Domain: openbsd.org
Stories and comments across the archive that link to openbsd.org.
Comments · 2,959
-
Better for securing....
EmBSD, have to say I am a pretty big advocate of "less is more", basically it is the bare minimum of OpenBSD for securing a network (kernel, packet filter, ssh, syslogd and ipsec/named/dhcpd if you need em) and it all fits on under 32 meg and it's all under the BSD license, so it's free. It all comes preconfigured for firewalling (ipf and ipnat turned on and everything else just gone or turned off), so there is less to make mistakes with, less means less vulnerabilities and less to manage. So I would say look at EmBSD after reading this article and compare for yourself.
-
Re:Any books w/sample code?
If one was looking for a book with samples of writing secure code, does anyone have any recommendations?
http://www.openbsd.org/slides/musess_2002/index.html
This website gives a few tips on avoiding the main pitfalls of insecure coding, including how to avoid buffer overflow exploits.
-
If you are a Unix geek do it yourself....
If you are a Unix geek you should seriously think about doing your own. I host 7 domains web/email now and it really wasn't too hard. Just put a cd-burner on the webserver. (For fast backup/restore) All you need is one IP address.
OpenBSD makes a great firewall. Drop three NIC's in it and you are ready to rock. The really cool part is you can charge a nominal fee for hosting and either pay for your DSL or bump it up to a bigger pipe.
Virtual Hosting with Apache is brain dead easy. With postfix and OpenBSD and the ports tree, Authenticated SMTP is really easy too.
A friend of mine has a howto on the authenticated part.
-
Re:NSA, et. al.
The funniest part of Cryptonomicon is where the Brits are busy sending bombers to "see" German shipping but not bomb it. (If they just bombed the Germans, the Germans would realize that their crypto had been broken.) One of the protagonist's jobs, as an information theorist, was to figure out just how often they could get away with "just bombing them" and how often they had to make it look like they "got lucky" with a chance overflight or other observation.
I like the part where they send soldiers to spend a couple weeks at a remote listening post in German territory with the intent of making it appear as though they've been there for over a year. The soldiers don't quite understand why they're being ordered to scatter a year's worth of empty bottles and cigarette butts around the camp, and why the radioman is in such a high-visibility location, but it's all part of the ploy to keep the Germans ignorant of how else the Allies could get vital information.
I think various government organizations do the exact same thing. There's no way I can believe these directors whine about how terrible their budgets are, and how they can't keep up with overseas intelligence. For all we know, there's an enormous amount of theatrics involved in interviews and reports like those. I feel as contradicted as the soldiers in the book: if my government can't keep up with their intelligence needs, I'm discomforted. If they're just lying to me because they don't feel like letting me know the best crypto I can throw at them is like a child's plaything, well, I suppose I'd better start wearing a tinfoil hat and writing crazed, rambling letters to the OpenBSD team telling them to "quit p_ssying around with security and start making it *really* good." You know. Before the aliens take me home.
-
Re:this is an enterprise ready os?
-
Re:Look very closely at that picture
On the shirt, which has a bigger version of this picture, you can see more than that.
- Stripe of right top fish is made of Sun logos
- Yellow left top fish is covered with Windows logos
-
Re:Script Kitties
Anyone else notice the Quicksilver G4?
-
Script Kitties
It was a bit tedious flicking through all those slides but the final one did bring a smile to my face.
-
The Paranoid
Maybe Tinfoil is for the mildly paranoid but for the true paranoiac, there is OpenBSD. It hasn't had a hole in its build in over 2 years and so forth. (There's more that I won't bother to go into. Maybe it's because I can't remember. What's there might be wrong, it's been a while.) *BSD is by far superior to anything Linux anyways, so why bother with Linux?
-
Re:KDE 3.0
You do realize that KDE2 is in the OpenBSD ports collection? And that there are binary packages for both i386 and PPC for the unlikely case you can't compile them yourself?
However, the Mozilla issue does suck indeed.
-
Re:Interface roulette
My experience is admittedly limited. Right now I'm running a Coyote Linux firewall, and I'm configuring a new/used OpenBSD firewall to replace it. From the Coyote Linux FAQ:
Q: I'm having problems with running two of the same NICs.
I've heard the same advice from other sources, as well. Specifically the problem was with Plug and Play ISA devices; perhaps PCI isn't a problem, in which case I wasted $3 when I bought one $9 card and one $12 card just so they'd be different
A: It's not suggested to use two of the same brand and make because it makes diagnosing problems rather difficult. :-)
Thanks for all the advice!
-
Buy her a nice skinny OpenBSD Tshirt. Chix dig BSD
Girls like good looking clothes.
Guys like good looking girls. And their favourite OS.
Actually now you can get the best of both worlds, you can buy an OpenBSD skinny Tshirt (size XS)!
It kind of looks like http://www.tengu.be/bb1.jpg (minus the hardware :-).
The latest one is the "Chix dig OpenBSD" one, which has a silver lining, looks perfect in those
dark eh... cinemas and serverrooms.
You can order them in Europe only though.
In Canada (for the rest of the world) you can order only one design, that's the
2.8 Girly shirt, in small size.
2vv
-
Re:Get her a nice shirt - OpenBSD skinny Tshirt
Actually you can get the best of both worlds, you can buy an OpenBSD skinny Tshirt (size XS)!
It kind of looks like
http://www.tengu.be/bb1.jpg (minus the hardware :-).
The latest one is the "Chix dig OpenBSD" one.
You can order them in Europe only though
Way too cool.
-
Re:You could try something even more secure...
*sigh*
First of all, since you're posting a link, make it clickable. Use HTML.
Second, the url should end with a slash, like this:
http://www.openbsd.org/
..and oh, stick to the subject.
-
who would use a linux firewall?
when there are better solutions out there?
-
Re:kerberos
There's an info manual for kerberos which comes with OpenBSD which seems to be pretty easy to follow.
I assume that it'd come with the source to your installation too (OpenBSD's source for the documentation is here)
Since the documentation has source in texinfo you can run it through LaTeX to create a book with chapters and everything.
I've just had a brief look at the new docs there and it even seems to have the subtopics you list.
-
Re:Linus not getting enough respect
-
Re:I recommend...
I've just built an OpenBSD 3.0 system based around one of these. It really is a cool box. It is about 1/3 the size of a conventional PC case.
The gripes I have with it are: No AGP graphics, It uses the S3 Savage chipset with shared video memory (a bad thing). I don't think it supports 512MB DIMMS, and there are only 2 slots for memory. The overclocking options are not what they could be. Apart from that it's great, and pretty damn cheap too. Overclockers.co.uk sell them in the UK, as do Kustom PCs
What I would like to know is where I can get a Neon light and case mod for this thing...
I've heard rumours of a successor motherboard to the fv24 which will have AGP, and a more overclocker-friendly BIOS (but the power supply and cooling will always be an issue with this form-factor). As it is, the SV24 comes with its own heatsink and fan because a conventional sized one will not fit in the case.
-
Re:Not being a Windows apologist
The mindset you describe is exactly that of OpenBSD. Say what you will about Theo as a person, but for out of the box security, OpenBSD is hard to beat.
My current preference for Linux is to install a Debian minimum install and apt-getting or compiling exactly what I want. There's a bit more work involved (setting up PAM, logins, wheel, netfilter), but I prefer certain things about Linux better (apt-get, ReiserFS and /proc among other things).
-
Interesting they do not mention OpenBSD
OpenBSD is widely regarded as the most secure OS there is, due to its open security audit model.
I wonder where OpenBSD ranked in this survey? Apparently there has not been a remote root exploit in the out-of-the-box configuration for over four years.
Despite all the BSD is dying trolls out there, BSD is alive and kicking Linux and NT's asses (in security terms)
-
Nonsense: Consider Open BSD
In my opinion, the article is extremely badly written. Also, it is nonsense, as is easily proven by giving a link to another operating system:
Open BSD: Four years without a remote hole in the default install!
If the Open BSD team can make a secure operating system as volunteers, Microsoft, with a reported $33 billion in the bank, could take one of those billions and clean up their code.
Microsoft's security problems come partly from feeling that they don't have to care, apparently.
Also, maybe there is some secret U.S. government surveillance agency that requires that Microsoft operating systems not be secure. For years the U.S. government tried to prevent cryptography. For example, see these notes from the Center for Democracy and Technology: An overview of Clinton Administration Encryption Policy Initiatives. The notes say, "The long-standing goal of every major encryption plan by the [U.S. government] has been to guarantee government access to all encrypted communications and stored data."
It is not impossible that software insecurity is secret U.S. government policy. The U.S. government is involved in many hidden activities, as this collection of links and explanation shows: What should be the Response to Violence?
-
Re:Cluster: XT's or MAC 2Si
-
Re:Using it?
-
I disagree with the installation remark
I don't think the OpenBSD installation process is intimidating at all, in fact it's probably one of the easiest/straightforward around.
Being a complete newbie to BSD (and linux too).. I installed OpenBSD 2.6 without a problem a couple years ago. Of course I made good use of the resources available, I printed the entire FAQ, read it for 2-3 days at work and when it came time to start installing, I made sure I had this handy.
The only way I think it can look intimidating is if you dive into it not knowing what to expect and not planning on doing any reading. In fact, I'm spoilt after using the OpenBSD installer.. I wish FreeBSD had a text-only install too, navigating through sysinstall's menus can be a pain sometimes.
-
The solution is not 'there'
-
My Review of Mandrake
As seen on Adequacy.org, News for Grown Ups.
The Linux operating system was born in 1991 and was created by one man, a
Finnish student coincidentally named Linux Torvalds. Since these humble
beginnings, a multi-million dollar
industry has sprung up to exploit the commercial potential of Linux, but
until recently Linux has eluded mainstream acceptance. However, due to the
recent economic downturn together with uncertainty over changes to Microsoft's pricing policy, Linux is
now being touted as a serious contender to Microsoft Windows. While there
are many other alternatives to Windows, including BSD which is based on SUN's (Stanford University Network - correction by bc) server-grade Solaris operating system,
none have commanded the same level of media attention as Linux.
Linux Mandrake is just the
latest in a long line of quirkily christened versions of Linux. Previous
versions of Linux have been named Red Hat, Slack Ware,
Storm and Coral. In stark contrast to the mundane names such
as 98, ME or NT preferred by Microsoft, the crazy
names of each Linux release hint at its renegade nature.
My foray into the world of Linux began by downloading a "CD image" from
the Linux web site. But don't worry, this isn't software piracy, it's
perfectly legal! Linux is shareware, meaning that it can be freely
redistributed without fear of a visit by the Business Software Alliance. The free
availability of Linux is a major reason for its popularity among
cash-strapped students and self-styled anti-capitalist hackers.
Before installing new software, it is always advisable to read the
documentation. Unfortunately, an unpleasant surprise was in store for me
in the "required configuration" section of the manual.
I was shocked to learn that Linux Mandrake only runs on Pentium
processors, meaning that my hopes of testing the water with my old Gateway 486 were dashed. Furthermore, a
whopping 32 megabytes of memory are required to run Linux! Although the advocates of Linux self-righteously
boast the efficiency of their chosen operating system and deride the
"bloatware" produced by Microsoft, it appears that their claims are
blatantly incorrect. Although my humble 486 will happily run Windows 95,
it seems that Linux requires far more powerful, and more expensive,
computer hardware. Is this really the sign of a lean, mean operating system?
Of course not.
Sadly, not even being able to install Linux is just the first of my many
complaints. A brief perusal of the
features of Linux Mandrake reveals that Linux is sorely lacking many
crucial productivity applications. For example, why isn't the industry
standard web browser, Internet Explorer, included with Linux? Despite the
best efforts of the experts at the Internet
Engineering Task Force to encourage adoption of the Internet Explorer
standard, the creators of Linux seem to think that they know better. By
refusing to adhere to recognised standards, Linux is simply undermining
its own credibility.
Similarly, almost all of the world's most popular and widely used software
is completely incompatible with Linux! It may surprise you to learn that
your copy of Microsoft Office, Outlook Express, or Lotus Notes will not
work under Linux. Those who wish to use their computer for recreational
purposes are also out of luck, for almost all of the most popular games
are unavailable for Linux. Although a wide range of software is freely
available for Linux, these pitiful offerings are mostly unfinished, unreliable and do not
bear comparison to their commercial counterparts.
Computer security is also an area that seems to have been overlooked by
the developers of Linux. In these times when hacking and viruses are
commonplace, it defies belief to learn that no anti-virus software is available for
Linux. To add insult to injury, there is no Linux version of the popular
ZoneAlarm firewall. By using Linux,
you are issuing an open invitation to the hordes of ne'er-do-wells on the
Internet.
The shortcomings of Linux are obvious. Without even installing Linux
Mandrake, I have exposed several fundamental flaws. Surely it is not too
much to expect that, after ten years of development, the creators of Linux
would have addressed these problems? The real question that the
prospective Linux user must ask himself is, "Why bother?" After all,
Microsoft Windows comes free with most PCs and there simply isn't a need
to replace it, particularly not with a product of inferior quality.
Although it is always tempting to support the underdog, Windows XP will
be the deserved victor in the battle ahead. I recommend that those
Adequacy readers who are hoping to upgrade their operating system
patiently wait for the release of Windows XP, rather than foolishly
wasting their time, effort and money on Linux.
-
Re:comments on what I saw.
Um, the size a system takes is not that directly related to security. You can stuff quite a lot of remote exploits in 65MB.
If you want an insecure system, Linux already does more for you than its distributions being bloated. If you chose Linux for security relevant systems - and I consider pure desktop use as one of the most dangerous ones - you should probably think of better using a system made by people who care about security more than they care about cloning the most insecure operating system available.
-
Re:Security is everyone's problem
If my personal information is going to be stored on a computer that is linked to a network, I want the best damn security money can buy.
http://www.openbsd.org/
Take two, burn to CDR, and call me in the morning.
;-)
-
Re:Use Windows XP
] shawarma asks: "Due to a recent power outage, I've had to shut down a server running a process that had been running for ages calculating something.
] The job it was doing would have been done in a few days, I think, but I had to shut it down before the UPS ran out of juice.
Maybe you should use solar as a backup UPS or hydrogen fuel cells.
] This got me thinking: Why can't I freeze down the process and thaw it back up at a later time?
] It ought to be possible to take all the connected memory pages and save them in some way, preserve file handles and pointers, and everything.
] Maybe net-connections would die, but that's understandable.
Time for you to read my notes on KaosBSD, it has a built in autosave which records the state of the programs it's running.
] Has any work been done in this field? If not, shouldn't there be? I'd like to contribute in some way, but I think it's a bit over my head.."
Just leave a note in my Journal or email me if you want something done.
] Laptops have been doing this in some form for years: most laptops, when they run out of power, or when told by the user will go into "suspend" mode which is similar to what the poster is describing, however outside of laptops, I haven't seen this done.
] Sleeping processes also do something similar, sending their memory pages into swap so other running processes can use the memory. What, if anything, is preventing someone from taking this a step further?
I'm already doing this in KAOS, but it's different from suspend or sleep because it uses a status file to track the processes of every program.
This lets individual agents of any app crash and the other agents pickup what that agent was doing and keep your work, you don't lose it.
Say you're writing a report and the agent crashes, you might lose about a minutes work (depending on the autosave rate) instead of the hours you would lose by not saving in MS office.
Or maybe you're running a web browser with a dozen tabs on a window, then that agent crashes. You can then choose to start a new window with all those tabs loaded with the pages you were surfing, which is way better than trying to reload a browser by the history logs.
] by sklib: It's not possible to hibernate a single process.
Maybe not in windows, but KAOS can hibernate a single process. You can pause it and then save the state file or hibernate which saves the state then quits.
] During thawing, to restore the process's memory structure, one would have to do one of two things: Either put the process *exactly* where it was before in system memory, which may not be possible because other programs (perhaps even the OS?) are running in that memory space now.
My system is different, it uses status files that say what it's doing. It wouldn't need to worry about the memory use.
] The other option is to reallocate new memory for the process, and then go through and fix every pointer in the process to point to new memory locations. I will remind you that this is not possible, because processes can do very strange things with pointers and it's not possible to keep track of all of them from the object code side.
The need to reallocate new memory is not a concern if you use status files.
] Now, if the process could hibernate itself... well that's the same as hitting Save, and Exit in any program.
Which is why I have put hibernate in KAOS, I'm sick and tired of losing track of websites I'm surfing then trying to reload from history.
] So the only problem here is that programs that take weeks and/or months to compute stuff need to be written in such a way that you can save every once in a while, so when the power DOES go out, you don't lose that much of what you've processed.
Actually it's easier to write the OS so that programs autosave to a status file about once a minute regardless of if they are surfing websites or looking for little green men.
] In my opinion OS-level hibernation (which already exists for many windows versions, and seems like it should exist for those big mainframes) coupled with some smart programming (no intractable problems here)
I'm programming KaosBSD which can run on anything OpenBSD knows about and maybe port it to some of the things NetBSD supports.
The smart programming is the status manager which all apps can use to autosave.
This is part of the unique way that apps run as part of the system. It can also offer other app services inside your app.
The best example is the calculator, it can popup as a panel you use in any app.
] would put a thorough end to these shenanigans with losing months of processing time just because the power went out 5 minutes before it finished.
Yes, I've run Seti@home and had that happen dozens of times. It always annoys me to see a day of processing go down the drain.
-
Re:methods
i've probably dropped a few details here, so feel free to flame me with corrections. that aside, i can see a new open source project brewing: Stealth NAT. A NAT implementation that will rewrite TCP sequence numbers and randomize anything else that would give the impression that multiple machines were in use.
OpenBSD can actually already do this: it's called the modulate state directive to the pf packet filter. From what I can tell, it works under NAT and bridged filtering as well as straight routing-type filtering.
Basically, what modulate state does is rewrite TCP initial sequence numbers using the same cryptographically strong randomness OpenBSD uses for its own sequence numbers. For more information, check out the "STATE MODULATION" section in the pf.conf manpage.
-
Re:This is a shame for Opensource
I went back and read the mailing list on both IPF and OpenBSD. There are some elements that are childish, one guy suddenly changes his mind about his work and then another keeps bashing and won't let IPF re-unite with OpenBSD even after some modification to the license.
Yes, there were lots of childish comments. However, doing a code-weighted-average in my head, it seemed like the OpenBSD group was pretty calm and considered about the whole thing. Not that I'm completely unbiased, I guess.
A more important point is that aside from the fact that pf was pretty much a fait accompli when Darren changed his license, Theo had a very good reason for not going back to ipf - the license change is still not open enough for OpenBSD to include ipf in the kernel.
Theo et al want OpenBSD to be usable by anyone for anything, which means that Darren's, "you can't change the license terms," clause is still a problem. (See item #2 on OpenBSD's goals page.) As far as Theo is concerned you are fully welcome to fork OpenBSD (along with pf) and license your version under the GPL, if that is your desire.
If you don't share or value that goal, fine. But criticising Theo and/or OpenBSD for maintaining these goals is a little harsh.
-
OpenBSD
Here is what the OpenBSD project thinks of export restrictions
-
Re:Yeah
CLUE: Last time I checked, OpenBSD was distributed from Canada. I never mentioned US export laws (I am .au), my point is merely that any form of restriction is pointless.
OpenBSD project is based in Canada and was done so to avoid the silly crypto export restrictions that the US had and still has. If the US didn't have the crypto restrictions, then the project would have been moved to the US (as stated by this page).
-
Re:That GUID on WMP? Yeah . . .
...a Linux workstation with every daemon in the world running?
Perhaps OpenBSD would suit your needs better?
-
Re:Hhhmmm...
Heck, you don't even have to install third-party software--just enable the stuff that comes bundled with the system. E.g. lpd, ftpd, sshd (OpenSSH), dhclient, et cetera, et cetera...
OpenBSD's just got good marketing... as you say, their security's on par with the other *BSDs and the better Linux distros.
-
Re:Hhhmmm...
An OpenBSD motto, if you can call it that, is "Secure by default". One of most important things they do is to TURN THINGS OFF by default. Turning off everything except what's necessary is one of the fundamental things sysadmins will do to harden a machine. Most everyone else (especially Microsoft) leaves on all sorts of things they think you might find convenient. You need a very good sysadmin to competently harden most systems.
The point is this: if you don't know what's running, you don't know where to watch
-
Re:Hhhmmm...
And finally (back on topic) why EXACTLY is BSD more secure than other OSs (Windows, etc.) Does it automatically protect from buffer overruns or something?
It's OpenBSD the previous poster was referring to as more secure. It's more secure because the developers make security top priority. They accomplish this through an extensive auditing process, pro-actively fixing bugs like buffer overruns, and the use of cryptography. They also follow a philosophy that all non-essential services are off by default, with the assumption that in the process of learning to turn something on, you are more likely to learn how to run it safely. But don't take my word for it, read more about it here.
-
Re:Hhhmmm...
Actually, no, I was including Microsoft's own insistence. Show me even one person who believed XP would be more secure than OpenBSD. Come on, Microsoft issues PR releases for everything to do with security holes in their products.
Hardly anyone really believed that Windows XP would be more secure than Windows 2000, at least the level that Win2k is at now and the level that Win XP is at now.
-
Hhhmmm...
Well, after all the ribbing, we have to give Microsoft some credit. There was no reason to believe that Windows XP actually was designed to be secure. Certainly, recent events have shown otherwise. But this really could be a change for the better.
However, take a look at OpenBSD. They really are secure, or at least as secure as anyone can reasonably expect for an operating system. They have done a great job, but it takes time. A lot of time. OpenBSD was based on NetBSD, so security was always a priority, OpenBSD just made it more of a priority.
But really... even if security really is job one now at Microsoft, we aren't going to see any concrete results in the near future. Forget Microsoft's next operating system. It is going to take years, not months, to get results. I mean, we are looking at 2006, likely, until Microsoft systems have a hope of being secure. Will Microsoft (would any corporation) invest that many years of development? Are their customers really demanding security?
-
Cryptographic virtual memory
The OpenBSD folks have a solution for this.
People have been using 'CFS' to encrypt their home directories, etc for years, recently they added the ability to encrypt swap, with a moderate performance hit.
For the truly paranoid, a friend of mine is involved in a project developing hardware solutions for encryption between the CPU and RAM.
-
Re:yes, unfortunate misuse of terminology
Yeah, I thought this was going to be an article about making a cluster of 386's or something, since a cluster of pentiums apparently constitutes a super-computer.
Anyway, nothing sucks like a Vax...
-
Try OpenBSD for a firewall with minimal hardware.
OpenBSD is a good solution for anyone with a 486 and 8MB RAM. It is fairly simple and easy to use. (If you are familiar with Unix).
You can find all kinds of examples of how to set one up like here.
Older distro's used IPF, but as of 3.0 they use pf. You can read about pf here.
OpenBSD has gone 4 years without a remote hole in the default install. Pretty impressive.
But hey, only use it if you are SERIOUS about security AND don't want to pay anything.
Although you should consider helping fund the project out of the kindness of your ./ heart...;-)
-
More options
OpenBSD works well on PPC Macs. It can co-exist with Mac OS. Of course, there's always NetBSD, which runs on pretty much everything.
If installing Linux, I suggest Debian GNU/Linux. I've had better luck with their distro on PPC Macs than other distributions. (Maybe I'm just more used to apt than RPM.)
You might also want to check out MacOnLinux, which lets you run MacOS on top of Linux.
Finally, there's always Darwin and X Windows!