Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:What is Honeypot
A honey trap is fun to prepare, but beware of actually being exploited. To limit damage, it will help to put a transparent firewall in front of the honeypot and start blocking (perhaps allow a few outbound connections, and then block). You don't want your owned honeypot as a base of attack, do you? The OpenBSD packet filter has the needed functionality using an OS that does not have a few local root kernel exploits a month.
-
Re:Quite Frankly....
Actually I think they'll be both trumped by the project affiliated with the Flying Spaghetti Monster. Of course in some circles he is venerated as the Buoyant Spaghetti Deity; hence, OpenBSD.
-
Re:Linux Support ?
On the other hand, the NVidia FX5900 in my desktop machine (also running OpenSuSE 10.1) was a breeze. Drop to run level 3, run installer, reboot, job done.
NVidia seems to make better blobs than ATI, but it is still a blob:
Blobs are expedient. Many other open source operating systems cheerfully incorporate them; in fact their users demand them. -
Re:If someone else can find the flaws, why didn't
There are people who know how to write complex software that is secure.
Secure != Bug Free
May I point you to the OpenBSD bug tracker, in which you may notice a bug has been open (not even analyzed) since 1997. MSFT isn't the only one who doesn't fix bugs quickly, but 9 years is a bit excessive. -
If someone else can find the flaws, why didn't MS?
It seems amazing to me that there are so many very critical flaws in Microsoft products. If someone else can find the flaws, why didn't Microsoft?
I've heard that Microsoft is managed in such a way that programmers don't have time to finish their work. I know that Microsoft makes more money if there are more flaws, because users can be expected to upgrade.
However, it seems that there are too many bugs for that to be the whole explanation.
So, why, year after year, has Microsoft been at the top of the vulnerabilities list? I don't accept the argument that "software is complex, and always has bugs." There are people who know how to write complex software that is secure. Microsoft could certainly hire such people. If the company wanted to have software that was relatively free of vulnerabilities, it could.
The argument that Microsoft vulnerabilities get more attention doesn't seem adequate to me to explain the huge number of very severe bugs.
But, what is the explanation? -
The SysInternals programmers are the finest...
I am certainly aware that Microsoft employees have been recommending SysInternals free utilities over Microsoft's sloppily coded and primitive utilities that do the same thing.
I am also very aware that Microsoft has no utilities at all for some of the Windows functions people need, and Microsoft employees have long been recommending SysInternals utilities for those functions.
Remember, the Windows Command Line Interface and command line utilities are upgraded DOS programs. DOS is shockingly primitive compared to the Linux command line interfaces, for example. And not all of the DOS utilities have been converted completely to 32-bit Windows; they fail in weird ways that have not been fixed even though the failures have been discussed thoroughly over the years.
The SysInternals programmers are some of the finest Windows coders in the world, if not THE finest, in my opinion. However, I don't think the SysInternals employees will stay long in the abusive and adversarial and socially backward and ignorant Microsoft climate.
I think what will happen is that Microsoft will embrace and extend and poison the SysInternals software, as they have done for the dBase language, or, much more recently, for Giant's AntiSpyware.
Microsoft began tinkering with Giant AntiSpyware, which became Windows Defender. Giant was considered the best in its field. Now the Microsoft version has problems. Sometimes, for example, it will fail, and re-installing will not fix the failure.
Of course, Giant AntiSpyware was only a bandaid for problems that exist because of Microsoft's sloppy coding that leaves huge numbers of vulnerabilities. Remember that Microsoft makes more money if there are more vulnerabilities, because people buy new computers as their old computers become slow because of infestation.
Anyone who thinks that an OS is complicated, and therefore must have vulnerabilities, should buy a secure OS like OpenBSD for $5,000 per copy. The really expensive operating system organizations can hire extremely skilled programmers who know how to eliminate vulnerabilities. Oh, wait, sorry, OpenBSD is FREE, and is coded by volunteers.
Microsoft is a socially backward and adversarial organization, in my experience, but they aren't so dumb they don't know how to hire people who can write secure software. The reason for the huge number of vulnerabilities seems to be that, when a company effectively has a temporary monopoly, more vulnerabilities make more money. -
Try an alternative
-
Re:Key line from TFA
You might not have noticed this, but the SMTP protocol has several places where the server is allowed to refuse a message based on things like the client's IP address, the destination email address, or even the content of the message body. So no, just speaking SMTP does not mean you've "already given your permission" to anything.
Well of course the server can refuse it at any point... in fact you can implement something like spamd and refuse everything if you so choose. I'm talking about when you get to the end of the SMTP exchange and the server responds with "250 message accepted for delivery" or whatever. If the server accepts it all the way through, how can you later say you didn't want the sender to have permission to deliver that message? If you didn't want the sender to deliver it, you would have had the message rejected before it got that far, right? -
One enormous flaw...
... is that the map is about open source vendors.
If you count open-source software companies (I have seen ActiveState and CodeWeavers, for instance), sure, it seems most of it is gathered in the USA and in Europe.
But take a look at, for instance, the map of the OpenBSD developers (at the bottom of the link): there are individuals working on OpenBSD all over the place.
Another case that I know well is Slackware: there are developers helping Patrick Volkerding all over the world, with strong clusters in Italy, Brazil, the UK and other countries. Mandriva is a French/Brazilian company, with strong sales in the USA, and so on and so forth. And there are so many other projects out there that are definitely not US-centric.
So, again: count companies and Open Source seems to be based in Silicon Valley. Take a look at individual developers and the picture becomes a lot more international. -
Puffy!
My security solution that handles 95% of what I need is OpenBSD (plus a couple of ports). The documentation is awesome as is the community, and it is built to be proactively secure. Give it a try: http://www.openbsd.org/
-
So what you're saying is...
You can't hack an OS X system in 30 minutes? Granted, they were literally asking for it, but the point remains that it was hacked in a very short period of time, and you kind of have to question the security stuff there.
Personally, I'd say that it would make a lot more sense just to switch to Linux – not only does it work with your existing PC hardware, but it's also usually free or inexpensively-priced. And despite what a lot of people have claimed, it's really not very hard to install or use – as a distribution maintainer myself, I get a lot of e-mails, etc. from users, and most of the time if there are problems, they're usually either really small things after installation, almost never something that would render the whole system entirely unbootable. (A lot of my family and friends are using it now too, without any sort of problems, and considering that they were all Microsoft junkies for years it's not as insignificant as it may seem...) Obviously I may as well promote Ultima Linux here, but there are many others available – I'd stay away from Ubuntu, I've had some bad experiences with it myself*, but the hell with it, you have a choice, so you choose what's best for you.
Of course, if security's the number one priority and absolutely nothing else matters, the only way to go is OpenBSD... it's also pretty damn fast, too, even on a P-133/80MB laptop.
Having said all that, I do have to admit my iPod nano is the best thing since sliced bread...
*Tried it out in my spare time, mostly out of curiosity (I sometimes like playing around with other systems just for the hell of it)... among other things I've noticed: No wireless support, slow as hell, and it uses GNOME, which I can't stand. And don't even get me started on apt-get.
DISCLAIMER: Probably some bias in there, since I'm a distro maintainer myself. Take with a grain of salt... -
What gets me about it...
As a lot of other posters have said, there's not very much software for it other than what they themselves provide, but there's another side of it, too – hardware. If I remember right, last time I saw anything about SkyOS (I will admit it was a while ago) there was very little hardware or software support. Couple that with the high price tag – i.e., any price tag – and lack of publicly-available source code, and I honestly just don't see any reason other than the hell of it.
Personally, if there's any "alternative" OS I hope takes off, it would have to be either Linux [insert obligatory reference to Ultima here], or one of my favorite "pet" projects, ReactOS. The nice thing about the latter is that it (will eventually) support the same software running on Windows, so if not the most ideal system – obviously, if it runs the same software, a lot of vendors may not see any reason for an open-source, Linux-compatible, etc. version of their product – at least it (will be) a somewhat more practical one than a Linux system. And OpenBSD is totally kick-ass, although honestly I'd say it's probably in exactly the right place right now; those who can understand it can use it, and everyone else can stick with something better suited for them.
DISCLAIMER: I will admit I'm a Linux dev / distro maintainer and there may be some bias here... -
Re:Welcome to America Junior.
There are virtually no restrictions on the use of cryptography or encryption technology in Canada. Famously, this is the reason that the OpenBSD project is based in Canada and not the US - the extensive use of encryption in OpenBSD would mean that, amongst other things, if it were US-based its development and distribution would be severely curtailed. People distributing the software may technically even be arrested, depending on how stringently their laws were interpreted.
This proposed "warrantless" internet surveillance bill will encounter a great deal of resistance in Canada, and with a minority government its passage is by no means guaranteed. In the event that it does become law, at least people can encrypt anything & everything they send over the internet. A law such as this, however, would be challenged in the courts almost immediately here. -
Re:How did this get modded up?
ok, i'll bite
And these snobbish attitudes are exactly the reason why linux has difficulty in desktop penetration and overall mindshare.
first of all, i see you have a lowish uid and should know better before talking shit. second, i know that OpenBSDs `mission statement' is to provide a solid, free, secure OS -- what's the goal of Linux, handholding and making friends? i think not.
and before the RMS-squad starts gnawing on the back of my head, lets assume he wrote GNU/Linux and was not referring just at the kernel.
-
Re:The people who criticise Richard Stallman...
However, Free Software, and Open Source software for that matter, would have died long ago if Stallman had not been defending it
Right, because projects like these would have never been developed were it not for RMS.
Stallman may have done some things to advance Free Software and Open Source, but to claim he is solely responsible is ludicrous. -
which charity?
Gates obviously was listening when the man in charge of this asked for money
:) -
OpenBSD / pf / authpf
http://www.openbsd.org/faq/pf/authpf.html
Wrap around some web based account password generator which prints a ticket to a simple serial line printer to hand over with the coffee, set a script to remove the account after the allowable period, and away you go... -
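As an added configuration sketch for the coffee-shop gateway described above (these are not the poster's or the OpenBSD project's own files): pf.conf carries the authpf anchor and refuses everything else from the guest network, and /etc/authpf/authpf.rules holds what authpf(8) loads for one logged-in guest, with $user_ip bound to the address the ssh session came from. Interface names and the allowed ports are assumptions, and the syntax is the single-anchor form used since OpenBSD 4.7; the release current when this comment was written needed separate nat-anchor, rdr-anchor and binat-anchor lines as well.

```pf
# Added example for the authpf hotspot described in the post.
# Interface names and allowed ports are assumptions.

# --- /etc/pf.conf (relevant part) ---
ext_if = "em0"            # uplink
int_if = "em1"            # guest network, where the coffee drinkers sit

block log all

# The gateway's own outbound traffic (DNS, package fetches).
pass out on $ext_if keep state

# Guests with private addresses need NAT on the way out.
match out on $ext_if from ($int_if:network) nat-to ($ext_if)

# The only thing a guest can reach before logging in is sshd on the
# gateway itself, which is where authpf runs as the login shell.
pass in on $int_if proto tcp to ($int_if) port 22 keep state

# Rules authpf loads per session are attached here. Nothing outside the
# anchor passes guest traffic, so a guest who has not logged in, or whose
# account has been removed, gets nothing else.
anchor "authpf/*"

# --- /etc/authpf/authpf.rules ---
# Loaded by authpf(8) when a guest authenticates over ssh. $user_ip and
# $user_id are set by authpf; macros from pf.conf are NOT visible here,
# so the interface is defined again.
int_if = "em1"
pass in quick on $int_if proto tcp from $user_ip to any port { 80 443 } keep state
pass in quick on $int_if proto udp from $user_ip to any port 53 keep state

# --- Account lifecycle (run by the ticket script; not pf) ---
#   useradd -m -s /usr/sbin/authpf -e <expiry> guest1234   # date format: useradd(8)
#   echo guest1234 >> /etc/authpf/authpf.allow               # authpf refuses users not listed
#   userdel -r guest1234      # from cron when the period ends; authpf
#                             # removes the anchor rules when the session ends
# /usr/sbin/authpf must be listed in /etc/shells for the login to succeed.
```

The ticket script only has to create the account with an expiry and print the credentials; the allowable period is enforced by the account expiry and the cron-driven userdel, and because the per-guest rules exist only in the anchor for the lifetime of the ssh session, closing the session (or deleting the account) removes the access with nothing left to clean up in the ruleset.
-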
again we hear of it
Again we hear of a vulnerability and again it is one which need never have existed in the first place. We know a song about that!
It's time that access to source code for device drivers was mandated by law: if hardware manufacturers will not supply the source code for their drivers, then they simply should not be allowed to sell the product. It has to be demanded from above, because of the {false, and patently so} perception that releasing driver source code or specifications might benefit competitors: if everyone has to do it then no-one will benefit unfairly.
Now, in the case of wireless devices, there is a definite possibility that the device could be reprogrammed to operate in a different way to that for which type-approval was granted. So it should be made clear that the approval covers the hardware and software as a combination, and altering the software may cause the device to operate in a non-approved manner. Just by the general principle of "innocent until proven guilty", anyone using a modified version of a device driver would only be liable for prosecution if they actually caused undesirable interference. Anyway, this is how it works in industry: type-approval procedures are published, you can certify your own products, but if at a later date they are discovered not to meet the requirements, then it's your responsibility to deal with it. -
Re:*BSD is Dying
> Does this count as a miracle?
http://www.openbsd.org/:
Only one remote hole in the default install, in more than 8 years! -
Re:Most ATA RAID controllers are unreliable
I finally broke down and bought an Areca card for one of my home-office servers (I had read some nice reviews and wanted to test one myself before recommending it). Seems reliable (at least from my single, lonely sample point) - it handled a drive failure perfectly (that is, it caught ugly S.M.A.R.T. statistics and notified us before the drive actually failed completely) - and it's very fast. Their Linux driver is BLOB-Free, well-commented and 100% GPL. Prices are reasonable, but it'd be nice if they were available through mainstream distribution (Ingram, TechData, etc) - not yet, apparently.
-
*nix RAID Support
According to the OpenBSD i386 supported hardware website, out of the cards reviewed, only Adaptec and LSI cards are compatible with OpenBSD.
However, Adaptec has refused to provide documentation so that the OpenBSD project may improve the drivers.
"Note: In the past year Adaptec has lied to us repeatedly about forthcoming documentation so that RAID support for these (rather buggy) raid controllers could be stabilized, improved, and managed. As a result, we do not recommend the Adaptec cards for use."
Other *nix variants might support the Adaptec and Promise cards a little more, but the hardware fully supported by OpenBSD is generally well-supported across all *nix variants.
Out of the cards reviewed, only the one from LSI is worth buying. Adaptec may have a little support, but it's not a good idea to purchase any RAID cards from them until they start providing better documentation. -
Re:Give it a rest, Theo.
> If you want donations, you need a tax-exempt foundation, not "make checks out to Theo."
Creating a US-based tax-exempt foundation specifically to export money to Canada is almost impossible. Lack of such foundation hasn't stopped any of the people and companies listed on http://www.openbsd.org/donations.html
-
Re:This seems bogus
Indeed having it GPL counts a lot.
But still, if the driver was developed under NDA and is bloated with "magic numbers" (as often in drivers under NDA, the implementation can't contain too much comment/info), practically, we're close to losing one of the fundamental rights supposedly granted by the GPL: the right to modify and re-use it. Well, you have this right, but you can hardly use it.
In practice, source code designed to hide IP secrets is in-between normal source code and a binary executable. That's why, by the way, OpenBSD devs never accept and never sign NDAs, as stated at http://www.openbsd.org/goals.html for instance. -
Re:in other news......
> linux supports thousands of other devices that BSDs don't support.
very good. we need opensource supporting all sorts of hardware. only this discussion is in regards to WiFi support.
Linux developers are just as interested in getting opensource drivers as the next guy. We're all in the same ship. i don't see where the flame is. the OpenBSD folks want open unencumbered drivers (hence the 3.9 blob theme) while the Linux folks have NDIS wrappers, blobs and other such hacks. it's fact. no need to get melodramatic over anything.
and they showed us that they can deliver while sticking to their goals and principles
-
OpenBSD supported wireless chipsets
can be found by reading the man pages
-
Re:Why punish monopolies?
Nope. Linux is far from having all the functionality of Windows. Sure, if you use it for work, or for school, then you can find programs that can do most things, but you will not find Quake 4 or World of Warcraft on Linux. Gimp is no paintshop killer, and WINE is nowhere near as robust as a real Windows system.
The mods must be dabbling in the crack again. The above was modded flamebait. The truth hurts, doesn't it?
The truth is, the software may be out there, but getting it to actually work on Linux is a different problem altogether. Did you check to see if your video card has open-source drivers? It doesn't (and most of them don't)? Tough. Even if it does, you'll spend hours upon hours editing config files, installing packages, and generally mucking about trying to get it to work before it actually does. If you post to any of the online forums, you'll likely be met with a loud chorus of "RTFM!!!" Of course, all of this will involve recompiling your kernel multiple times, etc. These are things that are difficult for techie people. My mom could never get it going in a million years and nor would she want to spend the time trying.
Don't get me wrong, I'm not anti-Linux by any means, although I do think there exist far superior FOSS operating systems. I just think many Linux people don't appreciate the amount of dinking with it that is required to get it to effing work. "I just want it to work, I just want to watch my stupid DVD!" was a common lament of mine. -
It's called WINE, and there are other ways
You can then literally apply Linux's security modules to individual Win32 applications -- or to individual instances of the same Win32 application -- by running the Win32 app under WINE.
Or run WINE under a different OS (e.g. OpenBSD) or emulator if you want different security tools.
I've done this with/for a number of customers, & integrating the security manageability with a system which has no viruses or spyware to speak of has saved them each endless damage (and endless payments to recover from that damage).
I've also convinced other developers to make their applications portable -- which has instantly increased their productivity and their market, too, sloughing off obsolete dependencies -- and simply stopped running the users under Windows (or anything from MS). This particular tactic earns you much peace & security in one step. -
Re:Has the security improved?
> If the Coverity (google: coverity ethereal) results are any indication things have gotten somewhat better, I'm not sure if any of the BSDs have changed their minds.
From commit message removing Ethereal:
Revision 1.4, Wed Jul 14 21:52:26 2004 UTC (22 months, 3 weeks ago) by pvalchev
Branch: MAIN
CVS Tags: HEAD
Changes since 1.3: +0 -0 lines
FILE REMOVED
Remove ethereal from the ports tree. Right during 3.5, it had more than
a dozen remote holes being fixed, that we shipped with. Weeks later
things have not improved, and there continue to be problems reported
to bugtraq, and respective band-aids - but it is clear the ethereal
team does not care about security, as new protocols get added, and
nothing gets done about the many more holes that exist.
Maybe someone will at least privilege separate this one day, and then
the OpenBSD stance with respect to this may change.
Encouraging people to run broken software by distributing packages
with known security holes is not desired by any of us. -
Re:Why care so much about Coverity?
> I don't know why people give so much credence to Coverity. I don't see how it could possibly know what are bugs and what aren't. Didn't mathematicians and computer science people show this already as the Halting Problem? "Bugs per line of code" from a program is a ridiculous measurement to use.
The Coverity program is useful for detecting some types of bugs in C and C++ programs. The OpenBSD developers have recently put effort into making lint more useful, i.e. not letting you drown in false warnings.
> I've never used Coverity since it's impossible to get the program, but it wouldn't surprise me if it called anything that wasn't safe or good coding style a "bug". Like, yell at you if you use "strcpy". Or if you don't check for a NULL pointer when it can't be.
There are some open source tools for this, like lint, but you will easily be drowned in warnings. On OpenBSD, gcc/linker has been enhanced to detect certain types of problems (like format errors in printf, or use of strcpy).
-
Re:Dapper is good, but it's not there yet.
> I just want the installer to do its job and install the bloody thing.
Then bitch to nVidia about their driver (which violates the GPL to distribute). The Ubuntu people have no control over nVidia's poor choice of licensing. If you want everything to be easy, get a video card that has OSS drivers. I have a 945GM from Intel, and it works fine, no binary blobs required.
http://www.openbsd.org/lyrics.html#39
Note the picture of Tux caught in an oil spill. That's what demanding binary blobs does to Linux. -
Re:Nothin wrong with this...
https://shipit.ubuntu.com/
http://www.apple.com/
http://www.debian.org/
http://www.openbsd.org/
in case I missed somebody :-) -> http://distrowatch.com/
( I could go on and on here, no offense to any I left out ) -
define insecure
-
OpenBSD is your friend
-
Re:dont really understand the problem.
It is not disabled by default, and I am glad it's not.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config -
Re:The Key is Not Transmitted
Perhaps the author of the article should have read the source of the text you quoted. The preceding paragraph:
ForwardAgent Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be "yes" or "no". The default is "no".
So the only people who will be caught out by this are those who:
- Blindly enable ForwardAgent without reading the security considerations mentioned in the manual.
- Set up ssh-agent without considering how it will expose their private key.
Configuring the agent to prompt the user to confirm any signing request can be as complicated as putting the private key on a smart card (which will make the reader prompt for a PIN whenever the card receives a signing request) or it can be as simple as using the -c option when calling ssh-add; therefore this does not seem like a big deal to me.
-
Re:OpenBSD?
> That's because openssh is no longer 'on' in the default install,
That's odd, because I installed 3.9 last Wednesday and ssh was definitely enabled on default install. You don't have to take my word for it, just head over to the Installation FAQ and see for yourself:
Start sshd(8) by default? [yes] y
If asking a question that defaults to "yes" isn't "default install", I don't know what it is.
-
Re:FYI: No consultation with the Debian community
Yeah, they do. If they have it in their repository for download, they do. Let's drop this Debian sainthood bullshit.
Want an uncompromising OS? Look elsewhere. -
Re:Documentation for 'Budget' models....
> What's wrong w/ the existing nVidia drivers?
-
Not surprised
I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD, its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (Which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.
Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the unix permission system and the mature core that mach and FreeBSD provide; it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - there are reports of Apple not using automated bounds checking and the such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue. -
Re:Whole Disk Encryption vs. File/Directory
-
This is a problem with the "security" field
There is no code of ethics.
You have kids trying to "make a name" by breaking things. You have companies paying these kids to find vulnerabilities, I've heard that there is a 6-figure type bounty on certain specific vulnerabilities. At the same time you have big corporations that are taking a beating in the media because vulnerabilities are disclosed before they have time to react; you also have big corporations being told about problems (whether or not it is through proper channels remains to be seen, I don't expect that the new Windows bug is going to get fixed when you tell MS Sales about it.) You have security companies like eEye publishing every vulnerability they can find to give their company some "street cred." You have companies like Foundstone (now Symantec) pirating software to search for holes in it. There is this whole rationalization in the "hacker community" that they are somehow doing the software vendors favors by finding the stuff; so just randomly portscanning hosts is really "research," huh? Despite your lack of any publishing, education and any agreements with anybody that you're "researching" on? You have frauds like Steve Gibson saying that big corporations are putting backdoors in to code on purpose. You have opensource tools changing their license and close sourcing because of companies that are simply packaging their work and charging a lot of money for it; who can blame them? There are companies that now sell exploits and "0days." You have a whole OS "designed" around security, yet they cannot publish any of the changes they've actually made and explain why they have made them (come on guys, this would be a best seller of a book, just lists of code, this is the bug, this is why it's a bug, this is how we fixed it...) At the same time, I don't want Apple and MS pushing out patches minutes after they hear about things, I want the code QAed.
Now the lawyers are getting involved. We need to check ourselves as an industry. We are a stone's throw away from developers being held responsible for damages caused by software, there are already people in favor of that. Just stop and think about that. There is no union, there is no protection for the worker here, we're held in contempt at a lot of places, because of the highly paid prima donnas jerking around writing shitty code. It will only get worse right now.
It's a sort of hot area right now, the feds are spending money. You can't be involved with software or networking and not have some kind of concern for security. This may sound old fashioned but to get a cert, whatever certs the security world wants to embrace, there should be an oath that encourages security always, encourages openness, discourages black market tactics for trading viruses and exploits, discourages this whole notion of "black magic," and discourages profiting from secrecy regarding security. I'd even go one better and add to the oath that there should be a certain and accepted public disclosure process for when a vulnerability is found in a network or application, the owner is told and then after 90 days the whole world is told, all of the time. I know of companies that have found problems in networks and then extorted money for information regarding them. That's just wrong and that should be criminal.
There are no security best practices, not in any formal sense. You can pull 100 consultants or CISSPs off the street and you'll get a 100 different sets of things you should and shouldn't do. We need to formalize the discipline. We need to encourage practices during the writing of software and construction of networks for security.
-
Re:FreeBSD 6 + pf
For one thing, pf is a lot easier on the eyes than iptables. Look through some iptables config files you find on the net. Then go look at some pf.conf files. I think you'll see it's much easier to look at the pf files and instantly see what's going on.
For another, please point me to the linux equivalent of CARP (an incredibly easy to set up redundant firewall). If you are in charge of running a firewall for a company, redundant hardware at the firewall is nice.
-
Re:Something similar with iptables
I already posted it. See this to get started: PF: Getting started
And the man page: pf.conf(5)
Check out the examples. Bridging with OpenBSD is a piece of cake. It takes only a few minutes to set it up. OpenBSD has the info you need.
-
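The transparent bridge that the honeypot comment near the top of this page calls for (let the owned box make a few outbound connections, then block it) is the same bridging setup the post above calls a piece of cake, so one pf.conf serves both. This is an added example, not taken from either post or from the OpenBSD project; the interface names, the honeypot address (from the RFC 5737 documentation range) and the connection limits are assumptions.

```pf
# Added example: transparent bridge firewall in front of a honeypot.
# Interface names, the honeypot address and the limits are assumptions.
#
# Bridge setup (not pf): /etc/hostname.em0 and /etc/hostname.em1 each
# contain "up"; /etc/hostname.bridge0 contains "add em0", "add em1", "up".
# No IP address is configured on any of them, so the filter itself is
# not addressable from either side of the bridge.

ext_if   = "em0"           # toward the Internet
hp_if    = "em1"           # toward the honeypot
honeypot = "192.0.2.10"    # constructed address (RFC 5737 range)

# Hosts behind the bridge that have used up their outbound budget.
table <owned> persist

# A bridged packet is seen on both member interfaces. Skipping $ext_if
# leaves a single filtering point, so every rule below is "on $hp_if".
set skip on { lo $ext_if }

block log all

# Attackers reach the honeypot: packets toward it leave the bridge on $hp_if.
pass out on $hp_if proto tcp to $honeypot port { 22 80 443 } keep state

# The honeypot calls out: packets from it enter the bridge on $hp_if.
# Allow a handful of connections, enough to watch tooling downloads and
# callbacks, then add the source to <owned> and kill its outbound states.
block in log quick on $hp_if from <owned>
pass in on $hp_if proto tcp from $honeypot to any keep state \
    (max-src-conn 5, max-src-conn-rate 10/60, overload <owned> flush global)

# DNS so the intruder's tools resolve names; capped by state count since
# the per-source connection limits above apply to TCP only.
pass in on $hp_if proto udp from $honeypot to any port 53 keep state \
    (max-src-states 20)
```

Once the honeypot trips the limit, `pfctl -t owned -T show` lists it and `pfctl -t owned -T flush` re-arms the trap; `pfctl -s states` before the flush shows what it was talking to. Inbound attackers still reach the honeypot after it lands in <owned>, because only its own connections are blocked: the intruder keeps working while the box can no longer be used against anyone else.
-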
Re:Any reason to switch?
If you want to consider a BSD and need it to work with Wireless, I highly recommend openbsd (see http://openbsd.org/). They have quite excellent support for wireless NICs.
Ease of use?? Well, if you want a CLI then you should seriously consider BSD. However, if you absolutely must boot from KDE the first time the OS is installed, then stick to Ubuntu. OpenBSD in particular has EXCELLENT man pages. I think it's probably the most complete, well written and up-to-date OSS project documentation I've found anywhere. Bar none. -
Re:There is such a thing as pragmatism...
> You don't get it, many (of course not all) *nix geeks can't differentiate the meaning of commercial and evil, even if they try real hard.
That's because there isn't a difference. Code that you can't change, modify, or improve is evil. Commercial software can't be changed, modified, or improved. Hence commercial and evil are one in the same.
Here's an interesting take: http://openbsd.org/lyrics.html#39 -
Re:Important for the Old Debate
If it takes an entire development cycle to simply improve the current version's bugs, I'd gladly accept and encourage that.
I don't think one mere development cycle is going to be enough. Code improvement is a continuous process. The Linux kernel programmers could (and should) learn a lot from how the OpenBSD team works.
I've written a Linux kernel driver in the 2.2 days, and at least back then the kernel source was rather messy (I've heard it's been much improved since then). One problem the Linux kernel has is that subsystems are almost continuously replaced with something new. The old subsystem code is then allowed to rot. Back in the 2.2 days my problem was to find the appropriate way to handle locking, whereas nowadays the problem area is probably the VM.
What would really help the code quality of the Linux kernel is to start refactoring subsystem code and throwing out the old stuff that oughtn't be used anymore. Less code means less space to hide bugs in.
Anyway, that's my €0.02.