NYCBSDCon 2005

September 7, 2005

In the mail yesterday; it pretty much speaks for itself:

> (REMINDER: There is no monthly September meeting at the Apple Store this month due to NYCBSDCon.)
>
> Speakers and topics are now set for NYCBSDCon 2005 to be held at Columbia University in Manhattan on September 17th 2005.
>
> The speaker list is impressive. Scheduled speakers and topics include:
>
> Jason Dixon will speak on “Failover Firewalls with OpenBSD and CARP”
>
> Jeffrey Hsu of DragonFlyBSD will cover the “History, Goals, Objectives, and Structure of DragonFlyBSD”
>
> Dru Lavigne will provide an update on BSD Certification.org
>
> Michael Lucas will speak on “Network Management Tools to Make your Boss your Willing Slave”
>
> Marshall Kirk McKusick will address “Enhancements to the Fast Filesystem to Support Multi-Terabyte Storage Systems”
>
> Bruce Momjian will enchant attendees with “PostgreSQL in BSD Land”
>
> Phillip Moore will cover “Practical Enterprise Scalability: Case Studies of Infrastructure Software Deployed in Production”
>
> Already registered attendees include dozens of developers, systems administrators and end-users of the BSD operating systems. Besides the well-known speakers at the event, NYCBSDCon 2005 will also be an excellent opportunity for networking with others in the BSD community.
>
> NYCBSDCon registration is open online until September 10th at http://www.nycbsdcon.org.
>
> Registration by September 10th is only $20, payable during the morning of the conference. Onsite registration is $40. As the conference fee is quite low, only cash will be accepted.
>
> A light continental breakfast will be provided throughout the morning, while snacks and beverages will be available during the afternoon.
>
> After the conference concludes at around 5:30 pm, attendees will meet at the West End bar, in a back room reserved for the conference, just across Broadway from Columbia University. The after-party is sponsored by OrgCom, the entity that held last year’s New York Technical Community Holiday Party.
>
> Sponsors, besides the hosting technical user group NYC*BUG, include USENIX and New York Internet.

If only Michael Lucas were going to open things out a bit more…


Big News for OpenBSD

August 23, 2005

Theo de Raadt publicly announced yesterday that the 3.8 release will make possibly the biggest change in the changelog to date: they’re reconfiguring malloc(3):

> This release will bring a lot of new ideas from us. One of them in particular is somewhat risky. I think it is time to talk about that one, and let people know what is ahead on our road.
>
> Traditionally, Unix malloc(3) has always just “extended the brk”, which means extending the traditional Unix process data segment to allocate more memory. malloc(3) would simply extend the data segment, and then calve off little pieces to requesting callers as needed. It also remembered which pieces were which, so that free(3) could do its job.
>
> The way this was always done in Unix has had a number of consequences, some of which we wanted to get rid of. In particular, malloc & free have not been able to provide strong protection against overflows or other corruption.
>
> Our malloc implementation is a lot more resistant (than Linux) to “heap overflows in the malloc arena”, but we wanted to improve things even more.
>
> Starting a few months ago, the following changes were made:
>
> – We made the mmap(2) system call return random memory addresses. As well the kernel ensures that two objects are not mapped next to each other; in effect, this creates unallocated memory which we call a “guard page”.
>
> – We have changed malloc(3) to use mmap(2) instead of extending the data segment via brk()
>
> – We also changed free(3) to return memory to the kernel, un-allocating them out of the process.
>
> – As before, objects smaller than a page are allocated within shared pages that malloc(3) maintains. But their allocation is now somewhat randomized as well.
>
> – A number of other similar changes which are too dangerous for normal software or cause too much of a slowdown are available as malloc options as described in the manual page. These are very powerful for debugging buggy applications.

Sounds good, and hopefully others will follow OpenBSD’s lead here. The new malloc configuration should make a whole class of heap overflows far harder to exploit: an overrun that used to quietly trample the next chunk now runs into an unmapped guard page, and the randomized placement takes away the predictable layout an exploit depends on.

Here’s the catch, though: if your code has an overflow or overread, even one that isn’t particularly dangerous, it will break under 3.8:

> – When you free an object that is >= 1 page in size, it is actually returned to the system. Attempting to read or write to it after you free is no longer acceptable. That memory is unmapped. You get a SIGSEGV.
>
> – For a decade and a bit, we have been fixing software for buffer overflows. Now we are finding a lot of software that reads before the start of the buffer, or reads too far off the end of the buffer. You get a SIGSEGV.

This has the potential to cause growing pains for a lot of people. If all goes according to plan, though, everyone wins with this setup: OpenBSD itself is stronger, and programmers will be forced to rewrite offending code in ways that make it more stable and secure for everyone. For most big projects, the OpenBSD porters are undoubtedly already submitting patches back to the main development trees.
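The behaviour Theo describes is easy to reproduce in a few lines of C. What follows is an added example and not OpenBSD’s malloc: a per-object mmap(2) allocator that places the object directly below a PROT_NONE guard page and returns the whole region with munmap(2) on free, plus a probe that turns the resulting SIGSEGV into a return value so the three cases (last in-bounds byte, one byte past the end, read after free) can be checked in one run. The names guarded_alloc, guarded_free, read_faults and demo are this example’s own, and the 100-byte buffer is constructed input.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Added example, not OpenBSD's allocator: one mmap(2) region per object,
 * the object pushed up against a PROT_NONE guard page so the first byte
 * past the end is unreadable, and munmap(2) on free so that any later
 * access to the object faults. */

static size_t page_size(void)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ps > 0 ? (size_t)ps : 4096;
}

/* Usable bytes rounded up to whole pages. */
static size_t data_bytes(size_t len)
{
    size_t ps = page_size();
    return (len + ps - 1) / ps * ps;
}

/* Returns a pointer to len usable bytes, or NULL on failure. */
void *guarded_alloc(size_t len)
{
    size_t ps = page_size(), data = data_bytes(len);
    if (len == 0 || data < len)         /* zero length or size overflow */
        return NULL;
    unsigned char *base = mmap(NULL, data + ps, PROT_READ | PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    /* The last page of the mapping becomes the guard page. */
    if (mprotect(base + data, ps, PROT_NONE) != 0) {
        munmap(base, data + ps);
        return NULL;
    }
    /* Put the object at the top of the writable area, so that p[len] is the
     * first byte of the guard page (alignment traded for overrun detection). */
    return base + (data - len);
}

/* Returns the whole region to the kernel; the caller passes the original
 * length because the layout is recomputed from it. */
void guarded_free(void *p, size_t len)
{
    size_t data = data_bytes(len);
    unsigned char *base = (unsigned char *)p + len - data;
    munmap(base, data + page_size());
}

/* Probe: 1 if reading *p raises SIGSEGV/SIGBUS, 0 if the read succeeds.
 * sigsetjmp/siglongjmp turn the fatal signal into a return value. */
static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

int read_faults(const volatile unsigned char *p)
{
    struct sigaction sa, old_segv, old_bus;
    volatile int faulted = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char sink = *p;   /* the probed access */
        (void)sink;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Exercises the cases the post warns about. Returns a bitmask:
 * 1 = last in-bounds byte readable, 2 = one byte past the end faults,
 * 4 = reading the object after free faults. All three together: 7. */
int demo(void)
{
    size_t len = 100;                       /* constructed test object */
    unsigned char *buf = guarded_alloc(len);
    int result = 0;

    if (buf == NULL)
        return -1;
    memset(buf, 'A', len);
    if (!read_faults(buf + len - 1))
        result |= 1;
    if (read_faults(buf + len))             /* the overread: guard page */
        result |= 2;
    guarded_free(buf, len);
    if (read_faults(buf))                   /* use after free: unmapped */
        result |= 4;
    return result;
}

int main(void)
{
    int r = demo();
    printf("in-bounds read ok: %d, overread faults: %d, use-after-free faults: %d\n",
        r & 1, !!(r & 2), !!(r & 4));
    return r == 7 ? 0 : 1;
}
```

Build with `cc -o guard guard.c` and run it; both the one-byte overread and the read after free fault, where a brk-based malloc would have handed back neighbouring or stale bytes. Reads before the start of the buffer, the other case Theo mentions, are not caught by this layout (that would need a second guard page per object); OpenBSD relies on randomized placement to flush those out.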

OpenNTPD 3.7 Released

June 8, 2005

Just received from Henning Brauer on openbsd-announce:

> OpenNTPD 3.7 has just been released. It will be available from the mirrors listed at http://www.openntpd.org/ shortly. This is our third formal release.
>
> OpenNTPD is a FREE, easy to use implementation of the Network Time Protocol. It provides the ability to sync the local clock to remote NTP servers and can act as NTP server itself, redistributing the local clock.
>
> OpenNTPD is developed as part of the OpenBSD project

OpenSSH 4.1 Released

May 26, 2005

Latest news from the hackathon: OpenSSH 4.1 has been officially released. Damien (djm@) just sent the email:

> OpenSSH 4.1 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

> OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.

> Changes since OpenSSH 4.0:

> `============================`

> * This is a bugfix release, no new features have been added. Some notable fixes are:

> – Fix segfault when using forwardings configured in ssh_config(5) and ClearAllForwardings (bugzilla #996).

> – Limit input buffer size for channels. A peer could send more data than the buffer code was willing to accept. This would cause OpenSSH to abort the connection (bugzilla #896).

> * Several improvements to the regression tests

> * Portable OpenSSH:

> – OpenSSH will now always normalise IPv4 in IPv6 mapped addresses back to IPv4 addresses. This means that IPv4 addresses in log messages on IPv6 enabled machines will no longer be prefixed by “::ffff:” and AllowUsers, DenyUsers, AllowGroups, DenyGroups will match IPv4-style addresses only for 4-in-6 mapped connections. This ensures a consistent representation of IPv4 addresses regardless of whether or not the machine is IPv6 enabled.

> * Other bugfixes, including bugzilla #950, #997, #998, #999, #1005, #1006, #1024, and #1038
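The 4-in-6 normalisation in the portable changes above matters for access control: a connection logged as “::ffff:192.0.2.1” and an AllowUsers entry written as “192.0.2.1” are the same peer, and a check that compares the strings as-is will disagree. The following is an added example, not OpenSSH’s code, of the canonicalisation step: a mapped address is rewritten as plain IPv4 and anything else passes through unchanged. normalize_addr and addr_allowed are this example’s names, and addr_allowed uses exact matching where OpenSSH uses its wildcard patterns; the addresses are constructed documentation-range samples.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSH's code: render a 4-in-6 mapped address
 * ("::ffff:192.0.2.1") as the plain IPv4 address ("192.0.2.1"). Any other
 * input is copied through. Returns out, or NULL if out is too small. */
const char *normalize_addr(const char *in, char *out, size_t outlen)
{
    struct in6_addr a6;

    if (inet_pton(AF_INET6, in, &a6) == 1 && IN6_IS_ADDR_V4MAPPED(&a6)) {
        struct in_addr a4;
        /* The IPv4 address is the low 32 bits of the mapped address. */
        memcpy(&a4, &a6.s6_addr[12], sizeof a4);
        return inet_ntop(AF_INET, &a4, out, outlen);
    }
    if (strlen(in) >= outlen)
        return NULL;
    strcpy(out, in);
    return out;
}

/* Exact-match access check on the normalised address, standing in for the
 * host part of AllowUsers/DenyUsers (OpenSSH matches patterns with
 * wildcards; exact match keeps the example short). */
int addr_allowed(const char *peer, const char *allowed)
{
    char buf[INET6_ADDRSTRLEN];

    if (normalize_addr(peer, buf, sizeof buf) == NULL)
        return 0;
    return strcmp(buf, allowed) == 0;
}

int main(void)
{
    /* Constructed sample peers: a mapped IPv4, a plain IPv4, a plain IPv6. */
    const char *peers[] = { "::ffff:192.0.2.1", "192.0.2.1", "2001:db8::1" };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof peers / sizeof peers[0]; i++) {
        const char *n = normalize_addr(peers[i], buf, sizeof buf);
        printf("%-18s -> %-12s allowed for 192.0.2.1: %s\n", peers[i],
            n ? n : "(error)",
            addr_allowed(peers[i], "192.0.2.1") ? "yes" : "no");
    }
    return 0;
}
```

Without the normalisation step the first peer would be refused by an IPv4-only allow list on a dual-stack host and admitted by one written in the mapped form, which is exactly the inconsistency the release note describes.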

To get back a little more into tech content:

If you’re like me, you spend a lot of time with a lot of xterms open: local session, ssh sessions, database connections, you name it. Keeping track of all those windows can get confusing, especially if you aren’t always at the same physical console. Different window managers, shells and OSs all support different naming conventions, and it’s easy to forget which window is which. Most admins and “power users” have some tricks to help them deal with the mess. The problem is that these solutions are almost always shell or OS dependent: bash scripts that set KDE window titles, csh scripts that query `/proc` for process information. That’s how I started out, too: with a bash script called `tl` that I picked up somewhere. I have no idea, now, what “tl” stands for (“terminal load”?), but it’s a useful little program. It cats `/proc/loadavg` on a Linux system, and uses that, the name of the computer, and the current time to dynamically set the titlebar of an xterm session. The problem is, it only works on Linux under bash.

So one day I rewrote it. The result was `tlp` (“tl-perl”), an OS independent script to help me keep organized. Run in the background, it sets the window title to display the name of the machine I’m logged into, the 1, 5, and 15 minute load averages on that machine, and the current time. This lets me take a quick glance across my desktop and get a feel for how my different machines are doing: if usage spikes, I’ll want to look into it, and if the times start drifting, I’ll want to check on NTP before internet apps start complaining.
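The mechanism behind a title-setting script like this is the xterm title escape: ESC ] 0 ; text BEL. The block below is an added example, not the `tlp` script, written in C so that it runs unchanged on the BSDs and Linux: it gets the load averages from getloadavg(3) instead of `/proc/loadavg`, formats the title, and prints it every few seconds. It also filters the pieces it splices into the escape down to printable ASCII, because a stray BEL or ESC in the text would terminate or alter the sequence. format_title, title_text_is and the five-second interval are this example’s own choices.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Added example, not the tlp script: builds the xterm title escape
 * (ESC ] 0 ; text BEL) from host name, load averages and clock, and
 * re-emits it in a loop. Text is filtered to printable ASCII first so that
 * nothing spliced into the escape sequence can break out of it. */

/* Copies src to dst keeping only printable ASCII characters. */
static void sanitize(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;
    for (; *src && n + 1 < dstlen; src++)
        if ((unsigned char)*src < 0x80 && isprint((unsigned char)*src))
            dst[n++] = *src;
    dst[n] = '\0';
}

/* Writes "ESC]0;host load: 1m 5m 15m hh:mm BEL" into out. Returns the
 * number of bytes written (without the NUL), or -1 if out is too small. */
int format_title(const char *host, double l1, double l5, double l15,
    const char *hhmm, char *out, size_t outlen)
{
    char h[64], t[16];
    int n;

    sanitize(host, h, sizeof h);
    sanitize(hhmm, t, sizeof t);
    n = snprintf(out, outlen, "\033]0;%s load: %.2f %.2f %.2f %s\007",
        h, l1, l5, l15, t);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Check helper: 1 if the visible text between "ESC]0;" and BEL equals
 * expected, 0 otherwise. */
int title_text_is(const char *host, double l1, double l5, double l15,
    const char *hhmm, const char *expected)
{
    char buf[160];
    int n = format_title(host, l1, l5, l15, hhmm, buf, sizeof buf);

    if (n < 0)
        return 0;
    buf[n - 1] = '\0';                      /* drop the trailing BEL */
    return strcmp(buf + 4, expected) == 0;  /* skip ESC ] 0 ; */
}

int main(void)
{
    char host[64], hhmm[8], title[160];
    double load[3];

    for (;;) {
        time_t now = time(NULL);
        struct tm *tm = localtime(&now);

        if (gethostname(host, sizeof host) != 0)
            strcpy(host, "?");
        host[sizeof host - 1] = '\0';
        /* getloadavg(3) exists on the BSDs and glibc: 1, 5, 15 minutes. */
        if (getloadavg(load, 3) != 3)
            load[0] = load[1] = load[2] = -1.0;
        strftime(hhmm, sizeof hhmm, "%H:%M", tm);
        if (format_title(host, load[0], load[1], load[2], hhmm,
            title, sizeof title) > 0) {
            fputs(title, stdout);
            fflush(stdout);
        }
        sleep(5);
    }
}
```

Run it in the background from the shell whose xterm you want labelled (`./title &`); the escape only changes the title of the terminal it is written to, so each session needs its own copy.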

OpenBSD’s (and now FreeBSD’s) pf(4) is by far the most sophisticated built-in firewall distributed with any current OS. It catches packets early, allows for stateful filtering on almost any attribute, maintains state cleanly even with NAT, and implements binat and queues, among other things. pf also provides powerful features like macros and tables. As a consequence, pf sees a lot of action on dedicated front-line and internal firewalls, and using pf to filter packets passing between interfaces is the subject of most tutorials.

What there isn’t, however, is any advice on how to configure pf for a standalone workstation.
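As a starting point for the workstation case, here is an added ruleset (not from this post) that uses the macro and table features mentioned above. It assumes the external interface is `em0` and that the hosts in the `<trusted>` table are the only ones that should ever reach a service on the box; both are placeholders to replace.

```pf
# Added example for a standalone workstation; not from the post.
# Assumption: the external interface is em0.
ext_if = "em0"
# Assumption: hosts allowed to reach services on this box.
table <trusted> persist { 192.0.2.10, 2001:db8::10 }

set skip on lo0
# "return" makes local programs that hit a blocked port fail immediately
# (RST/ICMP unreachable) instead of hanging until a timeout; use "drop"
# if you would rather the host stay silent to scanners.
set block-policy return

# Default deny inbound (logged), and drop spoofed source addresses.
block in log all
antispoof quick for { lo0 $ext_if }

# Everything this host initiates is allowed and tracked statefully.
pass out quick on $ext_if keep state

# The only inbound services: ssh from trusted hosts, plus ICMP echo so
# the box can be pinged while troubleshooting.
pass in on $ext_if proto tcp from <trusted> to ($ext_if) port ssh flags S/SA keep state
pass in on $ext_if inet proto icmp from <trusted> to ($ext_if) icmp-type echoreq keep state
pass in on $ext_if inet6 proto icmp6 from <trusted> to ($ext_if) icmp6-type echoreq keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` for a while afterwards to see what the default deny is actually catching.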

BSDCan 2005 Roundups

May 16, 2005

[BSDCan 2005](http://www.bsdcan.org/2005/) wrapped up yesterday in Ottawa. Looks like it was a good time, and at least two people blogged it. [Dru Lavigne](http://www.oreillynet.com/pub/au/73) should probably be considered the blogger of record, and has a great rundown on who was there, who wasn’t, and what went on at the panels. She also offers some insight into what O’Reilly’s authors do when their publicists aren’t watching, and what it takes from an organizational standpoint to pull off something like this. [Greg Lehey](http://www.lemis.com/~grog/diary-may2005.html) blogged the conference-goer’s perspective, and his posts are well worth a read, both for his insight into the panels and for his observations on the personalities that make up the *BSD communities.