Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Re:Port blocking on Internet/Intranets
Ugh... why not just put your networks behind a reasonable firewall and block those incoming ports?
Hate to rail on it, but even if I don't patch my Win2K box at home (used for gaming), I don't need to worry about it because my OpenBSD firewall protects me from this crap.
Or isn't this solution obvious enough? -
Military Ca$h
Funny, many people ragged on Theo de Raadt when he said "I try to convince myself that our grant means a half of a cruise missile doesn't get built." Yes these scientists are being painted as super-duper people with minty-fresh breath because they seemingly have some of the same convictions. -
Links to ordering site & items --Support the OpenBSD developers by getting a 3.4 CD $40 or for Europe EUR 45
There is a new Tshirt: 3.4 Tshirt $20 or for Europe EUR 20
The new 3.4 poster is very nice too, get it for $10 US or EUR 14 in Europe
If you prefer OpenSSH, have a look at this new Tshirt OpenSSH 2 $20 or for Europe EUR 20
thank you. -
Time for openBSD
It doesn't work without other effort to keep it secure, but OpenBSD is the only OS I really trust to have a chance at standing against a determined attacker. You still have to harden your databases, and a separate firewall is still a good idea, and good passwords and such are still required. Other OSs may or may not be good, but only OpenBSD has a track record to brag of: Only one remote hole in the default install, in more than 7 years. (Note that over time the wording has changed as holes were discovered; this is the one they use now, and it is true.)
Remember, if you install bad software on top of it, you are insecure. However, it is a good starting point, and careful thought can minimize other problems. (If you go through the effort, security is not easy.)
-
systrace
-
Re:Perhaps it's time to send Pheonix a message ...
The OS is going to also be DRM enabled and will detect the BIOS type.
Oh, really? I don't think so -
Re:It's funny to laugh at Microsoft...
If I put RedHat9 next to Windows Server 2003 I have significantly more updates to apply to my Linux box.
Linux != Red Hat
Red Hat != Linux
Red Hat == Linux(bastardized)+GNU(bastardized)+OSS(bastardized_inc_kitchen_sink).
Did you install default, BTW? Try installing minimal and then adding what you want. Better still, do the same, but with Debian.
Or even better yet... OpenBSD...
Features added and minor bugs squashed in the last 127 days of OpenBSD development.
Worse, potential security and stability bugs found and squashed in that same time.
1 remote exploit in the system as shipped, in the past SEVEN YEARS.
Plus, the next remote exploit probably won't be capable of much, with all the extra security measures they've made lately with propolice, W^X, privilege separation, gradual elimination of setuid and setgid binaries, now that all kernels are propolice enabled, the modules will be too in 3.4.
Oh, then there is the sheer beauty of pf!
I actually thought for a while there, that within this 6 month dev cycle, we'd see no errata for OpenBSD. Maybe 3.4?
Why not go and pre-order 3.4? -
Re:Shortcoming #1:
OpenBSD has FLAVOR and MULTI_PACKAGES exactly for this. Each port has a set of knobs that can be twiddled, and the binary packages are generated and named appropriately.
-
Re:China making open-source software !?!
I can't imagine they'd start from scratch when there's code lying around to build upon. But that doesn't mean their modified version will be open source. Somehow I don't think the GPL will stand in their way.
Especially when there's code around with an extra 10-20 years of maturity under a more friendly (BSD) license.
Exhibits: 1, 2, 3 -
Re:How to develop securely in 4 words
And in next month's installment, we will learn about strlcpy(3).
After that, maybe we can look into programming languages that actually have a string type, and don't tend to make every bug exploitable by default.
-
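The strcpy(3) versus strlcpy(3) point made in the comment above, as an added example that is not from any commenter or from the OpenBSD project. Because not every libc ships strlcpy, the block carries its own copy (`example_strlcpy`) written to the OpenBSD semantics: copy at most size-1 bytes, always NUL-terminate, return strlen(src) so the caller can test for truncation. The `struct request` type, the two host names and the function names are this example's own inventions.

```c
/* Added example, not from the thread: bounded copy with a truncation check,
 * beside the unbounded pattern it replaces. All names here are invented. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Portable reimplementation of OpenBSD strlcpy(3): copies at most size-1
 * bytes, always NUL-terminates when size > 0, and returns strlen(src) so
 * the caller can detect truncation with (ret >= size). */
static size_t
example_strlcpy(char *dst, const char *src, size_t size)
{
	size_t srclen = strlen(src);

	if (size > 0) {
		size_t n = srclen < size - 1 ? srclen : size - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return srclen;
}

struct request {
	char host[32];
	int  port;
};

/* Unbounded pattern: nothing stops a 50-byte name from running past the
 * 32-byte buffer into whatever follows it on the stack. The function
 * cannot even tell its caller that anything went wrong. Called below only
 * with input that fits, so the program itself stays well-behaved. */
int
request_set_host_unsafe(struct request *r, const char *host)
{
	strcpy(r->host, host);
	return 0;
}

/* Bounded pattern: copy at most sizeof(host)-1 bytes and refuse the
 * request outright if the name did not fit, rather than silently working
 * with a clipped host name. Returns 0 on success, -1 on truncation. */
int
request_set_host(struct request *r, const char *host)
{
	size_t n = example_strlcpy(r->host, host, sizeof(r->host));

	if (n >= sizeof(r->host)) {
		r->host[0] = '\0';	/* never keep a half-copied name */
		return -1;
	}
	return 0;
}

int
main(void)
{
	struct request r = { "", 25 };
	/* Constructed inputs: one that fits, one that does not. */
	const char *ok  = "mail.example.org";
	const char *bad = "a-very-long-host-name-that-does-not-fit.example.org";

	request_set_host_unsafe(&r, ok);
	printf("unsafe, fits:  host=\"%s\"\n", r.host);
	printf("safe, fits:    rc=%d host=\"%s\"\n", request_set_host(&r, ok), r.host);
	printf("safe, too big: rc=%d host=\"%s\"\n", request_set_host(&r, bad), r.host);
	return 0;
}
```

The return value is the whole point of strlcpy's interface: the caller learns the length the source *wanted* and can compare it to the buffer size, which strncpy(3) never tells you (and strncpy does not even guarantee a terminator).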
Here's my book
Using this during my install of an OpenBSD firewall taught me quite a bit.
-
Re:Crypto API
It took some time to explain to the government that the "bad guys" already have access to strong encryption
you must mean those damn Canadians -
Re:Damn...
I realize you're probably not entirely serious, but this is definitely the wrong attitude. The flood of virus warnings and bounces caused by Sobig, not to mention all the machines knocked off the Internet by Blaster, shows that a horde of hopelessly insecure machines on the Internet is dangerous to everyone, including those of us with some common sense about security. If one acknowledges that spam costs time and money to deal with, then Sobig is damaging even people who have gone completely uninfected - the virus messages and bounces are every bit as annoying and numerous as spam, albeit easier to filter.
At any rate, although it would be nice to see businesses move away from Windows after this or the next MS "trustworthy computing" fiasco, I doubt it will happen. In my experience, anyway, the MCSE types will probably be more likely to shell out big bucks for a mail filter on their Exchange server (you know, the ones generating all the "YOUR MESSAGE CONTAINS A VIRUS" warnings sent to addresses that Sobig spoofed) than to switch from Windows or even patch it more often. One can always hope, though...
Anyway, even if everyone switched to real OSes, most of them have their share of security problems, too. These types of virus epidemics will probably still be a danger until either the majority of people get a clue about security, or until the majority of OS vendors get a clue about designing systems that are secure by default so the users don't have to work quite as hard to make and keep them safe. -
Re:What we want to know...
You mean ipfw, see the Personal Firewall heading on this page.
If they switched to pf, I sure hope that they update their product information soon and contribute to the project by purchasing a CD. -
Re:What this is really telling you is..
Maybe what we really need is an OS that supports an easy-to-configure "sandbox" for each app to run in. That way if you are worried about Application X sending out network packets on the sly, you can just tell the OS to disallow network connections from that app.
OpenBSD ships with systrace, which does exactly what you describe. Systrace is also available for NetBSD, Linux, and Mac OS X.
Of course, with the exception of Mac OS X, these aren't really platforms where you have to worry so much about software phoning home to the vendor or other forms of spyware. On Windows you can always use ZoneAlarm, though. -
I don't get it...
If SCO is bound and determined to commit public-relations and corporate suicide, all in one swell foop, I'm sure there are cleaner and quieter ways to go about it.
All this grandstanding (without presenting independently-verifiable proof of their claims, I think that's all they're doing) is only going to do one thing: Create a serious financial drain on the company in terms of court costs.
One interesting side effect to this whole mess may be that BSD-based OS's will get more attention. As far as I know, neither NetBSD, nor FreeBSD, nor OpenBSD have ever been the subject of lawsuits of the type that SCO is pushing.
Whatever happens, I think SCO has gone utterly, irretrievably bonkers if they think this kind of behavior will help them in any way. I feel sorry for the employees...
-
Canadians must be REALLY stupid
If they only used the crown jewel of Canadian technology, they wouldn't have this problem. Ironic.
We'll set aside the fact that it is a copy of a US product and received substantial funding from the US taxpayer. -
Re:NSA chose Linux, not Windows
Retard, they chose Linux because they had full access to the source code.
I think it would have been *erm* cost prohibitive to get that kind of access to windows, to say the least.
-
Re:FSF
-
Re:Debian is rapidly becoming obsolete
The Debian community is notoriously snob-like, and hates the idea of newbies (aka regular people) using their distribution.
I think you're thinking of something else. Seriously, I've been on the debian-users mailing list for a long time, and it's made up almost exclusively of nice, outgoing, helpful people. I've never seen a newbie with a legitimate question get an RTFM from the regulars. Sometimes you'll see stupid questions like "y isn't debyan as cool as red hat?" get flamed, but you'll see that anywhere.
-
Re:But PC's are not mono-culture...
OK, fighting your fire with fire:
On a Mac, I have:
- Mac OS X (who knew?)
- BSD via Darwin or OpenBSD if you prefer.
- Linux (Suse, Mandrake, Yellow Dog and probably more that I've missed).
- BeOS for PowerPC
- And, of course, good old Virtual PC which, despite being now owned by Microsoft, is still a great product, and allows you to run *any* x86-compatible OS on your Mac. And since most of the other OSs you mentioned (OS/2, AtheOS etc) are either old or low-resource, there will be a negligible speed hit.
In fact, I would go so far as to say that the Mac is the most-compatible platform out there. Personally, I have six different OSs on my Mac right now (Mac OS X, Mac OS 9.1, 9.2.2, Mandrake Linux, Win98 SE and PC-DOS). And that's not even breaking a sweat.
-
The next update sites...
-
Re:Make up your mind, people...
How about a non-executable stack, like every other OS is getting these days? (Well, except OSes that run on UltraSPARC. ;-) -
Re:The OpenBSD Attitude
Bullshit. Apparently you haven't read the FAQ or looked in the right people.
OpenBSD was the easiest install I've ever done because I READ the FAQ. Setting up a DHCP server was simplicity itself because I READ the man page. Seriously, setting up DHCP took less time than my Linksys router's GUI. OpenBSD is EASIER than Linux because of the sheer quality of help that is already there waiting for you like the FAQ and man pages.
When I asked for help w/ my OpenBSD firewall, people on the forums responded instantly, offered to help me troubleshoot my problems on IRC, and emailed me their ideas.
Stop propagating a stereotype.
-
Re:8GB Root Partition
For the answer to your question, if you read this OpenBSD FAQ entry, it details fairly well why you should not have a / larger than 8GB.
The following two sentences basically say it all:
The OpenBSD i386 boot loaders (biosboot(8) and boot(8)) also have their own internal 8G limitation, from an older BIOS limit.
For this reason, the entire /bsd file (the kernel) must be located on the disk within the boot ROM addressable area, or within the first 8G of the disk,
It's just a "stupid" limitation that no one has seen a need to fix or work around in this case. But the results of violating this limit can be disastrous, as once the /bsd kernel file gets written outside this 8GB area, say after you have just rebuilt it, then the boot sequence dies with a bad magic error.
Another good reason for partitioning your disks is so that a runaway process writing tonnes of log entries into /var/log/.log overnight, while you are asleep and unaware of the issue, won't take down the system by filling up all your disk space, just /var. -
Re:Why is BSD useful?
Your errata link to OpenBSD is a bit misleading, but if you include the errata for packages it's more comparable to Redhat errata.
On the other hand, Redhat 9 has 3 kernel security updates containing multiple security issues each, while OpenBSD has just one....
-
Re:Unique?
Maybe I'm biting at a troll, but I'll do it anyway...
There are a few basic areas where OpenBSD is "unique" to my knowledge. It is certainly unique among the BSDs in these respects. The first is proactive security. They audit all code going into the OS and all code that was legacied (is that a word?) into the OS. I can't count the number of times I've heard something like "This problem was fixed in OpenBSD 6 months ago in a routine audit" as the page linked above states. Hell, people in the OpenBSD community were actually complaining about the routine security fixes not being released as actual security patches with alerts. The fact of the matter was that they had no idea if the old code could lead to an exploit or not; it was flawed so they fixed it. This leads into a second part of this aspect, which is full disclosure. Anytime there is any kind of exploit or potential exploit, you hear about it along with a bugfix immediately. None of this waiting 3 months for it to be recognized by the vendor and then another two for the patch to be publicly available.
The second part is integrated cryptography. This doesn't mean just including IPsec. This means using 128-bit AES on the *swap* partitions to prevent them from being used against the system administrator in cases where the regular filesystem is also encrypted. I have never seen encrypted *swap* in an OS before. The design is ingenious; I've been looking at it very closely with an eye for porting it to another OS, and it's way cool.
The third aspect, and perhaps the most important in my mind, is the ridiculously detailed and useful man pages. They are the best I've seen in any Unix, period. The FAQ on the website will answer almost any question you can think of for getting started. And if the man pages don't answer your question, you are probably looking in the wrong place or asking the wrong question. Well, that's what it's been any time I couldn't find stuff there.
Oh and then there's the "Only one remote hole in the default install, in more than 7 years!" thing. Anyone can screw up a system, but OpenBSD sets you up for success where with the others it is truly a challenge to get the system as secure. -
Why is BSD useful?
Let me count the ways...
- Here is a list of the RedHat 9 errata. Here is the list of OpenBSD 3.3 errata. Notice a slight difference in the number of errata that have been issued between these distributions?
I may be generalizing, but when you need hardware compatibility, go with Linux; when you require security, go with OpenBSD.
- If you run OpenBSD, you will immediately notice your Apache process:
httpd: parent [chroot /var/www] (httpd)
AFAIK, OpenBSD is the only UNIX(like) distribution with chroot Apache out of the box.
- OpenBSD comes with the spamd daemon/system, which pulls information from spews.org and links it into the local pf routing, pointing spammers at a resource-consuming tarpit at little cost to you.
- More importantly, this software is bound by the BSD license, which gives you much more freedom to do with the code as you will. Apple Mac OS X probably couldn't have been done with a GPL system (excepting gcc), for example. While the GPL is fantastic in that it will eventually destroy Microsoft, if you truly love software freedom, you will prefer BSD.
- All the BSDs continue the legacy of the CSRG at UCB. Each (major version of) BSD is worth preserving for historical purposes alone.
There are quite a few things that I don't like about OpenBSD, but I've learned to live with them.
-
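The default-deny home gateway the "Re:Port blocking" comment near the top recommends, and the spamd tarpit the spamd bullet in the comment above describes, as one pf.conf ruleset. This is an added example, not from any commenter or from the OpenBSD project. The interface names em0/em1, the 192.168.1.0/24 LAN and the existence of /etc/mail/nospamd are assumptions, and it is written in current pf syntax (match ... nat-to, rdr-to; OpenBSD 4.7 and later), not the 3.4-era nat/rdr rules the commenters would have used. spamd is shown in its default greylisting mode; the blacklist-only setup the comment describes fills a <spamd> table from spamd-setup(8) and redirects that table instead.

```pf
# Added example, not from the thread. Interface and LAN values are assumed.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Maintained by spamd(8) (senders that passed greylisting) and by hand
# (/etc/mail/nospamd: senders that must never be greylisted).
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"

set skip on lo
antispoof quick for { lo $int_if }

# Default deny: nothing unsolicited reaches the gateway or the LAN, so an
# unpatched gaming box behind it is simply not reachable from outside.
block in log all

# LAN out, statefully, behind the gateway's address.
match out on $ext_if from $lan to any nat-to ($ext_if)
pass in on $int_if from $lan to any
pass out on $ext_if proto { tcp udp icmp } from ($ext_if) to any

# Inbound SMTP: everything goes to spamd's tarpit first; because pf uses
# last-match semantics, the two later rules win for known-good senders and
# hand them to the real MTA untouched.
pass in on $ext_if proto tcp from any to ($ext_if) port smtp rdr-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to ($ext_if) port smtp
pass in log on $ext_if proto tcp from <spamd-white> to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to any port smtp
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f`. The rule order is not cosmetic: put the whitelist passes before the rdr-to rule and, under last-match, every whitelisted sender would be tarpitted too.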
Re:I found this book to be valuable
Part of the problem I have had with OpenBSD is a lot of people in the OpenBSD community are strict RTFMA about any help,
If you follow the OpenBSD mailing lists you'll see that it's not quite the case. On the other hand, if you have not read the online FAQ they'll tell you so.
Note that the man pages in OpenBSD are very good, which is not quite the case for several Linux distros.
As an example, try 'man starttls' on your favorite Linux distro, and compare it with man starttls. Now, which one gives you the best information about how to set up starttls on your mail server, including how to generate certificates?
I use SuSE on my desktop, but still refer to the OpenBSD man-pages for Linux work.
-
Re:Wait? I thought Linux was Secure??
Doesn't OpenBSD run their site off Solaris?
Yes. From the OpenBSD FAQ:
Although none of the developers think it is particularly relevant, this question comes up frequently enough in the mailing lists that it is answered here. www.openbsd.org and the main OpenBSD ftp site are hosted at a SunSITE at the University of Alberta, Canada. These sites are hosted on a large Sun system, which has access to lots of storage space and Internet bandwidth. The presence of the SunSITE gives the OpenBSD group access to this bandwidth. This is why the main site runs here. Many of the OpenBSD mirror sites run OpenBSD, but since they do not have guaranteed access to this large amount of bandwidth, the group has chosen to run the main site at the University of Alberta SunSITE.
-
you're surprised?
Once again, it should not come as a surprise that ftp.gnu.org was compromised. Hackers target centralized source code and binary distribution sites. That way, they can backdoor 200,000 birds with one stone. cvs.openbsd.org was hacked last summer too. My advice: build everything from source.
-
Re:Wait? I thought Linux was Secure??
Since when is OpenBSD FreeBSD?
Correct link: Netcraft (but it says they use Solaris on their site?) -
Re:Wait? I thought Linux was Secure??
I think you want OpenBSD...7 years running, 1 remote hole in the default install. (I think it was patched within 3 days, but am too lazy to look it up.)
Not 100%, but 99.9%, sure.
-
Re:Honest question
Obviously a complete block is not going to work, but there are plenty of systems that filter traffic smartly. Leaving an IIS server open like that is just asking for trouble. I reckon I get more hits from IIS exploits than genuine web hits. You need a firewall of some kind - take a look at something like Smoothwall with its Snort IDS, or if you're hardcore, OpenBSD plus httpf or Pound (along with Snort or Port Sentry and co.).
-
Re:I have already patched my entire network.
-
Re:Incoming!!!!!
Shoot, man, that's just silly. The only real solution...
Trust OpenBSD. :) -
Re:So how long
Puffy is the name of the BSD fish, I believe.. (Puffy the Barbarian)
Supposed to be a knock-off of the BSD blowfish, but I couldn't remember the proper name? Can anyone chime in with the correct answer?