From mcevoy.pat at gmail.com Mon Dec 4 21:33:09 2023
From: mcevoy.pat at gmail.com (Pat McEvoy)
Date: Mon, 4 Dec 2023 21:33:09 -0500
Subject: [talk] BSD.network Mastodon membership may be opening up... a little.
Message-ID: <15719CAF-DAA4-4B91-A9E4-43A565B1FCBA@gmail.com>

If you have been wanting to join the BSD.network Fediverse instance, it would be a good idea to get your spoke in soonish as it sounds like things might be opening up there shortly:

https://bsd.network/@pamela/111524357128448533

From stephen at lilmail.xyz Mon Dec 11 15:21:52 2023
From: stephen at lilmail.xyz (Stephen Medina)
Date: Mon, 11 Dec 2023 12:21:52 -0800
Subject: [talk] BSD.network Mastodon membership may be opening up... a little.
In-Reply-To: <15719CAF-DAA4-4B91-A9E4-43A565B1FCBA@gmail.com>
References: <15719CAF-DAA4-4B91-A9E4-43A565B1FCBA@gmail.com>
Message-ID: <6019895.lOV4Wx5bFT@wheezy.lsm.root>

Link is broken.

On Monday, December 4, 2023 6:33:09 PM PST Pat McEvoy wrote:

If you have been wanting to join the BSD.network Fediverse instance, it would be a good idea to get your spoke in soonish as it sounds like things might be opening up there shortly:

https://bsd.network/@pamela/111524357128448533[1]

--------
[1] https://bsd.network/@pamela/111524357128448533

From mcevoy.pat at gmail.com Mon Dec 11 15:32:37 2023
From: mcevoy.pat at gmail.com (Pat McEvoy)
Date: Mon, 11 Dec 2023 15:32:37 -0500
Subject: [talk] BSD.network Mastodon membership may be opening up... a little.
In-Reply-To: <6019895.lOV4Wx5bFT@wheezy.lsm.root>
References: <6019895.lOV4Wx5bFT@wheezy.lsm.root>
Message-ID:

> On Dec 11, 2023, at 15:22, Stephen Medina wrote:
>
> ?
> Link is broken.
>

Thank you for letting me know. Long and the short of it, looks like BSD.network may be getting more resources and the registrations may open again.
I think a few here may be interested. I will be sure to let you all know if / when the registrations open again.

Be well.
P

> On Monday, December 4, 2023 6:33:09 PM PST Pat McEvoy wrote:
>
>
> If you have been wanting to join the BSD.network Fediverse instance, it would be a good idea to get your spoke in soonish as it sounds like things might be opening up there shortly:
>
> https://bsd.network/@pamela/111524357128448533
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> https://lists.nycbug.org:8443/mailman/listinfo/talk

From jklowden at schemamania.org Sat Dec 16 15:55:36 2023
From: jklowden at schemamania.org (James K. Lowden)
Date: Sat, 16 Dec 2023 15:55:36 -0500
Subject: [talk] BSDcan 2024
Message-ID: <20231216155536.24cfcd06f76ff4444520cb1a@schemamania.org>

Has the BSDCAN 2024 Call for Papers been issued? On the main page on
their site, it says the 1 December announcement is delayed, and on
the CfP page there's much discussion about what's involved, but no
advice on where to submit a proposal (that I see).

I subscribed to the announcement list, but haven't seen any messages.

--jkl

From mwl at mwl.io Sun Dec 17 18:16:18 2023
From: mwl at mwl.io (Michael W. Lucas)
Date: Sun, 17 Dec 2023 18:16:18 -0500
Subject: [talk] BSDcan 2024
In-Reply-To: <20231216155536.24cfcd06f76ff4444520cb1a@schemamania.org>
References: <20231216155536.24cfcd06f76ff4444520cb1a@schemamania.org>
Message-ID:

Not yet. We have a cantankerous SMTP server for the registration
server. We get that fixed, the CFP will open.

On Sat, Dec 16, 2023 at 03:55:36PM -0500, James K. Lowden wrote:
> Has the BSDCAN 2024 Call for Papers been issued? On the main page on
> their site, it says the 1 December announcement is delayed, and on
> the CfP page there's much discussion about what's involved, but no
> advice on where to submit a proposal (that I see).
>
> I subscribed to the announcement list, but haven't seen any messages.
>
> --jkl

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Absolute FreeBSD, Butterfly Stomp Waltz, Forever Falls, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###

From pete at nomadlogic.org Mon Dec 18 14:15:24 2023
From: pete at nomadlogic.org (Pete Wright)
Date: Mon, 18 Dec 2023 11:15:24 -0800
Subject: [talk] BSDcan 2024
In-Reply-To:
References: <20231216155536.24cfcd06f76ff4444520cb1a@schemamania.org>
Message-ID:

On Sun, Dec 17, 2023 at 06:16:18PM -0500, Michael W. Lucas wrote:
>
> Not yet. We have a cantankerous SMTP server for the registration
> server. We get that fixed, the CFP will open.

lmk if you need help with the mail server, i got a pretty good book on
the topic that may be helpful on my bookshelf :p

can't wait for the CFP to open, and wishing the new cabal running BSDCan
the best of luck this year!

-pete

--
Pete Wright
pete at nomadlogic.org

From ike at blackskyresearch.net Wed Dec 20 10:21:21 2023
From: ike at blackskyresearch.net (Isaac (.ike) Levy)
Date: Wed, 20 Dec 2023 10:21:21 -0500
Subject: [talk] Heads Up, OpenSSH MITM "Terrapin"
Message-ID: <01E62608-BB68-44EF-9C8F-48BB7DDB60E3@blackskyresearch.net>

Hey all,

If it's not on your holiday radar, there's a serious OpenSSH vulnerability, "Terrapin".

--
For busy folks, the fastest mitigation I've read is in the FreeBSD advisory,
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

IV. Workaround

Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
  Ciphers -chacha20-poly1305@openssh.com
  MACs -*etm@openssh.com

(restart sshd)

--
Gory details, history, and fancy blowfish graphics:
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

Happy Holidays!

Best,
.ike

From callab5 at rpi.edu Wed Dec 20 11:13:52 2023
From: callab5 at rpi.edu (Callahan, Brian Robert)
Date: Wed, 20 Dec 2023 16:13:52 +0000
Subject: [talk] [EXTERNAL] Heads Up, OpenSSH MITM "Terrapin"
In-Reply-To: <01E62608-BB68-44EF-9C8F-48BB7DDB60E3@blackskyresearch.net>
References: <01E62608-BB68-44EF-9C8F-48BB7DDB60E3@blackskyresearch.net>
Message-ID:

Terrapin is not that serious.

From the OpenSSH 9.6 release notes:
"While cryptographically novel, the security impact of this attack
is fortunately very limited as it only allows deletion of
consecutive messages, and deleting most messages at this stage of
the protocol prevents user user authentication from proceeding and
results in a stuck connection.

The most serious identified impact is that it lets a MITM to
delete the SSH2_MSG_EXT_INFO message sent before authentication
starts, allowing the attacker to disable a subset of the keystroke
timing obfuscation features introduced in OpenSSH 9.5. There is no
other discernable impact to session secrecy or session integrity."

https://www.openssh.com/releasenotes.html

~Brian

--
Brian Robert Callahan, Ph.D., CISSP, CCSP, SSCP, CC
Graduate Program Director, ITWS at RPI
Director, Rensselaer Cybersecurity Collaboratory
Office: Lally 304

-----Original Message-----
From: talk On Behalf Of Isaac (.ike) Levy
Sent: Wednesday, December 20, 2023 10:21 AM
To: talk at lists.nycbug.org
Subject: [EXTERNAL][talk] Heads Up, OpenSSH MITM "Terrapin"

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Hey all,

If it's not on your holiday radar, there's a serious OpenSSH vulnerability, "Terrapin".

--
For busy folks, the fastest mitigation I've read is in the FreeBSD advisory,
https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc

IV. Workaround

Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
  Ciphers -chacha20-poly1305@openssh.com
  MACs -*etm@openssh.com

(restart sshd)

--
Gory details, history, and fancy blowfish graphics:
https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

Happy Holidays!

Best,
.ike

From george at ceetonetechnology.com Wed Dec 20 12:56:52 2023
From: george at ceetonetechnology.com (George Rosamond)
Date: Wed, 20 Dec 2023 12:56:52 -0500
Subject: [talk] [EXTERNAL] Heads Up, OpenSSH MITM "Terrapin"
In-Reply-To:
References: <01E62608-BB68-44EF-9C8F-48BB7DDB60E3@blackskyresearch.net>
Message-ID:

To continue the top-posting debacle here...

Yes, it's not some broad sweeping vulnerability if you read the OSS-Security post by one of the finders:

https://www.openwall.com/lists/oss-security/2023/12/18/3

But like most people, if I hear any SSH-related CVE, I sort of jump out of my chair in the immediate 30 seconds.

g

On 12/20/23 11:13, Callahan, Brian Robert wrote:
> Terrapin is not that serious.
>
> From the OpenSSH 9.6 release notes:
> "While cryptographically novel, the security impact of this attack
> is fortunately very limited as it only allows deletion of
> consecutive messages, and deleting most messages at this stage of
> the protocol prevents user user authentication from proceeding and
> results in a stuck connection.
>
> The most serious identified impact is that it lets a MITM to
> delete the SSH2_MSG_EXT_INFO message sent before authentication
> starts, allowing the attacker to disable a subset of the keystroke
> timing obfuscation features introduced in OpenSSH 9.5. There is no
> other discernable impact to session secrecy or session integrity."
>
> https://www.openssh.com/releasenotes.html
>
> ~Brian
>
> --
> Brian Robert Callahan, Ph.D., CISSP, CCSP, SSCP, CC
> Graduate Program Director, ITWS at RPI
> Director, Rensselaer Cybersecurity Collaboratory
> Office: Lally 304
>
> -----Original Message-----
> From: talk On Behalf Of Isaac (.ike) Levy
> Sent: Wednesday, December 20, 2023 10:21 AM
> To: talk at lists.nycbug.org
> Subject: [EXTERNAL][talk] Heads Up, OpenSSH MITM "Terrapin"
>
> CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
>
> Hey all,
>
> If it's not on your holiday radar, there's a serious OpenSSH vulnerability, "Terrapin".
>
> --
> For busy folks, the fastest mitigation I've read is in the FreeBSD advisory, https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc
>
> IV. Workaround
>
> Add the following lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config:
> Ciphers -chacha20-poly1305@openssh.com
> MACs -*etm@openssh.com
>
> (restart sshd)
>
> --
> Gory details, history, and fancy blowfish graphics:
> https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
>
> Happy Holidays!
>
> Best,
> .ike

From mwl at mwl.io Tue Dec 26 14:47:17 2023
From: mwl at mwl.io (Michael W. Lucas)
Date: Tue, 26 Dec 2023 14:47:17 -0500
Subject: [talk] BSDCan CFP open
Message-ID:

I told someone here I'd let them know when the CFP was open. I completely forget who that person was.

So, uh... the CFP is open. Everyone from NYCBUG should send proposals. And attend.

https://www.bsdcan.org/2024/papers.php

--
Michael W. Lucas https://mwl.io/
author of: Absolute OpenBSD, SSH Mastery, git commit murder,
Absolute FreeBSD, Butterfly Stomp Waltz, Forever Falls, etc...
### New books: DNSSEC Mastery, Letters to ed(1), $ git sync murder ###

From george at ceetonetechnology.com Thu Dec 28 15:26:58 2023
From: george at ceetonetechnology.com (George Rosamond)
Date: Thu, 28 Dec 2023 15:26:58 -0500
Subject: [talk] another cloud=>colo story
Message-ID: <76f79524-4300-405e-aaea-f4f307ab7173@ceetonetechnology.com>

37Signals...

https://thenewstack.io/merchants-of-complexity-why-37signals-abandoned-the-cloud/

Got to love the phrase "Merchants of Complexity".

Is there a term for renaming standard concepts into obscured cloud-provider phraseology?

HNY all!

g
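
Added example, not part of any message in this archive: a POSIX shell check for the FreeBSD-SA-23:19.openssh workaround quoted in the Terrapin thread above, confirming that the effective configuration no longer offers chacha20-poly1305@openssh.com or any *etm@openssh.com MAC. The function name terrapin_check and both sample outputs are constructed for illustration; the input is assumed to be in the format printed by `sshd -T` or `ssh -G <host>`.

```shell
#!/bin/sh
# terrapin_check: read effective OpenSSH settings on stdin and print one
# "keyword: algorithm" line for each entry the workaround is meant to remove.
# Exit status: 0 = none offered, 1 = still offered, 2 = lists not found.
terrapin_check() {
    awk '
        $1 == "ciphers" || $1 == "macs" {
            seen[$1] = 1
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) {
                c = ($1 == "ciphers" && alg[i] == "chacha20-poly1305@openssh.com")
                m = ($1 == "macs" && alg[i] ~ /etm@openssh\.com$/)
                if (c || m) { print $1 ": " alg[i]; bad = 1 }
            }
        }
        END {
            # A raw config file ("Ciphers -...") is not an effective list: report 2.
            if (!("ciphers" in seen) || !("macs" in seen)) exit 2
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: relevant `sshd -T` lines before the workaround.
sample_before() {
cat <<'EOF'
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-256
EOF
}

# Constructed sample: the same server after the workaround and a restart.
sample_after() {
cat <<'EOF'
port 22
ciphers aes128-ctr,aes256-gcm@openssh.com
macs hmac-sha2-256
EOF
}

# Demo on the constructed samples. On a real host: sshd -T | terrapin_check
# for the server, ssh -G <host> | terrapin_check for the client.
for s in sample_before sample_after; do
    if out=$($s | terrapin_check); then
        echo "$s: workaround effective"
    else
        echo "$s: still offered:"; echo "$out"
    fi
done
```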