Slashdot Mirror

Hey, there are even gays on the other side of the fence, so to speak...

Here is Theo de Raadt slamming into Darren Reed over Darren having a bit of a poke at OpenBSD practices in the shadow of the recent OpenSSH hole that led to a remote exploit in the default install.

I spend more than 8 hours of every single day of my life auditing code (and over the last week, 16+ hours a day), and here is some gay guy from Australia who spent all of Usenix in San Antonio years ago moping with droopy eyes after a very straight and girlfriended Mudge is not going to tell me that I am not doing enough

I love reading Theo's posts.

Which is not very surprising for an OS that has had "One remote hole in the default install, in nearly 6 years!". An interesting read 'though.

By the way, there is a slashbox for OpenBSD Journal, which can be enabled here. It featured this story yesterday.

www.slackware.com
www.redhat.com
www.debian.org
www.mandrake.org
cm.bell-labs.com/plan9dist/
www.atheos.cx
www.freebsd.org
www.openbsd.org
www.netbsd.org

That's that problem solved, then. Next, please!

The OpenBSD site has some pretty cool t-shirts.

That would be Openbsd dumbass. I seen they've also changed it to 1 remote root exploit in 6 years now.

anyone who has anything to do with a standards body nowadays know's that people try and hijack standards so their tech/patent gets into it

this way if you implement the standard you have to pay

you can't have an opensource MPEG 4 without paying 3million bucks when you distribute it and they call that a standard

ok real hardware and software

in terms of a kernel their is in My Humble Opinion

Linux

Open BSD

netbsd for every arch under the sun (joke included)

then we have the problem of hardware

Opencores provides some of the effort BUT my favorate is

LEON-1 VHDL model
- Functional SPARC compatible processor core integer unit. Runs on Altera, Mietec, Temic MG2, Xilinx. Developed for space missions. Implemented as a highly configurable, synthesisable GPL VHDL model.

Altera 10K200E FPGA or Xilinx XCV300 enable this you can also get a LCD and keyboard AMBA devices from www.gaisler.com

what I would like is a machine that you could say that the whole thing is opensource

regards

john jones

in fact, have them buy the cd. that'll lend some weight to your argument

https://https.openbsd.org/cgi-bin/order

besides, it's the right thing to do. =)

-Triumph

2 billion people shave everyday, at an average of 4 minutes, which means 133333333 _years_ are wasted off people's live each day they shave. I propose everyone take a cue from the BSD visionaries and never shave again.

How can this be?

Well, simple really:

• 1. You're not telling the truth. The link and count you gave was for all patches against Red Hat 7.2 since its release, not "alone in 2002" -- and includes enhancements as well as security patches. Microsoft doesn't hand out enhancements to its software as patches -- it charges for them as new releases.
• 2. Red Hat has more software. The amount of functionality Red Hat ships dwarfs that available in Windows. The diversity of software shipped on two or three CDs of Red Hat dwarfs that in a comparable amount of OS and application distribution from Microsoft. Microsoft has a few large "integrated" applications, whereas Red Hat has many smaller, intercompatible ones.
• 3. Red Hat doesn't delay and hide. Microsoft has a practice of delaying patches and releasing several in one bundled "service pack" -- whereas Red Hat releases one patch per problem, promptly. That inflates the counts on Red Hat's side, but improves the actual security -- and actions count more than words, or numbers.
• 4. Red Hat actually releases fixes! Microsoft's software has at least 18 publicly known, exploitable, unpatched vulnerabilities -- and that's just in one product, Internet Explorer. Show me a comparable list for any current version of any open-source product or distribution.

As we can read from: http://www.openbsd.org/faq/faq8.html#SKey

S/Key is a ``one-time password'' scheme. This allows for one-time passwords for use on un-secured channels. This can come in handy for those who don't have the ability to use ssh or any other encrypted channels.

Then why the hell is enable by default in OpenBSD sshd daemon?

OpenBSD is insecure! It has a remote hole and it even ADMITS IT ON ITS WEBSITE Another thing, openbsd is crap, and even the openbsd project it self dosen't use it! It runs on solaris!

I notice that OpenBSD, which used to say something like "four years without a remote hole", now says "One remote hole in the default install, in nearly 6 years!" Don't know when it changed - would this be the "one", then? Anyone know?

"One remote hole in the default install, in nearly 6 years!" you can see it here: OpenBSD

~Shane

The computer will now know everything about you -- who you talk to, where you go, how you work. And all of this will be owned by Microsoft.

they won't know about me.

Go get the RPMs here ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable / rpm/RH73/

I tested this on 3 stock RH 7.3 boxes as well as a RH 7.2 box running 2.4.17 kernel. All still work. Make sure you go into /etc/ssh/sshd_config to uncomment the "UsePrivilegeSeparation yes" line.

You could try this one, Mr Cocks.

Yup there already is a secure OS that provides great strides in privacy as well. You don't need any special hardware to run it, and it doesn't cost you anything. It doesn't include any DRM garbage and it's called Open BSD.

You've heard of the recent apache bug. Apparently, the OpenBSD team is announcing it as a "possible remote crash".

Since a remote exploit already exists, shouldn't they detail the severity on their front page?

Nothing against the OpenBSD team... I believe they do excellent work, but heck, people, PLEASE patch up those systems! It's only a matter of days before someone is going to drop a new worm! This is horribly serious!

"Do tell us not just that he's wrong, but why."

The mathematics is absolutely stupid! The author assumes that bugs are a random event. But they aren't. Bugs are heavily influenced by sociological factors that affect the outcome by more than a factor of ten. A lot of the bugs you seen in Microsoft Internet Explorer, for example, come from the sloppy practices of programmers who are not particularly interested in what they are doing and who are pushed to a tight schedule, so when they see that something needs to be re-written, they can't re-write it, because they don't have time.

Remember when Microsoft released Windows 2000? Someone inside Microsoft said that there were still 63,000 bugs (or known shortcomings) in their database. There was no time to finish the job, and Windows 2000 and Windows XP are still quirky. I just reported a bug in Windows XP, again, which I first saw in Windows 98. All of those operating systems re-configure themselves without telling the user. The company just doesn't care enough to do a good job.

Bugs in software are caused by social factors that we cannot measure. Some programmers write far tighter code than others. Compare the security bugs in OpenBSD and in Windows. OpenBSD is far more secure because the people who control it say they want it that way. Microsoft just announced a greater interest in security, but will the company actually devote resources to fixing the code? That's a sociological issue for a company that has always put money first.

It is impossible to test reliability into software, or anything! Reliability is due to design decisions, or the lack of them.

The author says,

"Reliability growth models seek to make this more precise. Suppose that the probability that the i-th bug remains undetected after t random tests is e-Eit. The models cited above show that, after a long period of testing and bug removal, the net effect of the remaining bugs will under certain assumptions converge to a polynomial rather than exponential distribution. In particular, the probability E of a security failure at time t, at which time n bugs have been removed, is [Equation that Slashdot cannot display: E = 1X i=n+1 e-Eit ~~ K=t] over a wide range of values of t. I give in the appendix a brief proof of why this is the case, following the analysis by Brady, Anderson and Ball [7]. For present purposes, note that this explains the slow reliability growth observed in practice."

He is just pulling your leg, and probably his own. Note the word "random" in the second sentence. In mathematics that is a technical term, a precisely defined term, and it doesn't apply here.

The author is just grabbing attention, and it worked. Now he has something to put on his resume, an article in CNET (by someone who doesn't understand the mathematics, but assumes that it must be okay, because it looks so impressive).

Show me the equation that has a term that explains the difference between OpenBSD (Five years without a remote hole in the default install!) and Windows XP (zero seconds).

Give the source code of Internet Exploder to the OpenBSD coders, and we will see how random bugs are. They could do what they already did with BSD, examine the code for poor practices, and re-design the parts that need it. Then all the "randomness" would stop happening, as if (in the view of some) by magic.

"Do tell us not just that he's wrong, but why."

The mathematics is absolutely stupid! The author assumes that bugs are a random event. But they aren't. Bugs are heavily influenced by sociological factors that affect the outcome by more than a factor of ten. A lot of the bugs you seen in Microsoft Internet Explorer, for example, come from the sloppy practices of programmers who are not particularly interested in what they are doing and who are pushed to a tight schedule, so when they see that something needs to be re-written, they can't re-write it, because they don't have time.

Remember when Microsoft released Windows 2000? Someone inside Microsoft said that there were still 63,000 bugs (or known shortcomings) in their database. There was no time to finish the job, and Windows 2000 and Windows XP are still quirky. I just reported a bug in Windows XP, again, which I first saw in Windows 98. All of those operating systems re-configure themselves without telling the user. The company just doesn't care enough to do a good job.

Bugs in software are caused by social factors that we cannot measure. Some programmers write far tighter code than others. Compare the security bugs in OpenBSD and in Windows. OpenBSD is far more secure because the people who control it say they want it that way. Microsoft just announced a greater interest in security, but will the company actually devote resources to fixing the code? That's a sociological issue for a company that has always put money first.

It is impossible to test reliability into software, or anything! Reliability is due to design decisions, or the lack of them.

The author says,

"Reliability growth models seek to make this more precise. Suppose that the probability that the i-th bug remains undetected after t random tests is e-Eit. The models cited above show that, after a long period of testing and bug removal, the net effect of the remaining bugs will under certain assumptions converge to a polynomial rather than exponential distribution. In particular, the probability E of a security failure at time t, at which time n bugs have been removed, is [Equation that Slashdot cannot display: E = 1X i=n+1 e-Eit ~~ K=t] over a wide range of values of t. I give in the appendix a brief proof of why this is the case, following the analysis by Brady, Anderson and Ball [7]. For present purposes, note that this explains the slow reliability growth observed in practice."

He is just pulling your leg, and probably his own. Note the word "random" in the second sentence. In mathematics that is a technical term, a precisely defined term, and it doesn't apply here.

The author is just grabbing attention, and it worked. Now he has something to put on his resume, an article in CNET (by someone who doesn't understand the mathematics, but assumes that it must be okay, because it looks so impressive).

Show me the equation that has a term that explains the difference between OpenBSD (Five years without a remote hole in the default install!) and Windows XP (zero seconds).

Give the source code of Internet Exploder to the OpenBSD coders, and we will see how random bugs are. They could do what they already did with BSD, examine the code for poor practices, and re-design the parts that need it. Then all the "randomness" would stop happening, as if (in the view of some) by magic.

(assuming you want to run Windows or some other commercial OS and don't wish to steal it)

That's quite an assumption. What happened to slashdot's Linux and *BSD majority? Did everyone here give up and go to Windows or OSX?

In case the poster doesn't know, you can save tons of money on your next PC by skipping the Windows tax and using a free, open-source operating system. email me and I'll mail you a CD of your choice of Debian Linux, FreeBSD or OpenBSD to install on your shiny new PC.

Linux Mandrake is just the latest in a long line of quirkily christened versions of Linux. Previous versions of Linux have been named Red Hat, Slack Ware, Storm and Coral. In stark contrast to the mundane names such as 98, ME or NT preferred by Microsoft, the crazy names of each Linux release hint at its renegade nature.

My foray into the world of Linux began by downloading a "CD image" from the Linux web site. But don't worry, this isn't software piracy, it's perfectly legal! Linux is shareware, meaning that it can be freely redistributed without fear of a visit by the Business Software Alliance. The free availability of Linux is a major reason for its popularity among cash-strapped students and self-styled anti-capitalist hackers.

Before installing new software, it is always advisable to read the documentation. Unfortunately, an unpleasant surprise was in store for me in the "required configuration" section of the manual. I was shocked to learn that Linux Mandrake only runs on Pentium processors, meaning that my hopes of testing the water with my old Gateway 486 were dashed. Furthermore, a whopping 32 megabytes of memory are required to run Linux! Although the advocates of Linux self-righteously boast the efficiency of their chosen operating system and deride the "bloatware" produced by Microsoft, it appears that their claims are blatantly incorrect. Although my humble 486 will happily run Windows 95, it seems that Linux requires far more powerful, and more expensive, computer hardware. Is this really the sign of a lean, mean operating system? Of course not.

Sadly, not even being able to install Linux is just the first of my many complaints. A brief perusal of the features of Linux Mandrake reveals that Linux is sorely lacking many crucial productivity applications. For example, why isn't the industry standard web browser, Internet Explorer, included with Linux? Despite the best efforts of the experts at the Internet Engineering Task Force to encourage adoption of the Internet Explorer standard, the creators of Linux seem to think that they know better. By refusing to adhere to recognised standards, Linux is simply undermining its own credibility.

Similarly, almost all of the world's most popular and widely used software is completely incompatible with Linux! It may surprise you to learn that your copy of Microsoft Office, Outlook Express, or Lotus Notes will not work under Linux. Those who wish to use their computer for recreational purposes are also out of luck, for almost all of the most popular games are unavailable for Linux. Although a wide range of software is freely available for Linux, these pitiful offerings are mostly unfinished, unreliable and do not bear comparison to their commercial counterparts.

Computer security is also an area that seems to have been overlooked by the developers of Linux. In these times when hacking and viruses are commonplace, it defies belief to learn that no anti-virus software is available for Linux. To add insult to injury, there is no Linux version of the popular ZoneAlarm firewall. By using Linux, you are issuing an open invitation to the hordes of ne'er-do-wells on the Internet.

The shortcomings of Linux are obvious. Without even installing Linux Mandrake, I have exposed several fundamental flaws. Surely it is not too much to expect that, after ten years of development, the creators of Linux would have addressed these problems? The real question that the prospective Linux user must ask himself is, "Why bother?" After all, Microsoft Windows comes free with most PCs and there simply isn't a need to replace it, particularly not with a product of inferior quality.

Although it is always tempting to support the underdog, Windows XP will be the deserved victor in the battle ahead. I recommend that those Adequacy readers who are hoping to upgrade their operating system patiently wait for the release of Windows XP, rather than foolishly wasting their time, effort and money on Linux.

You mean *BSD (instead of BSD*). Like FreeBSD, OpenBSD, NetBSD. Its just a little thing but it shows you probably don't know what you are talking about.

Pilsner!

Huh, so it does. Shame on me for not checking before posting, but I had thought that OpenBSD only supported x86 and Alpha. (Must have confused it with FreeBSD.)

I dunno -- if it weren't for the parts wrapped in plastic I'd be sure it's actually "chair collapses under weight of OpenBSD hacker".

Also, of interest "drahn" on a TiBook. Looks like Apple's really making some inroads in the Unix world. OpenBSD doesn't really run on that, does it?

I dunno -- if it weren't for the parts wrapped in plastic I'd be sure it's actually "chair collapses under weight of OpenBSD hacker".

Also, of interest "drahn" on a TiBook. Looks like Apple's really making some inroads in the Unix world. OpenBSD doesn't really run on that, does it?

Other pluses: it's Really Free(TM) Software - as opposed to Redhat and others which bundle non-free software in the default distro, it's manpages don't suck, etc.

OpenBSD - the most secure Linux there never was ;)

Interesting that the NSA security enhanced linux is not even mentioned.

http://www.nsa.gov/selinux/

--
I vote for OpenBSD

> Call me paranoid, but I'm sticking with Linux, where I know I'm secure.

You're not qualified as paranoid befire you use OpenBSD.

I am. Both paranoid and an OpenBSD user.

Another lesson that this new coalition should learn is humility. I would hope after the "Unbreakable" campaign Oracle launched, and the blowback it received, that they'd take the time to tone down their attitude and ensure they're somewhere near as unbreakable as they'd like to think. If their claims aren't so grandiose they're less likely to suffer an explosive userland reaction when a flaw is (and there will be flaws, it's just Murphy's law) is discovered.

Otherwise, I applaud the idea. Linux can benefit from a hardened, secure-from-the-box distribution initiative powered by folks with the pockets to fund the massive codewalks it will take to tighten things up. OpenBSD brought several benefits to the BSD community, I can see this doing much the same thing.

Subject: "Opening the Open Source Debate"

Date: 31 May 2002 15:45:59 +1200

Some references you might wish to consider before publishing your article "Opening the Open Source Debate"

http://www.businesswire.com/cgi-bin/f_headline.cgi ?bw.053002/221502375

Bruce Schneier, one of the recognized leading expert on computer security on Kerckhoffs' Principle and Secrecy, Security, and Obscurity of software.

http://www.counterpane.com/crypto-gram-0205.html#1

Dr. Blaine Burnham, Director, Georgia Tech Information Security Center (GTISC) and previously with the National Security Agency (NSA), gives an keynote speech overview of current encryption and security technologies and outlines possible strategies for future defense.

http://technetcast.ddj.com/tnc_play_stream.html?st ream_id=411

Also you might wish to address the issue of Microsoft's disproportionately high number of open vulnerabilities in its Internet Explorer components. All of which where discovered without access to the source code.

http://jscript.dk/unpatched/

Richard Purcell, Microsoft's director of corporate privacy, has recently stated that any major improvement in regard to the security of it's products may be at least "5, 10 years, maybe".

http://www.businessweek.com/technology/content/may 2002/tc20020523_6029.htm

As for the issue of Trojan horse injection into open source code, it is far from being an open source only issue.

http://www.eeggs.com/

Or were all the "Easter Eggs" currently found in Microsoft's products officially authorized?

If you are looking for a methodology for providing a suitably secure and hardened solution, start with a real world example.

http://www.openbsd.org/security.html

I welcome any open debate.

Are you an anti-OpenBSD user? And let me refrase your sentence. I use OpenBSD too.

Are you an anti-OpenBSD user?

OpenBSD

I suspect that they are releasing the administration tools under something very similar to the YaST2 license. More less you cannot redistribute for a fee but the source is avaialable. Considering how much this base package is likely to lean on SuSE configuration tools, that makes sense.

The real question at that point becomes do they drop the 'commericial use' clause and play a little harder with the user. While they are no where near HP Secure Linux, it would be playing a stronger hand than they have so far.

However, how can they restrict people from copying the ISOs?

One method would be to copyright the layout like Theo.

Bsd is crap! Its so crap infact that the OpenBSD project runs on Solaris

Bsd is dead
Linux sucks
Mac OS X is expensive
Windows is fucked
Is there any sane OS?
Yes, and its name is MSDOS 1.10

It's OpenBSD that's you're thinking of. They have regular security audits of the code, and brag they havn't had a remote exploit in the base install in 4 years.

Well actually, you should read the thread more
thoroughly, because r-* clients are going away
too, the only one left as three days ago was rsh.

checkout the cvs interface if you want
more info

This page http://www.openbsd.org/cgi-bin/man.cgi?query=style &apropos=0&sektion=0&manpath=OpenBSD+Current&arch= i386&format=html is a good start.

Any/all companies that write or edit code should have documents like this. Then again I also think all code should be peer reviewed and tested before it's considered stable for use. But then again I'm an idealist and know the world works exactly the opposite way.

umm.. listen.. read about stuff before you make a fool of yourself. This FAQ explains everything about the copyright.

Sendmail in OpenBSD hasn't run as root since 2.9.

Theo and team seem confident in Sendmail's security. They've spent upwards of 30 hours going through the source and reporting bugs. That's why it's included in the default install. Keep in mind that you can easily disable sendmail and go to postfix or another mail transfer agent through the ports tree if you don't trust Theo's judgement. An email regarding the why's of using Sendmail versus another MTA are here.

I implement sendmail all the time, and I work in an IT security shop. Set up properly, it's rock solid. My pen-tester co-workers have the same knee-jerk reaction to sendmail that you have. They heard somewhere that sendmail is insecure... Funny though, not one of them has been able to penetrate any of my OpenBSD boxes, through sendmail or any other avenue. These are guys that walk through firewalls and IIS webservers in moments. They're so good at this, that we give a money back guarantee, we don't get in, it's free. If OpenBSD gets popular, we might start losing money.

This is probably what you're looking for

>OpenBSD has nothing to do with the daemon, it's a FISHY!

Yeah right. There's pics like this, this and several like this one that feature the good old, red BSD Daemon in them. The fish, whose name is Puffy, by the way, can be seen on some as well.

>please check it first, thus you might achieve accuracy

>OpenBSD has nothing to do with the daemon, it's a FISHY!

Yeah right. There's pics like this, this and several like this one that feature the good old, red BSD Daemon in them. The fish, whose name is Puffy, by the way, can be seen on some as well.

>please check it first, thus you might achieve accuracy

>OpenBSD has nothing to do with the daemon, it's a FISHY!

Yeah right. There's pics like this, this and several like this one that feature the good old, red BSD Daemon in them. The fish, whose name is Puffy, by the way, can be seen on some as well.

>please check it first, thus you might achieve accuracy

Here's your answer...

ISO images are copywrite to Theo de Raadt and are not distributed beyond actual cds. OpenBSD has a different support/developement model, funded through cd sales and donations.

The non US distribution points seem to be solely in Europe and can be found here