Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:known since 18. feb. 2004
And when Microsoft takes the time and properly releases a patch, all the Linux zealots jump to criticize them for taking so long.
I wonder what they will say now.
I think it's time for them to look at another Unix-like OS whose number one focus is security and stability. -
Re:Duh
Compare the Apache license in OpenBSD cvsweb with the XFree86 4.4 license and clue me into what's the difference between these except for the organization name and URL?
-
Re:Duh
At least one BSD is unhappy about the prospect of the new license and is threatening to fork. Hopefully everyone can get together and have a single fork with a license like the older X license if it does end up coming to a fork.
-
Re:FreeBSE - Bovine Spongiform variant
BSE can be found in Canada as well...
-
Re:BSD isn't a hard install
Installing OpenBSD was a piece of cake; just some new users might be put off by the text-only installer at first, but if you can get past that, you'll realize that it is so straightforward.
One of the things I love about OpenBSD is that the documentation and man pages are so well done; having a look at the Installation Guide and the afterboot(8) man page, virtually anyone can have a full-fledged secure-by-default OS installed and configured in a breeze.
-
Re:Apps for Linux desktop
Apparently the person who modded you up didn't check on what you said or just doesn't run Linux.
Ever heard of Firestarter? That's one GUI firewall I can think of off the top of my head. Let's see here, how about fwall?
As far as your corporate firewall question, you might check into PF and OpenBSD. As far as Smoothwall, did you try the corporate version or just a free download? Googling, look what I found as far as your remark about outgoing ports and Smoothwall.
Haven't seen such a blatantly uninformed post in a long while. -
Re:libdvdcss
If Debian developers had any balls*, they could have been distributing libdvdcss yesterday.
*OpenBSD balls. -
Re:does this mean
No, because some Debian developers are a bunch of pussies who won't stand up for freedom.
Hell, even OpenBSD distributes libdvdcss:
ftp://ftp.openbsd.org/pub/OpenBSD/distfiles/libdvdcss-1.2.8.tar.gz
So much for Debian being about freedom. What a bunch of pussies. -
Re:hmm...
-
Re:BSD: No coverage given...
You're thinking of OpenBSD. Headquarters in Calgary. Take a look at the April 2003 press coverage for stuff on W^X.
-
Buffer overflow only modify the PC pointer...
To have the code jump at some unintended place, like that $HOME environment variable where you conveniently put your shellcode. What happens when the section where environment variables are is not executable as it should be? Program segfaults instead of the machine being owned...
It'd be nice to prevent buffer overflows in the first place, but errors do happen and having a single line of defense is a really bad idea if it is ever breached...
The good attitude is to do the most you can to prevent buffer overflows (by any means necessary: code reviews, replacing unsafe APIs like OpenBSD did, replacing all occurrences of strcpy(3), strcat(3) and sprintf(3) by safer counterparts) and having tight memory protection. Add to that some privilege separation work, chroot(2) anything chrootable, and you have way better sleep...
-
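The strcpy(3)-to-bounded-copy replacement the comment above refers to, as an added example (not code from the page or from the OpenBSD tree). The record layout, the inputs and the function names are constructed for illustration; the unbounded strcpy(3) setter is kept only for contrast, and the bounded setter is built on a strlcpy(3)-style copy reimplemented here on the assumption that the host libc may not ship strlcpy. The point is the return value: a strlcpy-style copy reports the length it wanted to write, so truncation becomes a one-line check instead of a silent overwrite of whatever sits behind the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed record: a flag placed directly behind a fixed-size buffer, so an
 * overflow of name[] runs straight into is_admin. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* VULNERABLE: the unbounded strcpy(3) pattern. Nothing stops an input of
 * NAME_LEN bytes or more from running past name[] (and, for a stack buffer,
 * on towards the saved return address). Kept for contrast only; nothing in
 * this file feeds it untrusted input. */
void set_name_unsafe(struct account *a, const char *input)
{
    strcpy(a->name, input);
}

/* strlcpy(3)-style bounded copy, reimplemented here (assumption: the host
 * libc may lack strlcpy). Copies at most size-1 bytes, always NUL-terminates
 * when size > 0, and returns strlen(src), so the caller detects truncation
 * with one comparison: a return value >= size means the source did not fit. */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);

    if (size != 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* HARDENED: bound the copy and reject over-long input outright rather than
 * silently truncating it (a truncated path or user name can change meaning).
 * Returns 0 on success, -1 if the input was rejected. */
int set_name_safe(struct account *a, const char *input)
{
    if (bounded_copy(a->name, input, sizeof a->name) >= sizeof a->name) {
        a->name[0] = '\0';   /* do not leave a partial, misleading value behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };
    const char *fits = "alice";                     /* constructed input */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";  /* 20 bytes, constructed */

    printf("%-8s -> %d (name=\"%s\", is_admin=%d)\n", fits,
           set_name_safe(&a, fits), a.name, a.is_admin);
    printf("%-8s -> %d (name=\"%s\", is_admin=%d)\n", "20 x A",
           set_name_safe(&a, too_long), a.name, a.is_admin);
    return 0;
}
```

Rejecting rather than truncating is the design choice worth noticing: strlcpy(3) makes the overflow impossible, but the check on its return value is what turns a silently shortened value into an error the caller has to handle.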
It is more or less...
OpenBSD's W^X (magicpoint slides) and Linux grsecurity PaX both use that on x386 but it has its limitations; think for example that every shared library has its own code and data section (to oversimplify) and you have to do heavy manipulation to cram each part in the right segment... Having per-page protection is way better, more convenient and does not sacrifice usability for security (forget Java with PaX; OpenBSD gets by being slightly less secure, but at least not breaking well known Unix semantics like PaX...).
-
Well written applications...
...already use mprotect() to set the execute permission on the area of memory where they generate the code... On Unix that's it... By the way... What is (or is there) the Windows equivalent?
-
Ever heard of mprotect(2)?
See mprotect(2).
This syscall has existed since about forever and is pretty standard on *nix platforms. Any well-written on-the-fly code-generating code is already relying on it.
It's not exactly like you are the first to foresee the problem...
I think I just made a dupe comment...
-
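The comments above describe one mechanism from two sides: a page that is writable but not executable turns a jump into attacker-supplied bytes into a segfault, and code that legitimately generates machine code has to flip its page from writable to executable with mprotect(2) before running it. The following is an added example for Linux showing both (not code from the page, the commenters or the OpenBSD project); the machine-code bytes for "return 42" on x86-64 and aarch64, and the function names, are constructed for it. At no point does it map a page that is writable and executable at the same time, which is exactly the W^X rule.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Machine code for "return 42" (constructed for the example). */
#if defined(__x86_64__)
static const uint8_t ret42[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
                                 0xc3 };                          /* ret         */
#elif defined(__aarch64__)
static const uint8_t ret42[] = { 0x40, 0x05, 0x80, 0x52,   /* mov w0, #42 */
                                 0xc0, 0x03, 0x5f, 0xd6 }; /* ret         */
#else
#error "this example carries code bytes for x86-64 and aarch64 only"
#endif

typedef int (*thunk_fn)(void);

/* Turn a data pointer into a function pointer without a cast warning. */
static thunk_fn as_function(void *p)
{
    thunk_fn f;
    memcpy(&f, &p, sizeof f);
    return f;
}

/* The W^X-respecting JIT pattern: the page is writable OR executable, never
 * both. Write while RW, mprotect(2) to RX, only then call into it.
 * Returns what the generated code returned, or -1 if mmap/mprotect failed. */
int jit_answer(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;

    memcpy(page, ret42, sizeof ret42);                    /* 1. write while RW */
    __builtin___clear_cache((char *)page, (char *)page + sizeof ret42);

    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) { /* 2. W -> X */
        munmap(page, pagesz);
        return -1;
    }
    int r = as_function(page)();                          /* 3. execute */
    munmap(page, pagesz);
    return r;
}

/* The attacker's side of the first comment: the same bytes sitting in a page
 * that is writable but NOT executable (a stack or environment area under NX).
 * Returns 1 if jumping there faulted, 0 if the bytes ran anyway, -1 on mmap
 * failure. A SIGSEGV/SIGBUS handler longjmps back out of the fault. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int exec_from_writable_page_faults(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, ret42, sizeof ret42);   /* "shellcode" in a writable page */

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        (void)as_function(page)();   /* jump into RW-only memory */
        faulted = 0;                 /* reached only if NX is not enforced */
    } else {
        faulted = 1;                 /* fault: page was not executable */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return faulted;
}

int main(void)
{
    printf("RW -> RX page returned %d\n", jit_answer());
    printf("executing from an RW-only page faulted: %s\n",
           exec_from_writable_page_faults() == 1 ? "yes" : "no");
    return 0;
}
```

The second function is the whole argument of the thread in miniature: with a non-executable data page the overflowed program dies with a signal instead of running the payload, and the only way to get bytes executed is the explicit mprotect(2) transition that a legitimate code generator already performs.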
Re:what a drag
Exactly. OpenBSD 3.3 already came with this feature in May 2003.
"W^X (pronounced: "W xor X") on architectures capable of pure execute-bit support in the MMU (sparc, sparc64, alpha, hppa). This is a fine-grained memory permissions layout, ensuring that memory which can be written to by application programs can not be executable at the same time and vice versa. This raises the bar on potential buffer overflows and other attacks: as a result, an attacker is unable to write code anywhere in memory where it can be executed. (NOTE: i386 and powerpc do not support W^X in 3.3; however, 3.3-current already supports it on i386, and both these processors are expected to support this change in 3.4). " -
W^X (Write XOR Execute)
-
New Hot Babe
Is it any wonder people think Linux users are a bunch of flaming homosexuals when it's fronted by obviously gay losers like these?! BSD has a mascot who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks and gorgeous babes then maybe it would be able to compete with BSD! Hell this girl should be a model!
Linux is a joke as long as it continues to lack sexy girls like her! I mean just look at this girl! Doesn't she excite you? I know this little hottie puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox. As you can see, no man can resist this sexy little minx. I mean are you telling me you wouldn't like to get your hands on this ass?! Wouldn't this just make your Christmas?! Yes doctor, this uber babe definitely gets my pulse racing! Oh how I envy the lucky girl in this shot! Linux has nothing that can possibly compete. Come on, you must admit she is better than an overweight penguin or a gay looking goat! Wouldn't this be more likely to influence your choice of OS?
With sexy chicks like the lovely Ceren you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD if she told you to? Don't you wish you could get one of these? Personally I know I would give my right arm to get this close to such a divine beauty!
Don't be a fag! Join the campaign for more cute open source babes today! -
Re:secure by default
Ask the team:
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Our efforts emphasize portability, standardization, correctness, proactive security and integrated cryptography. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX. -
secure by default
Welcome to OpenBSD: The proactively secure Unix-like operating system.
-
Re:My vote is for Debian" Debian is the most secure OS out there..."
Really? I always thought it was OpenBSD.
-
BSD claims patent on hot babes!
Is it any wonder people think Linux users are a bunch of flaming homosexuals when it's fronted by obviously gay losers like these?! BSD has a mascot who leaves us in no doubt that this is the OS for real men! If Linux had more hot chicks and gorgeous babes then maybe it would be able to compete with BSD!
Linux is a joke as long as it continues to lack sexy girls like her! I mean just look at this girl! Doesn't she excite you? I know this little hottie puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox. As you can see, no man can resist this sexy little minx. I mean are you telling me you wouldn't like to get your hands on this ass?! Linux has nothing that can possibly compete. Come on, you must admit she is better than an overweight penguin or a gay looking goat!
With sexy chicks like the lovely Ceren you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD if she told you to? Don't you wish you could get one of these? Personally I know I would give my right arm to get this close to such a divine beauty!
Don't be a fag! Join the campaign for more cute open source babes today! -
this has been said too many times
I was at my pastor's house last week and the topic of conversation somehow managed to turn over to Linux and open source vs. Windows and closed source.
Basically the argument for closed source was that nobody could read through the code and exploit weaknesses or add trojans without anybody knowing, and once Linux becomes more mainstream the same virus woes will be the same for both platforms.
I was going to remind him that Linux users are statistically more security conscious (how many Linux/Unix users spend the bulk of their productivity time running as root?) than Windows users, but I didn't want to bring it up because he was the leader of our church.
And also more work is put into the Linux kernels than in the NT5-5.1 kernels when it comes to the weaknesses that viruses rely on.
I was then going to remind him of OpenBSD, an open source OS that has had only 1 hole in the default install in the last seven years.
Maybe next time when I get enough courage I will enlighten him some more. -
Got one for ya...
-
All PR and no substance. . . .again
So now Red Hat is using the tired and clichéd approach of getting PR by hosting a cracker contest. You would think that they'd have learned from previous examples. Just because a system hasn't been defeated in a cracker contest doesn't mean it's secure. Security is a process, not something you can shrinkwrap. The proper way to demonstrate the security of a product is through repeated, thorough code audits like some other software distributions are doing. Things must be looking dire indeed for Redhat if they're starting to make announcements of products like this à la another company we know and love.
-
Re:Maybe time to drop this "securitier than thou"
http://bsd.slashdot.org/article.pl?sid=04/02/05/2056234
Remotely Crash OpenBSD
Posted by CowboyNeal on Thu Feb 05, '04 22:49
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
CVS log for src/sys/netinet6/ip6_output.c
Revision 1.82 / (download) - annotate - [select for diffs] , Wed Feb 4 08:47:41 2004
Get it? -
This may be true, but...
...the documentation advises against building your own kernel unless you have a very good reason. They won't support you, either (not that their support will solve all your problems).
> Under most circumstances you will NOT need to compile your own kernel. The GENERIC kernel will usually be all that you need. In fact, there are several reasons why you do not want to create your own kernel. The main reason is that it is very easy to make changes to the kernel configuration which look logical, but do not work. This is your danger sign. If something does not appear to work properly, please try the GENERIC kernel before sending in a bug report. Developers will usually ignore bug reports dealing with custom kernels, unless the problem can be reproduced in a GENERIC kernel as well. You have been warned.
-
Re:Maybe time to drop this "securitier than thou"
Fixed? really? Could you point out on the errata page where this is even mentioned, let alone patched?
-
Slashdotted
Remote openbsd crash with ip6, yet still openbsd much better than windows
Systems affected:
tested on openbsd 3.4
not clear about netbsd
freebsd not vulnerable
Risk: Medium
Date: 4 February 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/obsdmtu.html
Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
It is possible to remotely crash openbsd 3.4 if the host receives icmpv6
and there is a listening tcp port.
quoting de raadt: "it is just a crash."
remote crash which screws the kernel.
unknown whether this may be exploited for code execution.
Details:
The problem is triggered by setting small ipv6 mtu and then doing tcp
connect.
How to reproduce:
Patch linux kernel 2.4.24 net/ipv6/icmp.c :
case ICMPV6_ECHO_REPLY: /* we coulnd't care less */
icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, 68, skb->dev); //joro
then:
ping6 openbsd
ssh -6 openbsd
Workaround:
It is believed that openbsd current is not vulnerable.
netbsd current also seems to have related changes.
check:
http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/tcp_output.c?sortby=date
Vendor status:
open, net and free bsd were notified Sun, 1 Feb 2004 16:35:56 +0200
Georgi Guninski
http://www.guninski.com -
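The trigger in the advisory above is an ICMPv6 Packet Too Big message advertising an MTU of 68, far below the 1280-byte minimum link MTU that RFC 8200 requires every IPv6 link to support; a host doing path-MTU discovery has no legitimate reason to be told anything smaller. That gives a defender a narrow signature that does not interfere with normal PMTUD, whereas dropping all Packet Too Big messages would. The classifier below is an added example, not the OpenBSD fix and not the advisory's code. The packet builder, the ::1 addresses, the zeroed checksum and the verdict names are constructed for it, and it deliberately does not walk IPv6 extension headers, so anything other than a plain IPv6+ICMPv6 datagram is reported as not-ICMPv6 rather than guessed at.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN       40
#define ICMPV6_HDR_LEN     8     /* type, code, checksum, 4-byte body (MTU for PTB) */
#define NEXTHDR_ICMPV6     58
#define ICMPV6_PKT_TOO_BIG 2
#define IPV6_MIN_LINK_MTU  1280  /* RFC 8200: every IPv6 link must carry 1280 bytes */

enum ptb_verdict {
    PTB_NOT_ICMPV6 = 0,   /* not IPv6, or ICMPv6 not directly after the IPv6 header */
    PTB_OTHER_ICMPV6,     /* ICMPv6, but not Packet Too Big */
    PTB_MALFORMED,        /* headers truncated */
    PTB_PLAUSIBLE,        /* PTB with MTU >= 1280: ordinary path-MTU discovery */
    PTB_SUB_MINIMUM       /* PTB advertising an MTU below 1280: never legitimate */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one raw IPv6 packet (no link-layer header). If mtu_out is non-NULL
 * it receives the advertised MTU for Packet Too Big messages. */
enum ptb_verdict classify_ptb(const uint8_t *pkt, size_t len, uint32_t *mtu_out)
{
    if (len < IPV6_HDR_LEN)
        return PTB_MALFORMED;
    if ((pkt[0] >> 4) != 6 || pkt[6] != NEXTHDR_ICMPV6)
        return PTB_NOT_ICMPV6;
    if (len < IPV6_HDR_LEN + ICMPV6_HDR_LEN)
        return PTB_MALFORMED;

    const uint8_t *icmp = pkt + IPV6_HDR_LEN;
    if (icmp[0] != ICMPV6_PKT_TOO_BIG)
        return PTB_OTHER_ICMPV6;

    uint32_t mtu = be32(icmp + 4);      /* MTU field: bytes 4..7 of the ICMPv6 message */
    if (mtu_out)
        *mtu_out = mtu;
    return mtu < IPV6_MIN_LINK_MTU ? PTB_SUB_MINIMUM : PTB_PLAUSIBLE;
}

/* Build a minimal IPv6 + ICMPv6 Packet Too Big datagram into buf. Constructed
 * test data: ::1 -> ::1, checksum left zero because the classifier does not
 * verify it. Returns the packet length, or 0 if buf is too small. */
size_t build_ptb(uint8_t *buf, size_t bufsz, uint32_t mtu)
{
    const size_t n = IPV6_HDR_LEN + ICMPV6_HDR_LEN;
    if (bufsz < n)
        return 0;
    memset(buf, 0, n);
    buf[0] = 0x60;                           /* version 6, traffic class 0 */
    buf[4] = 0; buf[5] = ICMPV6_HDR_LEN;     /* payload length */
    buf[6] = NEXTHDR_ICMPV6;                 /* next header: ICMPv6 */
    buf[7] = 64;                             /* hop limit */
    buf[23] = 1; buf[39] = 1;                /* src ::1, dst ::1 */
    buf[40] = ICMPV6_PKT_TOO_BIG;            /* type 2, code 0 */
    buf[44] = (uint8_t)(mtu >> 24); buf[45] = (uint8_t)(mtu >> 16);
    buf[46] = (uint8_t)(mtu >> 8);  buf[47] = (uint8_t)mtu;
    return n;
}

int main(void)
{
    static const char *names[] = { "not-icmpv6", "other-icmpv6", "malformed",
                                   "plausible", "SUB-MINIMUM" };
    uint8_t pkt[64];
    uint32_t mtus[] = { 68, 1279, 1280, 1500 };   /* 68 is the advisory's value */

    for (size_t i = 0; i < sizeof mtus / sizeof mtus[0]; i++) {
        uint32_t seen = 0;
        size_t n = build_ptb(pkt, sizeof pkt, mtus[i]);
        printf("PTB mtu=%-5u -> %s\n", seen, names[classify_ptb(pkt, n, &seen)]);
    }
    return 0;
}
```

Run over captured traffic, a PTB_SUB_MINIMUM verdict is worth an alert on its own: a correct peer never advertises less than 1280, so the message is either a broken stack or someone probing for exactly the kind of bug the advisory describes. This is a detection aid for the window before a host is patched, not a substitute for the fix.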
Patch for production systems?
I know that the problem has been fixed in -current, but I run a production box that I refuse to bring up to -current. There's no patch or even a mention of this problem on the errata page.
What's a sane admin to do? -
Re:Password
one could use Packet filter state synchronization to another public unknown box combined with authpf to use additional ports, rather than using "port knocking clients", which itself sounds kind of needless
-
There is hope here!
My friends, I know we all want Open Source to succeed. However, it has come to my attention that the amount of attention being lavished on Linux by the community at the expense of BSD ignores one key advantage that the venerable OS from Berkeley has over everyone's favourite from Finland.
How can people say BSD is dying when it has a mascot like this?! Linux needs to get its act together if it's going to compete with the kind of hot chicks and gorgeous babes that BSD has to offer!
How can you take Linux seriously when it's fronted by losers like these?! Would you buy software from them? Would you even walk on the same side of the street as them?! I don't think so! You Linux groupies need to find some sexy girls like her! I mean just look at this girl! Doesn't she excite you? I know this little hottie puts me in need of a cold shower! This guy looks like he is about to cream his pants standing next to such a fox. As you can see, no man can resist this sexy little minx. I mean are you telling me you wouldn't like to get your hands on this ass?!
With sexy chicks like the lovely Ceren you could have people queuing up to buy open source products. Could you really refuse to buy a copy of BSD if she told you to? Come on, you must admit she is better than an overweight penguin or a gay looking goat! Don't you wish you could get one of these? Personally I know I would give my right arm to get this close to such a divine beauty!
Join the campaign for more cute open source babes today! -
Re:Thankless task indeed . . .
Have a look at this. There is also a lot of email on misc@ telling users whats been discovered, what is being changed, what is being removed and what has been audited and why.
-
OpenBSD backlash?
Maybe people in the security community didn't forget about DARPA's decision not to fund OpenBSD anymore. It doesn't pay to mix politics with research...
-
Re:Thankless task indeed . . .
I don't know what is such a mystery to you.
They explain their philosophy, the source to their patches, the change logs, access to their bug tracking, and mailing list archives.
It is all linked from the front pages. What is so hard to figure out? -
Re:Thankless task indeed . . .
<offtopic>Your comments are discussion-worthy! Why post as an AC? I've been reading /. since at least 1998, but never got around to signing up and commenting properly. I'm glad I finally did, but I could have had bragging rights with one of those low UIDs if I had registered earlier.</offtopic>
Anyway, I see these comments often enough so I suppose they merit some response. I'm not sure I'm the one to do it, but anyway . . .
> Interestingly, OpenBSD also don't have any documentation as to what it is exactly they are doing with their audit.
People from GNU/Linux land are often not familiar with the structure of the BSD codebase. With GNU/Linux, tar or ls, for example, will have an "upstream maintainer" such as the FSF. When a distribution finds a bug in one of those utilities, it really is important to report it upstream so they can fix it for everyone.
The BSD codebase was handed down as a single unit from Berkeley. Literally, the kernel, tar, and ls build in the same source tree. A small number of groups that formed to maintain this newly-freed source tree split off from each other (often with ugly disagreements). Berkeley wasn't interested in performing coordinating functions as an "upstream maintainer".
So the OpenBSD group doesn't have anyone more "authoritative" than themselves to report changes and fixes to. What they do instead is make every source change available via CVS. You can even subscribe to an email changelist if you want to. The other BSDs are free to (and often do) track these changes.
> They talk a good game but let's face it, if you don't run any services on any platform it's about as secure as an OpenBSD install is out of the box. That's not exactly securing the code through audit, it's just locking down a box.
There is still the IP stack and packet filtering code that needs to be secure. There have been significant attacks on those in the past for many OSes. BTW, wouldn't you prefer that things come turned off by default, so you don't have to worry about "locking it down" in the first place? I just re-installed Debian the other day, and it had ports open to notify others of changes to my filesystem (something called fam, just in case I wanted to setup a fileserver). Probably there was some authentication on it, but the point is that I don't remember asking if it was ok to be on in the first place.
I know this may seem old-fashioned in the days of personal UNIX workstations, but local exploits are a concern for many systems. Often this can make the difference between a denial-of-service and a full rooting of a server.
> I like what they are saying they are doing but I have no idea what it is they are changing or why those changes make OpenBSD any more secure than anything else. Now if they had a set of documents explaining what it is that they were looking at and fixing and shared some information so that other developers could learn from the mistakes of others it would be more commendable. Throw on to that the attitude of the developers and you've got a real party.
For all the accusations of OpenBSD being self-promoting, I don't think they spend a lot of time trying to explain their work to non-programmers. As they are working for free for their own interests, I can sympathize with them not verbosely explaining every source-code change in layman's terms. I trust them not to hide a bug that would clearly be exploitable, but at the same time, I don't think they need to do more than silently fix those that probably aren't. I can understand that someone not fluent in C could fail to see what the benefit to, say, eliminating sprintf would be. As a professional software developer, I have looked at their work and I believe it has great merit.
-
Thankless task indeed . . .
> Two years after its hopeful launch, a U.S.-backed research project aimed at drawing skilled eyeballs to the thankless task of open-source security auditing is prepared to throw in the towel.
It does seem to be a thankless task. For a new guy on a project, criticizing the leaders' work doesn't seem a good way to gain influence. For an old contributor, you might feel compelled to add functionality the userbase is demanding.
Interestingly, the OpenBSD project has put a lot of effort into auditing, and they also have a reputation of being somewhat, um, "grouchy". I wonder if there's some correlation?