Slashdot Mirror

You mean sftp?

as long as they cannot decrypt what you're sending, you're safe. i doubt Excite@home will also spend the money on a beowulf cluster to decrypt everything that's getting dl'd, but the RIAA might.

We should all be sending all packets encrypted anyways, using encrypted protocols, but oops, neither am i. I bet if we were encrypting everything then the big players would lobby for key escrow or similar so they could monitor everything.

On a side note, does this mean all the FBI has to do, to use Carnivore without a warrant, is to become an ISP?

Instead of password auth, use something like s/key, so it really won't matter if the evil cracker gets:

OpenBSD supports s/key right out of the box, which is spiffy. Or use Public Key authentication, expensive crypto cards, or any of the other alternative authentication techniques out there.

So I'm curious to see where your info came from, because if it's true, then I'm sure the good folks who manage the OpenBSD site will update it. Hell, if you really find an exploit, I'll setup a box with an unpatched 2.6 install to test it on.

OpenBSD is free. "Four years without a remote hole in the default install!"

Most people that haven't used a BSD operating system before would be surprised to find out that most BSD developers don't consider the GPL free at all. I kindof agree with them.

They all use a lot of GPL software, though, just because they don't neccessarily want to re-do all the code themselves. If you're interested, take a look at these URLs:

Here and Here

There are real reasons for not wanting the OS to be developed in the USA. One is the way the US wants to control technology, such as encryption and, now, copyright. OpenBSD, for example, is based in Canada for the specific purpose of avoiding constraining US export laws.

I don't care who develops my OS. The only foreigners that bother me are the ones that have "Kill Americans" on today's list of things to do. Additionally, California isn't necessarily going to keep up in a crisis, especially if their UPSs are draining during a blackout.

Farid's Publications

say, which one of those papers listed on the page you mention talks about Farid's steganographic detection work?

The best part about Neil Provos' work is that he goes both ways, working on both OutGuess and stegdetect.

While i'm singing the praises of Neil Provos, thanks for your work on OpenSSH and pf, as well as the rest of the OpenBSD work you've contributed.

-f
http://www.blackant.net/

Farid's Publications

say, which one of those papers listed on the page you mention talks about Farid's steganographic detection work?

The best part about Neil Provos' work is that he goes both ways, working on both OutGuess and stegdetect.

While i'm singing the praises of Neil Provos, thanks for your work on OpenSSH and pf, as well as the rest of the OpenBSD work you've contributed.

-f
http://www.blackant.net/

Wow, this suddenly puts the new (2.9) OpenBSD art into better perspective.

I'm sure other distros do this, but Mandrake is the only one I've ever installed, likewise to other unix-based OSs

If you are interested in an OS that is secure by default, check out OpenBSD.

(For those of you who fear /. links, the site can be found at http://www.openbsd.org)

Compare the number of security advisories that affect OpenBSD versus the number that affect m$ products, and the value of a secure OS is obvious.

Going here gives a pretty complete rundown on using all things networking with openbsd.

Ignore all the 31337 h4xx0r5 looking for recognition because they use Debian (what's so hard about Debian anyway?) or Slackware. There's simply nothing that special about either, and really the only thing that seperates them from the more mainstream Linux distros (Red Hat, Mandrake, SuSE) is their lack of graphical installer, and different package formats.

There is nothing in Mandrake, Red Hat, et al to prevent you from configuing eveything by hand and using only the command line, if thats how youo get off. Me, I prefer KDE 2 (and konsole is a damn nice app). This probably makes some of those l337 d00dz mad, but whatever.

And don't think Linux is the be-all, end-all of free Unix. OpenBSD is quite nice (I'm using 2.9 right now), and one of the things I like about it is the ease with which you can install it over the internet (one of the major reasons I'm using it on this machine), not to mention security, correctness, etc which don't matter so much to me anyway.

HaiLHaiL asked about crypto.

the OpenBSD crypto page talks about encryption. How is that off topic?

Get versed! Spend an hour or two with OpenBSD . They gotta liscence or two, hee hee. Now go forth and kick some ass, Hailman.

• MS's "Code Red" "homepage"
• Technical bulliten on "Code Red"
• NT Server Patch
• Win 2k Server Patch

You know, I just happened to think, how screwed with this be if the worm also targeted MS so that people wouldn't be able to get at the patches...

Meanwhile I'll stick with OpenBSD...

Of course, it is not Linux, but there is always OpenBSD. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.

Educational, if nothing else.

ROTFLMAO! And the warning that this was in the wild appeared on bugtraq 2 days ago. You'd think they could at least apply their own patches. I knew there was a reason I don't allow M$ software on my network unless it's absolutely required. (I tend to use Linux sparingly too :-))

pétard

That is rather amusing!!! :-)

Of course, all of this havok is just funny when you sit behind an OpenBSD firewall, running on a stackguarded version of Linux. ;-)

Blockqoth the AC, AKA Lional Will:

For example FreeBSD has kernel secure levels (-1, 0, 1 etc) that you can set to decide how secure you would like your kernel to operate, for example on higher security levels you can not open up /dev/mem or /dev/kmem for writing and other things, while on lower security levels you can do pretty much what a regulat OpenBSD or NetBSD can do by default.

Ahem. OpenBSD has runlevels.

It's also best to remember that security is not a feature set, but rather a process and a frame of mind. OpenBSD is designed to give you a platform which gives you a good start for your security process. An OpenBSD system can be made very insecure, and most any other operating system can be made very secure. One of OpenBSD's goals, however, is to make security a bit easier.

Besides, should TrustedBSD turn out to be something worthwhile--and it's rather likely it will--there's an excellent chance it'll find its way into the other BSDs. There's a heck of a lot of cross-polination that goes on in the BSD world.

FreeBSD is very well suited to this kind of research. The other BSDs will benefit, just as all have benefited from OpenSSH, NetBSD's ports....

b&

Code audits are possible, you know. The OpenBSD project has done it. It wouldn't have been possible with binary-only software.
--

Honestly, I don't understand what all the fuss is about.

Unless you're the kind who likes to pay for water, just use one of the many other Linux distributions out there that don't have such odious licensing terms. It's not like there aren't any alternatives out there.

Or, better, you can use something with no restrictions at all on how you use it.

If Caldera wants to shoot themselves in the foot, who are we to stop them?

b&

Hmm... According to the OpenBSD FAQ, www.openbsd.org is running on Solaris.

If France wants to plug up her ears and wipe Nazi artifacts from existence in their own country, fine with me. Yahoo! France complies with French law and if that is not enough for the French authorities, maybe Yahoo! should look into moving their French servers to a neighboring country that has more rational laws.

The reason why the ISO images cannot be made official is that Theo de Raadt has copyrighted the OpenBSD CD-ROM's ISO layout.

Below is a snippet of the OpenBSD FAQ (which can be found here:

3.1.2 - Does OpenBSD provide an ISO image available for download? You can't. The official OpenBSD CD-ROM layout is copyright Theo de Raadt, as an incentive for people to buy the CD set. Note that only the layout is copyrighted, OpenBSD itself is free. Nothing precludes someone else to just grab OpenBSD and make their own CD.

> Can a Canadian shed some light on the technological literacy in their nation?

Everything from kernel development to the illiterate.

If you're asking for a national average, then web surfing, and using application software (i.e. Photoshop) would be there.

Cheers

One correction to your otherwise excellent post: there is a LOT of commercial support, more than I expected. Check out the page at OpenBSD dedicated to listing the support by country

• Operating System: Although OpenBSD is generally regarded as the best Freenix in terms of security, GNU/Linux is under more active development, faster, more user friendly and supports far more software packages and types of hardware than OpenBSD (sorry Theo, much respect...). I, along with most of the other admins and users are more familiar with a GNU environment. The distribution we use is Debian. I chose Debian for several reasons: free (libre and gratis), strong package system and reliability. It hasn't let me down. I do prefer Slackware on my personal box, since the -current tree is more stable than Debian's unstable. However, Debian's package system is nicer and provides many things that Slackware lacks (I may abandon Slackware as soon as Debian supports XF4 and kernel 2.4 by default in stable). Debian also keeps up to date on security issues.
• Kernel: We now run a Linux 2.4 kernel. Although most security tools/patches are 2.2 only, the mature (READ: usable) ones have been ported to kernel 2.4. I'm confident that more will follow. 2.2 is dead. We have disabled modules entirely in our kernel to prevent hax0ring and to avoid using modules (does anyone else hate them?). We only have a few drivers enabled. Besides helping performance, this protects against hostile code injection into the kernel. It is possible for a clever coder to inject code into a non-modular kernel, but most rootkits use kernel modules. Not allowing kernel modules and using 2.4, prevents us from using some really cool security tools like LOMAC. However, I found that LOMAC did not play nicely with OpenWall's Secure Linux patch (or cron, or init or getty ...). When Lomac behaves nicer, it will be added (I'd also like to see it as a patch rather than a module). Currently, we are using the GetRewted.net patch which provides lots of security enhancements. We may be adding more secure kernel additions such as the NSA's Security Enhanced Linux. However, at this time, we feel that the current kernel security model is both secure and usable. If you have any neat kernel goodies we might like, tell us.
• Firewall: Note that we are NOT running any sort of real firewall. We feel that the extra kernel overhead of the firewall hurts performance and adds needless complexity to the server. Since we are NOT trusting local (ie: users with shell access) anyway, we feel that a firewall is basically useless since Linux's TCP/IP stack is already fault-tolerant, mature and robust. We augmented the TCP/IP stack with this shell script to limit our vulnerability to DoS attacks. Firewalling services should not be needed if your services are secure (run with minimal priviliges and SECURE by design and condiguration). Eventually we may drop an OpenBSD or Linux 2.4 firewall in front of the server as a measure for restricting local users ability to portscan, DoS and exploit remote hosts.
• Authentication / Login: Remote interactive sessions are only supported over ssh (and we run OpenSSH). Telnet is not allowed. Rhosts authentication is not allowed. I've looked at forcing people to use S/Keys, but it is a real pain in the ass on both ends. We are currently allowing FTP in. When I'm confident that all the users can get a good graphical scp/sftp client for their platform, I'll kill FTP. Since I'm not relying on trusting local users anyway, this is more a security concern for individual users. I'm considering locking some users who don't use their shells out of real shell access.
• Users: I only make accounts for people I know personally. I also monitor user login s and their activity using whowatch and process accounting. I'm suspicious of logins from weird hosts. I also use PAM to set resource limits.
• Monitoring: We watch out for network nastiness with Snort which is an AWESOME IDS. We monitor its logs and other system activity with Psionic's LogCheck. Occasionally, I'll audit the machines for weird ports using nmap and Nessus, both of which are REALLY nice. I'll also routinely verify system integrity using a combination of Tripwire and chkrootkit, on a system booted from a known CLEAN floppy containing the tools.

I don't know shit about OpenBSD. Do you really think I will be more secure if I were to use OpenBSD tomorrow rather than Debian that I know pretty well? I don't think so either.

Well I most certainly do think that atleast you should feel more secure with OpenBSD. I think the comment on the www.openbsd.org site says it all "Four years without a remote hole in the default install!". I feel pretty safe saying that there aren't any other major OS's that can say that...

Although I do admit that you're right about knowing the system at hand and keeping it updated, but you really shouldn't undermine the security that OpenBSD can provide just because all the other vendors/distributors have kept failing over and over again.

-

Because it's GPL'd, and you CAN do that. FreeBSD and NetBSD do as well. Are you going to flame them also?

The GPL does NOT prohibit use of GPL'd code in commercial software. It does say that source must be made available for GPL'd software or derivitive works. Software that you write can be licensed by whatever method you see fit, as Darren Reed would be unhesitant to tell you.

I suggest you read http://www.openbsd.org/goals.html and http://www.openbsd.org/policy.html for more information on this.

Because it's GPL'd, and you CAN do that. FreeBSD and NetBSD do as well. Are you going to flame them also?

The GPL does NOT prohibit use of GPL'd code in commercial software. It does say that source must be made available for GPL'd software or derivitive works. Software that you write can be licensed by whatever method you see fit, as Darren Reed would be unhesitant to tell you.

I suggest you read http://www.openbsd.org/goals.html and http://www.openbsd.org/policy.html for more information on this.

Click here: https://https.openbsd.org/cgi-bin/order

Or just use your existing 2.8 for your firewall and use 2.9 for everything else.

Sorry, I was wrong. The announcement is still there.

It looks like you're right; I just went to the OpenBSD page, and it looks as if the announcement of the June 1 release date has been pulled. This particularly sucks because I just pre-ordered last night.

Not an answer to the original question, but do you guys know that OpenBSD policy is to never touch the /etc (neither from the ports, nor during the system upgrades)?

As for logging the changed files, how about looking at mtree and tripwire?

hahaha... good call!

by the way, dont forget OpenBSD 2.9 is being released in a week! Help support the cause and buy a CD for you and a friend!

---------------

Babelfish translator has lost his creator and maintainer.
Who will feed the fish, now ?
Maybe we should give the babelfish to Theo de Raadt, so that OpenBSD will run all hardware (past, present and future) over the universe ? And we will give back the ex-OpenBSD blowfish to the Altavista dudes, they won't see any change, anyway.

Better Source:
See the (Net|Free|Open)BSD port systems. Lots of smallish singular apps do compile cleanly on most any unix. But complex ones (do you realize how many dependencies Gnome has??) are just a pain in the ass. Don't get me started on GNU ``portability tools'' like libtool. The ports tree allows all BSD users to benefit from just a few people's porting efforts. And it doesn't depend on the goodwill of the software authors to incorporate patches, although that's always preferred.

Which Distro?:
The usual barrier to cross-distribution binaries, afaik, is library versions and/or config file placement. The emulation layer is distro-agnostic in that respect.

The emulation layer itself doesn't do much but support syscalls and convert kernel structures to what linux binaries expect. But in addition, every linux binary running sees an alternate version of the filesystem -- one in which the contents of "/emul/linux" override the rest. If "/emul/linux/foo" exists, linux binaries will access it rather than "/foo". That's how the linux_lib port works.

Gripe:
This is actually quite a disappointing document if you ask me. It doesn't say anything that's not easily available elsewhere. I know you linux types love having your hand held, but this question has been answered many times on OpenBSD's mailing lists, which are archived and searchable. And a more detailed explanation is available at my fingertips with the command man compat_linux. Or to the rest of you at OpenBSD's online manual pages.

Actually, the first release to have OpenSSH or "_any_ SSH" was OpenBSD 2.6.

This errata will show that SSH was in there for this release.

Note: Sun Microsystems does not provide support for the Linux operating system, either directly through Sun's Enteprise Services division, or by any indirect means. Linux users who wish to receive commercial support for their Linux systems should contact the vendor of the operating system distribution, or investigate third-party organizations that may help them.

I do wish there was more Linux support for Sparc, but it's not the end of the world. Most people who have Sparcs already have an OS that makes them happy. It's not like Sparc-Linux is going away just because RHAT decided Sparc isn't in the best interest of their shareholders.

Nor is the Sparc platform going away. Sun4 architecture is elegant and well documented. Compared to developing Linux for Mac/PPC, developing for Sparc is a breeze. With Apple you have to reverse engineer it onto a closed architecture. With Sparc, the vast majority of the stuff is documented and based on open standards.

In a few years, 64 bit UltraSPARCs are going to start appearing on the surplus market in large numbers. Like the pizza boxes that us Sparc nuts use today, there are going to be a bunch of cheap Ultras available for geeks to tinker with. Continuing to develop all Sparc-capable OS'es is important.

I do wish there was more Linux support for Sparc, but it's not the end of the world. Most people who have Sparcs already have an OS that makes them happy. It's not like Sparc-Linux is going away just because RHAT decided Sparc isn't in the best interest of their shareholders.

Nor is the Sparc platform going away. Sun4 architecture is elegant and well documented. Compared to developing Linux for Mac/PPC, developing for Sparc is a breeze. With Apple you have to reverse engineer it onto a closed architecture. With Sparc, the vast majority of the stuff is documented and based on open standards.

In a few years, 64 bit UltraSPARCs are going to start appearing on the surplus market in large numbers. Like the pizza boxes that us Sparc nuts use today, there are going to be a bunch of cheap Ultras available for geeks to tinker with. Continuing to develop all Sparc-capable OS'es is important.

You might just be suprised at how well they perform.

-dan

Huh?

OpenBSD 2.7 was the first to have OpenSSH (or _any_ SSH in the default install, and you said "prior to 2.8" so let's have a look at the errata page to see just how full of s--t you are.

Well, we can force ssh _clients_ to do X11 forwarding... not a root flaw, and not remote... so on to the next.

The non-default UseLogin feature can cause an exploit on other operating systems. Nope... no problem there.

And... the installer fails to set things up so ssh works at all on the m68k installer. So please, do tell... what the hell are you blabbering about?

Good advice, except:

couple of 20-gig hard drives, throw Linux with Apache, Sendmail (or Qmail), Radius

Only use Linux if you're comfortable securing it - if not you'll be owned in no time flat. If you want to run UNIX servers your best bet is OpenBSD

*sniff* *sniff*

There be trolls here. But given the fact there are gullible people who will buy into the conspiracy you push...

First, take a look at:

Where you see how many developers of OpenBSD are in the "American" sector.

Next, take a look at:

BTW, what outside independent group has reviewed M$ code, or DEC code, or Sun code, or AIX code...

I suppose you don't consult to the feds, since they use xbsd (DOJ uses OpenBSD).

As an expert on operating systems, you should be aware that the common commercial vendors are full of bugs and security holes. By telling your customers that they are safe because they are using American/commercial products, you are doing them a disservice.

How could you trust the agenda of an outside independent code review. After all, they might be just as anti-American!

I truly hope you make it as an anti-xbsd consultant. Good luck.

So while NT won't replace UNIX anytime soon, companies everywhere are discovering what the RISC/UNIX Conspiracy doesn't want you to know: it may take several dozen NT/IA boxes to equal the power of one enterprise-level UNIX/RISC box, but the Intel hardware is so fucking cheap that you end up saving money anyway. Even when you add Microsoft Hidden Costs ("$800 per server license? Are you out of your Vulcan mind, Spock?"), you pay less. And because IA is IA, you'll pay thousands of dollars for memory upgrades, as opposed for hundreds of thousands. (Last week I was watching our IT guys add some RS/6000 boxes to our cluster, and they let me hold $400k -- holy shit, $400k -- worth of RAM. It's a funny feeling, realizing that you could run for the door, sell the RAM, and buy a house with the profit.)

Anyhoo, I think that the NetBSD freaks should stop trying to port to dying architectures and instead implement SMP on a certain lamer NetBSD-ripoff, whose lack of SMP is the only thing keeping it from attaining a level of mediocrity comparable to say, Cheese-Wiz. But hey, these are the guys that port software to fucking toasters for the hell of it, so we can't expact them to contribute anything valuable to the world.

--

and there isnt even a web server platform that runs on the mac!

Really? Then what's this? Oh, and how about this? And then there's this, and this! Don't forget this. And finally, there's this! Now I figure either you meant to say something else, or you just don't know what you're talking about. If it's the former, perhaps you should clarify. If the latter you just lost alot of credibility in my mind.

-----
"Goose... Geese... Moose... MOOSE!?!?!"

After using assorted Linux distributions, FreeBSD, OpenBSD, NetBSD, Solaris, and other operating systems for the past few years, I've started tinkering with RTOS' (Real Time Operating Systems) such as QNX, dabbled with ChorusOS for a month or two, and have looked into a few others (Nucleus, ThreadX).

Some RTOS' can be used, for a typical production server running http, mail, etc, often faster and more productive than most other OS', and I'm sure there has to be advocates of RTOS' with a comment or two. There are benefits to making a switch or are RTOS' a high tech OS solely geared for companies needing higher computing standards, but I can see many here trying to advocate Linux, Linux, and oh yea Linux, and I'm sure there are those who will mod unfairly. whatever

Don't get them confused, a lot of THESE OS's are not free to download, and they're not the same as using redcrap, or dumbian progeny. The article itself though didn't mention that some of these are pricey OS' it seems like they just jumped on another "Oh ... OpenSource" for attention.

Is our soldiers forthcoming homecoming?

Microsoft used the source code for Kerbos and rewrote it to be non-interoperable with the opensource implimentation and because it was under the BSD license they were not required to release their changes to the public.

Sure, linux could go all cloistered and slow like *BSD and only release the occassional new update, but then, this is slow precisely because there aren't thousands of users helping find the bugs.

Actually, you are completly wrong and ignoring the fact that due to their more open developement process *BSD is "faster" since you can get a new current Kernel (and OS) every day (Or with anon-CVS every few hours...) and don't have to wait for Linus or Alan to anounce a new (test-)version.

• http://www.netbsd.org/Releases/release-map.html
• http://www.freebsd.org/handbook/cutting-edge.html
• http://www.openbsd.org/faq/upgrade-minifaq.html#1. 1