Podcasts about safestack

  • 34PODCASTS
  • 42EPISODES
  • 44mAVG DURATION
  • ?INFREQUENT EPISODES
  • Mar 12, 2024LATEST

POPULARITY

20172018201920202021202220232024


Best podcasts about safestack

Latest podcast episodes about safestack

The Business of You with Rachel Gogos
129 | How Brand Reputation Can Give Your Business an Edge with Laura Bell Main

The Business of You with Rachel Gogos

Play Episode Listen Later Mar 12, 2024 32:53


If you're looking for creative ways to sell more without being salesy, building a strong brand reputation is the key.  Laura Bell Main is the Co-Founder and CEO of SafeStack, an online education platform offering flexible, high-quality, and people-focused secure development training for fast-moving companies. She and her co-founder have built a brand reputation as global leaders in secure software.  Laura is the co-author of Agile Application Security and Security for Everyone. Her work has been featured in international publications including WIRED and MIT Tech Review. She has presented at BlackHat USA and RenderATL, as well as leading international software development and cybersecurity conferences. Transition From Service-Based to Product Business Laura's business began as a consultancy. The first few years of SafeStack were dedicated to validating their framework and serving high-growth companies.  When Covid hit in 2020, those companies made drastic budget cuts and Laura and her co-founder started looking for creative ways to solve the same problems at a different price point. As the product side of the company took off, they decided to separate and sell the consultancy.  Now leading a team of 12, Laura is CEO and also the head of sales and marketing–which looks completely different now than it did in their service-based model.  Brand Marketing and Creative Sales Strategies SafeStack's target audience is software developers, who Laura says are resistant to traditional sales techniques. Instead, she and her co-founder have focused on building their brand reputation. Through speaking at conferences and high-quality content, they do as much as they can to build that reputation before starting a conversation with the customer. Another effective strategy has been creating opportunities to speak with their customers one-on-one, whether that's at an in-person event or interacting with them online. They use just enough automation to keep people moving forward through the sales process, but not so much that it feels impersonal. Approaching the conversation with empathy is key. Laura starts by talking the customer through their frustrations, helping them identify their biggest challenges before presenting a solution. She always gives the customer plenty of opportunities to ask questions.  After a customer starts using the product, Laura and her team are always on hand for support. They help leaders identify who's engaging and who may need more encouragement. For SafeStack, it's not just about adopting a new software but changing the entire team culture. Enjoy this episode with founder and CEO Laura Bell Main… Quotes “I moved between some really exciting organizations, but what stayed the same was I was always really curious…I was always pressing buttons and saying, 'I wonder what happens if I do this?'” “I don't sit around for a long time and say ‘This is going to be very hard' and stop.” “Software takes an entire team of people and all of these roles to build, and all of those people need to be involved in keeping it secure.”  “Culture change for a software is really difficult. We can't change it on our own, but we can make it easy for a leader to grow a program so they can change it.” “This is the year of getting out of my own way and caring a bit less about what other people think.” “When do I invest in the company brand and its name and put myself behind that label versus when do I lead with my brand, and how can they support each other?” Links mentioned in this episode: Visit Laura's website: https://www.laurabellmain.com/  SafeStack website: https://safestack.io/  Connect with Laura on LinkedIn: https://www.linkedin.com/in/lauradbell/

7 Figures Club: A Business Growth Podcast
222: Protect Your Business from Cyber Threats! (w/ LAURA BELL MAIN!)

7 Figures Club: A Business Growth Podcast

Play Episode Listen Later Mar 6, 2024 33:09


Laura Bell Main is a seasoned software developer, engaging storyteller, and adept application security specialist, known for her unique contribution to the security community. Her journey began as an apprentice software developer at 17, evolving through roles that include writing critical software for CERN and tackling technical counter-terrorism for the UK Government. She founded SafeStack, transitioning from a security consultant to leading an application security education platform, aiding companies in integrating security into their software development lifecycles effectively. In addition to her professional achievements, Laura has made significant contributions to cybersecurity education through founding In2securITy and co-authoring notable books like "Agile Application Security" and "Security for Everyone". Her insights are frequently shared in publications like Forbes and she is a recognized figure on the speaking circuit, including BlackHat USA and RenderATL. Beyond her professional life, Laura resides in New Zealand with her family, indulging in hobbies like reading epic fantasy, restoring old treasures, and macro photography. An introvert at heart, she's mastered the art of extroversion, captivating audiences with her calming voice and storytelling prowess, despite her aversion to being photographed. For More Info: https://www.laurabellmain.com/

The Secure Developer
Threat Modeling In The Age Of Artificial Intelligence With Laura Bell Main

The Secure Developer

Play Episode Listen Later Jan 29, 2024 45:15


Episode SummaryLaura Bell Main, CEO at SafeStack, discusses the two-fold implications of AI for threat modeling in DevSecOps. She highlights challenges in integrating AI systems, the importance of data verifiability, and the potential efficiencies AI tools can introduce. With guidance, she suggests it's possible to manage the complexities and ensure the responsible utilization of AI.Show NotesIn this intriguing episode of The Secure Developer, listen in as Laura Bell Main, CEO at SafeStack, dives into the intricate world of AI and its bearing on threat modeling. Laura provides a comprehensive glimpse into the dynamic landscape of application security, addressing its complexities and the pivotal role of artificial intelligence.Laura elucidates how AI has the potential to analyze vulnerabilities, identify risks, and make repetitive tasks efficient. As she delves deeper, she explores how AI can facilitate processes and significantly enhance security measures within the DevSecOps pipeline. She also highlights a crucial aspect - AI is not just an enabler but should be seen as a partner in achieving your security objectives.However, integrating AI into existing systems is not without its hurdles. Laura illustrates the complexities of utilizing third-party AI models, the vital importance of data verifiability, and the possible pitfalls of over-reliance on an LLM.As the conversation advances, Laura provides insightful advice to tackle these challenges head-on. She underscores the importance of due diligence, the effective management of AI integration, and the necessity of checks and balances. With proactive measures and responsible use, she affirms that AI has the potential to transform threat modeling.Don't miss this episode as Laura provides a thoughtful overview of the intersection of AI and threat modeling, offering important insights for anyone navigating the evolving landscape of DevSecOps. Whether you're a developer, a security enthusiast, or a tech leader, this episode is packed with valuable takeaways.LinksAgile Application SecuritySecurity for EveryoneMicrosoft STRIDEOWASP Top 10 for Large Language Model ApplicationsSnyk - The Developer Security CompanyFollow UsOur WebsiteOur LinkedIn

CIO Exchange Podcast
Moving Fast, Securely with Laura Bell Main, CEO of SafeStack

CIO Exchange Podcast

Play Episode Listen Later Jan 17, 2024 35:28


How can companies move fast, securely? In this episode, Yadin sits down with Laura Bell Main, CEO of SafeStack and co-author of the book Security for Everyone, to discuss securing organizations of all sizes, navigating security conversations when selling to large enterprises, and some common missteps with security and AI. Laura dives into practical tips for both growing a company and prioritizing security.---------Key Quotes:“We need to remember that security is the oldest problem there is, so it isn't something you grow into. It isn't something that suddenly appears one Tuesday morning and you're like, oh, right, security matters now.”“This is how your company is seen in the world. It's a bit crass to say security can help you sell, but it really kind of can.”“We're never going to win. We just have to give up on that entirely. There is no 100 percent secure, there's no done. That's okay, that's cool.”---------Timestamps:(01:16) How smaller organizations can become secure(05:21) Security can help you sell (06:05) Communicating security measures when pitching(08:54) Security and AI tools(11:01) Putting data in LLMs(17:24) AI explainability requirements in the EU(26:37) Understanding ROI in cybersecurity(32:40) The role of dopamine in cybersecurity--------Links:Laura Bell Main on LinkedInCIO Exchange on XYadin Porter de León on XOWASP Top 10 for Large Language Model Applications[Subscribe to the Podcast] On Apple PodcastFor more podcasts, video and in-depth research go to https://www.vmware.com/cio

Wings Of...Inspired Business
AI and Cybersecurity: Entrepreneur Laura Bell Main on Lack of AI Transparency and Supply Chain “Insecurity”

Wings Of...Inspired Business

Play Episode Listen Later Dec 5, 2023 39:49


Laura Bell Main is the co-founder and CEO of SafeStack, an online education platform offering flexible, high-quality, and people-focused secure development training for fast-moving companies, focusing on building application security skills, practices, and culture across the entire engineering team. With over 20 years of experience in software development and application security, Laura specializes in bringing Application Security and Secure Development practices into organizations worldwide. She also hosts the podcast Build Amazing Things Securely.

Tech Intersect™ with Tonya M. Evans
Tech Intersect #182: Laura Bell Main on Accessible and People-First Digital Security

Tech Intersect™ with Tonya M. Evans

Play Episode Listen Later Nov 6, 2023 23:00


Cyber attacks, data breaches, and identity theft are more prevalent than ever. We all know that digital security is important, but it can be overwhelming to get started with your security hygiene routine. And when starting a new business or online project, security is often the last thing on your mind. Laura Bell Main, one of the leaders in developing secure software, is here today to discuss accessible digital security, how security is a human problem and more. This week, episode 182 of the Tech Intersect™ Podcast is about making digital security people-driven and accessible to all! POWERED BY ADVANTAGE EVANS™ ACADEMY Navigate your way from cash to crypto with Digital Money Demystified. Dive into the definitive guide on crypto myths and truths by Professor Tonya M. Evans. This isn't just a book; it's a roadmap to the decentralized web's future of work, wealth, and creativity. Head over to DigitalMoneyDemystified.com and embark on your crypto journey today! Laura Bell Main is the CEO of SafeStack, a community-centric online training platform that takes a flexible, people-focused approach to ongoing secure development education at a time when it's never been more needed. With over twenty years of experience in software development and cyber security, she is the co-author of "Agile Application Security" (O'Reilly Media)  and "Security for Everyone" (Holloway). Her work has been featured in many international publications, including  WIRED and MIT Tech Review.Laura and I discuss:Understanding the human element in security.The importance of adding security into your company from the very beginning, and keeping up with your security needs as you grow.Making digital security practices accessible to everyone.How software development is changing, and the need for greater digital security.For more information on Laura's books and links to purchase, visit her website. To sign up for OneHourAppSec, you can check out SafeStack's website.CONNECT WITH LAURA BELL MAIN:LinkedInSafestack.ioWebsiteX (formerly Twitter)CONNECT WITH DR. TONYA M. EVANS:Questions and requests: hello@techintersectpodcast.com Follow: Twitter @AtTechIntersect | Instagram @TechIntersect Web: Tech Intersect Podcast  Connect for exclusive content: https://advantageevans.activehosted.com/f/6 RESOURCES:Buy the Book + Leave 5 Star Review Digital Money DemystifiedConsulting, Courses and Community: DigitalMoneyDemystified.cPreorder my book, Digital Money Demystified, at https://digitalmoneydemystified.com/ today!Regulate & The Rabbit Hole by Notty Prod licensed via Creative Commons Attribution-NoDerivatives 4.0 International License. Produced by Tonya M. Evans for Advantage Evans, LLC

Building With People For People: The Unfiltered Build Podcast
Ep. 27: Smiling Security - Sentinel Serenades with Laura Bell Main

Building With People For People: The Unfiltered Build Podcast

Play Episode Listen Later Oct 10, 2023 43:19


Your password must contain at least one uppercase letter, one lowercase letter, one number, a special character and be at least 8 characters long. These directions should be all too familiar to you when creating a new password for some new account you are signing up for. Have you ever stopped to think about why these requirements exist? Today, we are joined by, Laura Bell Main, a passionate cyber security expert who will share her journey with us into the wide world of security, help us understand the importance of security and ground us in a daunting world with simple and effective ways to secure our digital lives. Laura has been in the cyber security world for over 20 years. She has her Bachelors of Science in Computer Science and Artificial Intelligence, has worked for the New Zealand Internet Task Force, as a security consultant for various companies, was a board member for Hackers Helping Hackers and is an investor and advisor for Onwardly. Currently, she is the founder and CEO of SafeStack, a company dedicated to teaching the world how to secure the software we build. She is a published co-author of two books Security for Everyone and Agile Application Security and is spreading the good word of security best practices high and low. She says “to protect one of us we must protect all of us”. When she is not on her mission to build a team of 30 million security minded software developers she is spending time with her two daughters, restoring old mechanical things like 100 year old sowing machines and is an avid gardener. Connect with Laura: Website Twitter LinkedIn Show notes and helpful resources: 1 Hour Appsec - free application security program Build Amazing Things Podcast hosted by Laura Bell Main Smurf Attack Security is one of the oldest problems we have and it is very human - (video) Security is about how we protect the things that have value from other people who have sufficient motivation to take action to get them One key tip to protect your self in the digital world is to make sure your email password is very very strong Make sure you also look at the people around you in your life and give them support to protect their digital footprint “Minimum Viable Security” - The minimum amount of security you can do that takes care of your highest priority risks Security becomes a tool to increase sales and is a large part of software quality Maori sayings: “Kia Kaha” - Stay strong, be brave and “Kia Ora” - Hello Building something cool or solving interesting problems? Want to be on this show? Send me an email at jointhepodcast@unfilteredbuild.com Podcast produced by Unfiltered Build - dream.design.develop.

Women Who Code Radio
Talks Tech #49: How We Can Securely Build an Amazing Technology-Based Future

Women Who Code Radio

Play Episode Listen Later Oct 5, 2023 26:19


Meghan Pope, Director of Quality Assurance Engineering, sits down with Laura Bell Main, Founder and CEO of SafeStack, to learn about how we can build an amazing technology-based future securely. They discuss Laura's leadership path and how teaching is also a natural space for her. Video: https://youtu.be/-3E_jTJlSYg  Guest: Laura Bell Main, Founder and CEO, SafeStack Twitter: https://twitter.com/lady_nerd  Mastodon: https://infosec.exchange/@ladynerd  LinkedIn: https://www.linkedin.com/in/lauradbell https://safestack.io Host: Meghan Pope - Director of Quality Assurance Engineering, Fullbay LinkedIn: https://www.linkedin.com/in/meghanlpope/

Accelerate Your Business Growth
Making Cyber Security a Superpower

Accelerate Your Business Growth

Play Episode Listen Later Sep 25, 2023 29:29


Welcome to another episode of Accelerate Your Business Growth! In today's conversation, our guest, Laura Bell Main discusses the importance of cybersecurity for businesses of all sizes. Laura shares how security can be leveraged to not only protect companies but also to drive revenue and foster innovation. She emphasizes that instead of viewing cybersecurity as a daunting threat, businesses can use it as a superpower to showcase their maturity and attract larger customers. Join us as we unravel the ways in which security can be a differentiating factor and a tool for growth. Laura Bell Main is the Founder and CEO of SafeStack Academy. SafeStack is a mission-driven and community-centric online training platform that provides software development teams with the skills they need to build high-quality, secure software. Laura can enlighten your audience on how cyber security is necessary for all businesses, big and small, and how security can be used to increase revenue and as a tool for innovation. If you are a small business owner or salesperson who struggles with getting the sales results you are looking for, get your copy of Succeed Without Selling today. Learn the importance of Always Be Curious. Accelerate Your Business Growth is proud to be included on the list of the 45 Best Business Growth Podcasts. Each episode of this podcast provides insights and education around topics that are important to you as a business owner or leader. The content comes from people who are experts in their fields and who are interested in helping you be more successful. Whether it's sales challenges, leadership issues, hiring and talent struggles, marketing, seo, branding, time management, customer service, communication, podcasting, social media, cashflow, or publishing, the best and the brightest join the host, Diane Helbig, for a casual conversation. Discover programs, webinars, services, books, and other podcasts you can tap into for fresh ideas. Be sure to subscribe so you never miss an episode and visit Helbig Enterprises to explore the many ways Diane can help you improve your business outcomes and results. The Power of Security for Smaller Businesses: "And in those cases, security can be a bit of a superpower...the fact that you're taking those little steps to make your organization more secure can speed up your sales process." — Laura Bell Main 00:02:43 Protecting your Accounts: "The first thing we have to do is we have to kind of narrow our scope a little bit... You probably wanna pick the key 5 that would have the most impact on you or your business if they were compromised. So for me, that would be my email account. Email account is number 1 because that is pretty much the gateway to all of my other accounts. Probably my core business tools, like my payroll, my banking. I probably wanna care about those." — Laura Bell Main 00:06:30 Learn more about your ad choices. Visit megaphone.fm/adchoices

ceo founders power discover security superpowers cybersecurity diane helbig safestack laura bell main succeed without selling helbig enterprises
Beyond the Hype
DevSecOps, a portmanteau too far?

Beyond the Hype

Play Episode Listen Later Sep 4, 2023 40:23


In this episode, Oliver and Peter from Scott Logic are joined by Laura Bell Main, CEO and co-founder of SafeStack, for a lively discussion on DevSecOps. They touch on techniques such as “assume breach” and “shift left”, and the relationship to DevOps, which is trying to solve a similar problem. However, much of the discussion focused quite simply on security and the challenges this presents, especially when this so often falls to a very small team or an individual. Laura mentioned OneHourAppSec at the end of the recording. It's a free appsec program that helps software teams worldwide bring security to their software development lifecycle in just one hour per sprint. You can join at any time, from anywhere. She'd love you to check it out. Links from the podcast: The Assume Breach Paradigm  Shift left vs shift right: A DevOps mystery solved  

ceo devops devsecops portmanteau safestack laura bell main
The Engineering Leadership Podcast
Building your security team & tool stack w/ Laura Bell Main #146

The Engineering Leadership Podcast

Play Episode Listen Later Aug 22, 2023 48:10


This episode features all things security with our guest, Laura Bell Main, CEO & Founder @ SafeStack. She shares valuable strategies for building your security team & tool stack. We cover why security is a human problem based on human motivations, prioritization conversations for assessing risks, considerations for early-stage security teams, how behavior change & decision making impact security, and considerations for companies in the “messy middle” phase. Laura also addresses communicating about security in terms of tech debt, recommendations for incorporating security monitoring tools, how to measure those tools' ROI, and more.ABOUT LAURA BELL MAINWith over twenty years of experience in software development and information security, Laura Bell Main (@lady_nerd) specialises in bringing security into organisations of every shape and size.She is the co-founder and CEO of SafeStack, an online education platform offering flexible, high-quality, and people-focused secure development training for fast-moving companies, with a focus on building security skills, practices, and culture across the entire engineering team.Laura is an experienced conference speaker, trainer, and regular panel member, and has spoken at a range of events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset.She is also the co-author of Agile Application Security and Security for Everyone."The most important thing that we forget to tell folks when they're starting out in security is most of our tooling is about being more effective and efficient. It's not about doing something you can't do yourself. Security isn't about a magic box. I wish it was, it would be a lot easier if we could just buy a magic box. Done! Off we go to the beach, but what we have is a really human problem.”- Laura Bell Main    Join us at ELC Annual 2023!ELC Annual is our flagship conference for engineering leaders. You'll learn from experts in engineering and leadership, gain mentorship and support from like-minded professionals, expand your perspectives, build relationships across the tech industry, and leave with practical proven strategies.Join us this August 30-31 at the Fort Mason Center in San FranciscoFor tickets, head to https://sfelc.com/annual2023SHOW NOTES:What to do about security if you don't already have a security team (2:28)Security as a “human problem” in the scope of eng orgs (4:58)Why you need to understand human motivations (7:21)Prioritization frameworks & chaos engineering for assessing threats (9:14)Considerations for the early stages of forming a security org (11:47)Understanding security through a behavior change model (14:57)How to operationalize a security mindset within a software team (18:00)Examples of how decisions can flag security risks (20:50)Approaches for tracking & managing security as tech debt (23:20)Addressing security considerations as a “messy” middle-stage company (27:17)High friction aspects of security behavior change for eng orgs (30:51)Tips for knowing if you have the right security tool (34:41)How to evaluate the ROI of tools you're considering (38:06)Methods for incorporating security monitoring into your current tool stack (39:32)Rapid fire questions (42:45)LINKS AND RESOURCESThe Body Keeps The Score - The inspiring story of how a group of therapists and scientists— together with their courageous and memorable patients—has struggled to integrate recent advances in brain science, attachment research, and body awareness into treatments that can free trauma survivors from the tyranny of the past.Open source checklist for high-growth CTOsThis episode wouldn't have been possible without the help of our incredible production team:Patrick Gallagher - Producer & Co-HostJerry Li - Co-HostNoah Olberding - Associate Producer, Audio & Video Editor https://www.linkedin.com/in/noah-olberding/Dan Overheim - Audio Engineer, Dan's also an avid 3D printer - https://www.bnd3d.com/Ellie Coggins Angus - Copywriter, Check out her other work at https://elliecoggins.com/about/

Wild Hearts

Welcome back to another episode of Wild Hearts. One Blackbird described this week's episode as ‘My favourite episode yet. Laura is incredibly charismatic, I was riveted from start to finish!' Outtakes:  ✅ How cyber threats are shifting with the rise of AI ✅ The value of authenticity when community-building  ✅ A step by step guide to protecting your cyber borders ✅ The power of storytelling for teaching and learning Within the episode, we explore the shifting landscape of cybersecurity, where software developers are not just creators but custodians of security. Delving into the historical disconnect between CISOs (Chief information security officers) and engineering teams and how bridging this gap can enhance security measures in larger organisations. The growing awareness around third-party dependency risks - a concern that has prompted businesses to reflect on their exposure. Drawing an intriguing analogy, Laura likens each new piece of software or technology to adopting a puppy, bringing with it responsibilities and potential challenges that need to be managed. A key highlight is Laura's vision for the future, where every software developer dedicates time to security. She shares SafeStack's mission to protect companies of all scales, by empowering software teams worldwide to weave security throughout the development cycles.  Listen to hear how SafeStack will reach 13 million software developers, getting them to enjoy one hour of security every fortnight, regardless of the amazing technology they're building all through the power of storytelling. Episode highlights from Laura Bell Main:  “And what I realized was that to sell to people who were essentially just like me, I needed to. Sell to people like me and I wouldn't pick up a cold call, and I don't care about your marketing emails as pretty as they are.” “What we needed to be was authentically in the community sharing value with no strings attached. We needed to give people the chance to explore the product in a way that they, you know, they could do their research before they came to talk to someone.” “The teeny, tiny, scrappy little three people things. They need to do security too, and they've got no budget. Trying to sell to them is just, that's silly. Don't do that,  give them the free version. Give them just some essentials. They can get started. And that goodwill and that standing, cultivates with them. They grow with it. And so, as they grow, our hope is that they will grow into us.” “It's hard and every country has its own culture with doing this, so there's a lot to learn, but it's quite freeing now that we are able to say, Hey, we don't need to behave like the playbook security company. We can just be the company we need to be to get to our particular audience.” “Yeah.  it goes through how we teach, right? nobody wants to sit there and be bored to death by training. The best way to teach, especially when it's something to do with risk is stories.” “I'm really mission driven. I dunno whether it came from that before or I was already there, but it's, it's really empowering to go to work every day knowing that you're doing something that's bigger than yourself.” “I'm genuinely nerdily excited about technology. I, I feel like all of the things I used to read as a kid are coming to life in front of me, the good and the bad. And, yeah, I think it's a pretty cool time to be a technologist”

The Jeff Bullas Show
Protecting Your Business in a Modern Digital World

The Jeff Bullas Show

Play Episode Listen Later Jun 22, 2023 45:23


Laura Bell Main specializes in securing some of Australia and New Zealand's fastest-growing organizations. She has over twenty years of experience in software development and information security. It's her mission to bring security into organizations of every shape and size. Laura is the founder and CEO of SafeStack Academy, an online education platform offering flexible, high-quality, and people-focused, secure development training for fast-moving companies. SafeStack is a values-driven company on a mission to make cybersecurity accessible for everyone and any organization. “To protect each one of us, we must protect all of us,” this is the underpinning belief that drives Laura. Her company is pushing hard into this issue by attempting to train all of our organizations, big and small. Through free plans, student sponsorships, and sponsored communities, she is working towards a future where we no longer spend 99% of our security resources on 1% of our organizations. She is an experienced conference speaker, trainer, and regular panel member, and has spoken at a range of events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset. She is also the co-author of Agile Application Security and Security for Everyone. What you will learn What sparked Laura's passion for software engineering and computer security What inspired Laura to launch her own company in this industry The top 3 things a growing company can do to get started with security Discover the critical importance of software updates in protecting your systems Laura shares her best tips for enhancing the security of your WordPress site Learn how to reduce and prevent unwanted emails Uncover how to secure and grow your company Discover the opportunities and challenges for business security in the age of AI

IT TECH TALK
Laura Bell Main CEO of SafeStack

IT TECH TALK

Play Episode Listen Later Jun 2, 2023 30:09


With over twenty years of experience in software development and information security, Laura Bell Main specializes in bringing security into organizations of every shape and size. She is the co-founder and CEO of SafeStack, an online education platform offering flexible, high-quality, and people-focused secure development training for fast-moving companies, focusing on building security skills, practices, and culture across the entire engineering team. Laura is an experienced conference speaker, trainer, and regular panel member, and has spoken at various events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset. She is also the co-author of Agile Application Security and Security for Everyone.

ceo oscon laura bell safestack laura bell main
The Conference Room with Simon Lader
Ep. 106 - Building a Tech Startup From the Ground Up with Laura Bell Main

The Conference Room with Simon Lader

Play Episode Listen Later May 29, 2023 43:14


In this week's episode we welcome Laura Bell Main, CEO of application security vendor SafeStack to discuss her experience of being a company founder, pivoting from services to software and building her initial team. KEY TAKEAWAYS FROM THIS EPISODE Pivoting from services to software - the why and the how How to find your key initial hires How to hire when face to face interviewing isn't an option How to recognize hiring mistakes and damage limitation What driving stick can teach you about growing a business TODAY'S GUEST Laura Bell Main is the CEO of cybersecurity vendor SafeStack. Born and raised in the UK, she moved to New Zealand in 2011 and specializes in securing some of the world's fastest-growing organizations, having brought her application security vendor Safestack to clients in over 65 countries. She has over twenty years of experience in software development and information security. and it is her mission and passion to bring security into organizations of every shape and size. To find out more about SafeStack, visit www.safestack.io To connect with Laura, find her on LinkedIn YOUR HOST Simon Lader is the host of The Conference Room, Co-Founder of global executive search firm Salisi Human Capital, and podcast growth consultancy Viva Podcasts. Since 1997, Simon has helped cybersecurity vendors to build highly effective teams, and since 2022 he has helped people make money from podcasting. Get to know more about Simon at: Website: https://simonlader.com/ Make Money from Podcasting: https://www.vivapodcasts.com/podcastpowerups Twitter: https://twitter.com/simonlader LinkedIn: https://www.linkedin.com/in/headhuntersimonlader The Conference Room is available on Spotify, Apple Podcasts, Amazon Music, iHeartRadio and everywhere else you listen to podcasts!

Software Process and Measurement Cast
SPaMCAST 752 - Fast-Growing Companies And Security, A Conversation with Laura Bell Main

Software Process and Measurement Cast

Play Episode Listen Later Apr 23, 2023 36:34


SPaMCAST 752 features our interview with Laura Bell Main. We discuss the confluence of fast-growing companies and security. Maybe I should say collision instead of confluence. Note: Laura provides an incredible amount of wisdom in the interview; however, due to a user error (mine) I lost the first minute of the interview. The abrupt start of the interview means we hit the ground running with very little preamble. Laura Bell Main specializes in securing some of Australia and New Zealand's fastest-growing organizations. She has over twenty years of experience in software development and information security. It's her mission and passion to bring security into organizations of every shape and size.  Laura is the founder and CEO of SafeStack Academy, an online education platform offering flexible, high-quality, and people-focused, secure development training for fast-moving companies, with a focus on building security skills, practices, and culture across the entire engineering team. SafeStack is a value's driven company on a mission to make cybersecurity accessible for everyone and any organization.  “To protect each one of us, we must protect all of us” Connect With Laura Bell Main: www.Laurabellmain.com   www.safestack.io/   mobile.twitter.com/lady_nerd  www.nz.linkedin.com/in/lauradbel l    Re-read Saturday News! Chapter 3 of Team Topologies: Organizing Business And Technology Teams For Fast Flow by Matthew Skelton and Manuel Pais is titled Team First Thinking. Using teams to get work done in all walks of life is undeniable. Whether the idea of “team” emerged a century ago or last week is less important. What is important is the knowledge that very little work happens without teams. Team-first thinking makes simple sense.   Buy a copy and read along! - Team Topologies: Organizing Business And Technology Teams For Fast Flow Previous Installments: Week 1: Front Matter and Logistics – http://bit.ly/3nHGkW4  Week 2: The Problem With Org Charts – https://bit.ly/3zGGyQf  Week 3:  Conway's Law and Why It Matters - https://bit.ly/3muTVQE  Week 4: Team First Thinking - https://bit.ly/3H9xRSC  Next SPaMCAST  In SPaMCAST 753 we will return to our discussion of fatalism to examine the relationship between hierarchy, fatalism, and engagement.  We will also have a visit from Tony Timbol who will bring his To Tell A Story column to the podcast. 

The Coder Career
#64 - Laura Bell Main | CEO of SafeStack

The Coder Career

Play Episode Listen Later Apr 17, 2023 43:42


In this episode of The Coder Career podcast, host Cameron sits down with Laura Bell Main, the CEO of SafeStack, to discuss her journey into the technology industry and her experiences working in cyber security.Laura shares her fascinating career path, from her early beginnings at inland revenue to her current role leading SafeStack. As the conversation continues, Laura shares some of her craziest cyber security stories, including a case involving a casino heist all starting from a smart fishtank. She also shares some eye-opening insights into the world of cybercrime and how individuals and businesses can protect themselves from online threats.Finally, Laura discusses the mission of SafeStack and how they aim to educate everyone about cyber security. She shares some of the innovative approaches they use to make cyber security education accessible and engaging, and how they are working to empower individuals and organizations to protect themselves online.If you're interested in learning more about cyber security and how to stay safe online, this episode of The Coder Career is not to be missed!Cam's ContentSafeStack Hosted on Acast. See acast.com/privacy for more information.

ceo acast laura bell safestack laura bell main
The Coder Career
#64 - Laura Bell Main | CEO of SafeStack

The Coder Career

Play Episode Listen Later Apr 17, 2023 43:42


In this episode of The Coder Career podcast, host Cameron sits down with Laura Bell Main, the CEO of SafeStack, to discuss her journey into the technology industry and her experiences working in cyber security.Laura shares her fascinating career path, from her early beginnings at inland revenue to her current role leading SafeStack. As the conversation continues, Laura shares some of her craziest cyber security stories, including a case involving a casino heist all starting from a smart fishtank. She also shares some eye-opening insights into the world of cybercrime and how individuals and businesses can protect themselves from online threats.Finally, Laura discusses the mission of SafeStack and how they aim to educate everyone about cyber security. She shares some of the innovative approaches they use to make cyber security education accessible and engaging, and how they are working to empower individuals and organizations to protect themselves online.If you're interested in learning more about cyber security and how to stay safe online, this episode of The Coder Career is not to be missed!Cam's ContentSafeStack Hosted on Acast. See acast.com/privacy for more information.

ceo acast laura bell safestack laura bell main
That Tech Pod
Cybersecurity to ChatGPT: How to Truly Manage Security With CEO of SafeStack Laura Bell Mail

That Tech Pod

Play Episode Listen Later Apr 11, 2023 32:45


Today Laura and Kevin speak to Laura Bell Main, CEO of SafeStack about cybersecurity, threat modeling, and ChatGPT while also trying to determine who is the best Laura Laura Bell Main is the co-founder and CEO of SafeStack, an online education platform offering flexible, high-quality, and people-focused secure development training for fast-moving companies, with a focus on building security skills, practices, and culture across the entire engineering team. With over twenty years of experience in software development and information security, Laura Bell Main specializes in bringing security into organizations of every shape and size. Laura is an experienced conference speaker, trainer, and regular panel member, and has spoken at a range of events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset.  She is also the co-author of Agile Application Security and Security for Everyone.

Nothing About You Says Computer Technology
114. Protecting the Technology that will Change the World with Laura Bell Main

Nothing About You Says Computer Technology

Play Episode Listen Later Mar 26, 2023 26:13


Today we have an amazing episode.  I interviewed Laura Bell Main, the founder, and CEO of SafeStack, an online training platform. We chatted about her background and journey to becoming a tech founder, the work she does at SafeStack, and the importance of cybersecurity for everyone, along with diversity in cybersecurity.  I hope you enjoy our conversation.  You can visit the show's website at www.nothingaboutyou.com 

NZ Tech Podcast
Cybersecurity with SafeStack CEO - Laura Bell Main

NZ Tech Podcast

Play Episode Listen Later Mar 21, 2023 53:07


On this episode Paul Spain is joined by Laura Bell-Main, founder and CEO at SafeStack as they discuss the importance of Cybersecurity, as well as tech news from the week including:New Zealand to ban TikTok on devices linked to parliamentBlackbaud to pay $3m to settle SEC charge over ransomware misleading disclosuresGoogle/Samsung phones - modem bugs found in Android devices Microsoft's AI ethics and society teams laid off

CYBER24
Episode 185: Security from the Start

CYBER24

Play Episode Listen Later Mar 15, 2023 22:03


In this episode of the CYBER24 podcast, presented by VLCM, we discuss application security with Laura Bell Main, the founder and CEO of SafeStack. We discuss incentivizing security in software design and her belief that secure software is more than just the code developers write.PanelistsLaura Bell Main, CEO of Safestack

ceo security safestack laura bell main
Cybercrime Magazine Podcast
Cybersecurity Elevator Pitch: Community-Centric Online Cybersecurity Training. Provided by SafeStack

Cybercrime Magazine Podcast

Play Episode Listen Later Feb 17, 2023 1:08


SafeStack is a community-centric online training platform that takes a flexible, people-focused approach to ongoing cyber security education at a time when it's never been more needed. Everyone and every organization has the right to be safe and secure online. Combining courses, hands-on labs, and community, SafeStack helps you build a cyber security culture that lasts a lifetime. Get started for free ay https://safestack.io

Tech in the Right Direction
Understanding Software Security

Tech in the Right Direction

Play Episode Listen Later Nov 8, 2022 31:53


Join Jennifer and Laura Bell Main as they talk about the importance of Software security.  Software security is not just a business challenge, but a challenge for home computer users as well.  Laura Bell Main shares some great insights and tips that everyone can use to have a safer online experience. A little more about Laura Bell Main: Laura Bell Main specializes in securing some of Australia and New Zealand's fastest-growing organizations. She has over twenty years of experience in software development and information security. It's her mission and passion to bring security into organizations of every shape and size. Laura is the founder and CEO of SafeStack Academy, an online education platform offering flexible, high-quality, and people-focused, secure development training for fast moving companies, with a focus on building security skills, practices, and culture across the entire engineering team. SafeStack is a value's driven company on a mission to make cybersecurity accessible for everyone and any organization. “To protect each one of us, we must protect all of us” This is the underpinning belief that drives Laura. Her company pushing hard into this issue by attempting to train all of our organisations, big and small. Through free plans, student sponsorships and sponsored communities, she is working towards a future where we no longer spend 99% of our security resources on 1% of our organizations. She is an experienced conference speaker, trainer, and regular panel member, and has spoken at a range of events such as BlackHat USA, Velocity, and OSCON on the subjects of privacy, covert communications, agile security, and security mindset. She is also the co-author of Agile Application Security and Security for Everyone.

Talk Money To Me
How has the Venture Capital market been holding up in 2022? Damian Fox | Carthona Capital

Talk Money To Me

Play Episode Listen Later Oct 27, 2022 44:24


In this episode, Candice and Felicity chat to Damian Fox about his thoughts on Venture Capital and how it's faring in 2022. Damian's an impressive resume, having been involved in the fund from such an early stage, Damian has been instrumental in developing Carthona's investment approach and processes, and has had deep involvement across each of Carthona's portfolio investments and across all stages of their business life cycles. Notable investments that he has led at Carthona include its investments in Particular Audience, Cascade, CIM, Salad Technologies, and SafeStack. The ladies also talk to Damian about the evolution of the business, and how it's shifted to a more traditional venture capital fund structure, and is now deploying its third fund with approximately $400m in funds under management from a mix of Institutional (Superannuation), Family Office and High Net-worth investors.Follow Talk Money To Me on Instagram, or send Candice and Felicity an email with all your thoughts here. Felicity Thomas and Candice Bourke are Senior Advisers at Shaw and Partners, and you can find out more here. *****In the spirit of reconciliation, Equity Mates Media and the hosts of Talk Money To Me acknowledge the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respects to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander people today. *****Talk Money To Me is a product of Equity Mates Media. This podcast is intended for education and entertainment purposes. Any advice is general advice only, and has not taken into account your personal financial circumstances, needs or objectives. Before acting on general advice, you should consider if it is relevant to your needs and read the relevant Product Disclosure Statement. And if you are unsure, please speak to a financial professional. Equity Mates Media operates under Australian Financial Services Licence 540697.Talk Money To Me is part of the Acast Creator Network. Hosted on Acast. See acast.com/privacy for more information.

#robettLIVE
#robettLIVE Ep. 318 on TodayFM

#robettLIVE

Play Episode Listen Later Jul 10, 2022 94:58


This week our special guests are: Olivia Wensley, CEO of Start-up Queenstown Lakes Tall Poppy Profile with Laura Bell Main from SafeStack - a community-centric online training platform Young Bucks with Pieta Proudfoot LEARN / SHARE / REPEAT with Steve Papps sales and mindset performance coach Jolie Hodson, the CEO of Spark New Zealand Tune in every Saturday @ Midday on TodayFM www.TodayFM.co.nz /// www.robett.com --- Send in a voice message: https://anchor.fm/robett/message

ceo today fm safestack laura bell main
Business Is Boring
Going Global: with Laura Bell, SafeStack Academy

Business Is Boring

Play Episode Listen Later Jun 1, 2022 44:22


How do you take your business beyond Aotearoa to the world stage? Welcome to Going Global, a six part pop-up series where we find out. For its inaugural episode, Laura Bell, founder and CEO of SafeStack Academy, joins hosts Brianne West (CEO and founder of Ethique) and Simon Pound (Business is Boring) for a kōrero about everything from the export market for digital products, to how SafeStack Academy found itself helping world-class companies with their cybersecurity training.Going Global is brought to you in partnership with New Zealand Trade and Enterprise. NZTE wants to help more Kiwi businesses reach their global potential. Visit www.getthere.nz to find out more See acast.com/privacy for privacy and opt-out information.

Investment Fix
Episode 4: International VC with SafeStack and Jelix

Investment Fix

Play Episode Listen Later May 3, 2022 37:12


Aside from access to million-dollar investment funds, international venture capital can bring invaluable global connections and experience. In this episode of NZTE's Investment Fix podcast, we hear from SafeStack CEO and founder Laura Bell and Andrea Gardiner, CEO and founder of Australian venture capital firm Jelix Ventures. They talk about the path to securing overseas investment, the importance of 'fit', and how having the right international partner on your side can help drive your global ambitions.

Open the Pod Bay Doors
E135 - Laura Bell, SafeStack Academy

Open the Pod Bay Doors

Play Episode Listen Later Apr 13, 2022 55:16


Laura is the CEO and Founder of SafeStack Academy, a community-centric online education platform on a mission to give software developers, analysts and architects all of the skills they need to build secure internet software.Laura entered the workforce at 16 after telling quite a few lies to become an apprentice software developer for EDS. She put herself through her qualifications to get to university and night school and then went back to do her degree in her early 20s. During 2005/2006 she took a year out to work for Cern in Geneva before taking up a post for British Intelligence. After a number of years working in counterterrorism and counter online harm, Laura took a trip to NZ for 6 weeks and never left - 11 years later, she holds a passport and has 2 small kiwi children.Fascinated with how fast software was being built, Laura found a niche seeing that security wasn't adapting to this speed. With a newborn in tow, she took a leap and after winning a couple of high growth NZ clients, began her startup at the same time co-authoring a book - Agile Application Security.SafeStack began as a consultancy, embedded with software development teams but quickly moved towards being a training company. When COVID hit they lost 94% of revenue overnight. The pandemic was the catalyst to take SafeStack from a service business to a software business. The company breeds diversity; its superpower as Laura admits. 70% of SafeStack Academy's team and 100% of the board identify as female. They see diversity as a strength, hiring from different backgrounds, countries of origin, languages, religions, sexuality and gender. Its youngest employee is 23 and oldest is 59. Laura lives by the philosophy that every day is a school day and that you should share your failures.Quickfire Round:Book: Atomic Habits by James Clear / How to Be Successful Without Hurting Men's FeelingsPodcast: Risky BizNews Source: more international news than local - takes a little bit from here and thereTech CEO: HashiCorp - Aaron BadgerApp: New York Times Puzzle App, Freeflow - things that can turn off brainProductivity Tool: Miro, AsanaTV Show: fantasy with a good story that takes you on an adventure and outside your worldTed Talk: Restoring vintage sewing machines / Teach everyone to be a little less well behaved - breaking the rules helps you defend.

Provenance Marketing Show
Laura Bell - SafeStack Academy

Provenance Marketing Show

Play Episode Listen Later May 10, 2021 16:39


Listen now (16 min) | Launched in 2020, SafeStack Academy is an online cyber security and privacy education platform made by SafeStack. In this episode, we talk all things cyber security with Safestack founder Laura Bell. Show notes: 01:02 Introducing digital security to small businesses Get on the email list at www.akiwioriginal.com

Grow A Small Business Podcast
085: Aged 30 in 2015 and with only $300 in startup capital, started SafeStack, and diversified into online education in 2020. Within 5 months, had 4,000+ learners, $280,000 in annual revenues and 8 FTE (Laura Bell)

Grow A Small Business Podcast

Play Episode Listen Later Mar 7, 2021 22:15


In this episode, I interview Laura Bell, the Founder, and CEO of SafeStack Academy, a boutique cybersecurity company with a team that now stretches across New Zealand and Australia. With over a decade of experience in software development and information security, Laura specializes in bringing security survival skills, practices, and culture into fast-paced businesses and organizations of every shape and size.  An experienced conference speaker, trainer, and regular panel member, Laura has spoken at a range of events such as BlackHat USA, Velocity, OSCON, Kiwicon, Linux Conf AU, and Microsoft TechEd on the subjects of privacy, covert communications, agile security, and security mindset. Laura started SafeStack from a shared workspace back in 2015, aged 30 and with just $300 in startup capital. The business is currently focused on its online educational platform, which they launched in July 2020. Five months in, they had about 4,000 learners and were generating $280,000 in annual revenue with expectations to reach $1 Million within a year.  She was the sole full-time employee when she started the business and now has 8 full-time employees after peaking to seventeen a while back. Laura says the hardest thing in growing a small business for her has been trusting their journey to be different from other companies without focusing on what the other companies were doing. The one thing she says she would tell herself on day one of starting out is, “Believe in yourself more, be confident, don’t sweat the small stuff, and don’t let your anxiety get the best of you” Prepare to be blown away by Laura’s small business growth wisdom. This Cast Covers: Cybersecurity consulting for growing businesses and those that may not have their own internal security team. Generating revenue from the consultancy services and online educational platform. Rate quitting her job to go out on her own and fix everything she couldn’t fix before. Focusing on the online educational platform that they launched in 2020. From 0 to 4,000 learners within 5 months of being in operation and currently generating $280,000 a year in revenue which is projected to reach $1 Million. Giving time to ideas and opportunities that may not seem worthy in the present. Bootstrapping the business from the beginning and their current funding round. The valuable hiring lessons that Laura has learned over time and how it has positively impacted her business. Discovering that sales in cybersecurity are based on emotion and shared values. The power of being authentic to herself and finding confidence in her style of management. Navigating the roller coaster that is fast growth in small business. Overcoming challenges, continuous learning, and enjoying the flexibility that comes with being a small business owner. Scheduling your fitness time and health activities as if they are your most important client. Having success with hiring people who are outside her bubble and hiring through a recruiter. How she struggled with work-life balance in the beginning. Reading a lot on management, communication, and habits for her professional development. Additional Resources:   SafeStack Academy Thinking, Fast and Slow By Daniel Kahneman Atomic Habits By James Clear The Gift of Imperfection By Brené Brown   Music from https://filmmusic.io "Cold Funk" by Kevin MacLeod (https://incompetech.com). License: CC BY (http://creativecommons.org/licenses/by/4.0/

BSD Now
367: Changing jail datasets

BSD Now

Play Episode Listen Later Sep 10, 2020 45:28


A 35 Year Old Bug in Patch, Sandbox for FreeBSD, Changing from one dataset to another within a jail, You don’t need tmux or screen for ZFS, HardenedBSD August 2020 Status Report and Call for Donations, and more. NOTES This episode of BSDNow is brought to you by Tarsnap (https://www.tarsnap.com/) Headlines A 35 Year Old Bug in Patch (http://bsdimp.blogspot.com/2020/08/a-35-year-old-bug-in-patch-found-in.html) Larry Wall posted patch 1.3 to mod.sources on May 8, 1985. A number of versions followed over the years. It's been a faithful alley for a long, long time. I've never had a problem with patch until I embarked on the 2.11BSD restoration project. In going over the logs very carefully, I've discovered a bug that bites this effort twice. It's quite interesting to use 27 year old patches to find this bug while restoring a 29 year old OS... Sandbox for FreeBSD (https://www.relkom.sk/en/fbsd_sandbox.shtml) A sandbox is a software which artificially limits access to the specific resources on the target according to the assigned policy. The sandbox installs hooks to the kernel syscalls and other sub-systems in order to interrupt the events triggered by the application. From the application point of view, application working as usual, but when it wants to access, for instance, /dev/kmem the sandbox software decides against the assigned sandbox scheme whether to grant or deny access. In our case, the sandbox is a kernel module which uses MAC (Mandatory Access Control) Framework developed by the TrustedBSD team. All necessary hooks were introduced to the FreeBSD kernel. Source Code (https://gitlab.com/relkom/sandbox) Documentation (https://www.relkom.sk/en/fbsd_sandbox_docs.shtml) News Roundup Changing from one dataset to another within a jail (https://dan.langille.org/2020/08/16/changing-from-one-dataset-to-another-within-a-freebsd-iocage-jail/) ZFS has a the ability to share itself within a jail. That gives the jail some autonomy, and I like that. I’ve written briefly about that, specifically for iocage. More recently, I started using a zfs snapshot for caching clearing. The purpose of this post is to document the existing configuration of the production FreshPorts webserver and outline the plan on how to modify it for more zfs-snapshot-based cache clearing. You don’t need tmux or screen for ZFS (https://rubenerd.com/you-dont-need-tmux-or-screen-for-zfs/) Back in January I mentioned how to add redundancy to a ZFS pool by adding a mirrored drive. Someone with a private account on Twitter asked me why FreeBSD—and NetBSD!—doesn’t ship with a tmux or screen equivilent in base in order to daemonise the process and let them run in the background. ZFS already does this for its internal commands. HardenedBSD August 2020 Status Report and Call for Donations (https://hardenedbsd.org/article/shawn-webb/2020-08-15/hardenedbsd-august-2020-status-report-and-call-donations) This last month has largely been a quiet one. I've restarted work on porting five-year-old work from the Code Pointer Integrity (CPI) project into HardenedBSD. Chiefly, I've started forward-porting the libc and rtld bits from the CPI project and now need to look at llvm compiler/linker enhancements. We need to be able to apply SafeStack to shared objects, not just application binaries. This forward-porting work I'm doing is to support that effort. The infrastructure has settled and is now churning normally and happily. We're still working out bandwidth issues. We hope to have a new fiber line ran by the end of September. As part of this status report, I'm issuing a formal call for donations. I'm aiming for $4,000.00 USD for a newer self-hosted Gitea server. I hope to purchase the new server before the end of 2020. Important parts of Unix's history happened before readline support was common (https://utcc.utoronto.ca/~cks/space/blog/unix/TimeBeforeReadline) Unix and things that run on Unix have been around for a long time now. In particular, GNU Readline was first released in 1989 (as was Bash), which is long enough ago for it (or lookalikes) to become pretty much pervasive, especially in Unix shells. Today it's easy to think of readline support as something that's always been there. But of course this isn't the case. Unix in its modern form dates from V7 in 1979 and 4.2 BSD in 1983, so a lot of Unix was developed before readline and was to some degree shaped by the lack of it. Tarsnap This weeks episode of BSDNow was sponsored by our friends at Tarsnap, the only secure online backup you can trust your data to. Even paranoids need backups. Feedback/Questions Mason - mailserver (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/367/feedback/Mason%20-%20mailserver.md) casey - freebsd on decline (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/367/feedback/casey%20-%20freebsd%20on%20decline.md) denis - postgres (https://github.com/BSDNow/bsdnow.tv/blob/master/episodes/367/feedback/denis%20-%20postgres.md) *** Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) ***

BSD Now
316: git commit FreeBSD

BSD Now

Play Episode Listen Later Sep 18, 2019 65:04


NetBSD LLVM sanitizers and GDB regression test suite, Ada—The Language of Cost Savings, Homura - a Windows Games Launcher for FreeBSD, FreeBSD core team appoints a WG to explore transition to Git, OpenBSD 6.6 Beta tagged, Project Trident 12-U5 update now available, and more. Headlines LLVM santizers and GDB regression test suite. (http://blog.netbsd.org/tnf/entry/llvm_santizers_and_gdb_regression) As NetBSD-9 is branched, I have been asked to finish the LLVM sanitizer integration. This work is now accomplished and with MKLLVM=yes build option (by default off), the distribution will be populated with LLVM files for ASan, TSan, MSan, UBSan, libFuzzer, SafeStack and XRay. I have also transplanted basesystem GDB patched to my GDB repository and managed to run the GDB regression test-suite. NetBSD distribution changes I have enhanced and imported my local MKSANITIZER code that makes whole distribution sanitization possible. Few real bugs were fixed and a number of patches were newly written to reflect the current NetBSD sources state. I have also merged another chunk of the fruits of the GSoC-2018 project with fuzzing the userland (by plusun@). The following changes were committed to the sources: ab7de18d0283 Cherry-pick upstream compiler-rt patches for LLVM sanitizers 966c62a34e30 Add LLVM sanitizers in the MKLLVM=yes build 8367b667adb9 telnetd: Stop defining the same variables concurrently in bss and data fe72740f64bf fsck: Stop defining the same variable concurrently in bss and data 40e89e890d66 Fix build of tubsan/tubsanxx under MKSANITIZER b71326fd7b67 Avoid symbol clashes in tests/usr.bin/id under MKSANITIZER c581f2e39fa5 Avoid symbol clashes in fs/nfs/nfsservice under MKSANITIZER 030a4686a3c6 Avoid symbol clashes in bin/df under MKSANITIZER fd9679f6e8b1 Avoid symbol clashes in usr.sbin/ypserv/ypserv under MKSANITIZER 5df2d7939ce3 Stop defining _rpcsvcdirty in bss and data 5fafbe8b8f64 Add missing extern declaration of ibmachemips in installboot d134584be69a Add SANITIZERRENAMECLASSES in bsd.prog.mk 2d00d9b08eae Adapt tests/kernel/tsubrprf for MKSANITIZER ce54363fe452 Ship with sanitizer/lsan_interface.h for GCC 7 7bd5ee95e9a0 Ship with sanitizer/lsan_interface.h for LLVM 7 d8671fba7a78 Set NODEBUG for LLVM sanitizers 242cd44890a2 Add PAXCTL_FLAG rules for MKSANITIZER 5e80ab99d9ce Avoid symbol clashes in test/rump/modautoload/t_modautoload with sanitizers e7ce7ecd9c2a sysctl: Add indirection of symbols to remove clash with sanitizers 231aea846aba traceroute: Add indirection of symbol to remove clash with sanitizers 8d85053f487c sockstat: Add indirection of symbols to remove clash with sanitizers 81b333ab151a netstat: Add indirection of symbols to remove clash with sanitizers a472baefefe8 Correct the memset(3)'s third argument in i386 biosdisk.c 7e4e92115bc3 Add ATF c and c++ tests for TSan, MSan, libFuzzer 921ddc9bc97c Set NOSANITIZER in i386 ramdisk image 64361771c78d Enhance MKSANITIZER support 3b5608f80a2b Define targetnotsupported_body() in TSan, MSan and libFuzzer tests c27f4619d513 Avoids signedness bit shift in dbgetvalue() 680c5b3cc24f Fix LLVM sanitizer build by GCC (HAVE_LLVM=no) 4ecfbbba2f2a Rework the LLVM compiler_rt build rules 748813da5547 Correct the build rules of LLVM sanitizers 20e223156dee Enhance the support of LLVM sanitizers 0bb38eb2f20d Register syms.extra in LLVM sanitizer .syms files Almost all of the mentioned commits were backported to NetBSD-9 and will land 9.0. Homura - a Windows Games Launcher for FreeBSD (https://github.com/Alexander88207/Homura) Inspired by lutris (a Linux gaming platform), we would like to provide a game launcher to play windows games on FreeBSD. Makes it easier to run games on FreeBSD, by providing the tweaks and dependencies for you Dependencies curl bash p7zip zenity webfonts alsa-utils (Optional) winetricks vulkan-tools mesa-demos i386-wine-devel on amd64 or wine-devel on i386 News Roundup Ada—The Language of Cost Savings? (https://www.electronicdesign.com/embedded-revolution/ada-language-cost-savings) Many myths surround the Ada programming language, but it continues to be used and evolve at the same time. And while the increased adoption of Ada and SPARK, its provable subset, is slow, it’s noticeable. Ada already addresses more of the features found in found in heavily used embedded languages like C+ and C#. It also tackles problems addressed by upcoming languages like Rust. Chris concludes, “Development technologies have a profound impact on one of the largest and most variable costs associated with embedded-system engineering—labor. At a time when on-time system deployment can not only impact customer satisfaction, but access to services revenue streams, engineering team efficiency is at a premium. Our research showed that programming language choices can have significant influence in this area, leading to shorter projects, better schedules and, ultimately, lower development costs. While a variety of factors can influence and dictate language choice, our research showed that Ada’s evolution has made it an increasingly compelling option for engineering organizations, providing both technically and financially sound solution.” In general, Ada already makes embedded “programming in the large” much easier by handling issues that aren’t even addressed in other languages. Though these features are often provided by third-party software, it results in inconsistent practices among developers. Ada also supports the gamut of embedded platforms from systems like Arm’s Cortex-M through supercomputers. Learning Ada isn’t as hard as one might think and the benefits can be significant. FreeBSD core team appoints a WG to explore transitioning from Subversion to Git. (https://www.freebsd.org/news/status/report-2019-04-2019-06.html#FreeBSD-Core-Team) The FreeBSD Core Team is the governing body of FreeBSD. Core approved source commit bits for Doug Moore (dougm), Chuck Silvers (chs), Brandon Bergren (bdragon), and a vendor commit bit for Scott Phillips (scottph). The annual developer survey closed on 2019-04-02. Of the 397 developers, 243 took the survey with an average completion time of 12 minutes. The public survey closed on 2019-05-13. It was taken by 3637 users and had a 79% completion rate. A presentation of the survey results took place at BSDCan 2019. The core team voted to appoint a working group to explore transitioning our source code 'source of truth' from Subversion to Git. Core asked Ed Maste to chair the group as Ed has been researching this topic for some time. For example, Ed gave a MeetBSD 2018 talk on the topic. There is a variety of viewpoints within core regarding where and how to host a Git repository, however core feels that Git is the prudent path forward. OpenBSD 6.6 Beta tagged (https://undeadly.org/cgi?action=article;sid=20190810123243) ``` CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2019/08/09 21:56:02 Modified files: etc/root : root.mail share/mk : sys.mk sys/arch/macppc/stand/tbxidata: bsd.tbxi sys/conf : newvers.sh sys/sys : param.h usr.bin/signify: signify.1 Log message: move to 6.6-beta ``` Preliminary release notes (https://www.openbsd.org/66.html) Improved hardware support, including: clang(1) is now provided on powerpc. IEEE 802.11 wireless stack improvements: Generic network stack improvements: Installer improvements: Security improvements: + Routing daemons and other userland network improvements + The ntpd(8) daemon now gets and sets the clock in a secure way when booting even when a battery-backed clock is absent. + bgdp(8) improvements + Assorted improvements: + The filesystem buffer cache now more aggressively uses memory outside the DMA region, to improve cache performance on amd64 machines. The BER API previously internal to ldap(1), ldapd(8), ypldap(8), and snmpd(8) has been moved into libutil. See berreadelements(3). Support for specifying boot device in vm.conf(5). OpenSMTPD 6.6.0 LibreSSL 3.0.X API and Documentation Enhancements Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API. Documented undescribed options and removed unfunctional options description in openssl(1) manual. OpenSSH 8.0 Project Trident 12-U5 update now available (https://project-trident.org/post/2019-09-04_stable12-u5_available/) This is the fifth general package update to the STABLE release repository based upon TrueOS 12-Stable. Package changes from Stable 12-U4 Package Summary New Packages: 20 Deleted Packages: 24 Updated Packages: 279 New Packages (20) artemis (biology/artemis) : 17.0.1.11 catesc (games/catesc) : 0.6 dmlc-core (devel/dmlc-core) : 0.3.105 go-wtf (sysutils/go-wtf) : 0.20.0_1 instead (games/instead) : 3.3.0_1 lidarr (net-p2p/lidarr) : 0.6.2.883 minerbold (games/minerbold) : 1.4 onnx (math/onnx) : 1.5.0 openzwave-devel (comms/openzwave-devel) : 1.6.897 polkit-qt-1 (sysutils/polkit-qt) : 0.113.0_8 py36-traitsui (graphics/py-traitsui) : 6.1.2 rubygem-aws-sigv2 (devel/rubygem-aws-sigv2) : 1.0.1 rubygem-defaultvaluefor32 (devel/rubygem-defaultvaluefor32) : 3.2.0 rubygem-ffi110 (devel/rubygem-ffi110) : 1.10.0 rubygem-zeitwerk (devel/rubygem-zeitwerk) : 2.1.9 sems (net/sems) : 1.7.0.g20190822 skypat (devel/skypat) : 3.1.1 tvm (math/tvm) : 0.4.1440 vavoom (games/vavoom) : 1.33_15 vavoom-extras (games/vavoom-extras) : 1.30_4 Deleted Packages (24) geeqie (graphics/geeqie) : Unknown reason iriverter (multimedia/iriverter) : Unknown reason kde5 (x11/kde5) : Unknown reason kicad-doc (cad/kicad-doc) : Unknown reason os-nozfs-buildworld (os/buildworld) : Unknown reason os-nozfs-userland (os/userland) : Unknown reason os-nozfs-userland-base (os/userland-base) : Unknown reason os-nozfs-userland-base-bootstrap (os/userland-base-bootstrap) : Unknown reason os-nozfs-userland-bin (os/userland-bin) : Unknown reason os-nozfs-userland-boot (os/userland-boot) : Unknown reason os-nozfs-userland-conf (os/userland-conf) : Unknown reason os-nozfs-userland-debug (os/userland-debug) : Unknown reason os-nozfs-userland-devtools (os/userland-devtools) : Unknown reason os-nozfs-userland-docs (os/userland-docs) : Unknown reason os-nozfs-userland-lib (os/userland-lib) : Unknown reason os-nozfs-userland-lib32 (os/userland-lib32) : Unknown reason os-nozfs-userland-lib32-development (os/userland-lib32-development) : Unknown reason os-nozfs-userland-rescue (os/userland-rescue) : Unknown reason os-nozfs-userland-sbin (os/userland-sbin) : Unknown reason os-nozfs-userland-tests (os/userland-tests) : Unknown reason photoprint (print/photoprint) : Unknown reason plasma5-plasma (x11/plasma5-plasma) : Unknown reason polkit-qt5 (sysutils/polkit-qt) : Unknown reason secpanel (security/secpanel) : Unknown reason Beastie Bits DragonFlyBSD - msdosfs updates (https://www.dragonflydigest.com/2019/09/10/23472.html) Stand out as a speaker (https://science.sciencemag.org/content/365/6455/834.full) Not a review of the 7th Gen X1 Carbon (http://akpoff.com/archive/2019/not_a_review_of_the_lenovo_x1c7.html) FreeBSD Meets Linux At The Open Source Summit (https://www.tfir.io/2019/08/24/freebsd-meets-linux-at-the-open-source-summit/) QEMU VM Escape (https://blog.bi0s.in/2019/08/24/Pwn/VM-Escape/2019-07-29-qemu-vm-escape-cve-2019-14378/) Porting wine to amd64 on NetBSD, third evaluation report. (http://blog.netbsd.org/tnf/entry/porting_wine_to_amd64_on1) OpenBSD disabled DoH by default in Firefox (https://undeadly.org/cgi?action=article;sid=20190911113856) Feedback/Questions Reinis - GELI with UEFI (http://dpaste.com/0SG8630#wrap) Mason - Beeping (http://dpaste.com/1FQN173) [CHVT feedback] DJ - Feedback (http://dpaste.com/08M3XNH#wrap) Ben - chvt (http://dpaste.com/274RVCE#wrap) Harri - Marc's chvt question (http://dpaste.com/23R1YMK#wrap) Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv (mailto:feedback@bsdnow.tv) Your browser does not support the HTML5 video tag.

BSD Now
285: BSD Strategy

BSD Now

Play Episode Listen Later Feb 14, 2019 69:32


Strategic thinking to keep FreeBSD relevant, reflecting on the soul of a new machine, 10GbE Benchmarks On Nine Linux Distros and FreeBSD, NetBSD integrating LLVM sanitizers in base, FreeNAS 11.2 distrowatch review, and more. ##Headlines ###Strategic thinking, or what I think what we need to do to keep FreeBSD relevant Since I participate in the FreeBSD project there are from time to time some voices which say FreeBSD is dead, Linux is the way to go. Most of the time those voices are trolls, or people which do not really know what FreeBSD has to offer. Sometimes those voices wear blinders, they only see their own little world (were Linux just works fine) and do not see the big picture (like e.g. competition stimulates business, …) or even dare to look what FreeBSD has to offer. Sometimes those voices raise a valid concern, and it is up to the FreeBSD project to filter out what would be beneficial. Recently there were some mails on the FreeBSD lists in the sense of “What about going into direction X?”. Some people just had the opinion that we should stay where we are. In my opinion this is similarly bad to blindly saying FreeBSD is dead and following the masses. It would mean stagnation. We should not hold people back in exploring new / different directions. Someone wants to write a kernel module in (a subset of) C++ or in Rust… well, go ahead, give it a try, we can put it into the Ports Collection and let people get experience with it. This discussion on the mailinglists also triggered some kind of “where do we see us in the next years” / strategic thinking reflection. What I present here, is my very own opinion about things we in the FreeBSD project should look at, to stay relevant in the long term. To be able to put that into scope, I need to clarify what “relevant” means in this case. FreeBSD is currently used by companies like Netflix, NetApp, Cisco, Juniper, and many others as a base for products or services. It is also used by end‐users as a work‐horse (e.g. mailservers, webservers, …). Staying relevant means in this context, to provide something which the user base is interested in to use and which makes it more easy / fast for the user base to deliver whatever they want or need to deliver than with another kind of system. And this in terms of time to market of a solution (time to deliver a service like a web‐/mail‐/whatever‐server or product), and in terms of performance (which not only means speed, but also security and reliability and …) of the solution. I have categorized the list of items I think are important into (new) code/features, docs, polishing and project infrastructure. Links in the following usually point to documentation/HOWTOs/experiences for/with FreeBSD, and not to the canonical entry points of the projects or technologies. In a few cases the links point to an explanation in the wikipedia or to the website of the topic in question. ###Reflecting on The Soul of a New Machine Long ago as an undergraduate, I found myself back home on a break from school, bored and with eyes wandering idly across a family bookshelf. At school, I had started to find a calling in computing systems, and now in the den, an old book suddenly caught my eye: Tracy Kidder’s The Soul of a New Machine. Taking it off the shelf, the book grabbed me from its first descriptions of Tom West, captivating me with the epic tale of the development of the Eagle at Data General. I — like so many before and after me — found the book to be life changing: by telling the stories of the people behind the machine, the book showed the creative passion among engineers that might otherwise appear anodyne, inspiring me to chart a course that might one day allow me to make a similar mark. Since reading it over two decades ago, I have recommended The Soul of a Machine at essentially every opportunity, believing that it is a part of computing’s literary foundation — that it should be considered our Odyssey. Recently, I suggested it as beach reading to Jess Frazelle, and apparently with perfect timing: when I saw the book at the top of her vacation pile, I knew a fuse had been lit. I was delighted (though not at all surprised) to see Jess livetweet her admiration of the book, starting with the compelling prose, the lucid technical explanations and the visceral anecdotes — but then moving on to the deeper technical inspiration she found in the book. And as she reached the book’s crescendo, Jess felt its full power, causing her to reflect on the nature of engineering motivation. Excited to see the effect of the book on Jess, I experienced a kind of reflected recommendation: I was inspired to (re-)read my own recommendation! Shortly after I started reading, I began to realize that (contrary to what I had been telling myself over the years!) I had not re-read the book in full since that first reading so many years ago. Rather, over the years I had merely revisited those sections that I remembered fondly. On the one hand, these sections are singular: the saga of engineers debugging a nasty I-cache data corruption issue; the young engineer who implements the simulator in an impossibly short amount of time because no one wanted to tell him that he was being impossibly ambitious; the engineer who, frustrated with a nanosecond-scale timing problem in the ALU that he designed, moved to a commune in Vermont, claiming a desire to deal with “no unit of time shorter than a season”. But by limiting myself to these passages, I was succumbing to the selection bias of my much younger self; re-reading the book now from start to finish has given new parts depth and meaning. Aspects that were more abstract to me as an undergraduate — from the organizational rivalries and absurdities of the industry to the complexities of West’s character and the tribulations of the team down the stretch — are now deeply evocative of concrete episodes of my own career. See Article for rest… ##News Roundup ###Out-Of-The-Box 10GbE Network Benchmarks On Nine Linux Distributions Plus FreeBSD 12 Last week I started running some fresh 10GbE Linux networking performance benchmarks across a few different Linux distributions. That testing has now been extended to cover nine Linux distributions plus FreeBSD 12.0 to compare the out-of-the-box networking performance. Tested this round alongside FreeBSD 12.0 was Antergos 19.1, CentOS 7, Clear Linux, Debian 9.6, Fedora Server 29, openSUSE Leap 15.0, openSUSE Tumbleweed, Ubuntu 18.04.1 LTS, and Ubuntu 18.10. All of the tests were done with a Tyan S7106 1U server featuring two Intel Xeon Gold 6138 CPUs, 96GB of DDR4 system memory, and Samsung 970 EVO SSD. For the 10GbE connectivity on this server was an add-in HP NC523SFP PCIe adapter providing two 10Gb SPF+ ports using a QLogic 8214 controller. Originally the plan as well was to include Windows Server 2016/2019. Unfortunately the QLogic driver download site was malfunctioning since Cavium’s acquisition of the company and the other Windows Server 2016 driver options not panning out and there not being a Windows Server 2019 option. So sadly that Windows testing was thwarted so I since started testing over with a Mellanox Connectx-2 10GbE NIC, which is well supported on Windows Server and so that testing is ongoing for the next article of Windows vs. Linux 10 Gigabit network performance plus some “tuned” Linux networking results too. ###Integration of the LLVM sanitizers with the NetBSD base system Over the past month I’ve merged the LLVM compiler-rt sanitizers (LLVM svn r350590) with the base system. I’ve also managed to get a functional set of Makefile rules to build all of them, namely: ASan, UBSan, TSan, MSan, libFuzzer, SafeStack, XRay. In all supported variations and modes that are supported by the original LLVM compiler-rt package. ###Distrowatch FreeNAS 11.2 review The project’s latest release is FreeNAS 11.2 and, at first, I nearly overlooked the new version because it appeared to be a minor point release. However, a lot of work went into the new version and 11.2 offers a lot of changes when compared next to 11.1, “including a major revamp of the web interface, support for self-encrypting drives, and new, backwards-compatible REST and WebSocket APIs. This update also introduces iocage for improved plugins and jails management and simplified plugin development.” ##Beastie Bits Instructions for installing rEFInd to dual boot a computer with FreeBSD and windows (and possibly other OSes as well). NetBSD desktop pt.6: “vi(1) editor, tmux and unicode $TERM” Unix flowers FreeBSD upgrade procedure using GPT Pull-based Backups using OpenBSD base* Developing WireGuard for NetBSD OpenZFS User Conference, April 18-19, Norwalk CT KnoxBug Feb 25th ##Feedback/Questions Jake - C Programming Farhan - Explanation of rtadvd Nelson - Bug Bounties on Open-Source Software Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

BSD Now
Episode 280: FOSS Clothing | BSD Now 280

BSD Now

Play Episode Listen Later Jan 10, 2019 52:23


A EULA in FOSS clothing, NetBSD with more LLVM support, Thoughts on FreeBSD 12.0, FreeBSD Performance against Windows and Linux on Xeon, Microsoft shipping NetBSD, and more. Headlines A EULA in FOSS clothing? There was a tremendous amount of reaction to and discussion about my blog entry on the midlife crisis in open source. As part of this discussion on HN, Jay Kreps of Confluent took the time to write a detailed response — which he shortly thereafter elevated into a blog entry. Let me be clear that I hold Jay in high regard, as both a software engineer and an entrepreneur — and I appreciate the time he took to write a thoughtful response. That said, there are aspects of his response that I found troubling enough to closely re-read the Confluent Community License — and that in turn has led me to a deeply disturbing realization about what is potentially going on here. To GitHub: Assuming that this is in fact a EULA, I think it is perilous to allow EULAs to sit in public repositories. It’s one thing to have one click through to accept a license (though again, that itself is dubious), but to say that a git clone is an implicit acceptance of a contract that happens to be sitting somewhere in the repository beggars belief. With efforts like choosealicense.com, GitHub has been a model in guiding projects with respect to licensing; it would be helpful for GitHub’s counsel to weigh in on their view of this new strain of source-available proprietary software and the degree to which it comes into conflict with GitHub’s own terms of service. To foundations concerned with software liberties, including the Apache Foundation, the Linux Foundation, the Free Software Foundation, the Electronic Frontier Foundation, the Open Source Initiative, and the Software Freedom Conservancy: the open source community needs your legal review on this! I don’t think I’m being too alarmist when I say that this is potentially a dangerous new precedent being set; it would be very helpful to have your lawyers offer their perspectives on this, even if they disagree with one another. We seem to be in some terrible new era of frankenlicenses, where the worst of proprietary licenses are bolted on to the goodwill created by open source licenses; we need your legal voices before these creatures destroy the village! NetBSD and LLVM NetBSD entering 2019 with more complete LLVM support I’m recently helping the NetBSD developers to improve the support for this operating system in various LLVM components. As you can read in my previous report, I’ve been focusing on fixing build and test failures for the purpose of improving the buildbot coverage. Previously, I’ve resolved test failures in LLVM, Clang, LLD, libunwind, openmp and partially libc++. During the remainder of the month, I’ve been working on the remaining libc++ test failures, improving the NetBSD clang driver and helping Kamil Rytarowski with compiler-rt. The process of upstreaming support to LLVM sanitizers has been finalized I’ve finished the process of upstreaming patches to LLVM sanitizers (almost 2000LOC of local code) and submitted to upstream new improvements for the NetBSD support. Today out of the box (in unpatched version) we have support for a variety of compiler-rt LLVM features: ASan (finds unauthorized memory access), UBSan (finds unspecified code semantics), TSan (finds threading bugs), MSan (finds uninitialized memory use), SafeStack (double stack hardening), Profile (code coverage), XRay (dynamic code tracing); while other ones such as Scudo (hardened allocator) or DFSan (generic data flow sanitizer) are not far away from completeness. The NetBSD support is no longer visibly lacking behind Linux in sanitizers, although there are still failing tests on NetBSD that are not observed on Linux. On the other hand there are features working on NetBSD that are not functional on Linux, like sanitizing programs during early initialization process of OS (this is caused by /proc dependency on Linux that is mounted by startup programs, while NetBSD relies on sysctl(3) interfaces that is always available). News Roundup Thoughts on FreeBSD 12.0 Playing with FreeBSD with past week I don’t feel as though there were any big surprises or changes in this release compared to FreeBSD 11. In typical FreeBSD fashion, progress tends to be evolutionary rather than revolutionary, and this release feels like a polished and improved incremental step forward. I like that the installer handles both UFS and ZFS guided partitioning now and in a friendly manner. In the past I had trouble getting FreeBSD’s boot menu to work with boot environments, but that has been fixed for this release. I like the security options in the installer too. These are not new, but I think worth mentioning. FreeBSD, unlike most Linux distributions, offers several low-level security options (like hiding other users’ processes and randomizing PIDs) and I like having these presented at install time. It’s harder for people to attack what they cannot see, or predict, and FreeBSD optionally makes these little adjustment for us. Something which stands out about FreeBSD, compared to most Linux distributions I run, is that FreeBSD rarely holds the user’s hand, but also rarely surprises the user. This means there is more reading to do up front and new users may struggle to get used to editing configuration files in a text editor. But FreeBSD rarely does anything unless told to do it. Updates rarely change the system’s behaviour, working technology rarely gets swapped out for something new, the system and its applications never crashed during my trial. Everything was rock solid. The operating system may seem like a minimal, blank slate to new users, but it’s wonderfully dependable and predictable in my experience. I probably wouldn’t recommend FreeBSD for desktop use. It’s close relative, GhostBSD, ships with a friendly desktop and does special work to make end user applications run smoothly. But for people who want to run servers, possible for years without change or issues, FreeBSD is a great option. It’s also an attractive choice, in my opinion, for people who like to build their system from the ground up, like you would with Debian’s server install or Arch Linux. Apart from the base tools and documentation, there is nothing on a FreeBSD system apart from what we put on it. FreeBSD 12.0 Performance Against Windows & Linux On An Intel Xeon Server Last week I posted benchmarks of Windows Server 2019 against various Linux distributions using a Tyan dual socket Intel Xeon server. In this article are some complementary results when adding in the performance of FreeBSD 11.2 against the new FreeBSD 12.0 stable release for this leading BSD operating system. As some fun benchmarks to end out 2018, here are the results of FreeBSD 11.2/12.0 (including an additional run when using GCC rather than Clang) up against Windows Server and several enterprise-ready Linux distributions. While FreeBSD 12.0 had picked up just one win of the Windows/Linux comparisons run, the FreeBSD performance is moving in the right direction. FreeBSD 12.0 was certainly faster than FreeBSD 11.2 on this dual Intel Xeon Scalable server based on a Tyan 1U platform. Meanwhile, to no surprise given the data last week, Clear Linux was by far the fastest out-of-the-box operating system tested. I did run some extra benchmarks on FreeBSD 11.2/12.0 with this hardware: in total I ran 120 benchmarks for these BSD tests. Of the 120 tests, there were just 15 cases where FreeBSD 11.2 was faster than 12.0. Seeing FreeBSD 12.0 faster than 11.2 nearly 90% of the time is an accomplishment and usually with other operating systems we see more of a mixed bag on new releases with not such solidly better performance. It was also great seeing the competitive performance out of FreeBSD when using the Clang compiler for the source-based tests compared to the GCC8 performance. Additional data available via this OpenBenchmarking.org result file. How NetBSD came to be shipped by Microsoft Google cache in case the site is down In 2000, Joe Britt, Matt Hershenson and Andy Rubin formed Danger Incorporated. Danger developed the world’s first recognizable smartphone, the Danger HipTop. T-Mobile sold the first HipTop under the brand name Sidekick in October of 2002. Danger had a well developed kernel that had been designed and built in house. The kernel came to be viewed as not a core intellectual property and Danger started a search for a replacement. For business reasons, mostly to do with legal concerns over the Gnu Public License, Danger rejected Linux and began to consider BSD Unix as a replacement for the kernel. In 2006 I was hired by Mike Chen, the manager of the kernel development group to investigate the feasibility of replacing the Danger kernel with a BSD kernel, to select the version of BSD to use, to develop a prototype and to develop the plan for adapting BSD to Danger’s requirements. NetBSD was easily the best choice among the BSD variations at the time because it had well developed cross development tools. It was easy to use a NetBSD desktop running an Intel release to cross compile a NetBSD kernel and runtime for a device running an ARM processor. (Those interested in mailing list archaeology might be amused to investigate NetBSD technical mailing list for mail from picovex, particularly from Bucky Katz at picovex.) We began product development on the specific prototype of the phone that would become the Sidekick LX2009 in 2007 and contracts for the phone were written with T-Mobile. We were about half way through the two year development cycle when Microsoft purchased Danger in 2008. Microsoft would have preferred to ship the Sidekick running Windows/CE rather than NetBSD, but a schedule analysis performed by me, and another by an independent outside contractor, indicated that doing so would result in unacceptable delay. Beastie Bits Unleashed 1.2 Released 35th CCC - Taming the Chaos: Can we build systems that actually work? Potholes to avoid when migrating to IPv6 XScreenSaver 5.42 SSH Examples and Tunnels Help request - mbuf(9) - request for comment NSA to release free Reverse Engineering Tool Running FreeBSD on a Raspberry Pi3 using a custom image created with crochet and poudriere Feedback/Questions Dries - Lets talk a bit about VIMAGE jails ohb - Question About ZFS Root Dataset Micah - Active-Active NAS Sync recommendations Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

BSD Now
Episode 272: Detain the bhyve | BSD Now 272

BSD Now

Play Episode Listen Later Nov 15, 2018 68:39


Byproducts of reading OpenBSD’s netcat code, learnings from porting your own projects to FreeBSD, OpenBSD’s unveil(), NetBSD’s Virtual Machine Monitor, what 'dependency' means in Unix init systems, jailing bhyve, and more. ##Headlines ###The byproducts of reading OpenBSD netcat code When I took part in a training last year, I heard about netcat for the first time. During that class, the tutor showed some hacks and tricks of using netcat which appealed to me and motivated me to learn the guts of it. Fortunately, in the past 2 months, I was not so busy that I can spend my spare time to dive into OpenBSD‘s netcat source code, and got abundant byproducts during this process. (1) Brush up socket programming. I wrote my first network application more than 10 years ago, and always think the socket APIs are marvelous. Just ~10 functions (socket, bind, listen, accept…) with some IO multiplexing buddies (select, poll, epoll…) connect the whole world, wonderful! From that time, I developed a habit that is when touching a new programming language, network programming is an essential exercise. Even though I don’t write socket related code now, reading netcat socket code indeed refresh my knowledge and teach me new stuff. (2) Write a tutorial about netcat. I am mediocre programmer and will forget things when I don’t use it for a long time. So I just take notes of what I think is useful. IMHO, this “tutorial” doesn’t really mean teach others something, but just a journal which I can refer when I need in the future. (3) Submit patches to netcat. During reading code, I also found bugs and some enhancements. Though trivial contributions to OpenBSD, I am still happy and enjoy it. (4) Implement a C++ encapsulation of libtls. OpenBSD‘s netcat supports tls/ssl connection, but it needs you take full care of resource management (memory, socket, etc), otherwise a small mistake can lead to resource leak which is fatal for long-live applications (In fact, the two bugs I reported to OpenBSD are all related resource leak). Therefore I develop a simple C++ library which wraps the libtls and hope it can free developer from this troublesome problem and put more energy in application logic part. Long story to short, reading classical source code is a rewarding process, and you can consider to try it yourself. ###What I learned from porting my projects to FreeBSD Introduction I set up a local FreeBSD VirtualBox VM to test something, and it seems to work very well. Due to the novelty factor, I decided to get my software projects to build and pass the tests there. The Projects https://github.com/shlomif/shlomif-computer-settings/ (my dotfiles). https://web-cpan.shlomifish.org/latemp/ https://fc-solve.shlomifish.org/ https://www.shlomifish.org/open-source/projects/black-hole-solitaire-solver/ https://better-scm.shlomifish.org/source/ http://perl-begin.org/source/ https://www.shlomifish.org/meta/site-source/ Written using a mix of C, Perl 5, Python, Ruby, GNU Bash, XML, CMake, XSLT, XHTML5, XHTML1.1, Website META Language, JavaScript and more. Work fine on several Linux distributions and have https://en.wikipedia.org/wiki/TravisCI using Ubuntu 14.04 hosts Some pass builds and tests on AppVeyor/Win64 What I Learned: FreeBSD on VBox has become very reliable Some executables on FreeBSD are in /usr/local/bin instead of /usr/bin make on FreeBSD is not GNU make m4 on FreeBSD is not compatible with GNU m4 Some CPAN Modules fail to install using local-lib there DocBook/XSL Does Not Live Under /usr/share/sgml FreeBSD’s grep does not have a “-P” flag by default FreeBSD has no “nproc” command Conclusion: It is easier to port a shell than a shell script. — Larry Wall I ran into some cases where my scriptology was lacking and suboptimal, even for my own personal use, and fixed them. ##News Roundup ###OpenBSD’s unveil() One of the key aspects of hardening the user-space side of an operating system is to provide mechanisms for restricting which parts of the filesystem hierarchy a given process can access. Linux has a number of mechanisms of varying capability and complexity for this purpose, but other kernels have taken a different approach. Over the last few months, OpenBSD has inaugurated a new system call named unveil() for this type of hardening that differs significantly from the mechanisms found in Linux. The value of restricting access to the filesystem, from a security point of view, is fairly obvious. A compromised process cannot exfiltrate data that it cannot read, and it cannot corrupt files that it cannot write. Preventing unwanted access is, of course, the purpose of the permissions bits attached to every file, but permissions fall short in an important way: just because a particular user has access to a given file does not necessarily imply that every program run by that user should also have access to that file. There is no reason why your PDF viewer should be able to read your SSH keys, for example. Relying on just the permission bits makes it easy for a compromised process to access files that have nothing to do with that process’s actual job. In a Linux system, there are many ways of trying to restrict that access; that is one of the purposes behind the Linux security module (LSM) architecture, for example. The SELinux LSM uses a complex matrix of labels and roles to make access-control decisions. The AppArmor LSM, instead, uses a relatively simple table of permissible pathnames associated with each application; that approach was highly controversial when AppArmor was first merged, and is still looked down upon by some security developers. Mount namespaces can be used to create a special view of the filesystem hierarchy for a set of processes, rendering much of that hierarchy invisible and, thus, inaccessible. The seccomp mechanism can be used to make decisions on attempts by a process to access files, but that approach is complex and error-prone. Yet another approach can be seen in the Qubes OS distribution, which runs applications in virtual machines to strictly control what they can access. Compared to many of the options found in Linux, unveil() is an exercise in simplicity. This system call, introduced in July, has this prototype: int unveil(const char *path, const char *permissions); A process that has never called unveil() has full access to the filesystem hierarchy, modulo the usual file permissions and any restrictions that may have been applied by calling pledge(). Calling unveil() for the first time will “drop a veil” across the entire filesystem, rendering the whole thing invisible to the process, with one exception: the file or directory hierarchy starting at path will be accessible with the given permissions. The permissions string can contain any of “r” for read access, “w” for write, “x” for execute, and “c” for the ability to create or remove the path. Subsequent calls to unveil() will make other parts of the filesystem hierarchy accessible; the unveil() system call itself still has access to the entire hierarchy, so there is no problem with unveiling distinct subtrees that are, until the call is made, invisible to the process. If one unveil() call applies to a subtree of a hierarchy unveiled by another call, the permissions associated with the more specific call apply. Calling unveil() with both arguments as null will block any further calls, setting the current view of the filesystem in stone. Calls to unveil() can also be blocked using pledge(). Either way, once the view of the filesystem has been set up appropriately, it is possible to lock it so that the process cannot expand its access in the future should it be taken over and turn hostile. unveil() thus looks a bit like AppArmor, in that it is a path-based mechanism for restricting access to files. In either case, one must first study the program in question to gain a solid understanding of which files it needs to access before closing things down, or the program is likely to break. One significant difference (beyond the other sorts of behavior that AppArmor can control) is that AppArmor’s permissions are stored in an external policy file, while unveil() calls are made by the application itself. That approach keeps the access rules tightly tied to the application and easy for the developers to modify, but it also makes it harder for system administrators to change them without having to rebuild the application from source. One can certainly aim a number of criticisms at unveil() — all of the complaints that have been leveled at path-based access control and more. But the simplicity of unveil() brings a certain kind of utility, as can be seen in the large number of OpenBSD applications that are being modified to use it. OpenBSD is gaining a base level of protection against unintended program behavior; while it is arguably possible to protect a Linux system to a much greater extent, the complexity of the mechanisms involved keeps that from happening in a lot of real-world deployments. There is a certain kind of virtue to simplicity in security mechanisms. ###NetBSD Virtual Machine Monitor (NVVM) NetBSD Virtual Machine Monitor The NVMM driver provides hardware-accelerated virtualization support on NetBSD. It is made of an ~MI frontend, to which MD backends can be plugged. A virtualization API is provided in libnvmm, that allows to easily create and manage virtual machines via NVMM. Two additional components are shipped as demonstrators, toyvirt and smallkern: the former is a toy virtualizer, that executes in a VM the 64bit ELF binary given as argument, the latter is an example of such binary. Download The source code of NVMM, plus the associated tools, can be downloaded here. Technical details NVMM can support up to 128 virtual machines, each having a maximum of 256 VCPUs and 4GB of RAM. Each virtual machine is granted access to most of the CPU registers: the GPRs (obviously), the Segment Registers, the Control Registers, the Debug Registers, the FPU (x87 and SSE), and several MSRs. Events can be injected in the virtual machines, to emulate device interrupts. A delay mechanism is used, and allows VMM software to schedule the interrupt right when the VCPU can receive it. NMIs can be injected as well, and use a similar mechanism. The host must always be x8664, but the guest has no constraint on the mode, so it can be x8632, PAE, real mode, and so on. The TSC of each VCPU is always re-based on the host CPU it is executing on, and is therefore guaranteed to increase regardless of the host CPU. However, it may not increase monotonically, because it is not possible to fully hide the host effects on the guest during #VMEXITs. When there are more VCPUs than the host TLB can deal with, NVMM uses a shared ASID, and flushes the shared-ASID VCPUs on each VM switch. The different intercepts are configured in such a way that they cover everything that needs to be emulated. In particular, the LAPIC can be emulated by VMM software, by intercepting reads/writes to the LAPIC page in memory, and monitoring changes to CR8 in the exit state. ###What ‘dependency’ means in Unix init systems is underspecified (utoronto.ca) I was reading Davin McCall’s On the vagaries of init systems (via) when I ran across the following, about the relationship between various daemons (services, etc): I do not see any compelling reason for having ordering relationships without actual dependency, as both Nosh and Systemd provide for. In comparison, Dinit’s dependencies also imply an ordering, which obviates the need to list a dependency twice in the service description. Well, this may be an easy one but it depends on what an init system means by ‘dependency’. Let’s consider ®syslog and the SSH daemon. I want the syslog daemon to be started before the SSH daemon is started, so that the SSH daemon can log things to it from the beginning. However, I very much do not want the SSH daemon to not be started (or to be shut down) if the syslog daemon fails to start or later fails. If syslog fails, I still want the SSH daemon to be there so that I can perhaps SSH in to the machine and fix the problem. This is generally true of almost all daemons; I want them to start after syslog, so that they can syslog things, but I almost never want them to not be running if syslog failed. (And if for some reason syslog is not configured to start, I want enabling and starting, say, SSH, to also enable and start the syslog daemon.) In general, there are three different relationships between services that I tend to encounter: a hard requirement, where service B is useless or dangerous without service A. For instance, many NFS v2 and NFS v3 daemons basically don’t function without the RPC portmapper alive and active. On any number of systems, firewall rules being in place are a hard requirement to start most network services; you would rather your network services not start at all than that they start without your defenses in place. a want, where service B wants service A to be running before B starts up, and service A should be started even if it wouldn’t otherwise be, but the failure of A still leaves B functional. Many daemons want the syslog daemon to be started before they start but will run without it, and often you want them to do so so that at least some of the system works even if there is, say, a corrupt syslog configuration file that causes the daemon to error out on start. (But some environments want to hard-fail if they can’t collect security related logging information, so they might make rsyslogd a requirement instead of a want.) an ordering, where if service A is going to be started, B wants to start after it (or before it), but B isn’t otherwise calling for A to be started. We have some of these in our systems, where we need NFS mounts done before cron starts and runs people’s @reboot jobs but neither cron nor NFS mounts exactly or explicitly want each other. (The system as a whole wants both, but that’s a different thing.) Given these different relationships and the implications for what the init system should do in different situations, talking about ‘dependency’ in it systems is kind of underspecified. What sort of dependency? What happens if one service doesn’t start or fails later? My impression is that generally people pick a want relationship as the default meaning for init system ‘dependency’. Usually this is fine; most services aren’t actively dangerous if one of their declared dependencies fails to start, and it’s generally harmless on any particular system to force a want instead of an ordering relationship because you’re going to be starting everything anyway. (In my example, you might as well say that cron on the systems in question wants NFS mounts. There is no difference in practice; we already always want to do NFS mounts and start cron.) ###Jailing The bhyve Hypervisor As FreeBSD nears the final 12.0-RELEASE release engineering cycles, I’d like to take a moment to document a cool new feature coming in 12: jailed bhyve. You may notice that I use HardenedBSD instead of FreeBSD in this article. There is no functional difference in bhyve on HardenedBSD versus bhyve on FreeBSD. The only difference between HardenedBSD and FreeBSD is the aditional security offered by HardenedBSD. The steps I outline here work for both FreeBSD and HardenedBSD. These are the bare minimum steps, no extra work needed for either FreeBSD or HardenedBSD. A Gentle History Lesson At work in my spare time, I’m helping develop a malware lab. Due to the nature of the beast, we would like to use bhyve on HardenedBSD. Starting with HardenedBSD 12, non-Cross-DSO CFI, SafeStack, Capsicum, ASLR, and strict W^X are all applied to bhyve, making it an extremely hardened hypervisor. So, the work to support jailed bhyve is sponsored by both HardenedBSD and my employer. We’ve also jointly worked on other bhyve hardening features, like protecting the VM’s address space using guard pages (mmap(…, MAPGUARD, …)). Further work is being done in a project called “malhyve.” Only those modifications to bhyve/malhyve that make sense to upstream will be upstreamed. Initial Setup We will not go through the process of creating the jail’s filesystem. That process is documented in the FreeBSD Handbook. For UEFI guests, you will need to install the uefi-edk2-bhyve package inside the jail. I network these jails with traditional jail networking. I have tested vnet jails with this setup, and that works fine, too. However, there is no real need to hook the jail up to any network so long as bhyve can access the tap device. In some cases, the VM might not need networking, in which case you can use a network-less VM in a network-less jail. By default, access to the kernel side of bhyve is disabled within jails. We need to set allow.vmm in our jail.conf entry for the bhyve jail. We will use the following in our jail, so we will need to set up devfs(8) rules for them: A ZFS volume A null-modem device (nmdm(4)) UEFI GOP (no devfs rule, but IP assigned to the jail) A tap device Conclusion The bhyve hypervisor works great within a jail. When combined with HardenedBSD, bhyve is extremely hardened: PaX ASLR is fully applied due to compilation as a Position-Independent Executable (HardenedBSD enhancement) PaX NOEXEC is fully applied (strict W^X) (HardenedBSD enhancement) Non-Cross-DSO CFI is fully applied (HardenedBSD enhancement) Full RELRO (RELRO + BINDNOW) is fully applied (HardenedBSD enhancement) SafeStack is applied to the application (HardenedBSD enhancement) Jailed (FreeBSD feature written by HardenedBSD) Virtual memory protected with guard pages (FreeBSD feature written by HardenedBSD) Capsicum is fully applied (FreeBSD feature) Bad guys are going to have a hard time breaking out of the userland components of bhyve on HardenedBSD. :) ##Beastie Bits GhostBSD 18.10 has been released Project Trident RC3 has been released The OpenBSD Foundation receives the first Silver contribution from a single individual Monitoring pf logs gource NetBSD on the RISC-V is alive The X hole Announcing the pkgsrc-2018Q3 release (2018-10-05) NAT performance on EdgeRouter X and Lite with EdgeOS, OpenBSD, and OpenWRT UNIX (as we know it) might not have existed without Mrs. Thompson Free Pizza for your dev events Portland BSD Pizza Night: Nov 29th 7pm ##Feedback/Questions Dennis - Core developers leaving illumOS? Ben - Jumping from snapshot to snapshot Ias - Question about ZFS snapshots Send questions, comments, show ideas/topics, or stories you want mentioned on the show to feedback@bsdnow.tv

BSD Now
Episode 254: Bare the OS | BSD Now 254

BSD Now

Play Episode Listen Later Jul 12, 2018 91:23


Control flow integrity with HardenedBSD, fixing bufferbloat with OpenBSD’s pf, Bareos Backup Server on FreeBSD, MeetBSD CfP, crypto simplified interface, twitter gems, interesting BSD commits, and more. ##Headlines Silent Fanless FreeBSD Desktop/Server Today I will write about silent fanless FreeBSD desktop or server computer … or NAS … or you name it, it can have multa##Headlines ###Cross-DSO CFI in HardenedBSD Control Flow Integrity, or CFI, raises the bar for attackers aiming to hijack control flow and execute arbitrary code. The llvm compiler toolchain, included and used by default in HardenedBSD 12-CURRENT/amd64, supports forward-edge CFI. Backward-edge CFI support is gained via a tangential feature called SafeStack. Cross-DSO CFI builds upon ASLR and PaX NOEXEC for effectiveness. HardenedBSD supports non-Cross-DSO CFI in base for 12-CURRENT/amd64 and has it enabled for a few individual ports. The term “non-Cross-DSO CFI” means that CFI is enabled for code within an application’s codebase, but not for the shared libraries it depends on. Supporting non-Cross-DSO CFI is an important initial milestone for supporting Cross-DSO CFI, or CFI applied to both shared libraries and applications. This article discusses where HardenedBSD stands with regards to Cross-DSO CFI in base. We have made a lot of progress, yet we’re not even half-way there. Brace yourself: This article is going to be full of references to “Cross-DSO CFI.” Make a drinking game out of it. Or don’t. It’s your call. ;) Using More llvm Toolchain Components CFI requires compiling source files with Link-Time Optimization (LTO). I remembered hearing a few years back that llvm developers were able to compile the entirety of FreeBSD’s source code with LTO. Compiling with LTO produces intermediate object files as LLVM IR bitcode instead of ELF objects. In March of 2017, we started compiling all applications with LTO and non-Cross-DSO CFI. This also enabled ld.lld as the default linker in base since CFI requires lld. Commit f38b51668efcd53b8146789010611a4632cafade made the switch to ld.lld as the default linker while enabling non-Cross-DSO CFI at the same time. Building libraries in base requires applications like ar, ranlib, nm, and objdump. In FreeBSD 12-CURRENT, ar and ranlib are known as “BSD ar” and “BSD ranlib.” In fact, ar and ranlib are the same applications. One is hardlinked to another and the application changes behavior depending on arvgv[0] ending in “ranlib”. The ar, nm, and objdump used in FreeBSD do not support LLVM IR bitcode object files. In preparation for Cross-DSO CFI support, commit fe4bb0104fc75c7216a6dafe2d7db0e3f5fe8257 in October 2017 saw HardenedBSD switching ar, ranlib, nm, and objdump to their respective llvm components. The llvm versions due support LLVM IR bitcode object files (surprise!) There has been some fallout in the ports tree and we’ve added LLVM_AR_UNSAFE and friends to help transition those ports that dislike llvm-ar, llvm-ranlib, llvm-nm, and llvm-objdump. With ld.lld, llvm-ar, llvm-ranlib, llvm-nm, and llvm-objdump the default, HardenedBSD has effectively switched to a full llvm compiler toolchain in 12-CURRENT/amd64. Building Libraries With LTO The primary 12-CURRENT development branch in HardenedBSD (hardened/current/master) only builds applications with LTO as mentioned in the secion above. My first attempt at building all static and shared libraries failed due to issues within llvm itself. I reported these issues to FreeBSD. Ed Maste (emaste@), Dimitry Andric (dim@), and llvm’s Rafael Espindola expertly helped address these issues. Various commits within the llvm project by Rafael fully and quickly resolved the issues brought up privately in emails. With llvm fixed, I could now build nearly every library in base with LTO. I noticed, however, that if I kept non-Cross-DSO CFI and SafeStack enabled, all applications would segfault. Even simplistic applications like /bin/ls. Disabling both non-Cross-DSO CFI and SafeStack, but keeping LTO produced a fully functioning world! I have spent the last few months figuring out why enabling either non-Cross-DSO CFI or SafeStack caused issues. This brings us to today. The Sanitizers in FreeBSD FreeBSD brought in all the files required for SafeStack and CFI. When compiling with SafeStack, llvm statically links a full sanitization framework into the application. FreeBSD includes a full copy of the sanitization framework in SafeStack, including the common C++ sanization namespaces. Thus, libclang_rt.safestack included code meant to be shared among all the sanitizers, not just SafeStack. I had naively taken a brute-force approach to setting up the libclang_rt.cfi static library. I copied the Makefile from libclang_rt.safestack and used that as a template for libclang_rt.cfi. This approach was incorrect due to breaking the One Definition Rule (ODR). Essentially, I ended up including a duplicate copy of the C++ classes and sanitizer runtime if both CFI and SafeStack were used. In my Cross-DSO CFI development VM, I now have SafeStack disabled across-the-board and am only compiling in CFI. As of 26 May 2018, an LTO-ified world (libs + apps) works in my limited testing. /bin/ls does not crash anymore! The second major milestone for Cross-DSO CFI has now been reached. Known Issues And Limitations There are a few known issues and regressions. Note that this list of known issues essentially also constitutes a “work-in-progress” and every known issue will be fixed prior to the official launch of Cross-DSO CFI. It seems llvm does not like statically compiling applications with LTO that have a mixture of C and C++ code. /sbin/devd is one of these applications. As such, when Cross-DSO CFI is enabled, devd is compiled as a Position-Independent Executable (PIE). Doing this breaks UFS systems where /usr is on a separate partition. We are currently looking into solving this issue to allow devd to be statically compiled again. NO_SHARED is now unset in the tools build stage (aka, bootstrap-tools, cross-tools). This is related to the static compilation issue above. Unsetting NO_SHARED for to tools build stage is only a band-aid until we can resolve static compliation with LTO. One goal of our Cross-DSO CFI integration work is to be able to support the cfi-icall scheme when dlopen(3) and dlsym(3)/dlfunc(3) is used. This means the runtime linker (RTLD), must be enhanced to know and care about the CFI runtime. This enhancement is not currently implemented, but is planned. When Cross-DSO CFI is enabled, SafeStack is disabled. This is because compiling with Cross-DSO CFI brings in a second copy of the sanitizer runtime, violating the One Definition Rule (ODR). Resolving this issue should be straightforward: Unify the sanitizer runtime into a single common library that both Cross-DSO CFI and SafeStack can link against. When the installed world has Cross-DSO CFI enabled, performing a buildworld with Cross-DSO CFI disabled fails. This is somewhat related to the static compilation issue described above. Current Status I’ve managed to get a Cross-DSO CFI world booting on bare metal (my development laptop) and in a VM. Some applications failed to work. Curiously, Firefox still worked (which also means xorg works). I’m now working through the known issues list, researching and learning. Future Work Fixing pretty much everything in the “Known Issues And Limitations” section. ;P I need to create a static library that includes only a single copy of the common sanitizer framework code. Applications compiled with CFI or SafeStack will then only have a single copy of the framework. Next I will need to integrate support in the RTLD for Cross-DSO CFI. Applications with the cfi-icall scheme enabled that call functions resolved through dlsym(3) currently crash due to the lack of RTLD support. I need to make a design decision as to whether to only support adding cfi-icall whitelist entries only with dlfunc(3) or to also whitelist cfi-icall entries with the more widely used dlsym(3). There’s likely more items in the “TODO” bucket that I am not currently aware of. I’m treading in uncharted territory. I have no firm ETA for any bit of this work. We may gain Cross-DSO CFI support in 2018, but it’s looking like it will be later in either 2019 or 2020. Conclusion I have been working on Cross-DSO CFI support in HardenedBSD for a little over a year now. A lot of progress is being made, yet there’s still some major hurdles to overcome. This work has already helped improve llvm and I hope more commits upstream to both FreeBSD and llvm will happen. We’re getting closer to being able to send out a preliminary Call For Testing (CFT). At the very least, I would like to solve the static linking issues prior to publishing the CFT. Expect it to be published before the end of 2018. I would like to thank Ed Maste, Dimitry Andric, and Rafael Espindola for their help, guidance, and support. iXsystems FreeNAS 11.2-BETAs are starting to appear ###Bareos Backup Server on FreeBSD Ever heard about Bareos? Probably heard about Bacula. Read what is the difference here – Why Bareos forked from Bacula? Bareos (Backup Archiving Recovery Open Sourced) is a network based open source backup solution. It is 100% open source fork of the backup project from bacula.org site. The fork is in development since late 2010 and it has a lot of new features. The source is published on github and licensed under AGPLv3 license. Bareos supports ‘Always Incremental backup which is interesting especially for users with big data. The time and network capacity consuming full backups only have to be taken once. Bareos comes with WebUI for administration tasks and restore file browser. Bareos can backup data to disk and to tape drives as well as tape libraries. It supports compression and encryption both hardware-based (like on LTO tape drives) and software-based. You can also get professional services and support from Bareos as well as Bareos subscription service that provides you access to special quality assured installation packages. I started my sysadmin job with backup system as one of the new responsibilities, so it will be like going back to the roots. As I look on the ‘backup’ market it is more and more popular – especially in cloud oriented environments – to implement various levels of protection like GOLD, SILVER and BRONZE for example. They of course have different retention times, number of backups kept, different RTO and RPO. Below is a example implementation of BRONZE level backups in Bareos. I used 3 groups of A, B and C with FULL backup starting on DAY 0 (A group), DAY 1 (B group) and DAY 2 (C group). This way you still have FULL backups quite often and with 3 groups you can balance the network load. I for the days that we will not be doing FULL backups we will be doing DIFFERENTIAL backups. People often confuse them with INCREMENTAL backups. The difference is that DIFFERENTIAL backups are always against FULL backup, so its always ‘one level of combining’. INCREMENTAL ones are done against last done backup TYPE, so its possible to have 100+ levels of combining against 99 earlier INCREMENTAL backups and the 1 FULL backup. That is why I prefer DIFFERENTIAL ones here, faster recovery. That is all backups is about generally, recovery, some people/companies tend to forget that. The implementation of BRONZE in these three groups is not perfect, but ‘does the job’. I also made ‘simulation’ how these group will overlap at the end/beginning of the month, here is the result. Not bad for my taste. Today I will show you how to install and configure Bareos Server based on FreeBSD operating system. It will be the most simplified setup with all services on single machine: bareos-dir bareos-sd bareos-webui bareos-fd I also assume that in order to provide storage space for the backup data itself You would mount resources from external NFS shares. To get in touch with Bareos terminology and technology check their great Manual in HTML or PDF version depending which format You prefer for reading documentation. Also their FAQ provides a lot of needed answers. Also this diagram may be useful for You to get some grip into the Bareos world. System As every system needs to have its name we will use latin word closest to backup here – replica – for our FreeBSD system hostname. The install would be generally the same as in the FreeBSD Desktop – Part 2 – Install article. Here is our installed FreeBSD system with login prompt.

GovComms: The Future of Government Communication
InTransition 141: Understanding cyber security with Laura Bell, CEO of SafeStack

GovComms: The Future of Government Communication

Play Episode Listen Later Jan 29, 2018 32:45


This week we are joined by cyber security professional Laura Bell, CEO of New Zealand-based boutique security firm SafeStack. Aiming to provide her clients with a better understanding of cyber security and the risks we face, Laura shares with us tips on being as secure as possible in the digital age. As people continue to live their whole lives online, our personal information has never been more vulnerable. SafeStack's aim is to teach teams and individuals how to better protect their information; to decrease the fear of what might happen. Topics discussed in this episode: The role cyber security plays in the 21st century Information protection Delving into the unknown world of hacking Accepting that it's okay to be vulnerable The importance of training staff to know how to behave online Why you should celebrate success What we can learn from illegal hacking Reasons to consider building a generalised team What is content communication? It is a strategic, measurable, and accountable business process that relies on the creation, curation, and distribution of useful, relevant, and consistent content. The purpose is to engage and inform a specific audience in order to achieve a desired citizen and/or stakeholder action. That is the practice and the process of content communication. Find contentgroup on Facebook, LinkedIn and Twitter. Read more about best industry practices from our blog and weekly newsletter. Hosted on Acast. See acast.com/privacy for more information.

GovComms: The Future of Government Communication
InTransition 141: Understanding cyber security with Laura Bell, CEO of SafeStack

GovComms: The Future of Government Communication

Play Episode Listen Later Jan 29, 2018 32:46


This week we are joined by cyber security professional Laura Bell, CEO of New Zealand-based boutique security firm SafeStack. Aiming to provide her clients with a better understanding of cyber security and the risks we face, Laura shares with us tips on being as secure as possible in the digital age. As people continue to live their whole lives online, our personal information has never been more vulnerable. SafeStack’s aim is to teach teams and individuals how to better protect their information; to decrease the fear of what might happen. Topics discussed in this episode: The role cyber security plays in the 21st century Information protection Delving into the unknown world of hacking Accepting that it’s okay to be vulnerable The importance of training staff to know how to behave online Why you should celebrate success What we can learn from illegal hacking Reasons to consider building a generalised team What is content communication? It is a strategic, measurable, and accountable business process that relies on the creation, curation, and distribution of useful, relevant, and consistent content. The purpose is to engage and inform a specific audience in order to achieve a desired citizen and/or stakeholder action. That is the practice and the process of content communication. Find contentgroup on Facebook, LinkedIn and Twitter. Read more about best industry practices from our blog and weekly newsletter.

BSD Now
213: The French CONnection

BSD Now

Play Episode Listen Later Sep 27, 2017 91:00


We recap EuroBSDcon in Paris, tell the story behind a pf PR, and show you how to do screencasting with OpenBSD. This episode was brought to you by Headlines Recap of EuroBSDcon 2017 in Paris, France (https://2017.eurobsdcon.org) EuroBSDcon was held in Paris, France this year, which drew record numbers this year. With over 300 attendees, it was the largest BSD event I have ever attended, and I was encouraged by the higher than expected number of first time attendees. The FreeBSD Foundation held a board meeting on Wednesday afternoon with the members who were in Paris. Topics included future conferences (including a conference kit we can mail to people who want to represent FreeBSD) and planning for next year. The FreeBSD Devsummit started on Thursday at the beautiful Mozilla Office in Paris. After registering and picking up our conference bag, everyone gathered for a morning coffee with lots of handshaking and greeting. We then gathered in the next room which had a podium with microphone, screens as well as tables and chairs. After developers sat down, Benedict opened the devsummit with a small quiz about France for developers to win a Mogics Power Bagel (https://www.mogics.com/?page_id=3824). 45 developers participated and DES won the item in the end. After introductions and collecting topics of interest from everyone, we started with the Work in Progress (WIP) session. The WIP session had different people present a topic they are working on in 7 minute timeslots. Topics ranged from FreeBSD Forwarding Performance, fast booting options, and a GELI patch under review to attach multiple providers. See their slides on the FreeBSD wiki (https://wiki.freebsd.org/DevSummit/201709). After lunch, the FreeBSD Foundation gave a general update on staff and funding, as well as a more focused presentation about our partnership with Intel. People were interested to hear what was done so far and asked a few questions to the Intel representative Glenn Weinberg. After lunch, developers worked quietly on their own projects. The mic remained open and occasionally, people would step forward and gave a short talk without slides or motivated a discussion of common interest. The day concluded with a dinner at a nice restaurant in Paris, which allowed to continue the discussions of the day. The second day of the devsummit began with a talk about the CAM-based SDIO stack by Ilya Bakulin. His work would allow access to wifi cards/modules on embedded boards like the Raspberry Pi Zero W and similar devices as many of these are using SDIO for data transfers. Next up was a discussion and Q&A session with the FreeBSD core team members who were there (missing only Benno Rice, Kris Moore, John Baldwin, and Baptiste Daroussin, the latter being busy with conference preparations). The new FCP (FreeBSD community proposals) were introduced for those who were not at BSDCan this year and the hows and whys about it. Allan and I were asked to describe our experiences as new members of core and we encouraged people to run for core when the next election happens. After a short break, Scott Long gave an overview of the work that's been started on NUMA (Non-Uniform Memory Architecture), what the goals of the project are and who is working on it. Before lunch, Christian Schwarz presented his work on zrepl, a new ZFS replication solution he developed using Go. This sparked interest in developers, a port was started (https://reviews.freebsd.org/D12462) and people suggested to Christian that he should submit his talk to AsiaBSDcon and BSDCan next year. Benedict had to leave before lunch was done to teach his Ansible tutorial (which was well attended) at the conference venue. There were organized dinners, for those two nights, quite a feat of organization to fit over 100 people into a restaurant and serve them quickly. On Saturday, there was a social event, a river cruise down the Seine. This took the form of a ‘standing' dinner, with a wide selection of appetizer type dishes, designed to get people to walk around and converse with many different people, rather than sit at a table with the same 6-8 people. I talked to a much larger group of people than I had managed to at the other dinners. I like having both dinner formats. We would also like to thank all of the BSDNow viewers who attended the conference and made the point of introducing themselves to us. It was nice to meet you all. The recordings of the live video stream from the conference are available immediately, so you can watch the raw versions of the talks now: Auditorium Keynote 1: Software Development in the Age of Heroes (https://youtu.be/4iR8g9-39LM?t=179) by Thomas Pornin (https://twitter.com/BearSSLnews) Tuning FreeBSD for routing and firewalling (https://youtu.be/4iR8g9-39LM?t=1660) by Olivier Cochard-Labbé (https://twitter.com/ocochardlabbe) My BSD sucks less than yours, Act I (https://youtu.be/4iR8g9-39LM?t=7040) by Antoine Jacoutot (https://twitter.com/ajacoutot) and Baptiste Daroussin (https://twitter.com/_bapt_) My BSD sucks less than yours, Act II (https://youtu.be/4iR8g9-39LM?t=14254) by Antoine Jacoutot (https://twitter.com/ajacoutot) and Baptiste Daroussin (https://twitter.com/_bapt_) Reproducible builds on NetBSD (https://youtu.be/4iR8g9-39LM?t=23351) by Christos Zoulas Your scheduler is not the problem (https://youtu.be/4iR8g9-39LM?t=26845) by Martin Pieuchot Keynote 2: A French story on cybercrime (https://youtu.be/4iR8g9-39LM?t=30540) by Éric Freyssinet (https://twitter.com/ericfreyss) Case studies of sandboxing base system with Capsicum (https://youtu.be/jqdHYEH_BQY?t=731) by Mariusz Zaborski (https://twitter.com/oshogbovx) OpenBSD's small steps towards DTrace (a tale about DDB and CTF) (https://youtu.be/jqdHYEH_BQY?t=6030) by Jasper Lievisse Adriaanse The Realities of DTrace on FreeBSD (https://youtu.be/jqdHYEH_BQY?t=13096) by George Neville-Neil (https://twitter.com/gvnn3) OpenSMTPD, current state of affairs (https://youtu.be/jqdHYEH_BQY?t=16818) by Gilles Chehade (https://twitter.com/PoolpOrg) Hoisting: lessons learned integrating pledge into 500 programs (https://youtu.be/jqdHYEH_BQY?t=21764) by Theo de Raadt Keynote 3: System Performance Analysis Methodologies (https://youtu.be/jqdHYEH_BQY?t=25463) by Brendan Gregg (https://twitter.com/brendangregg) Closing Session (https://youtu.be/jqdHYEH_BQY?t=29355) Karnak “Is it done yet ?” The never ending story of pkg tools (https://youtu.be/1hjzleqGRYk?t=71) by Marc Espie (https://twitter.com/espie_openbsd) A Tale of six motherboards, three BSDs and coreboot (https://youtu.be/1hjzleqGRYk?t=7498) by Piotr Kubaj and Katarzyna Kubaj State of the DragonFly's graphics stack (https://youtu.be/1hjzleqGRYk?t=11475) by François Tigeot From NanoBSD to ZFS and Jails – FreeBSD as a Hosting Platform, Revisited (https://youtu.be/1hjzleqGRYk?t=16227) by Patrick M. Hausen Bacula – nobody ever regretted making a backup (https://youtu.be/1hjzleqGRYk?t=20069) by Dan Langille (https://twitter.com/DLangille) Never Lose a Syslog Message (https://youtu.be/qX0BS4P65cQ?t=325) by Alexander Bluhm Running CloudABI applications on a FreeBSD-based Kubernetes cluster (https://youtu.be/qX0BS4P65cQ?t=5647) by Ed Schouten (https://twitter.com/EdSchouten) The OpenBSD web stack (https://youtu.be/qX0BS4P65cQ?t=13255) by Michael W. Lucas (https://twitter.com/mwlauthor) The LLDB Debugger on NetBSD (https://youtu.be/qX0BS4P65cQ?t=16835) by Kamil Rytarowski What's in store for NetBSD 8.0? (https://youtu.be/qX0BS4P65cQ?t=21583) by Alistair Crooks Louxor A Modern Replacement for BSD spell(1) (https://youtu.be/6Nen6a1Xl7I?t=156) by Abhinav Upadhyay (https://twitter.com/abhi9u) Portable Hotplugging: NetBSD's uvm_hotplug(9) API development (https://youtu.be/6Nen6a1Xl7I?t=5874) by Cherry G. Mathew Hardening pkgsrc (https://youtu.be/6Nen6a1Xl7I?t=9343) by Pierre Pronchery (https://twitter.com/khorben) Discovering OpenBSD on AWS (https://youtu.be/6Nen6a1Xl7I?t=14874) by Laurent Bernaille (https://twitter.com/lbernail) OpenBSD Testing Infrastructure Behind bluhm.genua.de (https://youtu.be/6Nen6a1Xl7I?t=18639) by Jan Klemkow The school of hard knocks – PT1 (https://youtu.be/8wuW8lfsVGc?t=276) by Sevan Janiyan (https://twitter.com/sevanjaniyan) 7 years of maintaining firefox, and still looking ahead (https://youtu.be/8wuW8lfsVGc?t=5321) by Landry Breuil Branch VPN solution based on OpenBSD, OSPF, RDomains and Ansible (https://youtu.be/8wuW8lfsVGc?t=12385) by Remi Locherer Running BSD on AWS (https://youtu.be/8wuW8lfsVGc?t=15983) by Julien Simon and Nicolas David Getting started with OpenBSD device driver development (https://youtu.be/8wuW8lfsVGc?t=21491) by Stefan Sperling A huge thanks to the organizers, program committee, and sponsors of EuroBSDCon. Next year, EuroBSDcon will be in Bucharest, Romania. *** The story of PR 219251 (https://www.sigsegv.be//blog/freebsd/PR219251) The actual story I wanted Kristof to tell, the pf bug he fixed at the Essen Hackathon earlier this summer. As I threatened to do in my previous post, I'm going to talk about PR 219251 for a bit. The bug report dates from only a few months ago, but the first report (that I can remeber) actually came from Shawn Webb on Twitter, of all places Despite there being a stacktrace it took quite a while (nearly 6 months in fact) before I figured this one out. It took Reshad Patuck managing to distill the problem down to a small-ish test script to make real progress on this. His testcase meant that I could get core dumps and experiment. It also provided valuable clues because it could be tweaked to see what elements were required to trigger the panic. This test script starts a (vnet) jail, adds an epair interface to it, sets up pf in the jail, and then reloads the pf rules on the host. Interestingly the panic does not seem to occur if that last step is not included. Obviously not the desired behaviour, but it seems strange. The instances of pf in the jails are supposed to be separate. We try to fetch a counter value here, but instead we dereference a bad pointer. There's two here, so already we need more information. Inspection of the core dump reveals that the state pointer is valid, and contains sane information. The rule pointer (rule.ptr) points to a sensible location, but the data is mostly 0xdeadc0de. This is the memory allocator being helpful (in debug mode) and writing garbage over freed memory, to make use-after-free bugs like this one easier to find. In other words: the rule has been free()d while there was still a state pointing to it. Somehow we have a state (describing a connection pf knows about) which points to a rule which no longer exists. The core dump also shows that the problem always occurs with states and rules in the default vnet (i.e. the host pf instance), not one of the pf instances in one of the vnet jails. That matches with the observation that the test script does not trigger the panic unless we also reload the rules on the host. Great, we know what's wrong, but now we need to work out how we can get into this state. At this point we're going to have to learn something about how rules and states get cleaned up in pf. Don't worry if you had no idea, because before this bug I didn't either. The states keep a pointer to the rule they match, so when rules are changed (or removed) we can't just delete them. States get cleaned up when connections are closed or they time out. This means we have to keep old rules around until the states that use them expire. When rules are removed pfunlinkrule() adds then to the Vpfunlinkedrules list (more on that funny V prefix later). From time to time the pf purge thread will run over all states and mark the rules that are used by a state. Once that's done for all states we know that all rules that are not marked as in-use can be removed (because none of the states use it). That can be a lot of work if we've got a lot of states, so pfpurgethread() breaks that up into smaller chuncks, iterating only part of the state table on every run. We iterate over all of our virtual pf instances (VNETFOREACH()), check if it's active (for FreeBSD-EN-17.08, where we've seen this code before) and then check the expired states with pfpurgeexpiredstates(). We start at state 'idx' and only process a certain number (determined by the PFTMINTERVAL setting) states. The pfpurgeexpiredstates() function returns a new idx value to tell us how far we got. So, remember when I mentioned the odd V_ prefix? Those are per-vnet variables. They work a bit like thread-local variables. Each vnet (virtual network stack) keeps its state separate from the others, and the V_ variables use a pointer that's changed whenever we change the currently active vnet (say with CURVNETSET() or CURVNETRESTORE()). That's tracked in the 'curvnet' variable. In other words: there are as many Vpfvnetactive variables as there are vnets: number of vnet jails plus one (for the host system). Why is that relevant here? Note that idx is not a per-vnet variable, but we handle multiple pf instances here. We run through all of them in fact. That means that we end up checking the first X states in the first vnet, then check the second X states in the second vnet, the third X states in the third and so on and so on. That of course means that we think we've run through all of the states in a vnet while we really only checked some of them. So when pfpurgeunlinkedrules() runs it can end up free()ing rules that actually are still in use because pfpurgethread() skipped over the state(s) that actually used the rule. The problem only happened if we reloaded rules in the host, because the active ruleset is never free()d, even if there are no states pointing to the rule. That explains the panic, and the fix is actually quite straightforward: idx needs to be a per-vnet variable, Vpfpurge_idx, and then the problem is gone. As is often the case, the solution to a fairly hard problem turns out to be really simple. As you might expect, finding the problem takes a lot more work that fixing it Thanks to Kristof for writing up this detailed post explaining how the problem was found, and what caused it. *** vBSDcon 2017: BSD at Work (https://www.ixsystems.com/blog/vbsdcon-2017-dexter/) The third biennial vBSDcon hosted by Verisign took place September 7th through 9th with the FreeBSD Developer Summit taking place the first day. vBSDcon and iXsystems' MeetBSD event have been alternating between the East and West coasts of the U.S.A. and these two events play vital roles in reaching Washington, DC-area and Bay Area/Silicon Valley audiences. Where MeetBSD serves many BSD Vendors, vBSDcon attracts a unique government and security industry demographic that isn't found anywhere else. Conference time and travel budgets are always limited and bringing these events to their attendees is a much-appreciated service provided by their hosts. The vBSDcon FreeBSD DevSummit had a strong focus on OpenZFS, the build system and networking with the FreeBSD 12 wish list of features in mind. How to best incorporate the steady flow of new OpenZFS features into FreeBSD such as dataset-level encryption was of particular interest. This feature from a GNU/Linux-based storage vendor is tribute to the growth of the OpenZFS community which is vital in light of the recent “Death of Solaris and ZFS” at Oracle. There has never been more demand for OpenZFS on FreeBSD and the Oracle news further confirms our collective responsibility to meet that demand. The official conference opened with my talk on “Isolated BSD Build Environments” in which I explained how the bhyve hypervisor can be used to effortlessly tour FreeBSD 5.0-onward and build specific source releases on demand to trace regressions to their offending commit. I was followed by a FreeNAS user who made the good point that FreeNAS is an exemplary “entry vector” into Unix and Enterprise Storage fundamentals, given that many of the vectors our generation had are gone. Where many of us discovered Unix and the Internet via console terminals at school or work, smart phones are only delivering the Internet without the Unix. With some irony, both iOS and Android are Unix-based yet offer few opportunities for their users to learn and leverage their Unix environments. The next two talks were The History and Future of Core Dumps in FreeBSD by Sam Gwydir and Using pkgsrc for multi-platform deployments in heterogeneous environments by G. Clifford Williams. I strongly recommend that anyone wanting to speak at AsiaBSDCon read Sam's accompanying paper on core dumps because I consider it the perfect AsiaBSDCon topic and his execution is excellent. Core dumps are one of those things you rarely think about until they are a DROP EVERYTHING! priority. G. Clifford's talk was about what I consider a near-perfect BSD project: pkgsrc, the portable BSD package manager. I put it up there with OpenSSH and mandoc as projects that have provided significant value to other Open Source operating systems. G. Clifford's real-world experiences are perfectly inline with vBSDcon's goal to be more production-oriented than other BSDCons. Of the other talks, any and all Dtrace talks are always appreciated and George Neville-Neil's did not disappoint. He based it on his experiences with the Teach BSD project which is bringing FreeBSD-based computer science education to schools around the world. The security-related talks by John-Mark Gurney, Dean Freeman and Michael Shirk also represented vBSDcon's consideration of the local community and made a convincing point that the BSDs should make concerted efforts to qualify for Common Criteria, FIPS, and other Government security requirements. While some security experts will scoff at these, they are critical to the adoption of BSD-based products by government agencies. BSD Now hosts Allan Jude and Benedict Reuschling hosted an OpenZFS BoF and Ansible talk respectively and I hosted a bhyve hypervisor BoF. The Hallway Track and food at vBSDcon were excellent and both culminated with an after-dinner dramatic reading of Michael W. Lucas' latest book that raised money for the FreeBSD Foundation. A great time was had by all and it was wonderful to see everyone! News Roundup FreeBSD 10.4-RC2 Available (https://lists.freebsd.org/pipermail/freebsd-stable/2017-September/087848.html) FreeBSD 10.4 will be released soon, this is the last chance to find bugs before the official release is cut. Noteworthy Changes Since 10.4-RC1: Given that the amd64 disc1 image was overflowing, more of the base components installed into the disc1 (live) file systems had to be disabled. Most notably, this removed the compiler toolchain from the disc1 images. All disabled tools are still available with the dvd1 images, though. The aesni(4) driver now no longer shares a single FPU context across multiple sessions in multiple threads, addressing problems seen when employing aesni(4) for ipsec(4). Support for netmap(4) by the ixgbe(4) driver has been brought into line with the netmap(4) API present in stable/10. Also, ixgbe(4) now correctly handles VFs in its netmap(4) support again instead of treating these as PFs. During the creation of amd64 and i386 VM images, etcupdate(8) and mergemaster(8) databases now are bootstrapped, akin to what happens along the extraction of base.txz as part of a new installation via bsdinstall(8). This change allows for both of these tools to work out-of-box on the VM images and avoids errors seen when upgrading these images via freebsd-update(8). If you are still on the stable/10 branch, you should test upgrading to 10.4, and make sure there are no problems with your workload Additional testing specifically of the features that have changed since 10.4-BETA1 would also be most helpful This will be the last release from the stable/10 branch *** OpenBSD changes of note 628 (https://www.tedunangst.com/flak/post/openbsd-changes-of-note-628) EuroBSDCon in two weeks. Be sure to attend early and often. Many and various documentation improvements for libcrypto. New man pages, rewrites, expanded bugs sections, and more. Only allow upward migration in vmd. There's a README for the syspatch build system if you want to run your own. Move the kernel relinking code from /etc/rc into a seperate script usable by syspatch. Kernel patches can now be reduced to just the necessary files. Make the callers of sogetopt() responsible for allocating memory. Now allocation and free occur in the same place. Use waitpid() instead of wait() in most programs to avoid accidentally collecting the wrong child. Have cu call isatty() before making assumptions. Switch mandoc rendering of mathematical symbols and greek letters from trying to imitate the characters' graphical shapes, which resulted in unintelligible renderings in many cases, to transliterations conveying the characters' meanings. Update libexpat to 2.2.4. Fix copying partial UTF-8 characters. Sigh, here we go again. Work around bug in F5's handling of the supported elliptic curves extension. RFC 4492 only defines elliptic_curves for ClientHello. However, F5 is sending it in ServerHello. We need to skip over it since our TLS extension parsing code is now more strict. After a first install, run syspatch -c to check for patches. If SMAP is present, clear PSL_AC on kernel entry and interrupt so that only the code in copy{in,out}* that need it run with it set. Panic if it's set on entry to trap() or syscall(). Prompted by Maxime Villard's NetBSD work. Errata. New drivers for arm: rktemp, mvpinctrl, mvmpic, mvneta, mvmdio, mvpxa, rkiic, rkpmic. No need to exec rm from within mandoc. We know there's exactly one file and directory to remove. Similarly with running cmp. Revert to Mesa 13.0.6 to hopefully address rendering issues a handful of people have reported with xpdf/fvwm on ivy bridge with modesetting driver. Rewrite ALPN extension using CBB/CBS and the new extension framework. Rewrite SRTP extension using CBB/CBS and the new extension framework. Revisit 2q queue sizes. Limit the hot queue to 1/20th the cache size up to a max of 4096 pages. Limit the warm and cold queues to half the cache. This allows us to more effectively notice re-interest in buffers instead of losing it in a large hot queue. Add glass console support for arm64. Probably not yet for your machine, though. Replace heaps of hand-written syscall stubs in ld.so with a simpler framework. 65535 is a valid port to listen on. When xinit starts an X server that listens only on UNIX socket, prefer DISPLAY=unix:0 rather than DISPLAY=:0. This will prevent applications from ever falling back to TCP if the UNIX socket connection fails (such as when the X server crashes). Reverted. Add -z and -Z options to apmd to auto suspend or hibernate when low on battery. Remove the original (pre-IETF) chacha20-poly1305 cipher suites. Add urng(4) which supports various USB RNG devices. Instead of adding one driver per device, start bundling them into a single driver. Remove old deactivated pledge path code. A replacement mechanism is being brewed. Fix a bug from the extension parsing rewrite. Always parse ALPN even if no callback has been installed to prevent leaving unprocessed data which leads to a decode error. Clarify what is meant by syslog priorities being ordered, since the numbers and priorities are backwards. Remove a stray setlocale() from ksh, eliminating a lot of extra statically linked code. Unremove some NPN symbols from libssl because ports software thinks they should be there for reasons. Fix saved stack location after resume. Somehow clang changed it. Resume works again on i386. Improve error messages in vmd and vmctl to be more informative. Stop building the miniroot installer for OMAP3 Beagleboards. It hasn't worked in over a year and nobody noticed. Have the callers of sosetopt() free the mbuf for symmetry. On octeon, let the kernel use the hardware FPU even if emulation is compiled in. It's faster. Fix support for 486DX CPUs by not calling cpuid. I used to own a 486. Now I don't. Merge some drm fixes from linux. Defer probing of floppy drives, eliminating delays during boot. Better handling of probes and beacons and timeouts and scans in wifi stack to avoid disconnects. Move mutex, condvar, and thread-specific data routes, pthreadonce, and pthreadexit from libpthread to libc, along with low-level bits to support them. Let's thread aware (but not actually threaded) code work with just libc. New POSIX xlocale implementation. Complete as long as you only use ASCII and UTF-8, as you should. Round and round it goes; when 6.2 stops, nobody knows. A peak at the future? *** Screencasting with OpenBSD (http://eradman.com/posts/screencasting.html) USB Audio Any USB microphone should appear as a new audio device. Here is the dmesg for my mic by ART: uaudio0 at uhub0 port 2 configuration 1 interface 0 "M-One USB" rev 1.10/0.01 addr 2 uaudio0: audio rev 1.00, 8 mixer controls audio1 at uaudio0 audioctl can read off all of the specific characterisitcs of this device $ audioctl -f /dev/audio1 | grep record mode=play,record record.rate=48000 record.channels=1 record.precision=16 record.bps=2 record.msb=1 record.encoding=slinear_le record.pause=0 record.active=0 record.block_size=1960 record.bytes=0 record.errors=0 Now test the recording from the second audio device using aucat(1) aucat -f rsnd/1 -o file.wav If the device also has a headset audio can be played through the same device. aucat -f rsnd/1 -i file.wav Screen Capture using Xvfb The rate at which a framebuffer for your video card is a feature of the hardware and software your using, and it's often very slow. x11vnc will print an estimate of the banwidth for the system your running. x11vnc ... 09/05/2012 22:23:45 fb read rate: 7 MB/sec This is about 4fps. We can do much better by using a virtual framebuffer. Here I'm setting up a new screen, setting the background color, starting cwm and an instance of xterm Xvfb :1 -screen 0 720x540x16 & DISPLAY=:1 xsetroot -solid steelblue & DISPLAY=:1 cwm & DISPLAY=:1 xterm +sb -fa Hermit -fs 14 & Much better! Now we're up around 20fps. x11vnc -display :1 & ... 11/05/2012 18:04:07 fb read rate: 168 MB/sec Make a connection to this virtual screen using raw encoding to eliminate time wasted on compression. vncviewer localhost -encodings raw A test recording with sound then looks like this ffmpeg -f sndio -i snd/1 -y -f x11grab -r 12 -s 800x600 -i :1.0 -vcodec ffv1 ~/out.avi Note: always stop the recording and playback using q, not Ctrl-C so that audio inputs are shut down properly. Screen Capture using Xephyr Xephyr is perhaps the easiest way to run X with a shadow framebuffer. This solution also avoids reading from the video card's RAM, so it's reasonably fast. Xephyr -ac -br -noreset -screen 800x600 :1 & DISPLAY=:1 xsetroot -solid steelblue & DISPLAY=:1 cwm & DISPLAY=:1 xrdb -load ~/.Xdefaults & DISPLAY=:1 xterm +sb -fa "Hermit" -fs 14 & Capture works in exactally the same way. This command tries to maintain 12fps. ffmpeg -f sndio -i snd/1 -y -f x11grab -r 12 -s 800x600 -i :1.0 -vcodec ffv1 -acodec copy ~/out.avi To capture keyboard and mouse input press Ctrl then Shift. This is very handy for using navigating a window manager in the nested X session. Arranging Windows I have sometimes found it helpful to launch applications and arrange them in a specific way. This will open up a web browser listing the current directory and position windows using xdotool DISPLAY=:1 midori "file:///pwd" & sleep 2 DISPLAY=:1 xdotool search --name "xterm" windowmove 0 0 DISPLAY=:1 xdotool search --class "midori" windowmove 400 0 DISPLAY=:1 xdotool search --class "midori" windowsize 400 576 This will position the window precisely so that it appears to be in a tmux window on the right. Audio/Video Sync If you find that the audio is way out of sync with the video, you can ajust the start using the -ss before the audio input to specify the number of seconds to delay. My final recording command line, that delays the audio by 0.5 seconds, writing 12fps ffmpeg -ss 0.5 -f sndio -i snd/1 -y -f x11grab -r 12 -s 800x600 -i :1.0 -vcodec ffv1 -acodec copy ~/out.avi Sharing a Terminal with tmux If you're trying to record a terminal session, tmux is able to share a session. In this way a recording of an X framebuffer can be taken without even using the screen. Start by creating the session. tmux -2 -S /tmp/tmux0 Then on the remote side connect on the same socket tmux -2 -S /tmp/tmux0 attach Taking Screenshots Grabbing a screenshots on Xvfb server is easily accomplished with ImageMagick's import command DISPLAY=:1 import -window root screenshot.png Audio Processing and Video Transcoding The first step is to ensure that the clip begins and ends where you'd like it to. The following will make a copy of the recording starting at time 00:00 and ending at 09:45 ffmpeg -i interactive-sql.avi -vcodec copy -acodec copy -ss 00:00:00 -t 00:09:45 interactive-sql-trimmed.avi mv interactive-sql-trimmed.avi interactive-sql.avi Setting the gain correctly is very important with an analog mixer, but if you're using a USB mic there may not be a gain option; simply record using it's built-in settings and then adjust the levels afterwards using a utility such as normalize. First extact the audio as a raw PCM file and then run normalize ffmpeg -i interactive-sql.avi -c:a copy -vn audio.wav normalize audio.wav Next merge the audio back in again ffmpeg -i interactive-sql.avi -i audio.wav -map 0:0 -map 1:0 -c copy interactive-sql-normalized.avi The final step is to compress the screencast for distribution. Encoding to VP8/Vorbis is easy: ffmpeg -i interactive-sql-normalized.avi -c:v libvpx -b:v 1M -c:a libvorbis -q:a 6 interactive-sql.webm H.264/AAC is tricky. For most video players the color space needs to be set to yuv420p. The -movflags puts the index data at the beginning of the file to enable streaming/partial content requests over HTTP: ffmpeg -y -i interactive-sql-normalized.avi -c:v libx264 -preset slow -crf 14 -pix_fmt yuv420p -movflags +faststart -c:a aac -q:a 6 interactive-sql.mp4 TrueOS @ Ohio Linuxfest '17! (https://www.trueos.org/blog/trueos-ohio-linuxfest-17/) Dru Lavigne and Ken Moore are both giving presentations on Saturday the 30th. Sit in and hear about new developments for the Lumina and FreeNAS projects. Ken is offering Lumina Rising: Challenging Desktop Orthodoxy at 10:15 am in Franklin A. Hear his thoughts about the ideas propelling desktop environment development and how Lumina, especially Lumina 2, is seeking to offer a new model of desktop architecture. Elements discussed include session security, application dependencies, message handling, and operating system integration. Dru is talking about What's New in FreeNAS 11 at 2:00 pm in Franklin D. She'll be providing an overview of some of the new features added in FreeNAS 11.0, including: Alert Services Starting specific services at boot time AD Monitoring to ensure the AD service restarts if disconnected A preview of the new user interface support for S3-compatible storage and the bhyve hypervisor She's also giving a sneak peek of FreeNAS 11.1, which has some neat features: A complete rewrite of the Jails/Plugins system as FreeNAS moves from warden to iocage Writing new plugins with just a few lines of code A brand new asynchronous middleware API Who's going? Attending this year are: Dru Lavigne (dlavigne): Dru leads the technical documentation team at iX, and contributes heavily to open source documentation projects like FreeBSD, FreeNAS, and TrueOS. Ken Moore (beanpole134): Ken is the lead developer of Lumina and a core contributor to TrueOS. He also works on a number of other Qt5 projects for iXsystems. J.T. Pennington (q5sys): Some of you may be familiar with his work on BSDNow, but J.T. also contributes to the TrueOS, Lumina, and SysAdm projects, helping out with development and general bug squashing. *** Beastie Bits Lumina Development Preview: Theme Engine (https://www.trueos.org/blog/lumina-development-preview-theme-engine/) It's happening! Official retro Thinkpad lappy spotted in the wild (https://www.theregister.co.uk/2017/09/04/retro_thinkpad_spotted_in_the_wild/) LLVM libFuzzer and SafeStack ported to NetBSD (https://blog.netbsd.org/tnf/entry/llvm_libfuzzer_and_safestack_ported) Remaining 2017 FreeBSD Events (https://www.freebsdfoundation.org/news-and-events/event-calendar/2017-openzfs-developer-summit/) *** Feedback/Questions Andrew - BSD Teaching Material (http://dpaste.com/0YTT0VP) Seth - Switching to Tarsnap after Crashplan becomes no more (http://dpaste.com/1SK92ZX#wrap) Thomas - Native encryption in ZFS (http://dpaste.com/02KD5FX#wrap) Coding Cowboy - Coding Cowboy - Passwords and clipboards (http://dpaste.com/31K0E40#wrap) ***

BSD Now
195: I don't WannaCry

BSD Now

Play Episode Listen Later May 24, 2017 75:15


A pledge of love to OpenBSD, combating ransomware like WannaCry with OpenZFS, and using PFsense to maximize your non-gigabit Internet connection This episode was brought to you by Headlines ino64 project committed to FreeBSD 12-CURRENT (https://svnweb.freebsd.org/base?view=revision&revision=318736) The ino64 project has been completed and merged into FreeBSD 12-CURRENT Extend the inot, devt, nlinkt types to 64-bit ints. Modify struct dirent layout to add doff, increase the size of dfileno to 64-bits, increase the size of dnamlen to 16-bits, and change the required alignment. Increase struct statfs fmntfromname[] and fmntonname[] array length MNAMELEN to 1024 This means the length of a mount point (MNAMELEN) has been increased from 88 byte to 1024 bytes. This allows longer ZFS dataset names and more nesting, and generally improves the usefulness of nested jails It also allow more than 4 billion files to be stored in a single file system (both UFS and ZFS). It also deals with a number of NFS problems, such as Amazon's EFS (cloud NFS), which uses 64 bit IDs even with small numbers of files. ABI breakage is mitigated by providing compatibility using versioned symbols, ingenious use of the existing padding in structures, and by employing other tricks. Unfortunately, not everything can be fixed, especially outside the base system. For instance, third-party APIs which pass struct stat around are broken in backward and forward incompatible ways. A bug in poudriere that may cause some packages to not rebuild is being fixed. Many packages like perl will need to be rebuilt after this change Update note: strictly follow the instructions in UPDATING. Build and install the new kernel with COMPAT_FREEBSD11 option enabled, then reboot, and only then install new world. So you need the new GENERIC kernel with the COMPAT_FREEBSD11 option, so that your old userland will work with the new kernel, and you need to build, install, and reboot onto the new kernel before attempting to install world. The usual process of installing both and then rebooting will NOT WORK Credits: The 64-bit inode project, also known as ino64, started life many years ago as a project by Gleb Kurtsou (gleb). Kirk McKusick (mckusick) then picked up and updated the patch, and acted as a flag-waver. Feedback, suggestions, and discussions were carried by Ed Maste (emaste), John Baldwin (jhb), Jilles Tjoelker (jilles), and Rick Macklem (rmacklem). Kris Moore (kmoore) performed an initial ports investigation followed by an exp-run by Antoine Brodin (antoine). Essential and all-embracing testing was done by Peter Holm (pho). The heavy lifting of coordinating all these efforts and bringing the project to completion were done by Konstantin Belousov (kib). Sponsored by: The FreeBSD Foundation (emaste, kib) Why I love OpenBSD (https://medium.com/@h3artbl33d/why-i-love-openbsd-ca760cf53941) Jeroen Janssen writes: I do love open source software. Oh boy, I really do love open source software. It's extendable, auditable, and customizable. What's not to love? I'm astonished by the idea that tens, hundreds, and sometimes even thousands of enthusiastic, passionate developers collaborate on an idea. Together, they make the world a better place, bit by bit. And this leads me to one of my favorite open source projects: the 22-year-old OpenBSD operating system. The origins of my love affair with OpenBSD From Linux to *BSD The advantages of OpenBSD It's extremely secure It's well documented It's open source > It's neat and clean My take on OpenBSD ** DO ** Combating WannaCry and Other Ransomware with OpenZFS Snapshots (https://www.ixsystems.com/blog/combating-ransomware/) Ransomware attacks that hold your data hostage using unauthorized data encryption are spreading rapidly and are particularly nefarious because they do not require any special access privileges to your data. A ransomware attack may be launched via a sophisticated software exploit as was the case with the recent “WannaCry” ransomware, but there is nothing stopping you from downloading and executing a malicious program that encrypts every file you have access to. If you fail to pay the ransom, the result will be indistinguishable from your simply deleting every file on your system. To make matters worse, ransomware authors are expanding their attacks to include just about any storage you have access to. The list is long, but includes network shares, Cloud services like DropBox, and even “shadow copies” of data that allow you to open previous versions of files. To make matters even worse, there is little that your operating system can do to prevent you or a program you run from encrypting files with ransomware just as it can't prevent you from deleting the files you own. Frequent backups are touted as one of the few effective strategies for recovering from ransomware attacks but it is critical that any backup be isolated from the attack to be immune from the same attack. Simply copying your files to a mounted disk on your computer or in the Cloud makes the backup vulnerable to infection by virtue of the fact that you are backing up using your regular permissions. If you can write to it, the ransomware can encrypt it. Like medical workers wearing hazmat suits for isolation when combating an epidemic, you need to isolate your backups from ransomware. OpenZFS snapshots to the rescue OpenZFS is the powerful file system at the heart of every storage system that iXsystems sells and of its many features, snapshots can provide fast and effective recovery from ransomware attacks at both the individual user and enterprise level as I talked about in 2015. As a copy-on-write file system, OpenZFS provides efficient and consistent snapshots of your data at any given point in time. Each snapshot only includes the precise delta of changes between any two points in time and can be cloned to provide writable copies of any previous state without losing the original copy. Snapshots also provide the basis of OpenZFS replication or backing up of your data to local and remote systems. Because an OpenZFS snapshot takes place at the block level of the file system, it is immune to any file-level encryption by ransomware that occurs over it. A carefully-planned snapshot, replication, retention, and restoration strategy can provide the low-level isolation you need to enable your storage infrastructure to quickly recover from ransomware attacks. OpenZFS snapshots in practice While OpenZFS is available on a number of desktop operating systems such as TrueOS and macOS, the most effective way to bring the benefits of OpenZFS snapshots to the largest number of users is with a network of iXsystems TrueNAS, FreeNAS Certified and FreeNAS Mini unified NAS and SAN storage systems. All of these can provide OpenZFS-backed SMB, NFS, AFP, and iSCSI file and block storage to the smallest workgroups up through the largest enterprises and TrueNAS offers available Fibre Channel for enterprise deployments. By sharing your data to your users using these file and block protocols, you can provide them with a storage infrastructure that can quickly recover from any ransomware attack thrown at it. To mitigate ransomware attacks against individual workstations, TrueNAS and FreeNAS can provide snapshotted storage to your VDI or virtualization solution of choice. Best of all, every iXsystems TrueNAS, FreeNAS Certified, and FreeNAS Mini system includes a consistent user interface and the ability to replicate between one another. This means that any topology of individual offices and campuses can exchange backup data to quickly mitigate ransomware attacks on your organization at all levels. Join us for a free webinar (http://www.onlinemeetingnow.com/register/?id=uegudsbc75) with iXsystems Co-Founder Matt Olander and learn more about why businesses everywhere are replacing their proprietary storage platforms with TrueNAS then email us at info@ixsystems.com or call 1-855-GREP-4-IX (1-855-473-7449), or 1-408-493-4100 (outside the US) to discuss your storage needs with one of our solutions architects. Interview - Michael W. Lucas - mwlucas@michaelwlucas.com (mailto:mwlucas@michaelwlucas.com) / @twitter (https://twitter.com/mwlauthor) Books, conferences, and how these two combine + BR: Welcome back. Tell us what you've been up to since the last time we interviewed you regarding books and such. + AJ: Tell us a little bit about relayd and what it can do. + BR: What other books do you have in the pipeline? + AJ: What are your criteria that qualifies a topic for a mastery book? + BR: Can you tell us a little bit about these writing workshops that you attend and what happens there? + AJ: Without spoiling too much: How did you come up with the idea for git commit murder? + BR: Speaking of BSDCan, can you tell the first timers about what to expect in the http://www.bsdcan.org/2017/schedule/events/890.en.html (Newcomers orientation and mentorship) session on Thursday? + AJ: Tell us about the new WIP session at BSDCan. Who had the idea and how much input did you get thus far? + BR: Have you ever thought about branching off into a new genre like children's books or medieval fantasy novels? + AJ: Is there anything else before we let you go? News Roundup Using LLDP on FreeBSD (https://tetragir.com/freebsd/networking/using-lldp-on-freebsd.html) LLDP, or Link Layer Discovery Protocol allows system administrators to easily map the network, eliminating the need to physically run the cables in a rack. LLDP is a protocol used to send and receive information about a neighboring device connected directly to a networking interface. It is similar to Cisco's CDP, Foundry's FDP, Nortel's SONMP, etc. It is a stateless protocol, meaning that an LLDP-enabled device sends advertisements even if the other side cannot do anything with it. In this guide the installation and configuration of the LLDP daemon on FreeBSD as well as on a Cisco switch will be introduced. If you are already familiar with Cisco's CDP, LLDP won't surprise you. It is built for the same purpose: to exchange device information between peers on a network. While CDP is a proprietary solution and can be used only on Cisco devices, LLDP is a standard: IEEE 802.3AB. Therefore it is implemented on many types of devices, such as switches, routers, various desktop operating systems, etc. LLDP helps a great deal in mapping the network topology, without spending hours in cabling cabinets to figure out which device is connected with which switchport. If LLDP is running on both the networking device and the server, it can show which port is connected where. Besides physical interfaces, LLDP can be used to exchange a lot more information, such as IP Address, hostname, etc. In order to use LLDP on FreeBSD, net-mgmt/lldpd has to be installed. It can be installed from ports using portmaster: #portmaster net-mgmt/lldpd Or from packages: #pkg install net-mgmt/lldpd By default lldpd sends and receives all the information it can gather , so it is advisable to limit what we will communicate with the neighboring device. The configuration file for lldpd is basically a list of commands as it is passed to lldpcli. Create a file named lldpd.conf under /usr/local/etc/ The following configuration gives an example of how lldpd can be configured. For a full list of options, see %man lldpcli To check what is configured locally, run #lldpcli show chassis detail To see the neighbors run #lldpcli show neighbors details Check out the rest of the article about enabling LLDP on a Cisco switch experiments with prepledge (http://www.tedunangst.com/flak/post/experiments-with-prepledge) Ted Unangst takes a crack at a system similar to the one being designed for Capsicum, Oblivious Sandboxing (See the presentation at BSDCan), where the application doesn't even know it is in the sandbox MP3 is officially dead, so I figure I should listen to my collection one last time before it vanishes entirely. The provenance of some of these files is a little suspect however, and since I know one shouldn't open files from strangers, I'd like to take some precautions against malicious malarkey. This would be a good use for pledge, perhaps, if we can get it working. At the same time, an occasional feature request for pledge is the ability to specify restrictions before running a program. Given some untrusted program, wrap its execution in a pledge like environment. There are other system call sandbox mechanisms that can do this (systrace was one), but pledge is quite deliberately designed not to support this. But maybe we can bend it to our will. Our pledge wrapper can't be an external program. This leaves us with the option of injecting the wrapper into the target program via LD_PRELOAD. Before main even runs, we'll initialize what needs initializing, then lock things down with a tight pledge set. Our eventual target will be ffplay, but hopefully the design will permit some flexibility and reuse. So the new code is injected to override the open syscall, and reads a list of files from an environment variable. Those files are opened and the path and file descriptor are put into a linked list, and then pledge is used to restrict further access to the file system. The replacement open call now searches just that linked list, returning the already opened file descriptors. So as long as your application only tries to open files that you have preopened, it can function without modification within the sandbox. Or at least that is the goal... ffplay tries to dlopen() some things, and because of the way dlopen() works, it doesn't go via the libc open() wrapper, so it doesn't get overridden ffplay also tries to call a few ioctl's, not allowed After stubbing both of those out, it still doesn't work and it is just getting worse Ted switches to a new strategy, using ffmpeg to convert the .mp3 to a .wav file and then just cat it to /dev/audio A few more stubs for ffmpeg, including access(), and adding tty access to the list of pledges, and it finally works This point has been made from the early days, but I think this exercise reinforces it, that pledge works best with programs where you understand what the program is doing. A generic pledge wrapper isn't of much use because the program is going to do something unexpected and you're going to have a hard time wrangling it into submission. Software is too complex. What in the world is ffplay doing? Even if I were working with the source, how long would it take to rearrange the program into something that could be pledged? One can try using another program, but I would wager that as far as multiformat media players go, ffplay is actually on the lower end of the complexity spectrum. Most of the trouble comes from using SDL as an abstraction layer, which performs a bunch of console operations. On the flip side, all of this early init code is probably the right design. Once SDL finally gets its screen handle setup, we could apply pledge and sandbox the actual media decoder. That would be the right way to things. Is pledge too limiting? Perhaps, but that's what I want. I could have just kept adding permissions until ffplay had full access to my X socket, but what kind of sandbox is that? I don't want naughty MP3s scraping my screen and spying on my keystrokes. The sandbox I created had all the capabilities one needs to convert an MP3 to audible sound, but the tool I wanted to use wasn't designed to work in that environment. And in its defense, these were new post hoc requirements. Other programs, even sed, suffer from less than ideal pledge sets as well. The best summary might be to say that pledge is designed for tomorrow's programs, not yesterday's (and vice versa). There were a few things I could have done better. In particular, I gave up getting audio to work, even though there's a nice description of how to work with pledge in the sio_open manual. Alas, even going back and with a bit more effort I still haven't succeeded. The requirements to use libsndio are more permissive than I might prefer. How I Maximized the Speed of My Non-Gigabit Internet Connection (https://medium.com/speedtest-by-ookla/engineer-maximizes-internet-speed-story-c3ec0e86f37a) We have a new post from Brennen Smith, who is the Lead Systems Engineer at Ookla, the company that runs Speedtest.net, explaining how he used pfSense to maximize his internet connection I spend my time wrangling servers and internet infrastructure. My daily goals range from designing high performance applications supporting millions of users and testing the fastest internet connections in the world, to squeezing microseconds from our stack —so at home, I strive to make sure that my personal internet performance is running as fast as possible. I live in an area with a DOCSIS ISP that does not provide symmetrical gigabit internet — my download and upload speeds are not equal. Instead, I have an asymmetrical plan with 200 Mbps download and 10 Mbps upload — this nuance considerably impacted my network design because asymmetrical service can more easily lead to bufferbloat. We will cover bufferbloat in a later article, but in a nutshell, it's an issue that arises when an upstream network device's buffers are saturated during an upload. This causes immense network congestion, latency to rise above 2,000 ms., and overall poor quality of internet. The solution is to shape the outbound traffic to a speed just under the sending maximum of the upstream device, so that its buffers don't fill up. My ISP is notorious for having bufferbloat issues due to the low upload performance, and it's an issue prevalent even on their provided routers. They walk through a list of router devices you might consider, and what speeds they are capable of handling, but ultimately ended up using a generic low power x86 machine running pfSense 2.3 In my research and testing, I also evaluated IPCop, VyOS, OPNSense, Sophos UTM, RouterOS, OpenWRT x86, and Alpine Linux to serve as the base operating system, but none were as well supported and full featured as PFSense. The main setting to look at is the traffic shaping of uploads, to keep the pipe from getting saturated and having a large buffer build up in the modem and further upstream. This build up is what increases the latency of the connection As with any experiment, any conclusions need to be backed with data. To validate the network was performing smoothly under heavy load, I performed the following experiment: + Ran a ping6 against speedtest.net to measure latency. + Turned off QoS to simulate a “normal router”. + Started multiple simultaneous outbound TCP and UDP streams to saturate my outbound link. + Turned on QoS to the above settings and repeated steps 2 and 3. As you can see from the plot below, without QoS, my connection latency increased by ~1,235%. However with QoS enabled, the connection stayed stable during the upload and I wasn't able to determine a statistically significant delta. That's how I maximized the speed on my non-gigabit internet connection. What have you done with your network? FreeBSD on 11″ MacBook Air (https://www.geeklan.co.uk/?p=2214) Sevan Janiyan writes in his tech blog about his experiences running FreeBSD on an 11'' MacBook Air This tiny machine has been with me for a few years now, It has mostly run OS X though I have tried OpenBSD on it (https://www.geeklan.co.uk/?p=1283). Besides the screen resolution I'm still really happy with it, hardware wise. Software wise, not so much. I use an external disk containing a zpool with my data on it. Among this data are several source trees. CVS on a ZFS filesystem on OS X is painfully slow. I dislike that builds running inside Terminal.app are slow at the expense of a responsive UI. The system seems fragile, at the slightest push the machine will either hang or become unresponsive. Buggy serial drivers which do not implement the break signal and cause instability are frustrating. Last week whilst working on Rump kernel (http://rumpkernel.org/) builds I introduced some new build issues in the process of fixing others, I needed to pick up new changes from CVS by updating my copy of the source tree and run builds to test if issues were still present. I was let down on both counts, it took ages to update source and in the process of cross compiling a NetBSD/evbmips64-el release, the system locked hard. That was it, time to look what was possible elsewhere. While I have been using OS X for many years, I'm not tied to anything exclusive on it, maybe tweetbot, perhaps, but that's it. On the BSDnow podcast they've been covering changes coming in to TrueOS (formerly PC-BSD – a desktop focused distro based on FreeBSD), their experiments seemed interesting, the project now tracks FreeBSD-CURRENT, they've replaced rcng with OpenRC as the init system and it comes with a pre-configured desktop environment, using their own window manager (Lumina). Booting the USB flash image it made it to X11 without any issue. The dock has a widget which states the detected features, no wifi (Broadcom), sound card detected and screen resolution set to 1366×768. I planned to give it a try on the weekend. Friday, I made backups and wiped the system. TrueOS installed without issue, after a short while I had a working desktop, resuming from sleep worked out of the box. I didn't spend long testing TrueOS, switching out NetBSD-HEAD only to realise that I really need ZFS so while I was testing things out, might as well give stock FreeBSD 11-STABLE a try (TrueOS was based on -CURRENT). Turns out sleep doesn't work yet but sound does work out of the box and with a few invocations of pkg(8) I had xorg, dwm, firefox, CVS and virtuabox-ose installed from binary packages. VirtualBox seems to cause the system to panic (bug 219276) but I should be able to survive without my virtual machines over the next few days as I settle in. I'm considering ditching VirtualBox and converting the vdi files to raw images so that they can be written to a new zvol for use with bhyve. As my default keyboard layout is Dvorak, OS X set the EFI settings to this layout. The first time I installed FreeBSD 11-STABLE, I opted for full disk encryption but ran into this odd issue where on boot the keyboard layout was Dvorak and password was accepted, the system would boot and as it went to mount the various filesystems it would switch back to QWERTY. I tried entering my password with both layout but wasn't able to progress any further, no bug report yet as I haven't ruled myself out as the problem. Thunderbolt gigabit adapter –bge(4) (https://www.freebsd.org/cgi/man.cgi?query=bge) and DVI adapter both worked on FreeBSD though the gigabit adapter needs to be plugged in at boot to be detected. The trackpad bind to wsp(4) (https://www.freebsd.org/cgi/man.cgi?query=wsp), left, right and middle clicks are available through single, double and tripple finger tap. Sound card binds to snd_hda(4) (https://www.freebsd.org/cgi/man.cgi?query=snd_hda) and works out of the box. For wifi I'm using a urtw(4) (https://www.freebsd.org/cgi/man.cgi?query=urtw) Alfa adapter which is a bit on the large side but works very reliably. A copy of the dmesg (https://www.geeklan.co.uk/files/macbookair/freebsd-dmesg.txt) is here. Beastie Bits OPNsense - call-for-testing for SafeStack (https://forum.opnsense.org/index.php?topic=5200.0) BSD 4.4: cat (https://www.rewritinghistorycasts.com/screencasts/bsd-4.4:-cat) Continuous Unix commit history from 1970 until today (https://github.com/dspinellis/unix-history-repo) Update on Unix Architecture Evolution Diagrams (https://www.spinellis.gr/blog/20170510/) “Relayd and Httpd Mastery” is out! (https://blather.michaelwlucas.com/archives/2951) Triangle BSD User Group Meeting -- libxo (https://www.meetup.com/Triangle-BSD-Users-Group/events/240247251/) *** Feedback/Questions Carlos - ASUS Tinkerboard (http://dpaste.com/1GJHPNY#wrap) James - Firewall question (http://dpaste.com/0QCW933#wrap) Adam - ZFS books (http://dpaste.com/0GMG5M2#wrap) David - Managing zvols (http://dpaste.com/2GP8H1E#wrap) ***

BSD Now
170: Sandboxing Cohabitation

BSD Now

Play Episode Listen Later Nov 30, 2016 76:24


This week on the show, we've got some new info on the talks from EuroBSDCon, a look at sharing a single ZFS pool between Linux and BSD, Sandboxing and much more! Stay tuned for your place to B...SD! This episode was brought to you by Headlines EuroBSDcon 2016 Presentation Slides (https://2016.eurobsdcon.org/PresentationSlides/) Due to circumstances beyond the control of the organizers of EuroBSDCon, there were not recordings of the talks given at the event. However, they have collected the slide decks from each of the speakers and assembled them on this page for you Also, we have some stuff from MeetBSD already: Youtube Playlist (https://www.youtube.com/playlist?list=PLb87fdKUIo8TAMC2HJLZ7H54edD2BeGWv) Not all of the sessions are posted yet, but the rest should appear shortly MeetBSD 2016 Trip Report: Domagoj Stolfa (https://www.freebsdfoundation.org/blog/meetbsd-2016-trip-report-domagoj-stolfa/) *** Cohabiting FreeBSD and Gentoo Linux on a Common ZFS Volume (https://ericmccorkleblog.wordpress.com/2016/11/15/cohabiting-freebsd-and-gentoo-linux-on-a-common-zfs-volume/) Eric McCorkle, who has contributed ZFS support to the FreeBSD EFI boot-loader code has posted an in-depth look at how he's setup dual-boot with FreeBSD and Gentoo on the same ZFS volume. He starts by giving us some background on how the layout is done. First up, GRUB is used as the boot-loader, allowing boot of both Linux and BSD The next non-typical thing was using /etc/fstab to manage mount-points, instead of the typical ‘zfs mount' usage, (apart from /home datasets) data/home is mounted to /home, with all of its child datasets using the ZFS mountpoint system data/freebsd and its child datasets house the FreeBSD system, and all have their mountpoints set to legacy data/gentoo and its child datasets house the Gentoo system, and have their mountpoints set to legacy as well So, how did he set this up? He helpfully provides an overview of the steps: Use the FreeBSD installer to create the GPT and ZFS pool Install and configure FreeBSD, with the native FreeBSD boot loader Boot into FreeBSD, create the Gentoo Linux datasets, install GRUB Boot into the Gentoo Linux installer, install Gentoo Boot into Gentoo, finish any configuration tasks The rest of the article walks us through the individual commands that make up each of those steps, as well as how to craft a GRUB config file capable of booting both systems. Personally, since we are using EFI, I would have installed rEFInd, and chain-loaded each systems EFI boot code from there, allowing the use of the BSD loader, but to each their own! HardenedBSD introduces Safestack into base (https://hardenedbsd.org/article/shawn-webb/2016-11-27/introducing-safestack) HardenedBSD has integrated SafeStack into its base system and ports tree SafeStack (http://clang.llvm.org/docs/SafeStack.html) is part of the Code Pointer Integrity (CPI) project within clang. “SafeStack is an instrumentation pass that protects programs against attacks based on stack buffer overflows, without introducing any measurable performance overhead. It works by separating the program stack into two distinct regions: the safe stack and the unsafe stack. The safe stack stores return addresses, register spills, and local variables that are always accessed in a safe way, while the unsafe stack stores everything else. This separation ensures that buffer overflows on the unsafe stack cannot be used to overwrite anything on the safe stack.” “As of 28 November 2016, with clang 3.9.0, SafeStack only supports being applied to applications and not shared libraries. Multiple patches have been submitted to clang by third parties to add support for shared libraries.” SafeStack is only enabled on AMD64 *** pledge(2)… or, how I learned to love web application sandboxing (https://learnbchs.org/pledge.html) We've talked about OpenBSD's sandboxing mechanism pledge() in the past, but today we have a great article by Kristaps Dzonsons, about how he grew to love it for Web Sandboxing. +First up, he gives us his opening argument that should make most of you sit up and listen: I use application-level sandboxing a lot because I make mistakes a lot; and when writing web applications, the price of making mistakes is very dear. In the early 2000s, that meant using systrace(4) on OpenBSD and NetBSD. Then it was seccomp(2) (followed by libseccomp(3)) on Linux. Then there was capsicum(4) on FreeBSD and sandbox_init(3) on Mac OS X. All of these systems are invoked differently; and for the most part, whenever it came time to interface with one of them, I longed for sweet release from the nightmare. Please, try reading seccomp(2). To the end. Aligning web application logic and security policy would require an arduous (and usually trial-and-error or worse, copy-and-paste) process. If there was any process at all — if the burden of writing a policy didn't cause me to abandon sandboxing at the start. And then there was pledge(2). This document is about pledge(2) and why you should use it and love it. “ +Not convinced yet? Maybe you should take his challenge: Let's play a drinking game. The challenge is to stay out of the hospital. 1.Navigate to seccomp(2). 2. Read it to the end. 3. Drink every time you don't understand. For capsicum(4), the challenge is no less difficult. To see these in action, navigate no further than OpenSSH, which interfaces with these sandboxes: sandbox-seccomp-filter.c or sandbox-capsicum.c. (For a history lesson, you can even see sandbox-systrace.c.) Keep in mind that these do little more than restrict resources to open descriptors and the usual necessities of memory, signals, timing, etc. Keep that in mind and be horrified. “ Now Kristaps has his theory on why these are so difficult (NS..), but perhaps there is a better way. He makes the case that pledge() sits right in that sweet-spot, being powerful enough to be useful, but easy enough to implement that developers might actually use it. All in all, a nice read, check it out! Would love to hear other developer success stories using pledge() as well. *** News Roundup Unix history repository, now on GitHub (http://www.osnews.com/story/29513/Unix_history_repository_now_on_GitHub) OS News has an interesting tidbit on their site today, about the entire commit history of Unix now being available online, starting all the way back in 1970 and bringing us forward to today. From the README The history and evolution of the Unix operating system is made available as a revision management repository, covering the period from its inception in 1970 as a 2.5 thousand line kernel and 26 commands, to 2016 as a widely-used 27 million line system. The 1.1GB repository contains about half a million commits and more than two thousand merges. The repository employs Git system for its storage and is hosted on GitHub. It has been created by synthesizing with custom software 24 snapshots of systems developed at Bell Labs, the University of California at Berkeley, and the 386BSD team, two legacy repositories, and the modern repository of the open source FreeBSD system. In total, about one thousand individual contributors are identified, the early ones through primary research. The data set can be used for empirical research in software engineering, information systems, and software archaeology. This is a fascinating find, especially will be of value to students and historians who wish to look back in time to see how UNIX evolved, and in this repo ultimately turned into modern FreeBSD. *** Yandex commits improvements to FreeBSD network stack (https://reviews.freebsd.org/D8526) “Rework ip_tryforward() to use FIB4 KPI.” This commit brings some code from the experimental routing branch into head As you can see from the graphs, it offers some sizable improvements in forwarding and firewalled packets per second commit (https://svnweb.freebsd.org/base?view=revision&revision=309257) *** The brief history of Unix socket multiplexing – select(2) system call (https://idea.popcount.org/2016-11-01-a-brief-history-of-select2/) Ever wondered about the details of socket multiplexing, aka the history of select(2)? Well Marek today gives a treat, with a quick look back at the history that made today's modern multiplexing possible. First, his article starts the way all good ones do, presenting the problem in silent-movie form: In mid-1960's time sharing was still a recent invention. Compared to a previous paradigm - batch-processing - time sharing was truly revolutionary. It greatly reduced the time wasted between writing a program and getting its result. Batch-processing meant hours and hours of waiting often to only see a program error. See this film to better understand the problems of 1960's programmers: "The trials and tribulations of batch processing". Enter the wild world of the 1970's, and we've now reached the birth of UNIX which tried to solve the batch processing problem with time-sharing. These days when a program was executed, it could "stall" (block) only on a couple of things1: + wait for CPU + wait for disk I/O + wait for user input (waiting for a shell command) or console (printing data too fast)“ Jump forward another dozen years or so, and the world changes yet again: This all changed in 1983 with the release of 4.2BSD. This revision introduced an early implementation of a TCP/IP stack and most importantly - the BSD Sockets API.Although today we take the BSD sockets API for granted, it wasn't obvious it was the right API. STREAMS were a competing API design on System V Revision 3. Coming in along with the sockets API was the select(2) call, which our very own Kirk McKusick gives us some background on: Select was introduced to allow applications to multiplex their I/O. Consider a simple application like a remote login. It has descriptors for reading from and writing to the terminal and a descriptor for the (bidirectional) socket. It needs to read from the terminal keyboard and write those characters to the socket. It also needs to read from the socket and write to the terminal. Reading from a descriptor that has nothing queued causes the application to block until data arrives. The application does not know whether to read from the terminal or the socket and if it guesses wrong will incorrectly block. So select was added to let it find out which descriptor had data ready to read. If neither, select blocks until data arrives on one descriptor and then awakens telling which descriptor has data to read. [...] Non-blocking was added at the same time as select. But using non-blocking when reading descriptors does not work well. Do you go into an infinite loop trying to read each of your input descriptors? If not, do you pause after each pass and if so for how long to remain responsive to input? Select is just far more efficient. Select also lets you create a single inetd daemon rather than having to have a separate daemon for every service. The article then wraps up with an interesting conclusion: > CSP = Communicating sequential processes In this discussion I was afraid to phrase the core question. Were Unix processes intended to be CSP-style processes? Are file descriptors a CSP-derived "channels"? Is select equivalent to ALT statement? I think: no. Even if there are design similarities, they are accidental. The file-descriptor abstractions were developed well before the original CSP paper. It seems that an operating socket API's evolved totally disconnected from the userspace CSP-alike programming paradigms. It's a pity though. It would be interesting to see an operating system coherent with the programming paradigms of the user land programs. A long (but good) read, and worth your time if you are interested in the history how modern multiplexing came to be. *** How to start CLion on FreeBSD? (https://intellij-support.jetbrains.com/hc/en-us/articles/206525024-How-to-start-CLion-on-FreeBSD) CLion (pronounced "sea lion") is a cross-platform C and C++ IDE By default, the Linux version comes bundled with some binaries, which obviously won't work with the native FreeBSD build Rather than using Linux emulation, you can replace these components with native versions pkg install openjdk8 cmake gdb Edit clion-2016.3/bin/idea.properties and change run.processes.with.pty=false Start CLion and open Settings | Build, Execution, Deployment | Toolchains Specify CMake path: /usr/local/bin/cmake and GDB path: /usr/local/bin/gdb Without a replacement for fsnotifier, you will get a warning that the IDE may be slow to detect changes to files on disk But, someone has already written a version of fsnotifier that works on FreeBSD and OpenBSD fsnotifier for OpenBSD and FreeBSD (https://github.com/idea4bsd/fsnotifier) -- The fsnotifier is used by IntelliJ for detecting file changes. This version supports FreeBSD and OpenBSD via libinotify and is a replacement for the bundled Linux-only version coming with the IntelliJ IDEA Community Edition. *** Beastie Bits TrueOS Pico – FreeBSD ARM/RPi Thin Clients (https://www.trueos.org/trueos-pico/) A Puppet package provider for FreeBSD's PkgNG package manager. (https://github.com/xaque208/puppet-pkgng) Notes from November London *BSD meetup (http://mailman.uk.freebsd.org/pipermail/ukfreebsd/2016-November/014059.html) SemiBug meeting on Dec 20th (http://lists.nycbug.org/pipermail/semibug/2016-November/000131.html) Feedback/Questions Erno - SSH without password (http://pastebin.com/SMvxur9v) Jonathan - Magical ZFS (http://pastebin.com/5ETL7nmj) George - TrueOS (http://pastebin.com/tSVvaV9e) Mohammad - Jails IP (http://pastebin.com/T8nUexd1) Gibheer - BEs (http://pastebin.com/YssXXp70) ***