimed at making encryption and secure communications easier and more accessible
• Under the hood, it's actually just a Beaglebone board, running stock OpenBSD with a few extra packages
• It includes a web interface for configuring keys and secure tunnels
• The source code is freely available for anyone interested in hacking on it (or auditing the crypto), and there's a technical overview of how everything works on their site
• If you don't want to teach your mom how to use PGP, buy her one of these(?) ***

BSD in the 2015 Google Summer of Code

• For those who don't know, GSoC is a way for students to get paid to work on a coding project for an open source organization
• Good news: both FreeBSD and OpenBSD were accepted for the 2015 event
• FreeBSD has a wiki page of ideas for people to work on
• OpenBSD also has an ideas page where you can see some of the initial things that might be interesting
• If you're a student looking to get involved with BSD development, this might be a great opportunity to even get paid to do it
• Who knows, you may even end up on the show if you work on a cool project
• GSoC will be accepting idea proposals starting March 16th, so you have some time to think about what you'd like to hack on ***

pfSense 2.3 roadmap

• The pfSense team has posted a new blog entry, detailing some of their plans for future versions
• PPTP will finally be deprecated, PHP will be updated to 5.6 and other packages will also get updated to newer versions
• PBIs are scheduled to be replaced with native pkgng packages
• Version 3.0, something coming much later, will be a major rewrite that gets rid of PHP entirely
• Their ultimate goal is for pfSense to be a package you can install atop of a regular FreeBSD install, rather than a repackaged distribution ***

PCBSD 10.1.2 security features

• PCBSD 10.1.2 will include a number of cool security features, some of which are detailed in a new blog post
• A new "personacrypt" utility is introduced, which allows for easy encryption and management of external drives for your home directory
• Going along with this, it also has a "stealth mode" that allows for one-time temporary home directories (but it doesn't self-destruct, don't worry)
• The LibreSSL integration also continues, and now packages will be built with it by default
• If you're using the Life Preserver utility for backups, it will encrypt the remote copy of your files in the next update
• They've also been working on introducing some new options to enable tunneling your traffic through Tor
• There will now be a fully-transparent proxy option that utilizes the switch to IPFW we mentioned last week
• A small disclaimer: remember that many things can expose your true IP when using Tor, so use this option at your own risk if you require full anonymity
• Look forward to Kris wearing a Tor shirt in future episodes ***

Feedback/Questions

• Antonio writes in
• Chris writes in
• Van writes in
• Stu writes in ***

Mailing List Gold

• H
• Pay up, mister Free
• Heritage protected
• Blind leading the blind
• What are the chances ***

This episode was brought to you by

Headlines

NetBSD at Hiroshima Open Source Conference

• NetBSD developers are hard at work, putting NetBSD on everything they can find
• At a technology conference in Hiroshima, some developers brought their exotic machines to put on display
• As usual, there are lots of pictures and a nice report from the conference ***

FreeBSD's Linux emulation overhaul

• For a long time, FreeBSD's emulation layer has been based on an ancient Fedora 10 system
• If you've ever needed to install Adobe Flash on BSD, you'll be stuck with all this extra junk
• With some recent work, that's been replaced with a recent CentOS release
• This opens up the door for newer versions of Skype to run on FreeBSD, and maybe even Steam someday ***

pfSense 2.2-BETA

• Big changes are coming in pfSense land, with their upcoming 2.2 release
• We talked to the developer a while back about future plans, and now they're finally out there
• The 2.2 branch will be based on FreeBSD 10-STABLE (instead of 8.3) and include lots of performance fixes
• It also includes some security updates, lots of package changes and updates and much more
• You can check the full list of changes on their wiki ***

NetBSD on the Raspberry Pi

• This article shows how you can install NetBSD on the ever-so-popular Raspberry Pi
• As of right now, you'll need to use a -CURRENT snapshot to do it
• It also shows how to grow the filesystem to fill up an SD card, some pkgsrc basics and how to get some initial things set up
• Can anyone find something that you can't install NetBSD on? ***

Interview - Steve Wills - swills@freebsd.org / @swills

Mentoring new BSD developers

News Roundup

MidnightBSD 0.5 released

• We don't hear a whole lot about MidnightBSD, but they've just released version 0.5
• It's got a round of the latest FreeBSD security patches, driver updates and various small things
• Maybe one of their developers could come on the show sometime and tell us more about the project ***

BSD Router Project 1.52 released

• The newest update for the BSD Router Project is out
• This version is based on a snapshot of 10-STABLE that's very close to 10.1-RELEASE
• It's mostly a bugfix release, but includes some small changes and package updates ***

Configuring a DragonFly BSD desktop

• We've done tutorials on how to set up a FreeBSD or OpenBSD desktop, but maybe you're more interested in DragonFly
• In this post from Justin Sherrill, you'll learn some of the steps to do just that
• He pulled out an old desktop machine, gave it a try and seems to be pleased with the results
• It includes a few Xorg tips, and there are some comments about the possibility of making a GUI DragonFly installer ***

Building a mini-ITX pfSense box

• Another week, another pfSense firewall build post
• This time, the author is installing to a Jetway J7F2, a mini-ITX device with four LAN ports
• He used to be a m0n0wall guy, but wanted to give the more modern pfSense a try
• Lots of great pictures of the hardware, which we always love ***

Feedback/Questions

• Damian writes in
• Jan writes in
• Dale writes in
• Joe writes in
• Bostjan writes in ***

This episode was brought to you by

Headlines

BSDCan 2014 talks and reports

• The majority of the BSDCan talks are finally uploaded, so prepare to be flooded with links
• Karl Lehenbauer's keynote (he's on next week's episode)
• Mariusz Zaborski and Pawel Jakub Dawidek, Capsicum and Casper (relevant to today's interview)
• Luigi Rizzo, In-kernel OpenvSwitch on FreeBSD
• Dwayne Hart, Migrating from Linux to FreeBSD for Backend Data Storage
• Warner Losh, NAND Flash and FreeBSD
• Simon Gerraty, FreeBSD bmake and Meta Mode
• Bob Beck, LibreSSL - The First 30 Days
• Henning Brauer, OpenBGPD Turns 10 Years Old
• Arun Thomas, BSD ARM Kernel Internals
• Peter Hessler, Using BGP for Realtime Spam Lists
• Pedro Giffuni, Features and Status of FreeBSD's Ext2 Implementation
• Matt Ahrens, OpenZFS Upcoming Features and Performance Enhancements
• Daichi Goto, Shellscripts and Commands
• Benno Rice, Keeping Current
• Sean Bruno, MIPS Router Hacking
• John-Mark Gurney, Optimizing GELI Performance
• Patrick Kelsey, Userspace Networking with libuinet
• Massimiliano Stucchi, IPv6 Transitioning Mechanisms
• Roger Pau Monné, Taking the Red Pill
• Shawn Webb, Introducing ASLR in FreeBSD
• There's also a trip report from Peter Hessler and one from Julio Merino
• The latter report also talks about how, unfortunately, NetBSD basically had no presence in the event at all (and how that's a recurring trend) ***

Defend your network and privacy with a VPN and OpenBSD

• After all the recent news about spying, backdoored routers, deep packet inspection and everything else, you might want to start taking steps at getting some privacy back
• This article describes how to set up a secure network gateway and VPN using OpenBSD and related crypto utilities
• There are bits for DHCP, DNS, OpenVPN, DNSCrypt and a watchdog script to make sure your tunnel is always being used
• You can transparently tunnel all your outbound traffic over the VPN with this configuration, nothing is needed on any of the client systems - this could also be used with Tor (but it would be very slow)
• It also includes a few general privacy tips, recommended browser extensions, etc
• The intro to the article is especially great, so give the whole thing a read
• He mentions our OpenBSD router guide and other tutorials being a big help for this setup, so hello if you're watching! ***

You should try FreeBSD

• In this blog post, the author talks a bit about how some Linux people aren't familiar with the BSDs and how we can take steps to change that
• He goes into some FreeBSD history specifically, then talks about some of the apparent (and not-so-apparent) differences between the two
• Possibly the most useful part is how to address the question "my server already works, why bother switching?"
• "Stackoverflow’s answers assume I have apt-get installed"
• It includes mention of the great documentation, stability, ports, improved security and much more
• A takeaway quote for would-be Linux switchers: "I like to compare FreeBSD to a really tidy room where you can find everything with your eyes closed. Once you know where the closets are, it is easy to just grab what you need, even if you have never touched it before" ***

OpenBSD and the little Mauritian contributor

• This is a story about a guy from Mauritius named Logan, one of OpenBSD's newest developers
• Back in 2010, he started sending in patched for OpenBSD's "mg" editor, among other small things, and eventually added file transfer resume support for SFTP
• The article talks about his journey from just a guy who submits a patch here and there to joining the developer ranks and even getting his picture taken with Theo at a recent hackathon
• It really shows how easy it is to get involved with the different BSDs and contribute back to the software ecosystem
• Congrats to Logan, and hopefully this will inspire more people to start helping out and contributing code back ***

Interview - Jon Anderson - jonathan@freebsd.org

Capsicum and Casperd

Tutorial

Encrypting DNS lookups

News Roundup

FreeBSD Journal, May 2014 issue

• The newest issue of the FreeBSD Journal is out, following the bi-monthly release cycle
• This time the topics include: a letter from the foundation, a ports report, some 9.3-RELEASE plans, an events calendar, an overview of ipfw, exploring network activity with dtrace, an article about kqueue, data distribution with dnssec and finally an article about TCP scaling
• Pick up your (digital) copy at Amazon, Google Play or on iTunes and have a read ***

LibreSSL porting update

• Since the last LibreSSL post we covered, a couple unofficial "portable" versions have died off
• Unfortunately, people still think they can just port LibreSSL to other BSDs and Linux all willy-nilly - stop doing that!
• This post reiterates that LibreSSL currently relies on a lot of OpenBSD-specific security functions that are not present in other systems, and also gives a very eye-opening example
• Please wait for an official portable version instead of wasting time with these dime-a-dozen github clones that do more harm than good ***

BSDMag May 2014 issue is out

• The usual monthly release from BSDMag, covering a variety of subjects
• This time around the topics include: managing large development projects using RCS, working with HAMMER FS and PFSes, running MeteorJS on FreeBSD 11, another bhyve article, more GIMP tutorials and a few other things
• It's a free PDF, go grab it ***

BSDTalk episode 241

• A new episode of BSDTalk is out, this time with Bob Beck
• He talks about the OpenBSD foundation's recent activities, his own work in the project, some stories about the hardware in Theo's basement and a lot more
• The interview itself isn't about LibreSSL at all, but they do touch on it a bit too
• Really interesting stuff, covers a lot of different topics in a short amount of time ***

Feedback/Questions

• We got a number of replies about last week's VPN question, so thanks to everyone who sent in an email about it - the vpnc package seems to be what we were looking for
• Tim writes in
• AJ writes in
• Peter writes in
• Thomas writes in
• Martin writes in ***

This episode was brought to you by

Headlines

BSDCan schedule, speakers and talks

• This year's BSDCan will kick off on May 14th in Ottawa
• The list of speakers is also out
• And finally the talks everyone's looking forward to
• Lots of great tutorials and talks, spanning a wide range of topics of interest
• Be sure to come by so you can and meet Allan and Kris in person and get BSDCan shirts ***

NYCBSDCon talks uploaded

• The BSD TV YouTube channel has been uploading recordings from the 2014 NYCBSDCon
• Jeff Rizzo's talk, "Releasing NetBSD: So Many Targets, So Little Time"
• Dru Lavigne's talk, "ZFS Management Tools in FreeNAS and PC-BSD"
• Scott Long's talk, "Serving one third of the Internet via FreeBSD"
• Michael W. Lucas' talk, "BSD Breaking Barriers" ***

FreeBSD Journal, issue 2

• The bi-monthly FreeBSD journal's second issue is out
• Topics in this issue include pkg, poudriere, the PBI format, hwpmc and journaled soft-updates
• In less than two months, they've already gotten over 1000 subscribers! It's available on Google Play, iTunes, Amazon, etc
• "We are also working on a dynamic version of the magazine that can be read in many web browsers, including those that run on FreeBSD"
• Check our interview with GNN for more information about the journal ***

OpenSSL, more like OpenSS-Hell

• We mentioned this huge OpenSSL bug last week during all the chaos, but the aftermath is just as messy
• There's been a pretty vicious response from security experts all across the internet and in all of the BSD projects - and rightfully so
• We finally have a timeline of events
• Reactions from ISC, PCBSD, Tarsnap, the Tor project, FreeBSD, NetBSD, oss-sec, PHK, Varnish and Akamai
• pfSense released a new version to fix it
• OpenBSD disabled heartbeat entirely and is very unforgiving of the IETF
• Ted Unangst has two good write-ups about the issue and how horrible the OpenSSL codebase is
• A nice quote from one of the OpenBSD lists: "Given how trivial one-liner fixes such as #2569 have remained unfixed for 2.5+ years, one can only assume that OpenSSL's bug tracker is only used to park bugs, not fix them"
• Sounds like someone else was having fun with the bug for a while too
• There's also another OpenSSL bug that OpenBSD patched - it allows an attacker to inject data from one connection into another
• OpenBSD has also imported the most current version of OpenSSL and are ripping it apart from the inside out - we're seeing a fork in real time ***

Interview - Jim Brown - info@bsdcertification.org

The BSD Certification exams

Tutorial

Building OpenBSD binary packages in bulk

News Roundup

Portable signify

• Back in episode 23 we talked with Ted Unangst about the new "signify" tool in OpenBSD
• Now there's a (completely unofficial) portable version of it on github
• If you want to verify your OpenBSD sets ahead of time on another OS, this tool should let you do it
• Maybe other BSD projects can adopt it as a replacement for gpg and incorporate it into their base systems ***

Foundation goals and updates

• The OpenBSD foundation has reached their 2014 goal of $150,000
• You can check their activities and goals to see where the money is going
• Remember that funding also goes to OpenSSH, which EVERY system uses and relies on everyday to protect their data
• The FreeBSD foundation has kicked off their spring fundraising campaign
• There's also a list of their activities and goals available to read through
• Be sure to support your favorite BSD, whichever one, so they can continue to make and improve great software that powers the whole internet ***

PCBSD weekly digest

• New PBI runtime that fixes stability issues and decreases load times
• "Update Center" is getting a lot of development and improvements
• Lots of misc. bug fixes and updates ***

Feedback/Questions

• There's a reddit thread we wanted to highlight - a user wants to show his friend BSD and why it's great
• Brad writes in
• Sha'ul writes in
• iGibbs writes in
• Matt writes in ***