Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:define "effective"
If we could focus on fixing bugs and not see everything through the lens of security
...
This is exactly the approach that e.g. the OpenBSD dev team takes - all bugs are squashed with equanimity. They don't consider bugs to be "less critical" because they don't represent an apparent security threat or come with an obvious exploit. This kind of consistent code-review housecleaning has the nice side effect of avoiding many security holes before they are even discovered. (See http://www.openbsd.org/security.html for more on this philosophy.)
But the point of my original post was that kernel architecture and other technical issues are NOT our collective big problem when it comes to security: the most pernicious, most easily and frequently exploited, and most difficult to patch holes are human in nature. Whether it's social engineering (e.g. phishing) or bad architecture (unnecessary features, trusting in the firewall for all your security, etc; see my previous post), humans (both users and engineers/admins) are the biggest source of risk to infrastructures large and small (down to and including the home desktop user).
Unfortunately, there are very few technical solutions to problems in this space. -
Re:Torrents are Available
I bought the CD and have been either doing that or downloading via ftp since 1999. There are around 4,000 companies and individuals which have felt compelled to donate. Take a look at the donations page. This does not include CD or T-shirt sales.
Some organizations openly using OpenBSD for firewalls or servers:
* NASA Advanced Supercomputing (NAS) Division
* Adobe
* Armorlogic
* Human Rights and Equal Opportunity Commission, Australia
* INFN Italian Institute of Nuclear Physics, Florence, Italy
Companies typically don't advertise what security products they use though. Often when they do it's a commercial endorsement, which is a conflict of interest and so pretty worthless. However these following companies have donated to OpenBSD, as if they have vested interests:
* VMware, Inc.
* Intel
* Advanced Micro Devices, Inc.
* Google
* Adobe
* Ernst & Young
* Price Waterhouse
* Hewlett-Packard
* Compaq Computer Corp.
* US DoD via DARPA (Pentagon and US Air Force).
* LSI Logic Corporation
* Motorola Labs - Schaumburg, IL
* Vonage
* Xircom
* AMI
* Adaptec, Inc
* Cyclades Corporation
* Emulex Corporation
* HighPoint-Tech
* ICP-Vortex
* Infineon Technologies
* Internet Engineering Group
* Internet Software Consortium
* SmoothWall Ltd.
* 3Ware
* ADMtek
* Areca Technology Corporation
* GoDaddy
* Hawk Technologies, Inc
* Initio Corporation
* Iron Systems, Inc.
* Knowledge Matters Ltd
* KoreLogic, Inc.
* New York Internet
* Tehuti Networks Ltd
* Tekram Technology Co., Ltd.
* The USENIX Association
* WildPackets, Inc.
That's just the cream from around 400 companies (plus 3,600 individuals).
Some companies and projects using software developed by the OpenBSD developers in their own products:
* Microsoft (Microsoft Services for UNIX)
* Cisco (switches and routers - OpenSSH)
* Juniper (JUNOS - OpenSSH)
* Nokia IPSO (Nokia Firewalls - OpenSSH)
* Novell(OpenSSH)
* Dell (switches - OpenSSH)
* Cacheflow proxies (now known as Bluecoat - OpenSSH)
* Packeteer (PacketShapers - OpenSSH)
* Top Layer (IDS load balancers)
* IBM (AIX - OpenSSH)
* Hewlett-Packard (switches and HPUX - OpenSSH)
* Sun Microsystems (Solaris - OpenSSH)
* Apple (OS X)
* Silicon Graphics (IRIX - OpenSSH)
* Armorlogic
* Stallion (Firewalls)
* IPCop (Firewalls - OpenSSH)
* SmoothWall (Firewalls - OpenSSH)
* GeNUA (Firewall and VPN appliances)
* CebaTech (OpenBSD based ASIC and FPGA logic)
* Core Security (security products)
* assurent (uses OpenBSD for firewall and VPN solutions)
* NetThruPut (anonymous crude oil trading systems, IDS)
* Network Security Technologies (IDS and VPN for US DoD and govt.)
* Digi
* Alcatel
* All Linux systems
* FreeBSD
* NetBSD
* BSDi
From your comments, it seems that OpenBSD's success somehow upsets you. Why don't you move on and be positive with whatever it is that you like to use, instead of being negative about a successful project which many people enjoy working on and using? -
Re:A bad song?
First off, you seem to not know what that thread was about. I suggest that you read it before making any other comments that suggest that you haven't a clue as to what was discussed.
Secondly, his beliefs have changed significantly over time. It's just that the changes are viewed by his followers as still "in the spirit" of his previous views. If you would have been involved in that thread, or even had read it, you would have seen his position change significantly even in that short period of time.
You see, the problem with his opinions is that they are very context sensitive. He'll take a point of view that allows him to "win" an argument. Then later on, when that point of view works against him, he'll say that people misinterpreted him, ignoring quotes and requests for explanation, side-stepping the issue by ignoring the issue itself.
Trust me, I've had conversation(s) with him before, and he completely ignores any questions whose answers would work against him. He'll even ignore further requests to answer the questions. It's extremely frustrating to have non-discussions that go like this:
Me: You said "quote 1" and now you say "quote 2". These contradict each other.
RMS: You're misquoting me. You're taking "quote 1" out of context.
Me: We were talking about x then and we are talking about x now. How is that taking it out of context?
RMS: --- talks about something else ---
Me: Please answer the question.
RMS: --- continues along another line ---
Me: Seriously, just answer the question.
RMS: ...
You get the point.
Third, this didn't have anything to do with Theo's moving or unmoving attitude. It had everything to do with RMS spreading FUD about OpenBSD then RMS coming on misc@ and picking a fight. He's done that before to the Subversion project among others.
http://www.linux-watch.com/news/NS6278881818.html
http://fitz.blogspot.com/2007/07/stallman-shoots-free-software-movement.html
Among others.
Fourthly, you're going to have to explain to me how the below describes a stable person (i.e. clicking links in posts helps):
http://openbsd.org/lyrics.html#43
"""
We are just plain tired of being lectured to by a man who is a lot like Naomi Campbell.
In 1998 when a United Airlines plane was waiting in the queue at Washington Dulles International Airport for take-off to New Orleans (where a Usenix conference was taking place), one man stood up from his seat, demanded that they stop waiting in the queue and be permitted to deplane. Even after orders from the crew and a pilot from the cockpit he refused to sit down. The plane exited the queue and returned to the airport gangway. Security personnel ran onto the plane and removed this man, Richard Stallman, from the plane. After Richard was removed from the plane, everyone else stayed onboard and continued their journey to New Orleans. A few OpenBSD developers were on that same plane, seated very close by, so we have an accurate story of the events.
This is the man who presumes that he should preach to us about morality, freedom, and what is best for us. He believes it is his God-given role to tell us what is best for us, when he has shown that he takes actions which are not best for everyone. He prefers actions which he thinks are best for him -- and him alone -- and then lies to the public. Richard Stallman is no Spock.
We release our software in ways that are maximally free. We remove all restrictions on use and distribution, but leave a requirement to be known as the authors. We follow a pattern of free source code distribution that started in the mid-1980's in Berkeley, from before Richard Stallman had any powerful influence which he could use so falsely.
We have a development sub-tree called "ports". Our -
Re:A bad song?
There is a very good reason why the release focus is the way it is this time. It all started with this email with RMS trolling on the misc@ list (ended up being around an 800 email thread with RMS proving what a nutter he is):
http://marc.info/?l=openbsd-misc&m=119730630513821&w=2
You should also read the comment on the lyrics page. It's just under the picture in the left column:
http://openbsd.org/lyrics.html#43
"""
OK, there was the problem of relicensing of a driver for the Linux kernel
"""
Which people made him aware of, which should have been concerning to him because how that ended up would have negatively impacted his OS. But, his answer to people was to leave him alone on that matter. As in, he'll use any technique, no matter how shady to promote and further his own goals.
"""
but they should begin to work together instead of beginning a war
"""
Kinda hard when RMS works to license everything under the "you either license it all under our license or you can't work with us" GPL. Which, btw, is incompatible with the BSD. There's also the fact that he's been quoted as saying that he'd rather see all programmers be taxi drivers having all code free (using his NON-dictionary definition) than having any proprietary software at all.
Rather hard to work with someone when they are completely uncompromising. Seriously, read the thread. It tells of a *very* unstable person. -
Re:Warning: Unofficial Torrents
Whew! Somebody needs a timeout. List of MD5s.
-
Re:Obligatory "Run Linux" post
Yes, but does it run Linux?
Yes.
-
Re:A bad song?
"""
but they should begin to work together instead of beginning a war.
"""
Get your facts straight. Hell, get some facts - at least.
We didn't start shit.
We're just ending the war with style, baby. ;) -
Re:Picture of 'New' Rack?
"""
Most likely these
"""
And what's wrong with SS20's or some other, older hardware? They're Sun4m! I've thrown away much more powerful machines. At least treat yourself to an Ultra 1. If they actually want machines like this, I'll be happy to donate some.
Thanks for pointing out they're Zauruseses. -
Re:OnLAMP article about the new release
"""
A nice article regarding the new developments of 4.3
"""
Yeah. It's a nice article and there are a lot of improvements. Some unexpected like the better performance for SSDs.
Speaking of SSDs, I see CDs slowly but surely heading the way of the floppy. At some point, they're going to disappear from more or less all new units. They're off a few models already, but it's too soon to say when the tipping point will hit. When it does, the sales of read-only CDs will have to be replaced, possibly with read-write SD flash or USB sticks or something similar. Some thought will have to be put into how to best deal with that when the time comes.
-
Re:none for me, thanks
I've always liked the idea of OpenBSD but stuck with Linux because OpenBSD ISO images are so hard to find. IIRC, they do this on purpose.
ftp://ftp.openbsd.org/pub/OpenBSD/4.3/i386/install43.iso (replace with address and path to your nearest mirror and architecture where appropriate)
-
Re:"Making money through doing evil"?
Um, Sure, openBSD is secure, until you install anything other than the limited subset it comes with. and even without that, they have a couple of security fixes a month from what I remember when on the mailing list. As for OS-X, I don't see how having a huge hole in safari can be classed as "secure". Note that in that competition, it took allowing the install of random third party software before the windows box was compromised. The apple one was compromised by just going to a website.
So, please, hate on Microsoft all you want, just try to do it with actual facts. -
"Making money through doing evil"?
"Microsoft hasn't been fixing many security issues in Vista because they think it is very secure."
I think that Microsoft has not been fixing security issues in Vista because, if they ever deliver a secure operating system, PC customers will never buy another.
It's not an impossible challenge, making a secure operating system. Other organizations have done it. If Microsoft hasn't, that is because it doesn't want to.
Microsoft exploits the ignorance of its customers. But now the customers are beginning to be more technically knowledgeable. Many are, for example, rejecting Vista. Eventually Microsoft's abusive practices will have more complete recognition. What will it do then?
Of course, if Microsoft had a good reputation, there is a huge amount of other software that needs to be written. But that is not an option, because Microsoft has never been known for creativity.
Maybe Microsoft's slogan should be, "Making money through doing evil." That's my opinion, but I'm not the only one who thinks that way.
Eventually software's Dr. Death, the Chief of Grief, the Main Chain of Pain, will become much less influential. Until then, the company is putting the world through a lot of hassle and extra expense, and wasting the time of some of the world's most capable people. -
No perfect solution, S/KEY works for some problems
There is no perfect solution to this problem: using a public terminal is fundamentally insecure, and nothing you can do will change that. However, when I am faced with this problem, I log in using SSH and S/KEY. This prevents a key logger from gathering useful password data. You still have to be careful that no sensitive information is entered or returned, as this will, without fail, go into the hands of your attackers.
-
Re:Let's see some truthful tagging
http://www.openbsd.org/
Ok, so 2 times in 10 years, but I'd say that's a bit better than say windows. -
Re:The advantage of being an internet company
"""
I'd be surprised if any from-scratch operating system designed for internet-facing use today, didn't also have 'security as a culture'.
"""
Yeah. It's called OpenBSD.
-
Close, but there are other ways
I have a lot of respect for Larry Roberts. The idea of only discarding a single packet per flow on a congested interface in order to slow things down is a good one.
If WRED didn't exist on every production-grade router made in the last 10+ years then there would certainly be a need for this technology. However, I'm not really sure how much benefit the "multi-flow fairness" concept would provide vs. just configuring WRED to discard only payload packets & not TCP control traffic. The tradeoff is the added complexity of the congestion avoidance mechanism having to be flow-aware, which increases cost, time to market, heat & power consumption, etc.
Such a technique combined with microflow policing would come closer to what he describes. In fact one could probably refer to the congestion avoidance technique described in the article as "adaptive microflow policing".
A pretty standard config used with OpenBSD's PF firewall is to prioritize ACKs in both directions so that a line congested in one direction is still useful in the other.
BTW, TCP has already been re-engineered; it's called SCTP. If you've got a custom high-bandwidth point-to-point application where you have complete control over both ends (mostly research stuff at this point), check it out.
A different approach to bandwidth management that is being developed by the major router vendors is the application-aware network. Imagine if the router was smart enough to read a field in an XML stream that indicates that this particular flow requires 64kbps or it should be dropped, it should have 256kbps to work well, and giving it more than 1mbps is not useful and you start to get the idea. That's just the tip of the iceberg.
Anyway, congestion control is useful & necessary, but "quality of service is no substitute for quantity of service"... -
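The ACK-prioritization setup mentioned above, as an added example (not from the original post) in OpenBSD 4.x-era pf.conf syntax for a single host's uplink; the interface name and bandwidth are assumed values, and a gateway would repeat the queue set on its LAN-facing interface since ALTQ shapes egress per interface:

```pf
# Added example, not from the original post. Interface and bandwidth are assumed.
ext_if = "fxp0"        # assumed: interface on the congested uplink

# Priority queueing on the uplink. Set bandwidth a little below the real
# link rate so packets queue here, where pf can reorder them, rather than
# in the modem's buffer.
altq on $ext_if priq bandwidth 900Kb queue { std_out, ack_out }
queue std_out priq(default)
queue ack_out priority 7

# When a rule names two queues, pf sends TCP ACKs that carry no payload
# (and packets marked TOS lowdelay) to the second queue and everything else
# to the first. Bulk uploads fill std_out while the ACKs for in-progress
# downloads leave via ack_out first, so a saturated upload no longer
# stalls downloads.
pass out on $ext_if proto tcp from ($ext_if) to any flags S/SA keep state \
    queue (std_out, ack_out)
```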
Re:Stay Classy
I notice that this page on the OpenBSD site says:
"If you find a new security problem, you can mail it to deraadt@openbsd.org."
If he's going to be out of the country and unavailable for contact, perhaps you should provide an alternative method of reporting security issues that doesn't go through him. (Admittedly, it is the wrong way to report OpenSSH vulnerabilities - presumably the person looked at the wrong page - but it seems to be the official way of reporting issues that affect the rest of OpenBSD.) -
Re:Big deal..stealing the food from the mouths of poor SSH client developers, naughty naughty
I don't know about you, but I don't know anyone who is making money as an SSH developer. It comes (at least partially) from the OpenBSD project, which is non-profit. And many of the ssh clients and servers that are out there for windows (putty and cygwin, to name one for each) are free anyways.
So I'm not sure that there is really any food to steal. These guys make their money elsewhere, from what I can tell.
Hence, I think we need to look elsewhere for the reason why Microsoft doesn't include even basic ssh client functionality in their operating systems. I vote for laziness myself... -
Re:And the newest exploit...
Actually, the OpenBSD guys believed the original NTP implementation to be a security risk and thus created their own: see Using OpenNTPD and this post by the OpenNTPD maintainer.
-
Re:M$CROSOFT SUCKS
Very amusing, but you're joking of course, because yes everything DOES need patching sometimes, except systems whose suppliers don't support them any more or whose maintainers just ignore security issues. (And of course that's just the sort of software I DON'T want running inside MY network, thank-you-very-much.) I just built an OpenBSD 4.2 system for a network security function at work, and as the wonderful afterboot man page tells you, one of the first things to do is hit http://www.openbsd.org/errata and look for updates.
I do vulnerability management for my employer, which means I'm responsible for making sure we don't get pwned through a known issue for which there's a patch, fix or workaround. Believe me EVERYTHING needs patching, including your printer firmware, Cisco IOS and CATOS, hell even the building access system needs a fix patch or update now & then.
-
Re:Breathtaking Arrogance or Stupidity?
Ahem, of course having a Cube running OpenBSD as my webserver, support for FireWire is something I've wished was present in OpenBSD. But you know what they say, free, functional, secure, choose any three.
-
Re:Mac mini
I can't speak for the OP, but if I were using Mac minis or other "unreliable" hardware, I'd use CARP for redundancy.
It doesn't make sense for every application, but if you can adopt a clustering approach to your services, suddenly you have redundant RAM, redundant power, redundant CPUs... Go cheap and double up.
Personally, I think racking up minis is a silly marketing ploy that ends up looking a lot more like a total wiring and cooling clusterfuck. -
Re:Linux is too commercial now man!
You must be new here. Let me introduce you to OpenBSD.
-
Re:Why bother?
"""
Didn't we just read that chroot "jails" are not secure?
"""
You may want to take a look at http://www.openbsd.org/faq/faq10.html#httpdchroot, especially the section titled "Should I use the chroot feature?".
I imagine something similar would be forthcoming regarding OpenSSH specifically. -
Re:Hardware acceleration
There is a whole lot of available crypto hardware listed here.
I've used a Hifn Crypto Accelerator a year or three ago. Worked with OpenSSL for the most part. -
Free OSes still have the least bugs
If you use OpenBSD you'll see that OpenBSD 4.1 had only 11 bugs on its first year (http://www.openbsd.org/errata41.html).
-
OpenBSD is more secure...
...here is why:
- strlcpy() and strlcat()
- Memory protection purify
- W^X
- .rodata segment
- Guard pages
- Randomized malloc()
- Randomized mmap()
- atexit() and stdio protection
- Privilege separation
- Privilege revocation
- Chroot jailing
- New uids
- ProPolice
- ... and others
-
Re:Why not leave it up to the producers?
Sorry, but stuff like Linux only works BECAUSE of copyright... The only reason that if I modify the kernel source and distribute the binary, I HAVE to give the source with it, is because of copyright. Otherwise I could just take the code that was released, make closed source software, and watch as people interested are forced to decompile it to figure out my changes.
You're absolutely right. Something like Linux, but without the requirement to distribute changes to the source code, could never be a successful open source project. -
Re:Java == Jobs
Sorry, that's just not the case. OO is just a formalization of what was already happening with good procedural programmers. OO is not fundamentally different from procedural programming-- it is a superset. OO languages force the programmer to do certain things: code modularity, polymorphism, typedefs/classes, etc, and do so in a way that encourages a programmer NOT to come up with their own system to do the same thing.
If you look at developers who spend a lot of time doing things in C (e.g., the OpenBSD developers-- have a look at their repository), you'll see that they are keenly aware of "object-oriented" design principles. They also tend to know exactly when things like byte alignment is an issue, and when you really should just use a void pointer, because they are forced to think about their machines. Most OO programmers I know have no idea why they would need OO language features-- they just use them because that's what they've been taught-- and they know next to nothing about the machines themselves. I would argue that a good programmer is a good programmer; and if they have standard procedural programming experience, that will nicely complement their future OO work.
GP is right-- OO is simply a design philosophy. The actual mechanics of building an application are no different. -
Re:not as good as port knocking
Even better is using authpf to modify the firewall's running ruleset. This way, you get the advantage of portknocking, since the protected port is not open until the user does their little dance with the firewall, and also the advantage of a real authentication system, since authpf uses SSH to authenticate the user. Because the authentication part uses SSH, you can plug in any authentication source you want, via GSSAPI, or /etc/passwd or whatever. We use SSH public keys, and the protected ports in question are port-forwarded to something nonstandard and tunnelled via SSL. Works great for us. -
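An authpf configuration in the spirit of the post above, as an added example that is not the poster's own config. It uses OpenBSD 4.x-era pf syntax (rdr rules, explicit keep state); the interface name, internal host, port number and the use of /usr/sbin/authpf as the gateway users' login shell are assumptions:

```pf
# Added example, not from the original post. Names and addresses are assumed.

# --- /etc/pf.conf on the firewall ---
ext_if = "em0"                 # assumed: Internet-facing interface
int_host = "10.0.0.5"          # assumed: internal host whose sshd is protected
table <authpf_users> persist   # authpf adds each authenticated user's IP here

# Anchors into which authpf loads per-user rules at SSH login and from which
# it removes them at logout. Without these the per-user rules never apply.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"
anchor "authpf/*"

block in on $ext_if all
# The only service open by default is the firewall's own sshd. Gateway users
# have /usr/sbin/authpf as their login shell (set via chsh, not shown) and
# /etc/authpf/authpf.conf exists, so a successful key-based login loads rules.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
pass out on $ext_if all keep state

# --- /etc/authpf/authpf.rules, loaded once per authenticated session ---
# authpf sets $user_ip and $user_id from the SSH session; macros from
# pf.conf are not inherited, so they are repeated here. A nonstandard
# external port is forwarded to the internal sshd for this client only.
ext_if = "em0"
int_host = "10.0.0.5"
rdr on $ext_if proto tcp from $user_ip to ($ext_if) port 2222 -> $int_host port 22
pass in quick on $ext_if proto tcp from $user_ip to $int_host port 22 flags S/SA keep state
```

While the SSH session to the firewall stays open the forward exists only for $user_ip; closing it flushes the rules again.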
Re:HEY MCAFEE!
"""
OpenBSD code is by far the best C code that has ever been written. And that's not just because of the many code reviews that they perform, but also because the OpenBSD developers are among the best there are.
"""
Nope. Just read a few files out of the OBSD sources (read for yourself if you want) and there's definitely code that's nicer to read and better written out there. Though their code might be the best-written OS, outside that area there are things that are even nicer (well, to my eyes)...
-
Re:A good incentive to use OpenBSD or Trusted Sola
If you're any sort of a system administrator and you haven't heard about OpenBSD or Trusted Solaris, then you're incompetent, plain and simple. You can read up about them at the sites below.
OpenBSD: http://openbsd.org/
Trusted Solaris: http://www.sun.com/software/solaris/trustedsolaris/ -
Re:OpenBSD PF Firewalls
"""
No Starch Press also has a new book out on firewalling with PF. IMO, PF is better and much more intuitive when building rulesets than Linux firewalls.
"""
I've been using OpenBSD PF for years and it is much better than iptables. There is also a nice, up-to-date User's Guide available as well.
-
Re:More complexity = less security
"""
Be afraid of complexity junkies where security is involved.
"""
I don't think that the OpenBSD folks are complexity junkies. OK, I'm not really up on all this stuff, but I think I get the gist of their thinking. Here's what I believe the pro-capabilities people would tell you:
You're advocating a false economy. Sure, capabilities are potentially complex and the implementation is hard to get right. Still, you only have to do it right one time and everything else benefits. In today's situation, we have things like "ping" running setuid root so that it can create raw sockets and Apache launching as root so that it can bind port 80 before dropping privileges.
Instead of counting on one central well-audited capabilities system, you're now counting on two applications to Do The Right Thing under all circumstances. That seems simpler from the perspective of someone who believes that central library to be an unobtainable goal, but a whole lot more complex for someone who thinks that they can make capabilities work correctly.
Again, I don't really understand all the implications and haven't wittingly used such a system, but I believe that's the reasoning people give for doing this stuff.
-
Bah, MI-5's been doing this for years
http://www.imdb.com/title/tt0160904/
But on the more serious note:
Why not Linux?
Which at one time was a DARPA funded project.
-
Don't Filter, Greylist
Filtering may work decently, but it is resource intensive and depending on your email load, you may need a scanning box as big as your regular email server.
Try http://en.wikipedia.org/wiki/Greylisting
or
http://projects.puremagic.com/greylisting/whitepaper.html
Our own office only has about 150 mailboxes but we don't do any filtering at all because of our greylisting as implemented by http://www.openbsd.org/spamd
Even better we can greylist at the perimeter instead of letting all of that pointless traffic onto our own network.
And if you're feeling particularly vindictive start posting trapped email addresses on your own publicly available webpages. Make them invisible or hidden under other content but still harvestable by bots. And soon enough a significant percentage of email addresses out there will point to tarpits, making botnet spamming a much slower proposition, which should therefore decrease the total amount of spam. -
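The perimeter greylisting setup described above, as an added example (not the poster's own config) in OpenBSD 4.x-era pf.conf syntax; the interface name, mail-server address and trap address are assumed values:

```pf
# Added example, not from the original post. Interface, MTA address and the
# trap address are assumed.
ext_if = "em0"                 # assumed: Internet-facing interface
mail_host = "192.168.1.25"     # assumed: the real MTA behind the firewall

# Senders that completed the greylist retry; spamd maintains this table.
table <spamd-white> persist

# Unknown senders are redirected to spamd (port 8025, "spamd" in /etc/services)
# on the loopback, so their connections never reach the internal network.
# Once they retry correctly spamd whitelists them and the rule stops matching.
rdr pass on $ext_if inet proto tcp from !<spamd-white> to any port smtp \
    -> 127.0.0.1 port spamd

# Log accepted SMTP so spamlogd can refresh whitelist entries for senders
# that keep delivering mail legitimately.
pass in log on $ext_if inet proto tcp from <spamd-white> to $mail_host port smtp \
    flags S/SA keep state

# spamd is enabled with spamd_flags="" in /etc/rc.conf.local (greylisting is
# the default mode). A trap address that no real mailbox uses, published only
# where harvesting bots will find it, is registered with:
#   spamdb -T -a "trap@example.com"
# Any sender that mails the trap is blacklisted and tarpitted by spamd.
```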
Re:What is not a performance dud today?
"""
This is a 50Mhz 486dx laptop with 8 megs of RAM. What OS can I reasonably run on it besides DOS, baslinux (basic linux - damn small linux is too big).
"""
Any chance you can bump that up to 12MB? That'll get you OpenBSD 4.2, although it probably won't be a screamer.
-
Re:Flawed premise.
So everyone who downloads software to provide them with more security from http://openbsd.org/ or http://www.openssh.com/ or http://www.gnupg.org/ is an idiot?
-
I always go with OpenBSD.
When I put together a system and security is paramount, there's really only one choice: OpenBSD.
Their no-bullshit policy with regards to security and high-quality code is what allows them to put together such a stable, secure, and high-quality operating system.
And I always use their security-hardened versions of GCC and Apache, just to ensure that the web sites I'm serving are as secure as possible. -
Re:Stable branch, still from source only?
If I understand correctly you must build from source if you want to use stable branch.
Binary sets for 4.2 are just release binaries; no errata patches are applied.
http://www.openbsd.org/stable.html
http://safari.oreilly.com/9780596510152/switching_to_the_openbsd_stable_branch -
Re:Package auditing?
Do you even know what you are talking about?
OpenBSD indicates all changes to its Ports/Packages on the following page.
If you have configured your OpenBSD machine properly, all that is needed to upgrade an installed package is to enter sudo pkg_add -vv -i -u package_name. No fuss, no muss, and it only takes a few minutes to upgrade all the installed programs to the latest version. No need to read mailing lists or web pages.
Finally, if you can't be bothered to read mailing lists and/or web pages to make sure your system is secure, I don't think you should be using OpenBSD in the first place. Stay with Windows, it's probably where you belong. -
provide a decent bug report, you moron
You provided a shitty bug report with no information, so it was closed.
You then provided the same shitty bug report, with a tiny snippet of info.
Read this: http://www.openbsd.org/report.html
Do you realise that an entire dmesg, ps and trace are required in a bug report?
"When I try rsync", "rsync from another machine", "just rerun rsync".
These are not useful to reproduce the problem. Clearly you can reproduce it, so how about some step-by-step instructions to do so - or better yet a script which consistently reproduces the problem. The *exact* commands used are necessary. -
Re:Stable branch, still from source only?
"""
One of the things that has put me off OpenBSD is the need to compile from source if you want to use the stable branch. I realise this is partially due to limited resources and priorities, but I would argue that this is probably one area where there is room for improvement.
"""
No you do not. Stop spreading FUD. There are binary sets for multiple archs in every release. This also goes for the ports. It is clearly stated in the FAQ that if you want stable you should use binary packages. The only time when you have to compile is when you make changes to the kernel (or are tracking -current system or ports).