The #HardenedBSD April 2024 Status Report is out!
https://hardenedbsd.org/article/shawn-webb/2024-05-06/hardenedbsd-april-2024-status-report
@paco #HardenedBSD provides a public instance of #Vaultwarden: https://vaultwarden.hardenedbsd.org/
It's incredibly easy to self-host your own Vaultwarden instance, too. It's compatible with the #Bitwarden mobile and desktop apps.
Vaultwarden is incredibly easy to self-host. Backing up the stored data is simple: just create a tar archive of the data directory (or, in my case, a zfs send of a snapshot.)
@unixviking This masochist runs #HardenedBSD. ;-)
Here we see two #Radicle seed nodes, running behind my fully Tor-fied network.
This is a test of exposing a Radicle seed node as a Tor Onion Service endpoint.
These two Radicle nodes are deployed on a #HardenedBSD 14-STABLE VM.
Huge step forward for #HumanRightsTech.
For more information on Radicle (a sovereign {code forge} built on Git): https://radicle.xyz/
Huge shout-out to the Radicle dev team for this collaboration. It has been a blast working with them.
#Tor #HumanRights #Git #SelfHosting #infosec
One bug running #HardenedBSD on this Dell Precision 7680: the keyboard becomes unresponsive sometimes.
I mostly use external keyboards, anyways. I'm not even sure what steps to take to debug this kind of thing.
#HardenedBSD 14-STABLE running flawlessly on a Dell Precision 7680.
It's a 24-core Intel Raptor Lake laptop with a discrete NVIDIA GPU. Using the nvidia-drm-kmod graphics driver.
64GB RAM, 1TB NVMe.
Current status: Replacing #Win11 on my ${DAYJOB} laptop with #HardenedBSD 14-STABLE.
Whenever my #Win11 laptop wakes up from sleep mode, the trackpad becomes nonfunctional. Mouse cursor doesn't move, tap-to-click does nothing, etc.
I miss you, #HardenedBSD.
Current status: Deploying a test #Radicle node on #HardenedBSD behind my Tor-ified network.
Gonna see if I can get two #Tor Onion Service endpoints for Radicle seeds. I want to see if they will talk to each other and seed each other's repos.
That moment when you expose an NFS mount over HTTP as a Tor Onion Service website. :-)
I fixed our nginx web server to properly expose /pub on our onion site. I had accidentally forgotten to set the server_name directive.
@Ryan Ideally the mesh nodes themselves would not be desktop systems. They would be network appliances running #HardenedBSD.
I have some options in mind for network appliance vendors that could bundle the right wireless chipset(s).
This is what I'm hoping we can achieve in the next decade: at least one deployment of a censorship- and surveillance-resistant wireless mesh network.
We would run these nodes (and supsernodes) on #HardenedBSD.
There is work in #FreeBSD to support wireless mesh networking. There's even a presentation on it coming up at #BSDCan 2024: https://indico.bsdcan.org/event/1/contributions/12/
The work we're doing in HardenedBSD would pair very well with this.
Long post
Different timezones make it really hard to just have a single meeting and it might end up in two or even three ones but also trying to avoid fragmentation. But this will probably work out more in an iterative way…
The current idea is to start Thursdays, 7pm GMT+2 in an unmoderated public jitsi session where everyone can join. I think the targeted user group is able to handle it in that way, like we always do.
The question is also, do we want to have an agenda or only open minded jump in and see how it works out?! My experience is, that people might be shy to start talking, it’ll be silent and people start to drop’s drop. An agenda might be helpful for an initial start but I also want to avoid having an introduction round where everyone tells something about himself. I mean, this can be done optionally, but I’m also aware of it that some may feel uncomfortable with this. This round should just make fun and not make any pressure or someone feeling uncomfortable.
So, agenda or open minded and free to talk for the first sessions?
#BSDPub #BSDCafe #BSDNetwork
#helloSystem #DragonFlyBSD #HardenedBSD #GhostBSD #pfSense #illumos #tribblix #solaris #opensolaris #zfs #community #social
Do you do anything interesting with any of the *BSDs 
? If so, please consider giving a talk at EuroBSDCon, which is held in Dublin, September 19-22. More info on submitting your paper can be found here.
#RUNBSD #OpenBSD #SecBSD #HardenedBSD #FreeBSD #NetBSD #DragonflyBSD #Darwin #GhostBSD #BSDFAM #EuroBSDCon2024
I've asked the #HardenedBSD Users mailing list: https://groups.google.com/a/hardenedbsd.org/g/users/c/tb21Is881V8
And the #FreeBSD Hackers mailing list: https://lists.freebsd.org/archives/freebsd-hackers/2024-April/003154.html
From the #FreeBSD crunchgen(1) manual page:
The main reason to crunch programs together is for fitting as many programs as possible onto an installation or system recovery floppy.
The /rescue binaries on #HardenedBSD are 17MB in size.
I wonder if crunchgen, with all its hackiness, is really worth it in 2024.
I'm wondering if we should just build the various /rescue binaries as normal, statically-linked applications rather than use crunchgen(1).
We either have to teach crunchgen(1) how to deal with a libc that has been built with LTO or live without LTO-ified libc.
Link Time Optimization (LTO) is a prerequisite for Cross-DSO CFI. With libc being a huge target, it seems we should kick crunchgen(1) out the door.
I realize, though, that I have quite a few blind spots. Are there any reasons to continue using crunchgen(1) in 2024, sacrificing Cross-DSO CFI and LTO for libc?
Hey #BSD Fans!
We all share the same interests - #BSD based systems like #FreeBSD, #OpenBSD and #NetBSD.
We chat all day, sharing thoughts, questions and help. We talk on Matrix across different channels, we share on the #Fediverse. We have @vermaden@bsd.cafe's newsletter, we have @dexter@bsd.network's #FreeBSD #Jails and #bhyve calls and many other ones I can't list here.
Wondering if there would be and interests in the #BSDNetwork, #BSDCafe, etc., for a weekly smalltalk session like in a pub. Just a Jitsi based video/audio call where we can meet, discuss things from newsletter, trending things from the #Fediverse or just have off-topic and openminded discussions. This could result into the #BSDPub meeting.
I know, some people are shy - keep your cam off until you feel comfortable and feel free to join the discussions. Even this meetings should make fun and no pressure - so if someone is not in the mood or can't make it - no worries. No one will judge.
Would you be interested?
#helloSystem #DragonFlyBSD #HardenedBSD #GhostBSD #pfSense #illumos #tribblix #solaris #opensolaris #zfs #community #social
| Yes: | 44 |
| No: | 4 |
Closed
Seems like #Radicle does not like larger repos. Trying to rad clone the #HardenedBSD src and ports repos is proving problematic.
Happy decade birthday, #HardenedBSD!
$ fetch -q -o - https://api.github.com/repos/HardenedBSD/HardenedBSD | jq -r .created_at
2014-04-08T10:10:24Z
Current status: Deploying a test #Radicle node on #HardenedBSD. Going to seed the HardenedBSD src and ports repos.
I'm hoping to continue expanding alternative forms of access to our resources (both code and infrastructure).
If this test proves successful, we may have another official method of getting HardenedBSD-related stuffs.
The #HardenedBSD infrastructure is back online. Maintenance has completed successfully.
The #HardenedBSD infrastructure has been taken offline in preparation for electrical work.
The #HardenedBSD development/build infrastructure is back online. We will closely monitor temperature as the evening progresses.
The #HardenedBSD development/build infrastructure is currently offline due to an overheated server room.
We're letting the room cool before powering things up again.
@EdanOsborne The sadist in me recommends giving #HardenedBSD a try.
${DAYJOB} delivered a new Dell Precision laptop.
I absolutely love the Precision line. Runs #HardenedBSD very, very well.
Though, I'll be stuck on #Win11 on this laptop. Customer requirements come first.
Oh look! My favorite Mastodon host is back online!
That's reason to say Hey! The @bsdcan planning team has some amazing sponsors lined up but we'd appreciate another Bronze or two, and would flip for another Silver.
The schedule is awesome and I hope to see you there.
Could you please nudge your team about a sponsorship?
Thank you!
Please RT!
(I love how that out-lasted its origin)
#BSDCan #BSDCons #FreeBSD #HardenedBSD #NetBSD #OpenBSD (in alphabetical order)
The #HardenedBSD March 2024 Status Report is out!
https://hardenedbsd.org/article/shawn-webb/2024-03-31/hardenedbsd-march-2024-status-report
The fact that #bsdnetwork is still offline worries me a bit. Hope they are doing okay and that recovery is imminent.
While Exquisite requires account approval, it is more of an abuse and spam countermeasure. Should you be interested in a second fediverse account, feel free to signup. Exquisite runs on #OpenBSD in DC1, two racks from @OpenBSDAms.
We welcome everyone from the #BSDfam - whether that be OpenBSD, #HardenedBSD, #SecBSD, #FreeBSD, #DragonflyBSD, #NetBSD and yes even #Darwin.
The code for the program that toggles exploit mitigations and security hardening techniques in #HardenedBSD has been rewritten from scratch.
This rewritten version will land in 15-CURRENT no later than the end of this month/weekend:
https://groups.google.com/u/1/a/hardenedbsd.org/g/users/c/6Z7Rx9cOg7s
This change is transparent to users. The only folks that might be affected are those who consume the libhbsdcontrol library directly. The ABI and API have both been changed.
The command-line arguments to the hbsdcontrol(8) utility are unchanged.
It would be cool to see this running on #HardenedBSD : https://radicle.xyz/
It would be even cooler to have it exposed as a #Tor Onion Service.
I'll be giving a presentation on #HardenedBSD today in Denver, Colorado at 6:30pm. If you're interested in #FreeBSD, #infosec, and/or #HumanRightsTech, I'd love for you to come join me.
@mikael The sadist in me wants to suggest #HardenedBSD. ;-)
Mod @pfr
Reddit alternative BSD community #FreeBSD #NetBSD #OpenBSD #DragonflyBSD #GhostBSD #MidnightBSD #HardenedBSD #OS108 #RunBSD
I'll be giving a practice run of my presentation titled "HardenedBSD 2024 State of the Union: A Decade of Hardened Bits" on March 23rd, 2024 up in Denver, Colorado: https://www.meetup.com/dc303denver/events/298257710/
If you're in the greater Denver area and interested in #BSD or #infosec, I would love for you to join and give me feedback.
#SoldierX has a new code hosting partner: #HardenedBSD. The first project being hosted is #libhijack: https://git.hardenedbsd.org/SoldierX/libhijack
The #HardenedBSD 13-STABLE package builder ran out of disk space, causing the current package build to fail.
I'm reclaiming space now and will start a new fresh build.
The BSDCan talk committee is pleased to announce that your abstract "HardenedBSD 2024 State of the Hardened Union: A Decade of Hardened Bits" with ID #12 has been accepted (Lecture 50 min). We are delighted that you will be contributing to the 20th annual BSDCan.
The #HardenedBSD February 2024 status report is out!
https://hardenedbsd.org/article/shawn-webb/2024-03-01/hardenedbsd-february-2024-status-report
Also limiting the number of recursions in this directory removal function: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/148478d5743a8dd4362fd31dca4371618716d0a8
This #HardenedBSD commit fixes two potential NULL pointer derefs in the new pam_xdg(8) #FreeBSD PAM module: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/0b5bf32630b3429e0b5a321e6621a404dc93ecc5
edit[0]: Fixed a typo in a follow-up commit: https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/commit/865994a5cf20937224bde0662bb1f96ba18e072f
@HardenedBSD @lattera
FYI: Found possibly related commit.
https://cgit.freebsd.org/src/commit/?id=baa7d0741b9a2117410d558c6715906980723eed
Lightly tested new build of #hbsdfw released: https://hardenedbsd.org/~shawn/hbsdfw/hbsdfw_installer_vga_14.0-20240223-222012.iso.xz
Your usual upgrade instructions:
- Back up your configuration
- Reinstall from scratch
- Restore configuration file
Default username/password: root/hbsdfw
hbsdfw is a #HardenedBSD 14-STABLE fork of #OPNsense.
edit[0]: Add usual upgrade instructions.
edit[1]: Add default username and password
From @lattera at the #HardenedBSD Users mailing list:
#FreeBSD recently introduced some changes that separate out the userspace handling of system calls to a new library, libsys. I think the change overall is good, but it does cause issues with HardenedBSD.
There is a dance between libc, libsys, libthr, and the CSU at various stages of a process's lifecycle. We compile both applications and libraries with Link-Time Optimization (LTO), which seems to be causing issues with the dance.
I'm hoping to resolve this before the next monthly OS build (01 March 2024). But there's a chance I might not fix it in time. I need to have a better understanding of the code as there are some gaps of knowledge to be filled.
I'll keep everyone informed as to my progress. If I can't fix it in time for the next monthly build cycle, I plan to disable the build of 15-CURRENT (and *ONLY* 15-CURRENT). We will still build 13-STABLE and 14-STABLE.
Reference: https://groups.google.com/a/hardenedbsd.org/g/users/c/Cw3g0cl_UKc
FreeBSD 15.0-CURRENT-HBSD #0 hardened/current/master-n193382-7d849178809c: Mon Feb 12 19:03:14 UTC 2024
shawn@hbsd-current-01:/usr/obj/usr/src/riscv.riscv64/sys/HARDENEDBSD riscv
#HardenedBSD #RISCV64 #VisionFive2
Thank you #NetBSD Foundation and #HardenedBSD for your support of the 20TH ANNIVERSARY @bsdcan !
Thermometer updates to come and a lot more outreach!
Current status:
$ sudo make real-release NODOC=1 NOSRC=1 NOPORTS=1 NODOCS=1 TARGET=riscv TARGET_ARCH=riscv64
The USB prohibition work has been merged/cherry-picked to #HardenedBSD 13-STABLE and 14-STABLE.
Re-deployed my #HardenedBSD wireless access point at home today. I now have one wireless network that routes directly out to the public Internet, and another that routes all traffic via #Tor.
@ianbetteridge #HardenedBSD masochist here!
Right. The Bitlocker key can be obtained in under a minute, by sniffing the TPM. This goes for the most recent build of Windows 11 and includes TPM 2.0.
Fortunately, there is a quick fix. Run #OpenBSD or #HardenedBSD with full disk encryption . Case closed. #RUNBSD
The #HardenedBSD January 2024 status report is out!
https://hardenedbsd.org/article/shawn-webb/2024-01-31/hardenedbsd-january-2024-status-report
Major thanks to https://exquisite.social/@h3artbl33d for helping fix cloning our #git repositories over HTTPS! This command should now work: `git clone https://git.hardenedbsd.org/HardenedBSD/HardenedBSD.git`
Interesting new commit in #HardenedBSD:
HBSD: Provide support for prohibiting new USB device connectionsThis commit introduces the hardening.pax.prohibit_new_usb sysctl
tunable node. This node can be set to one of three values:
0: Disabled
1: Enabled
2: Enabled without possibility to disable
When set to 2, a reboot is required to end the prohibition on new USB
connections.
This is based on a patch by Loic F <loic.f@hardenedbsd.org>.
Goal for next week: start the process on getting a new passport. My wife removed our passports from our safe, so now we can't find them--especially with moving twice in one year.
My passport was expired, anyways.
I'm really hoping to start traveling the world again this year, giving presentations on #HardenedBSD and libhijack.