JustAnotherOldGuy shares a report from Boing Boing: Early versions of the free/open Unix variant BSD came with password files that included hashed passwords for such Unix luminaries as Dennis Ritchie, Stephen R. Bourne, Eric Schmidt, Brian W. Kernighan and Stuart Feldman. Leah Neukirchen recovered an BSD version 3 source tree and revealed that she was able to crack many of the weak passwords used by the equally weak hashing algorithm from those bygone days.

Dennis MacAlistair Ritchie's was "dmac," Bourne's was "bourne," Schmidt's was "wendy!!!" (his wife's name), Feldman's was "axlotl," and Kernighan's was "/.,/.,." Four more passwords were cracked by Arthur Krewat: Ozalp Babaolu's was "12ucdort," Howard Katseff's was "graduat;," Tom London's was "..pnn521," Bob Fabry's was "561cml.." and Ken Thompson's was "p/q2-q4!" (chess notation for a common opening move). BSD 3 used Descrypt for password hashing, which limited passwords to eight characters, salted with 12 bits of entropy.

Slashdot reader sfcrazy writes: The Linux Foundation hosted the executive director of the FreeBSD Foundation, Deb Goodkin, at the Open Source Summit in San Diego. In this episode of Let's Talk, we sat down with Goodkin to talk about the FreeBSD project and the foundation.
"How did they let you in?" jokes their interviewer.

"They didn't realize that FreeBSD was not a Linux distribution," the executive director replies. "No, but seriously, they've been very welcoming to the FreeBSD community and wanting to include our voice in conversations about open source." FreeBSD is about five and a half million lines of code, versus 35 million for Linux, so "If you want to learn, it's a great way to learn... Someone said they believed that they were a great Linux sys-admin because of knowing FreeBSD."

Founded in 2000 in Boulder, Colorado, the FreeBSD project is a 501(c)(3) -- a public charity -- where the Linux Foundation is a 501(c)(6) -- a trade association. They have 400 committers, and "We're known for excellent documentation," the executive director says in the interview, describing how the community works to welcome new-comers and mentor new contributors. "We actually descended from the original Berkeley Unix. Some of those original people who worked on Berkeley Unix are still involved in the FreeBSD project. They're very approachable. So these young people go to conferences, and here you have Kirk McKusick, who developed UFS and still works on file systems, and he's there, and he's telling stories about back in the day, when he was at Berkeley working with Bill Joy, and he is really interested in helping these new people contribute."

Companies using FreeBSD include Netflix and Apple -- and according to Phoronix, the number of FreeBSD ports has increased to nearly 37,000 packages.

New submitter vivekgite writes: The 12th version of the FreeBSD has been released, bringing support for updated hardware. Some of the highlights include: OpenSSL has been updated to version 1.1.1a (LTS). Unbound has been updated to version 1.8.1, and DANE-TA has been enabled by default. OpenSSH has been updated to version 7.8p1. Additonal capsicum(4) support has been added to sshd(8). Clang, LLVM, LLD, LLDB, compiler-rt and libc++ has been updated to version 6.0.1. The vt(4) Terminus BSD Console font has been updated to version 4.46. The bsdinstall(8) utility now supports UEFI+GELI as an installation option. The VIMAGE kernel configuration option has been enabled by default. The NUMA option has been enabled by default in the amd64 GENERIC and MINIMAL kernel configurations. The netdump(4) driver has been added, providing a facility through which kernel crash dumps can be transmitted to a remote host after a system panic. The vt(4) driver has been updated with performance improvements, drawing text at rates ranging from 2- to 6-times faster.

Various improvements to graphics support for current generation hardware. Support for capsicum(4) has been enabled on armv6 and armv7 by default. The UFS/FFS filesystem has been updated to consolidate TRIM/BIO_DELETE commands, reducing read/write requests due to fewer TRIM messages being sent simultaneously. The NFS version 4.1 server has been updated to include pNFS server support. The pf(4) packet filter is now usable within a jail(8) using vnet(9). The bhyve(8) utility has been updated to add NVMe device emulation. The bhyve(8) utility is now able to be run within a jail(8). Various Lua loader(8) improvements. KDE has been updated to version 5.12.

The 45th version of the OpenBSD project has been released, bringing more hardware support (Radeon driver updates, Intel microcode integration, and more), a virtualization tool that supports the disk format qcow2, and a network interface where you can quickly join and switch between different Wi-Fi networks.

Root.cz also notes that audio recording is now disabled by default. If you need to record audio, it can be enabled with the new sysctl variable. An anonymous Slashdot reader first shared the announcement. You can download it from any of the mirrors here.

Recompiling is unlikely to be a catch-all solution for a recently unveiled Intel CPU vulnerability known as TLBleed, the details of which were leaked on Friday, the head of the OpenBSD project Theo de Raadt says. iTWire reports: The details of TLBleed, which gets its name from the fact that the flaw targets the translation lookaside buffer, a CPU cache, were leaked to the British tech site, The Register; the side-channel vulnerability can be theoretically exploited to extract encryption keys and private information from programs. Former NSA hacker Jake Williams said on Twitter that a fix would probably need changes to the core operating system and were likely to involve "a ton of work to mitigate (mostly app recompile)." But de Raadt was not so sanguine. "There are people saying you can change the kernel's process scheduler," he told iTWire on Monday. "(It's) not so easy."

He said that Williams was lacking all the details and not thinking it through. "They actually have sufficient detail to think it through: the article says the TLB is shared between hyperthreading CPUs, and it is unsafe to share between two different contexts. Basically you can measure evictions against your own mappings, which indicates the other process is touching memory (you can determine the aliasing factors)." De Raadt said he was still not prepared to say more, saying: "Please wait for the paper [which is due in August]."

The OpenBSD project announced today plans to disable support for Intel CPU hyper-threading due to security concerns regarding the theoretical threat of more "Spectre-class bugs." Bleeping Computer reports: Hyper-threading (HT) is Intel's proprietary implementation of Simultaneous Multithreading (SMT), a technology that allows processors to run parallel operations on different cores of the same multi-core CPU. The feature has been added to all Intel CPUs released since 2002 and has come enabled by default, with Intel citing its performance boost as the main reason for its inclusion.

But today, Mark Kettenis of the OpenBSD project, said the OpenBSD team was removing support for Intel HT because, by design, this technology just opens the door for more timing attacks. Timing attacks are a class of cryptographic attacks through which a third-party observer can deduce the content of encrypted data by recording and analyzing the time taken to execute cryptographic algorithms. The OpenBSD team is now stepping in to provide a new setting to disable HT support because "many modern machines no longer provide the ability to disable hyper-threading in the BIOS setup."

BrianFagioli writes: GNOME 3.28 is the latest version of GNOME 3, and is the result of 6 months' hard work by the GNOME community. It contains several major new features, as well as many smaller improvements and bug fixes. In total, the release incorporates 24105 changes, made by approximately 778 contributors.

The Project explains, "GNOME 3.28 comes with more beautiful things! First, and most significantly, GNOME's default interface font (called Cantarell) has undergone a significant update. Character forms and spacing have been evolved, so that text is more readable and attractive. Several new weights have also been added -- light and extra bold -- which are being used to produce interfaces that are both modern and beautiful. Other beautiful things include GNOME's collection of background wallpapers, which has been updated to include a lovely set of photographs, and the selection of profile pictures, which has been completely updated with attractive new images to pick from."

Unfortunately, you can't just click on a button and upgrade to GNOME 3.28 today. Actually, for the most part, you will need to wait for it to become available for your operating system. Sadly, this can take a while. Fedora users, for instance, will have to wait for a major OS upgrade for it to become available.

itwbennett writes: The BSDs have lost the battle for mindshare to Linux, and that may well bode ill for the future sustainability of the BSDs as viable, secure operating systems, writes CSO's JM Porup. The reason why is a familiar refrain: more eyeballs mean more secure code. Porup cites the work of Ilja von Sprundel, director of penetration testing at IOActive, who, noting the "small number of reported BSD kernel vulnerabilities compared to Linux," dug into BSD source code. His search 'easily' turned up about 115 kernel bugs. Porup looks at the relative security of OpenBSD, FreeBSD and NetBSD, the effect on Mac OS, and why, despite FreeBSD's relative popularity, OpenBSD may be the most likely to survive.

troublemaker_23 quotes ITWire: Disclosure of the Meltdown and Spectre vulnerabilities, which affect mainly Intel CPUs, was handled "in an incredibly bad way" by both Intel and Google, the leader of the OpenBSD project Theo de Raadt claims. "Only Tier-1 companies received advance information, and that is not responsible disclosure -- it is selective disclosure," De Raadt told iTWire in response to queries. "Everyone below Tier-1 has just gotten screwed."
In the interview de Raadt also faults intel for moving too fast in an attempt to beat their competition. "There are papers about the risky side-effects of speculative loads -- people knew... Intel engineers attended the same conferences as other company engineers, and read the same papers about performance enhancing strategies -- so it is hard to believe they ignored the risky aspects. I bet they were instructed to ignore the risk."

He points out this will make it more difficult to develop kernel software, since "Suddenly the trickiest parts of a kernel need to do backflips to cope with problems deep in the micro-architecture." And he also complains that Intel "has been exceedingly clever to mix Meltdown (speculative loads) with a separate issue (Spectre). This is pulling the wool over the public's eyes..."

"It is a scandal, and I want repaired processors for free."

24 years after its release, NetBSD is getting a security upgrade -- specifically, Address Space Layout Randomization (ASLR). An anonymous reader writes: Support for Kernel ASLR was added on NetBSD-amd64 a few weeks ago. KASLR basically randomizes the address of the kernel, and makes it harder to exploit several classes of vulnerabilities [including privilege escalations and remote code execution]. It is still a work-in-progress, but it's already fully functional, and can be used following the instructions on this post from the NetBSD blog. It will be available starting from NetBSD 9, but may be backported to NetBSD 8 once it is stabilized.
NetBSD says they're the first BSD system to support ASLR.

basscomm writes: OpenBSD 6.2 has now been released. Check out the release notes if you're into that kind of thing. Some of the new features and systems include improved hardware support, vmm(4)/ vmd(8) improvements, IEEE 802.11 wireless stack improvements, generic network stack improvements, installer improvements, routing daemons and other userland network improvements, security improvements and more. Here is the full list of changes.

Billly Gates writes: Linux is not the only free open-source operating system. FreeBSD, which is based off of the historical BSD Unix in which TCP/IP was developed on from the University of California at Berkeley, has been updated. It does not include systemd nor PulseAudio and is popular in many web server installations and networking devices. FreeBSD 11.1 is out with improvements in UEFI and Amazon cloud support in addition to updated userland programs. EFI improvements including a new utility efivar(8) to manage UEFI variables, EFI boot from TFTP or NFS, as well as Microsoft Hyper-V UEFI and Secure Boot for generation 2 virtual machines for both Windows Server and Windows 10 Professional hosts. FreeBSD 11.1 also has extended support Amazon Cloud features. A new networking stack for Amazon has been added with the ena(4) driver, which adds support for Amazon EC2 platform. This also adds support for using Amazon EC2 NFS shares and support for the Amazon Elastic Filesystem for NFS. For application updates, FreeBSD 11.1 Clang, LLVM, LLD, LLDB, and libc++ to version 4.0.0. ZFS has been updated too with a new zfsbootcfg with minor performance improvements. Downloads are here which include Sparc, PowerPC, and even custom SD card images for Raspberry Pi, Beagle-bone and other devices.

msm1267 writes: Linux, BSD, Solaris and other open source systems are vulnerable to a local privilege escalation vulnerability known as Stack Clash that allows an attacker to execute code at root. Major Linux and open source distributors made patches available Monday, and systems running Linux, OpenBSD, NetBSD, FreeBSD or Solaris on i386 or amd64 hardware should be updated soon.

The risk presented by this flaw, CVE-2017-1000364, becomes elevated especially if attackers are already present on a vulnerable system. They would now be able to chain this vulnerability with other critical issues, including the recently addressed Sudo vulnerability, and then run arbitrary code with the highest privileges, said researchers at Qualys who discovered the vulnerability.

New submitter fisted writes: The NetBSD Project is pleased to announce NetBSD 7.1, the first feature update of the NetBSD 7 release branch. It represents a selected subset of fixes deemed important for security or stability reasons, as well as new features and enhancements. Some highlights of the 7.1 release are:

-Support for Raspberry Pi Zero.
-Initial DRM/KMS support for NVIDIA graphics cards via nouveau (Disabled by default. Uncomment nouveau and nouveaufb in your kernel config to test).
The addition of vioscsi, a driver for the Google Compute Engine disk.
-Linux compatibility improvements, allowing, e.g., the use of Adobe Flash Player 24.
-wm(4): C2000 KX and 2.5G support; Wake On Lan support; 82575 and newer SERDES based systems now work.
-ODROID-C1 Ethernet now works.
-Numerous bug fixes and stability improvements.

NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources. More extensive information on NetBSD is available from http://www.NetBSD.org. You can download NetBSD 7.1 from one of these mirror sites.

An anonymous reader writes: "After spending six months in development, the NetBSD 7.0.2 release is now available for those running NetBSD 7.0 or NetBSD 7.0.1," reports Softpedia, "but also for those who are still using an older version of the BSD-based operating system and haven't managed to upgrade their systems, bringing them a collection of security patches and recent software updates." Release engineer Soren Jacobsen wrote that "It represents a selected subset of fixes deemed important for security or stability reasons. If you are running an earlier release of NetBSD, we strongly suggest updating to 7.0.2."

The security fixes eliminate a race condition in mail.local(8), and also update OpenSSL, ntp and BIND. In addition, "there are various MIPS pmap improvements, a patch for an NFS (Network File System) crash, as well as a crash that occurred when attempting to mount an FSS snapshot as read and write. NetBSD 7.0.2 also fixes an issue with the UFS1 file system when it was created outside the operating system." Download NetBSD 7.0.2 at one of these mirror sites.